AgentInstance.ReadWrite.ManagedBy
Export JSON
Export CSV
Copy URL
Print
Application
Read/Write
User Scope
Allows the app to create, read, update, and delete agent instances that designate the calling app as their manager in your organization's Agent Registry without a signed-in user.
Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access
App-Only Access
Permission Details
Application Permission
Read and write managed-by agent instances in Agent Registry
Allows the app to create, read, update, and delete agent instances that designate the calling app as their manager in your organization's Agent Registry without a signed-in user.
Permission ID:
782ab1bf-24f1-4c27-8bbc-2006d42792a6
Properties
Microsoft Graph beta
exact-category-docs
Properties is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.
| Property | Type | Description |
|---|---|---|
additionalInterfaces |
agentInterface collection |
Additional interfaces/transports supported by the agent. |
agentIdentityBlueprintId |
StringNullable |
Object ID of the agentIdentityBlueprint object. |
agentIdentityId |
StringNullable |
Object ID of the agentIdentity object. |
agentUserId |
StringNullable |
Object ID of the agentUser associated with the agent. Read-only. |
createdBy |
StringNullable |
Object ID of the user or application that created the agent instance. Read-only. |
createdDateTime |
DateTimeOffsetNullable |
Timestamp when agent instance was created. Read-only. |
displayName |
String |
Display name for the agent instance. |
id |
String |
Unique identifier for the agent instance. Key. Inherited from entity. |
lastModifiedDateTime |
DateTimeOffsetNullable |
Timestamp of last modification. |
managedBy |
StringNullable |
appId (referred to as Application (client) ID on the Microsoft Entra admin center) of the application managing this agent. |
originatingStore |
StringNullable |
Name of the store/system where agent originated. For example Copilot Studio. |
ownerIds |
String collection |
List of object IDs for the owners of the agent instance. |
preferredTransport |
StringNullable |
Preferred transport protocol. The possible values are JSONRPC, GRPC, and HTTP+JSON. |
signatures |
agentCardSignature collection |
Digital signatures for the agent instance. |
sourceAgentId |
StringNullable |
Identifier of the agent in the original source system. |
Showing 15 of 18 properties.
JSON Representation
Microsoft Graph beta
exact-category-docs
JSON representation is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.
JSON representation
{
"@odata.type": "#microsoft.graph.agentInstance",
"id": "String (identifier)",
"ownerIds": [
"String"
],
"managedBy": "String",
"originatingStore": "String",
"createdBy": "String",
"displayName": "String",
"sourceAgentId": "String",
"agentIdentityBlueprintId": "String",
"agentIdentityId": "String",
"agentUserId": "String",
"createdDateTime": "String (timestamp)",
"lastModifiedDateTime": "String (timestamp)",
"url": "String",
"preferredTransport": "String",
"additionalInterfaces": [
{
"@odata.type": "microsoft.graph.agentInterface"
}
],
"signatures": [
{
"@odata.type": "microsoft.graph.agentCardSignature"
}
]
}Relationships
Microsoft Graph beta
exact-category-docs
Relationships is shown from beta metadata because a stable v1.0 schema is not available for this resource mapping.
| Relationship | Type | Description |
|---|---|---|
agentCardManifest |
agentCardManifest |
The agent card manifest of the agent instance. |
collections |
agentCollection collection |
The agent collections that the agent instance is a member of. |
additionalInterfaces |
agentInterface collection |
Additional interfaces/transports supported by the agent. |
ownerIds |
string collection |
List of object IDs for the owners of the agent instance. |
signatures |
agentCardSignature collection |
Digital signatures for the agent instance. |
Graph Methods
Delegated access
App-only access
Exact Microsoft Learn match
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No API methods available for this version.
Exact Microsoft Learn match
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
No Microsoft Learn PowerShell mapping available
Microsoft Graph PowerShell v1.0 commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docs
No Microsoft Learn PowerShell mapping available
Microsoft Graph PowerShell beta commands are not available from refreshed Microsoft Learn PowerShell snippets for this permission.
No deterministic PowerShell command map is available for this permission.
