Quickly provision Microsoft Entra identity blueprints, per-instance identities, and OAuth token exchange for agents.
Copy the install instructions and let the AI complete the setup automatically · Recommended for beginners
Please install the "entra-agent-id" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/GitHub-Copilot-for-Azure/main/plugin/skills/entra-agent-id/SKILL.md 2. Save it as ~/.claude/skills/entra-agent-id/SKILL.md 3. After installing, reload the skills and tell me it is ready to use
Design a Microsoft Entra Agent Identity Blueprint for an internal enterprise AI agent, including the BlueprintPrincipal, the required permission scopes, naming conventions, and example steps for creating it through Microsoft Graph.
Returns an implementable identity blueprint design, principal configuration recommendations, and an example Graph creation workflow.
Help me configure an OAuth 2.0 OBO token exchange flow for a multi-service agent, covering the prerequisites, the Microsoft Entra configuration items, the token flow steps, and key points for troubleshooting common errors.
Provides complete OBO configuration guidance, flowchart-style steps, and a troubleshooting checklist.
Explain how to integrate the Microsoft Entra SDK for AgentID sidecar into a polyglot agent system to provide per-instance identity and cross-tenant token exchange, with deployment and configuration recommendations.
Outputs a sidecar integration plan, an identity assignment approach, the key cross-tenant exchange configuration points, and deployment recommendations.
Create and manage OAuth 2.0-capable identities for AI agents using Microsoft Graph. Every agent instance gets a distinct identity, audit trail, and independently-scoped permission grants.
| Property | Value |
|---|---|
| Service | Microsoft Entra Agent ID |
| API | Microsoft Graph (https://graph.microsoft.com/v1.0) |
| Required role | Agent Identity Developer, Agent Identity Administrator, or Application Administrator |
| Object model | Blueprint (application) → BlueprintPrincipal (SP) → Agent Identity (SP) |
| Runtime exchange | Two-step fmi_path exchange (autonomous and OBO) |
| .NET helper | Microsoft.Identity.Web.AgentIdentities |
| Polyglot helper | Microsoft Entra SDK for AgentID (sidecar container) |
- `fmi_path` runtime token exchange (autonomous or OBO)
- Application (`appRoleAssignments`) or delegated (`oauth2PermissionGrants`) permissions
- Errors `AADSTS82001`, `AADSTS700211`, or `PropertyNotCompatibleWithAgentIdentity`

| Tool | Use |
|---|---|
| mcp_azure_mcp_documentation | Search Microsoft Learn for current Agent ID setup, Graph API shapes, and SDK configuration |
There is no dedicated Agent Identity MCP server today. This skill guides direct Microsoft Graph API calls (PowerShell or Python requests). Use mcp_azure_mcp_documentation to verify request bodies and endpoints against current docs before running.
Use the mcp_azure_mcp_documentation tool to search Microsoft Learn for current Agent ID documentation:
Verify request bodies and endpoints against the installed SDK version — Graph API shapes evolve.
```
Agent Identity Blueprint (application)          ← one per agent type/project
└── BlueprintPrincipal (service principal)      ← MUST be created explicitly
    ├── Agent Identity (SP): agent-1            ← one per agent instance
    ├── Agent Identity (SP): agent-2
    └── Agent Identity (SP): agent-3
```
| Concept | Description |
|---|---|
| Blueprint | Application object that defines a type/class of agent. Holds credentials (secret, certificate, federated identity). |
| BlueprintPrincipal | Service principal for the Blueprint in the tenant. Not auto-created. |
| Agent Identity | Service-principal-only identity for a single agent instance. Cannot hold its own credentials. |
| Sponsor | A User (or Group, for Agent Identity) who is responsible for the identity. Required on creation. |
One of: Agent Identity Developer, Agent Identity Administrator, or Application Administrator.
```powershell
# PowerShell 7+
Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
```

```bash
pip install azure-identity requests
```
`DefaultAzureCredential` is not supported. Azure CLI tokens carry `Directory.AccessAsUser.All`, which Agent Identity APIs hard-reject (403). Use a dedicated app registration with `client_credentials`, or `Connect-MgGraph` with explicit delegated scopes.

```powershell
Connect-MgGraph -Scopes @(
    "AgentIdentityBlueprint.Create",
    "AgentIdentityBlueprint.ReadWrite.All",
    "AgentIdentityBlueprintPrincipal.Create",
    "AgentIdentity.Create.All",
    "User.Read"
)
```
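As an added example (not part of the skill or of the GitHub Copilot for Azure project), a Python pre-flight check that inspects the claims of a Graph access token before it is sent to Agent Identity APIs: it flags the `Directory.AccessAsUser.All` scope that the page says is rejected with 403, and, for delegated tokens, confirms the scopes requested above are present. The `make_unsigned_test_token` helper and its sample claims are constructed for offline testing; no signature is verified, so this is a local diagnostic, not an authorization decision.

```python
import base64
import json

# Delegated scopes the skill requests via Connect-MgGraph (listed on the page).
REQUIRED_SCOPES = {
    "AgentIdentityBlueprint.Create",
    "AgentIdentityBlueprint.ReadWrite.All",
    "AgentIdentityBlueprintPrincipal.Create",
    "AgentIdentity.Create.All",
}
# Scope that Agent Identity APIs hard-reject (403); Azure CLI tokens carry it.
REJECTED_SCOPES = {"Directory.AccessAsUser.All"}
# Microsoft Graph as a token audience: URI form or its well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight_agent_id_token(token: str) -> list[str]:
    """Return findings explaining why a token would fail against Agent Identity APIs.

    An empty list means the token's audience and scopes look usable.
    """
    claims = decode_jwt_claims(token)
    findings = []
    # Delegated tokens carry a space-separated 'scp' claim; app-only tokens carry 'roles'.
    scopes = set(claims.get("scp", "").split())
    roles = set(claims.get("roles", []))
    if claims.get("aud") not in GRAPH_AUDIENCES:
        findings.append(f"audience {claims.get('aud')!r} is not Microsoft Graph")
    rejected = scopes & REJECTED_SCOPES
    if rejected:
        findings.append(f"token carries {sorted(rejected)}: Agent Identity APIs return 403 "
                        "(typical of Azure CLI / DefaultAzureCredential tokens)")
    if not roles:  # delegated flow: the explicit scopes must have been granted
        missing = REQUIRED_SCOPES - scopes
        if missing:
            findings.append(f"missing delegated scopes: {sorted(missing)}")
    return findings


def make_unsigned_test_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the check can run offline."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."
```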
…