entra-agent-user
Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments.
Best use case
entra-agent-user is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using entra-agent-user should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/entra-agent-user/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
SKILL.md Source
# SKILL: Creating Agent Users in Microsoft Entra Agent ID
## Overview
An **agent user** is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.
Agent users receive tokens with `idtyp=user`, unlike regular agent identities, which receive `idtyp=app`.
---
## Prerequisites
- A **Microsoft Entra tenant** with Agent ID capabilities
- An **agent identity** (service principal of type `ServiceIdentity`) created from an **agent identity blueprint**
- One of the following **permissions**:
  - `AgentIdUser.ReadWrite.IdentityParentedBy` (least privileged)
  - `AgentIdUser.ReadWrite.All`
  - `User.ReadWrite.All`
- The caller must have at minimum the **Agent ID Administrator** role (in delegated scenarios)
> **Important:** The `identityParentId` must reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has `@odata.type: #microsoft.graph.agentIdentity` and `servicePrincipalType: ServiceIdentity`.
---
## Architecture
```
Agent Identity Blueprint (application template)
│
├── Agent Identity (service principal - ServiceIdentity)
│   │
│   └── Agent User (user - agentUser) ← 1:1 relationship
│
└── Agent Identity Blueprint Principal (service principal in tenant)
```
| Component | Type | Token Claim | Purpose |
|---|---|---|---|
| Agent Identity | Service Principal | `idtyp=app` | Backend/API operations |
| Agent User | User (`agentUser`) | `idtyp=user` | Act as a digital worker in M365 |
---
## Step 1: Verify the Agent Identity Exists
Before creating an agent user, confirm the agent identity is a proper `agentIdentity` type:
```http
GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>
```
Verify the response contains:
```json
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "<blueprint-id>"
}
```
### PowerShell
```powershell
Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

# Read the service principal and inspect @odata.type / servicePrincipalType in the output
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3
```
> **Common mistake:** Using an app registration's `appId` or a regular application service principal's `id` will fail. Only agent identities created from blueprints work.
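The check in this step is easy to automate against the JSON that Graph returns. The following Python is an added example (not part of the skill file and not Microsoft code): it validates a `GET /beta/servicePrincipals/{id}` response against the three markers listed above and hands back the object `id` (never the `appId`) to use as `identityParentId`. Both responses below are constructed samples with placeholder GUIDs; the field names are the ones the skill itself references.

```python
"""Pre-flight check for Step 1: is this service principal a true agent identity?

Added example, not part of the skill file. The sample responses are constructed
stand-ins for GET /beta/servicePrincipals/{id} output; the GUIDs are placeholders.
"""
import json

AGENT_IDENTITY_TYPE = "#microsoft.graph.agentIdentity"
SERVICE_IDENTITY_TYPE = "ServiceIdentity"


def verify_agent_identity(sp: dict) -> tuple:
    """Return (ok, problems). ok is True only when every required marker is present."""
    problems = []
    odata_type = sp.get("@odata.type")
    if odata_type != AGENT_IDENTITY_TYPE:
        problems.append(f"@odata.type is {odata_type!r}, expected {AGENT_IDENTITY_TYPE!r}")
    sp_type = sp.get("servicePrincipalType")
    if sp_type != SERVICE_IDENTITY_TYPE:
        problems.append(f"servicePrincipalType is {sp_type!r}, expected {SERVICE_IDENTITY_TYPE!r}")
    if not sp.get("agentIdentityBlueprintId"):
        problems.append("agentIdentityBlueprintId is missing, so it was not created from a blueprint")
    return (not problems, problems)


def identity_parent_id(sp: dict) -> str:
    """Return the value to use as identityParentId: the object id, never the appId."""
    ok, problems = verify_agent_identity(sp)
    if not ok:
        raise ValueError("not a usable agent identity: " + "; ".join(problems))
    return sp["id"]


# Constructed sample: what a blueprint-created agent identity looks like.
AGENT_IDENTITY_RESPONSE = json.loads("""
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "id": "00000000-0000-0000-0000-00000000a001",
  "appId": "00000000-0000-0000-0000-00000000b001",
  "displayName": "Example Agent Identity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "00000000-0000-0000-0000-00000000c001"
}
""")

# Constructed sample: a regular application service principal (the common mistake).
REGULAR_APP_SP_RESPONSE = json.loads("""
{
  "@odata.type": "#microsoft.graph.servicePrincipal",
  "id": "00000000-0000-0000-0000-00000000a002",
  "appId": "00000000-0000-0000-0000-00000000b002",
  "displayName": "Example Line-of-Business App",
  "servicePrincipalType": "Application"
}
""")


if __name__ == "__main__":
    for label, sp in (("agent identity", AGENT_IDENTITY_RESPONSE),
                      ("regular app SP", REGULAR_APP_SP_RESPONSE)):
        ok, problems = verify_agent_identity(sp)
        print(f"{label}: {'OK' if ok else 'REJECT'}")
        for problem in problems:
            print("  -", problem)
```

Feed it the parsed body of the GET call from this step; if `identity_parent_id` raises, stop before Step 2 rather than letting the create call fail with `Agent user IdentityParent does not exist`.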
---
## Step 2: Create the Agent User
### HTTP Request
```http
POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>

{
  "accountEnabled": true,
  "displayName": "My Agent User",
  "mailNickname": "my-agent-user",
  "userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
  "identityParentId": "<agent-identity-object-id>"
}
```
### Required Properties
| Property | Type | Description |
|---|---|---|
| `accountEnabled` | Boolean | `true` to enable the account |
| `displayName` | String | Human-friendly name |
| `mailNickname` | String | Mail alias (no spaces/special chars) |
| `userPrincipalName` | String | UPN — must be unique in the tenant (`alias@verified-domain`) |
| `identityParentId` | String | Object ID of the parent agent identity |
### PowerShell
```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

# Note: no passwordProfile. Agent users cannot have passwords.
$body = @{
    accountEnabled    = $true
    displayName       = "My Agent User"
    mailNickname      = "my-agent-user"
    userPrincipalName = "my-agent-user@yourtenant.onmicrosoft.com"
    identityParentId  = "<agent-identity-object-id>"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
    -Body $body -ContentType "application/json" | ConvertTo-Json -Depth 3
```
### Key Notes
- **No password** — agent users cannot have passwords. They authenticate via their parent agent identity's credentials.
- **1:1 relationship** — each agent identity can have at most one agent user. Attempting to create a second returns `400 Bad Request`.
- The `userPrincipalName` must be unique. Don't reuse an existing user's UPN.
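The required properties and the three key notes translate directly into pre-flight checks. The Python below is an added example (not part of the skill file): it assembles the `POST /beta/users/microsoft.graph.agentUser` request only when the body would satisfy the documented constraints, namely the required properties, a space-free `mailNickname`, a UPN of the form `alias@verified-domain` that is not already taken, and the one-agent-user-per-agent-identity rule. The existing UPNs and existing agent users are constructed inputs standing in for what the caller would fetch from `/users` beforehand; the alias character set is an assumption, chosen conservatively.

```python
"""Pre-flight validation for Step 2: build the agentUser create request.

Added example, not part of the skill file. EXISTING_UPNS and EXISTING_AGENT_USERS
are constructed sample data; the GUIDs and domain are placeholders.
"""
import re

GRAPH_AGENT_USER_URL = "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser"
# Assumption: a conservative alias charset (letters, digits, '.', '_', '-').
MAIL_NICKNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


class AgentUserRequestError(ValueError):
    """Raised when the request would trip one of the documented constraints."""


def build_agent_user_request(display_name, mail_nickname, verified_domain,
                             identity_parent_id, existing_upns, existing_agent_users):
    """Return {"method", "url", "headers", "body"} for the create call, or raise."""
    problems = []
    if not display_name or not display_name.strip():
        problems.append("displayName must not be empty")
    if not MAIL_NICKNAME_RE.fullmatch(mail_nickname or ""):
        problems.append("mailNickname may contain only letters, digits, '.', '_' or '-' (no spaces)")
    if not identity_parent_id:
        problems.append("identityParentId is required")

    # UPN must be unique in the tenant; Graph compares case-insensitively.
    upn = f"{mail_nickname}@{verified_domain}"
    if upn.lower() in {u.lower() for u in existing_upns}:
        problems.append(f"userPrincipalName {upn} is already taken (would return 409 Conflict)")

    # 1:1 rule: an agent identity that already has an agent user gets 400 Bad Request.
    linked = [u for u in existing_agent_users if u.get("identityParentId") == identity_parent_id]
    if linked:
        problems.append(f"agent identity {identity_parent_id} already has agent user "
                        f"{linked[0].get('userPrincipalName')} (1:1 rule, would return 400)")

    if problems:
        raise AgentUserRequestError("; ".join(problems))

    # Deliberately no passwordProfile: agent users authenticate via the parent identity.
    body = {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "identityParentId": identity_parent_id,
    }
    return {"method": "POST", "url": GRAPH_AGENT_USER_URL,
            "headers": {"Content-Type": "application/json"}, "body": body}


# Constructed sample state of the tenant (placeholders).
EXISTING_UPNS = {"alice@yourtenant.onmicrosoft.com", "my-agent-user@yourtenant.onmicrosoft.com"}
EXISTING_AGENT_USERS = [
    {"userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
     "identityParentId": "00000000-0000-0000-0000-00000000a001"},
]
NEW_PARENT_ID = "00000000-0000-0000-0000-00000000a002"


if __name__ == "__main__":
    ok = build_agent_user_request("Second Agent", "second-agent", "yourtenant.onmicrosoft.com",
                                  NEW_PARENT_ID, EXISTING_UPNS, EXISTING_AGENT_USERS)
    print("would send:", ok["method"], ok["url"], ok["body"])
    for args in (("Dup", "my-agent-user", "yourtenant.onmicrosoft.com",
                  "00000000-0000-0000-0000-00000000a001"),
                 ("Bad alias", "my agent", "yourtenant.onmicrosoft.com", NEW_PARENT_ID)):
        try:
            build_agent_user_request(*args, EXISTING_UPNS, EXISTING_AGENT_USERS)
        except AgentUserRequestError as err:
            print("rejected:", err)
```

The `existing_agent_users` list is what `GET /beta/users/microsoft.graph.agentUser` would return in a real run; the check is cheap and turns the two runtime errors in the Troubleshooting table into a clear local message before any write is attempted.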
---
## Step 3: Assign a Manager (Optional)
Assigning a manager allows the agent user to appear in org charts (e.g., Teams).
```http
PUT https://graph.microsoft.com/beta/users/{agent-user-id}/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>

{
  "@odata.id": "https://graph.microsoft.com/beta/users/{manager-user-id}"
}
```
### PowerShell
```powershell
$managerBody = '{"@odata.id":"https://graph.microsoft.com/beta/users/<manager-user-id>"}'

# The backtick escapes $ref so PowerShell does not expand it as a variable
Invoke-MgGraphRequest -Method PUT `
    -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/manager/`$ref" `
    -Body $managerBody -ContentType "application/json"
```
---
## Step 4: Set Usage Location and Assign Licenses (Optional)
A license is needed for the agent user to have a mailbox, Teams presence, etc. Usage location must be set first.
### Set Usage Location
```http
PATCH https://graph.microsoft.com/beta/users/{agent-user-id}
Content-Type: application/json
Authorization: Bearer <token>

{
  "usageLocation": "US"
}
```
### List Available Licenses
```http
GET https://graph.microsoft.com/beta/subscribedSkus?$select=skuPartNumber,skuId,consumedUnits,prepaidUnits
Authorization: Bearer <token>
```
Requires `Organization.Read.All` permission.
### Assign a License
```http
POST https://graph.microsoft.com/beta/users/{agent-user-id}/assignLicense
Content-Type: application/json
Authorization: Bearer <token>

{
  "addLicenses": [
    { "skuId": "<sku-id>" }
  ],
  "removeLicenses": []
}
```
### PowerShell (all in one)
```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -TenantId "<tenant>" -NoWelcome

# Set usage location (must happen before any license is assigned)
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>" `
    -Body '{"usageLocation":"US"}' -ContentType "application/json"

# Assign license
$licenseBody = '{"addLicenses":[{"skuId":"<sku-id>"}],"removeLicenses":[]}'
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/assignLicense" `
    -Body $licenseBody -ContentType "application/json"
```
> **Tip:** You can also assign licenses via the **Entra admin center** under Identity → Users → All users → select the agent user → Licenses and apps.
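Two things go wrong in this step in practice: assigning a license before `usageLocation` is set, and picking a SKU with no free units. The Python below is an added example (not part of the skill file) that reads the `subscribedSkus` shape selected above (`skuPartNumber`, `skuId`, `consumedUnits`, `prepaidUnits`), picks a SKU only if it still has unconsumed enabled units, and emits the PATCH and `assignLicense` calls in the required order, refusing to emit the license call without a valid usage location. The SKU list is constructed sample data with placeholder GUIDs; the two-letter country-code format for `usageLocation` is the one Graph documents.

```python
"""Step 4 helper: order the usage-location and license calls and pick a SKU with free seats.

Added example, not part of the skill file. SUBSCRIBED_SKUS is constructed sample data
shaped like GET /beta/subscribedSkus output; the GUIDs are placeholders.
"""
import re
from typing import List, Optional

# usageLocation is an ISO 3166-1 alpha-2 code; assignLicense fails if it is unset.
USAGE_LOCATION_RE = re.compile(r"^[A-Z]{2}$")


def pick_sku(subscribed_skus: List[dict], sku_part_number: str) -> Optional[str]:
    """Return the skuId for sku_part_number if at least one enabled unit is unconsumed."""
    for sku in subscribed_skus:
        if sku.get("skuPartNumber") != sku_part_number:
            continue
        enabled = sku.get("prepaidUnits", {}).get("enabled", 0)
        available = enabled - sku.get("consumedUnits", 0)
        return sku["skuId"] if available > 0 else None
    return None


def plan_license_assignment(agent_user_id: str, current_usage_location: Optional[str],
                            desired_usage_location: str, sku_id: Optional[str]) -> List[dict]:
    """Return the ordered Graph calls: PATCH usageLocation (if needed), then assignLicense."""
    if not USAGE_LOCATION_RE.fullmatch(desired_usage_location or ""):
        raise ValueError("usageLocation must be a two-letter country code and "
                         "must be set before assignLicense")
    if not sku_id:
        raise ValueError("no SKU with free units; assignLicense would fail")

    base = f"https://graph.microsoft.com/beta/users/{agent_user_id}"
    calls = []
    if current_usage_location != desired_usage_location:
        calls.append({"method": "PATCH", "url": base,
                      "body": {"usageLocation": desired_usage_location}})
    calls.append({"method": "POST", "url": base + "/assignLicense",
                  "body": {"addLicenses": [{"skuId": sku_id, "disabledPlans": []}],
                           "removeLicenses": []}})
    return calls


# Constructed sample: one fully consumed SKU and one with free units.
SUBSCRIBED_SKUS = [
    {"skuPartNumber": "ENTERPRISEPACK", "skuId": "00000000-0000-0000-0000-00000000d001",
     "consumedUnits": 25, "prepaidUnits": {"enabled": 25, "suspended": 0, "warning": 0}},
    {"skuPartNumber": "EXCHANGESTANDARD", "skuId": "00000000-0000-0000-0000-00000000d002",
     "consumedUnits": 3, "prepaidUnits": {"enabled": 10, "suspended": 0, "warning": 0}},
]


if __name__ == "__main__":
    sku_id = pick_sku(SUBSCRIBED_SKUS, "EXCHANGESTANDARD")
    for call in plan_license_assignment("<agent-user-id>", None, "US", sku_id):
        print(call["method"], call["url"], call["body"])
```

Each entry in the returned list maps one-to-one onto an `Invoke-MgGraphRequest` call from the PowerShell block above; the ordering guarantee is the point, since Graph rejects the license call for a user with no usage location.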
---
## Provisioning Times
| Service | Estimated Time |
|---|---|
| Exchange mailbox | 5–30 minutes |
| Teams availability | 15 min – 24 hours |
| Org chart / People search | Up to 24–48 hours |
| SharePoint / OneDrive | 5–30 minutes |
| Global Address List | Up to 24 hours |
---
## Agent User Capabilities
- ✅ Can be added to Microsoft Entra groups (including dynamic groups)
- ✅ Can access user-only APIs (`idtyp=user` tokens)
- ✅ Can own a mailbox, calendar, and contacts
- ✅ Can participate in Teams chats and channels
- ✅ Can appear in org charts and People search
- ✅ Can be added to administrative units
- ✅ Can be assigned licenses
## Agent User Security Constraints
- ❌ Cannot have passwords, passkeys, or interactive sign-in
- ❌ Cannot be assigned privileged admin roles
- ❌ Cannot be added to role-assignable groups
- ❌ Permissions similar to guest users by default
- ❌ Custom role assignment not available
---
## Troubleshooting
| Error | Cause | Fix |
|---|---|---|
| `Agent user IdentityParent does not exist` | `identityParentId` points to a non-existent or non-agent-identity object | Verify the ID is an `agentIdentity` service principal, not a regular app |
| `400 Bad Request` (identityParentId already linked) | The agent identity already has an agent user | Each agent identity supports only one agent user |
| `409 Conflict` on UPN | The `userPrincipalName` is already taken | Use a unique UPN |
| License assignment fails | Usage location not set | Set `usageLocation` before assigning licenses |
---
## References
- [Agent identities](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-identities)
- [Agent users](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-users)
- [Agent service principals](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/agent-service-principals)
- [Create agent identity blueprint](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/create-blueprint)
- [Create agent identities](https://learn.microsoft.com/en-us/entra/agent-id/identity-platform/create-delete-agent-identities)
- [agentUser resource type (Graph API)](https://learn.microsoft.com/en-us/graph/api/resources/agentuser?view=graph-rest-beta)
- [Create agentUser (Graph API)](https://learn.microsoft.com/en-us/graph/api/agentuser-post?view=graph-rest-beta)