Browse PowerShell docsCode Examples
C# / .NET SDK
Create agentInstance
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new AgentInstance
{
Id = "Security Copilot Platform Agent: 00222",
OwnerIds = new List<string>
{
"daf58b0e-44e1-433c-b6b0-ca70cae320b8",
"b9108c41-d2d2-4e78-b073-92f57b752bd0",
},
ManagedBy = "719cc904-9700-4e08-9941-fd826cc84c60",
OriginatingStore = "Microsoft Security Copilot",
CreatedBy = "d47bffae-411a-4de9-8548-05e79bc01f0d",
DisplayName = "Conditional Access Agent",
SourceAgentId = "00222",
AgentIdentityBlueprintId = "d0108c41-d2d2-4e78-b073-92f57b752bd0",
AgentIdentityId = "dd108c41-d2d2-4e78-b073-92f57b752bd0",
AgentUserId = "ee108c41-d2d2-4e78-b073-92f57b752bd0",
CreatedDateTime = DateTimeOffset.Parse("2025-01-01T00:00:00.1234567Z"),
LastModifiedDateTime = DateTimeOffset.Parse("2025-01-01T00:00:00.1234567Z"),
Url = "https://conditional-access-agent.example.com/a2a/v1",
PreferredTransport = "JSONRPC",
AdditionalInterfaces = new List<AgentInterface>
{
new AgentInterface
{
Url = "https://conditional-access-agent.example.com/a2a/v1",
Transport = "JSONRPC",
},
new AgentInterface
{
Url = "https://conditional-access-agent.example.com/a2a/grpc",
Transport = "GRPC",
},
new AgentInterface
{
Url = "https://conditional-access-agent.example.com/a2a/json",
Transport = "HTTP+JSON",
},
},
Signatures = new List<AgentCardSignature>
{
new AgentCardSignature
{
Protected = "eyJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp3ZWI6Y29udG9zby5leGFtcGxlI2tleS0xIiwidHlwIjoiYWdlbnRjYXJkK2p3cyJ9",
Signature = "xOSim9oMw_CdZM-qDhmwpB5fJcBx5I30yh-FZULd1j9ruPEUBnJzmfCynNfH1KgmJ2B7ulAYc7D2iIb-4Ul-8w",
Header = new JwsHeader
{
AdditionalData = new Dictionary<string, object>
{
{
"kidHint" , "contoso-key-1"
},
{
"nonce" , "f1e9b6c3-2f3a-4a3a-b604-1f9af3f2a9c0"
},
},
},
},
},
AgentCardManifest = new AgentCardManifest
{
OwnerIds = new List<string>
{
"0ef68a76-e247-41dd-947b-41282760a2ac",
},
OriginatingStore = "Copilot Studio",
DisplayName = "Conditional Access Agent Card",
Description = "Manages organizational conditional access policies",
IconUrl = "https://example.com/icon.png",
Provider = new AgentProvider
{
Organization = "Test Organization",
Url = "https://test.com",
},
ProtocolVersion = "1.0",
Version = "1.0.0",
DocumentationUrl = "https://example.com/docs",
Capabilities = new AgentCapabilities
{
Streaming = false,
PushNotifications = false,
StateTransitionHistory = true,
Extensions = new List<AgentExtension>
{
new AgentExtension
{
Uri = "https://contoso.example.com/a2a/capabilities/secureMessaging",
Description = null,
Required = false,
Params = new AgentExtensionParams
{
AdditionalData = new Dictionary<string, object>
{
{
"useHttps" , true
},
},
},
},
},
},
DefaultInputModes = new List<string>
{
"application/json",
},
DefaultOutputModes = new List<string>
{
"application/json",
"text/html",
},
SupportsAuthenticatedExtendedCard = true,
Skills = new List<AgentSkill>
{
new AgentSkill
{
Id = "threat-detection",
DisplayName = "Threat Detection",
Description = "Detect security threats in real-time",
Tags = new List<string>
{
"security",
"threat",
"detection",
},
Examples = new List<string>
{
"Analyze this log for threats",
"Check for malware",
},
InputModes = new List<string>
{
"application/json",
"text/plain",
},
OutputModes = new List<string>
{
"application/json",
"text/html",
},
},
},
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.AgentRegistry.AgentInstances.PostAsync(requestBody);
JavaScript
Add agentInstance to agentCollection
const options = {
authProvider,
};
const client = Client.init(options);
const agentInstance = {
'@odata.id': 'https://graph.microsoft.com/beta/agentRegistry/agentInstances(\'agent-instance-id\')'
};
await client.api('/agentRegistry/agentInstances/{agentInstanceId}/collections/{agentCollectionId}/members/$ref')
.version('beta')
.post(agentInstance);
PowerShell
Connect-MgGraph -Scopes "AgentInstance.ReadWrite.ManagedBy"
Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/agentRegistry/agentInstances"
Python
Create agentInstance
