entra-agent-user

# SKILL: Creating Agent Users in Microsoft Entra Agent ID ## Overview An **agent user** is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries. Agent users receive tokens with `idtyp=user`, unlike regular agent identities which receive `idtyp=app`. --- ## Prerequisites - A **Microsoft Entra tenant** with Agent ID capabilities - An **agent identity** (service principal of type `ServiceIdentity`) created from an **agent identity blueprint** - One of the following **permissions**: - `AgentIdUser.ReadWrite.IdentityParentedBy` (least privileged) - `AgentIdUser.ReadWrite.All` - `User.ReadWrite.All` - The caller must have at minimum the **Agent ID Administrator** role (in delegated scenarios) > **Important:** The `identityParentId` must reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has `@odata.type: #microsoft.graph.agentIdentity` and `servicePrincipalType: ServiceIdentity`. --- ## Architecture ``` Agent Identity Blueprint (application template) │ ├── Agent Identity (service principal - ServiceIdentity) │ │ │ └── Agent User (user - agentUser) ← 1:1 relationship │ └── Agent Identity ...