Provision Entra agent identities, blueprints, and OAuth token exchange flows.
The material indicates an open-source, prompt-oriented skill with no declared built-in secrets, remote endpoints, or local execution capability, so overall risk is low. However, it targets Microsoft Graph identity and permission configuration; if followed in practice, it may involve high-privilege directory objects and OAuth changes, so least-privilege validation against official docs is important.
The header says no keys/environment variables are required, but the README explicitly covers configuring Blueprint credentials (FIC, Managed Identity, or client secret) and OAuth token exchange flows. This means the skill itself does not bundle credentials, yet the real-world workflow handles sensitive identity settings, creating misuse exposure if misconfigured or leaked.
The README points to the known official Microsoft Graph endpoint (https://graph.microsoft.com/v1.0) and suggests checking Microsoft Learn/MCP documentation. There is no sign of exfiltration to unrelated third parties, but following the guidance would send identity configuration requests to Microsoft services.
The objective checks mark this as prompt-only, and the document only describes guiding direct Graph API calls (for example via PowerShell or Python requests). It does not declare that the skill itself launches local processes, executes scripts, or gains additional system capabilities.
The material does not claim direct local file read/write, but it aims to create and manage Entra Blueprints, service principals, agent identities, permission grants, and cross-tenant/OBO token flows, which are sensitive tenant identity and authorization operations. The README also lists roles such as Agent Identity Developer/Administrator or Application Administrator, so privilege scope should be checked against actual need.
The source is a Microsoft GitHub repository and is marked open-source, making it auditable and meaningfully lowering risk. Downsides are the undeclared license, 0 stars, and unknown maintenance status, so trust is not maximal, but the provided material shows no red flags such as closed-source exfiltration, malicious injection, or obvious abandonment.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "entra-agent-id" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/GitHub-Copilot-for-Azure/main/plugin/skills/entra-agent-id/SKILL.md 2. Save it as ~/.claude/skills/entra-agent-id/SKILL.md 3. Reload skills and tell me it's ready
Design a Microsoft Entra Agent Identity Blueprint for an internal enterprise AI agent, including the BlueprintPrincipal, required permission scopes, naming conventions, and example steps to create it through Microsoft Graph.
A practical blueprint design, principal configuration guidance, and example Graph creation flow.
Help me configure an OAuth 2.0 OBO token exchange flow for a multi-service agent, including prerequisites, Microsoft Entra settings, token flow steps, and common troubleshooting points.
A complete OBO setup guide, step-by-step token flow, and troubleshooting checklist.
Explain how to integrate the Microsoft Entra SDK for AgentID sidecar in a polyglot agent system to enable per-instance identities and cross-tenant token exchange, and provide deployment and configuration recommendations.
A sidecar integration plan, identity assignment approach, cross-tenant exchange guidance, and deployment recommendations.
Create and manage OAuth 2.0-capable identities for AI agents using Microsoft Graph. Every agent instance gets a distinct identity, audit trail, and independently-scoped permission grants.
| Property | Value |
|---|---|
| Service | Microsoft Entra Agent ID |
| API | Microsoft Graph (https://graph.microsoft.com/v1.0) |
| Required role | Agent Identity Developer, Agent Identity Administrator, or Application Administrator |
| Object model | Blueprint (application) → BlueprintPrincipal (SP) → Agent Identity (SP) |
| Runtime exchange | Two-step fmi_path exchange (autonomous and OBO) |
| .NET helper | Microsoft.Identity.Web.AgentIdentities |
| Polyglot helper | Microsoft Entra SDK for AgentID (sidecar container) |
fmi_path runtime token exchange (autonomous or OBO)appRoleAssignments) or delegated (oauth2PermissionGrants) permissionsAADSTS82001, AADSTS700211, or PropertyNotCompatibleWithAgentIdentity| Tool | Use |
|---|---|
mcp_azure_mcp_documentation | Search Microsoft Learn for current Agent ID setup, Graph API shapes, and SDK configuration |
There is no dedicated Agent Identity MCP server today. This skill guides direct Microsoft Graph API calls (PowerShell or Python requests). Use mcp_azure_mcp_documentation to verify request bodies and endpoints against current docs before running.
Use the mcp_azure_mcp_documentation tool to search Microsoft Learn for current Agent ID documentation:
Verify request bodies and endpoints against the installed SDK version — Graph API shapes evolve.
Agent Identity Blueprint (application) ← one per agent type/project
└── BlueprintPrincipal (service principal) ← MUST be created explicitly
├── Agent Identity (SP): agent-1 ← one per agent instance
├── Agent Identity (SP): agent-2
└── Agent Identity (SP): agent-3
| Concept | Description |
|---|---|
| Blueprint | Application object that defines a type/class of agent. Holds credentials (secret, certificate, federated identity). |
| BlueprintPrincipal | Service principal for the Blueprint in the tenant. Not auto-created. |
| Agent Identity | Service-principal-only identity for a single agent instance. Cannot hold its own credentials. |
| Sponsor | A User (or Group, for Agent Identity) who is responsible for the identity. Required on creation. |
One of: Agent Identity Developer, Agent Identity Administrator, or Application Administrator.
# PowerShell 7+
Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
pip install azure-identity requests
DefaultAzureCredentialis not supported. Azure CLI tokens carryDirectory.AccessAsUser.All, which Agent Identity APIs hard-reject (403). Use a dedicated app registration withclient_credentials, orConnect-MgGraphwith explicit delegated scopes.
Connect-MgGraph -Scopes @(
"AgentIdentityBlueprint.Create",
"AgentIdentityBlueprint.ReadWrite.All",
"AgentIdentityBlueprintPrincipal.Create",
"AgentIdentity.Create.All",
"User.Read"
)
…
Set up Entra ID app registration, OAuth, permissions, and MSAL integration.
Set up Azure Application Insights telemetry for web apps with best practices.
Troubleshoot Azure Event Hubs and Service Bus SDK connection and messaging issues.
Find, list, and inspect Azure resources across subscriptions and resource groups.
Deploy, evaluate, fine-tune, and optimize Microsoft Foundry agents and models.
Deploy prepared Azure apps with built-in recovery for common release errors.
Search Microsoft Entra ID and Graph permissions plus first-party app details.
Manage Entra ID users, access, devices, and security policies via Microsoft Graph.
Operate long-running agent workloads with monitoring, security, and lifecycle control.
Enable enterprise auth, token validation, and access control for AI agents.
Inspect, run, and build Microsoft Power Automate cloud flows from AI agents.
Explore AI models, MCP servers, and agent integrations in one gateway.