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.agent_instance import AgentInstance
from msgraph_beta.generated.models.agent_interface import AgentInterface
from msgraph_beta.generated.models.agent_card_signature import AgentCardSignature
from msgraph_beta.generated.models.jws_header import JwsHeader
from msgraph_beta.generated.models.agent_card_manifest import AgentCardManifest
from msgraph_beta.generated.models.agent_provider import AgentProvider
from msgraph_beta.generated.models.agent_capabilities import AgentCapabilities
from msgraph_beta.generated.models.agent_extension import AgentExtension
from msgraph_beta.generated.models.agent_extension_params import AgentExtensionParams
from msgraph_beta.generated.models.agent_skill import AgentSkill
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AgentInstance(
id = "Security Copilot Platform Agent: 00222",
owner_ids = [
"daf58b0e-44e1-433c-b6b0-ca70cae320b8",
"b9108c41-d2d2-4e78-b073-92f57b752bd0",
],
managed_by = "719cc904-9700-4e08-9941-fd826cc84c60",
originating_store = "Microsoft Security Copilot",
created_by = "d47bffae-411a-4de9-8548-05e79bc01f0d",
display_name = "Conditional Access Agent",
source_agent_id = "00222",
agent_identity_blueprint_id = "d0108c41-d2d2-4e78-b073-92f57b752bd0",
agent_identity_id = "dd108c41-d2d2-4e78-b073-92f57b752bd0",
agent_user_id = "ee108c41-d2d2-4e78-b073-92f57b752bd0",
created_date_time = "2025-01-01T00:00:00.1234567Z",
last_modified_date_time = "2025-01-01T00:00:00.1234567Z",
url = "https://conditional-access-agent.example.com/a2a/v1",
preferred_transport = "JSONRPC",
additional_interfaces = [
AgentInterface(
url = "https://conditional-access-agent.example.com/a2a/v1",
transport = "JSONRPC",
),
AgentInterface(
url = "https://conditional-access-agent.example.com/a2a/grpc",
transport = "GRPC",
),
AgentInterface(
url = "https://conditional-access-agent.example.com/a2a/json",
transport = "HTTP+JSON",
),
],
signatures = [
AgentCardSignature(
protected = "eyJhbGciOiJFUzI1NiIsImtpZCI6ImRpZDp3ZWI6Y29udG9zby5leGFtcGxlI2tleS0xIiwidHlwIjoiYWdlbnRjYXJkK2p3cyJ9",
signature = "xOSim9oMw_CdZM-qDhmwpB5fJcBx5I30yh-FZULd1j9ruPEUBnJzmfCynNfH1KgmJ2B7ulAYc7D2iIb-4Ul-8w",
header = JwsHeader(
additional_data = {
"kid_hint" : "contoso-key-1",
"nonce" : "f1e9b6c3-2f3a-4a3a-b604-1f9af3f2a9c0",
}
),
),
],
agent_card_manifest = AgentCardManifest(
owner_ids = [
"0ef68a76-e247-41dd-947b-41282760a2ac",
],
originating_store = "Copilot Studio",
display_name = "Conditional Access Agent Card",
description = "Manages organizational conditional access policies",
icon_url = "https://example.com/icon.png",
provider = AgentProvider(
organization = "Test Organization",
url = "https://test.com",
),
protocol_version = "1.0",
version = "1.0.0",
documentation_url = "https://example.com/docs",
capabilities = AgentCapabilities(
streaming = False,
push_notifications = False,
state_transition_history = True,
extensions = [
AgentExtension(
uri = "https://contoso.example.com/a2a/capabilities/secureMessaging",
description = None,
required = False,
params = AgentExtensionParams(
additional_data = {
"use_https" : True,
}
),
),
],
),
default_input_modes = [
"application/json",
],
default_output_modes = [
"application/json",
"text/html",
],
supports_authenticated_extended_card = True,
skills = [
AgentSkill(
id = "threat-detection",
display_name = "Threat Detection",
description = "Detect security threats in real-time",
tags = [
"security",
"threat",
"detection",
],
examples = [
"Analyze this log for threats",
"Check for malware",
],
input_modes = [
"application/json",
"text/plain",
],
output_modes = [
"application/json",
"text/html",
],
),
],
),
)
result = await graph_client.agent_registry.agent_instances.post(request_body)App Registration
1
Navigate to Azure Portal
Go to App registrations in Microsoft Entra admin center
2
Add API Permission
Select your app → API permissions → Add a permission → Microsoft Graph
3
Select Permission Type
Choose Application permissions and search for AgentInstance.ReadWrite.ManagedBy
4
Grant Admin Consent
Application permissions always require admin consent.