entra-agent-user
Summary
Create Agent Users in Microsoft Entra ID to enable AI agents to act as digital workers with user identity access.
- Provisions specialized user identities (idtyp=user tokens) linked to agent identities, allowing agents to access user-only APIs like Exchange mailboxes, Teams, and org charts
- Requires a parent agent identity created from an agent identity blueprint; supports a 1:1 relationship with optional manager assignment and license provisioning
- Includes step-by-step HTTP and PowerShell examples for verification, creation, manager assignment, usage location setup, and license assignment
- Agent users cannot have passwords or interactive sign-in; they authenticate via their parent agent identity and cannot be assigned privileged admin roles
SKILL.md
SKILL: Creating Agent Users in Microsoft Entra Agent ID
Overview
An agent user is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.
Agent users receive tokens with idtyp=user, unlike regular agent identities which receive idtyp=app.
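As an added example (not code from the SKILL.md or from Microsoft), this is the check a user-only resource API would apply to the idtyp claim just described, run against constructed tokens; signature, issuer and audience validation are assumed to have been done by a JWT library before this check.

```python
import base64
import json
from typing import Optional

# Added example, not from the SKILL.md: a resource API that strictly requires a
# user identity can gate on the idtyp claim Entra ID places in the access token.
# Signature/issuer/audience validation is assumed to happen BEFORE this check;
# this code only inspects the already-validated payload.


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims: dict) -> str:
    """Build an unsigned, CONSTRUCTED JWT for illustration only (no real signature)."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()),
                     ""])  # empty signature segment on the constructed token


def identity_type(token: str) -> Optional[str]:
    """Return the idtyp claim ('user' or 'app'), or None if absent or unparseable."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return None
    return payload.get("idtyp")


def user_only_api_allows(token: str) -> bool:
    """Policy for an API that only serves user identities (e.g. a mailbox API):
    accept idtyp=user; reject app tokens and tokens with no idtyp claim at all."""
    return identity_type(token) == "user"


# Constructed sample tokens: an agent user (idtyp=user) and a plain agent identity (idtyp=app).
AGENT_USER_TOKEN = make_constructed_token({"oid": "constructed-agent-user", "idtyp": "user"})
AGENT_IDENTITY_TOKEN = make_constructed_token({"oid": "constructed-agent-app", "idtyp": "app"})
NO_IDTYP_TOKEN = make_constructed_token({"oid": "constructed-no-claim"})
```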
Prerequisites
- A Microsoft Entra tenant with Agent ID capabilities
- An agent identity (service principal of type ServiceIdentity) created from an agent identity blueprint
- One of the following permissions: AgentIdUser.ReadWrite.IdentityParentedBy (least privileged), AgentIdUser.ReadWrite.All, or User.ReadWrite.All
- The caller must have at minimum the Agent ID Administrator role (in delegated scenarios)