Entra-Agent-User
Entra-Agent-User is a data-oriented AI skill. Its core value is to create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments. It can be used to solve the practical problems developers face in the data field, helping users improve efficiency, automate repetitive tasks, or optimize workflows.
Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments.
```shell
mkdir -p ./skills/entra-agent-user && curl -sfL https://raw.githubusercontent.com/github/awesome-copilot/main/skills/entra-agent-user/SKILL.md -o ./skills/entra-agent-user/SKILL.md
```

Run in terminal / PowerShell. Requires curl (Unix) or PowerShell 5+ (Windows).
Skill Content
# SKILL: Creating Agent Users in Microsoft Entra Agent ID
## Overview
An **agent user** is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.
Agent users receive tokens with `idtyp=user`, unlike regular agent identities which receive `idtyp=app`.
---
## Prerequisites
- A **Microsoft Entra tenant** with Agent ID capabilities
- An **agent identity** (service principal of type `ServiceIdentity`) created from an **agent identity blueprint**
- One of the following **permissions**:
  - `AgentIdUser.ReadWrite.IdentityParentedBy` (least privileged)
  - `AgentIdUser.ReadWrite.All`
  - `User.ReadWrite.All`
- The caller must have at minimum the **Agent ID Administrator** role (in delegated scenarios)
> **Important:** The `identityParentId` must reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has `@odata.type: #microsoft.graph.agentIdentity` and `servicePrincipalType: ServiceIdentity`.
---
## Architecture
```text
Agent Identity Blueprint (application template)
│
├── Agent Identity (service principal - ServiceIdentity)
│   │
│   └── Agent User (user - agentUser) ← 1:1 relationship
│
└── Agent Identity Blueprint Principal (service principal in tenant)
```

| Component | Type | Token Claim | Purpose |
|---|---|---|---|
| Agent Identity | Service Principal | `idtyp=app` | Backend/API operations |
| Agent User | User (`agentUser`) | `idtyp=user` | Act as a digital worker in M365 |
---
## Step 1: Verify the Agent Identity Exists
Before creating an agent user, confirm the agent identity is a proper `agentIdentity` type:
```http
GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>
```

Verify the response contains:

```json
{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "<blueprint-id>"
}
```

### PowerShell

```powershell
Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3
```

> **Common mistake:** Using an app registration's `appId` or a regular application service principal's `id` will fail. Only agent identities created from blueprints work.
---
## Step 2: Create the Agent User
### HTTP Request

```http
POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>

{
  "accountEnabled": true,
  "displayName": "My Agent User",
  "mailNickname": "my-agent-user",
  "userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
  "identityParentId": "<agent-identity-object-id>"
}
```

### Required Properties
| Property | Type | Description |
|---|---|---|
| `accountEnabled` | Boolean | `true` to enable the account |
| `displayName` | String | Human-friendly name |
| `mailNickname` | String | Mail alias (no spaces/special chars) |
| `userPrincipalName` | String | UPN — must be unique in the tenant (`alias@verified-domain`) |
| `identityParentId` | String | Object ID of the parent agent identity |
### PowerShell

```powershell
Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
$body = @{
  accountEnabled = $true
  displayName = "My Agent User"
  mailNickname = "my-agent-user"
  userPrincipalName = "my-agent-user@yourtenant.onmicrosoft.com"
  identityParentId = "<agent-identity-object-id>"
} | ConvertTo-Json
# The JSON body built above must actually be sent with the request.
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
  -ContentType "application/json" -Body $body
```
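As an added example (not code from the awesome-copilot SKILL.md), the following PowerShell ties Step 1 and Step 2 together: it refuses to create the agent user unless the parent passes both checks from Step 1 (`@odata.type` and `servicePrincipalType`), rejects a `mailNickname` with spaces or special characters, and sends the request body. It assumes the Microsoft.Graph PowerShell SDK is installed; the helper names `Test-AgentIdentity` and `New-AgentUserFromIdentity`, the allow-list regex for the alias, and the `<tenant>`, `<agent-identity-object-id>` and `yourtenant.onmicrosoft.com` placeholders are assumptions, not values from the skill.

```powershell
# Added example, not from the SKILL.md: validate the parent agent identity (Step 1)
# before creating the agent user (Step 2). Assumes the Microsoft.Graph PowerShell SDK;
# Test-AgentIdentity and New-AgentUserFromIdentity are hypothetical helper names.
Connect-MgGraph -Scopes "Application.Read.All", "User.ReadWrite.All" `
    -TenantId "<tenant>" -UseDeviceCode -NoWelcome

function Test-AgentIdentity {
    param([Parameter(Mandatory)][string]$ObjectId)
    $sp = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ObjectId"
    # Both markers from Step 1 must match; an app registration's appId or a regular
    # application service principal fails this check (the documented common mistake).
    $isAgent = ($sp.'@odata.type' -eq '#microsoft.graph.agentIdentity') -and
               ($sp.servicePrincipalType -eq 'ServiceIdentity')
    if (-not $isAgent) {
        throw ("Object $ObjectId is not an agent identity " +
               "(@odata.type='$($sp.'@odata.type')', servicePrincipalType='$($sp.servicePrincipalType)'). " +
               "Use the object id of an agent identity created from a blueprint.")
    }
    return $sp
}

function New-AgentUserFromIdentity {
    param(
        [Parameter(Mandatory)][string]$ParentObjectId,
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$Domain      # a verified domain of the tenant
    )
    # mailNickname: no spaces or special characters (conservative allow-list, assumed here)
    if ($MailNickname -notmatch '^[A-Za-z0-9._-]+$') {
        throw "mailNickname '$MailNickname' contains spaces or special characters."
    }
    $parent = Test-AgentIdentity -ObjectId $ParentObjectId
    $body = @{
        accountEnabled    = $true
        displayName       = $DisplayName
        mailNickname      = $MailNickname
        userPrincipalName = "$MailNickname@$Domain"
        identityParentId  = $parent.id       # object id of the verified parent (1:1)
    } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
        -ContentType "application/json" -Body $body
}

$agentUser = New-AgentUserFromIdentity -ParentObjectId "<agent-identity-object-id>" `
    -DisplayName "My Agent User" -MailNickname "my-agent-user" -Domain "yourtenant.onmicrosoft.com"
"Created agent user $($agentUser.userPrincipalName) with id $($agentUser.id)"
```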