Microsoft Entra Agent ID 创建代理用户指南 - AI代理身份管理

entra-agent-user by github/awesome-copilot

7,300 周安装量

26,700 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/github/awesome-copilot --skill entra-agent-user

开发云服务安全

🇨🇳中文介绍

SKILL: 在 Microsoft Entra Agent ID 中创建代理用户

概述

代理用户 是 Microsoft Entra ID 中的一种特殊用户身份，它使 AI 代理能够作为数字工作者运行。它允许代理访问那些严格要求用户身份（例如，Exchange 邮箱、Teams、组织架构图）的 API 和服务，同时保持适当的安全边界。

与接收 idtyp=app 令牌的常规代理身份不同，代理用户接收的令牌带有 idtyp=user 声明。

先决条件

一个具备 Agent ID 功能的 Microsoft Entra 租户
从 代理身份蓝图 创建的 代理身份（类型为 ServiceIdentity 的服务主体）
以下权限之一：
- AgentIdUser.ReadWrite.IdentityParentedBy（最低特权）
- AgentIdUser.ReadWrite.All
- User.ReadWrite.All

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

组件	类型	令牌声明	用途
代理身份	服务主体	`idtyp=app`	后端/API 操作
代理用户	用户 (`agentUser`)	`idtyp=user`	在 M365 中作为数字工作者运行

步骤 1：验证代理身份是否存在

在创建代理用户之前，请确认代理身份是适当的 agentIdentity 类型：

GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>

验证响应包含：

{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "<blueprint-id>"
}

Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3

常见错误： 使用应用注册的 appId 或普通应用程序服务主体的 id 将会失败。只有从蓝图创建的代理身份才有效。

步骤 2：创建代理用户

POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>

{
  "accountEnabled": true,
  "displayName": "My Agent User",
  "mailNickname": "my-agent-user",
  "userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
  "identityParentId": "<agent-identity-object-id>"
}

属性	类型	描述
`accountEnabled`	布尔值	`true` 以启用账户
`displayName`	字符串	易于理解的名称
`mailNickname`	字符串	邮件别名（无空格/特殊字符）
`userPrincipalName`	字符串	UPN — 必须在租户内唯一（`alias@verified-domain`）
`identityParentId`	字符串	父代理身份的对象 ID

Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

$body = @{
  accountEnabled    = $true
  displayName       = "My Agent User"
  mailNickname      = "my-agent-user"
  userPrincipalName = "my-agent-user@yourtenant.onmicrosoft.com"
  identityParentId  = "<agent-identity-object-id>"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
  -Body $body -ContentType "application/json" | ConvertTo-Json -Depth 3

无密码 — 代理用户不能有密码。它们通过其父代理身份的凭据进行身份验证。
1:1 关系 — 每个代理身份最多只能有一个代理用户。尝试创建第二个将返回 400 Bad Request。
userPrincipalName 必须是唯一的。不要重复使用现有用户的 UPN。

步骤 3：分配经理（可选）

分配经理允许代理用户出现在组织架构图中（例如，Teams）。

PUT https://graph.microsoft.com/beta/users/{agent-user-id}/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>

{
  "@odata.id": "https://graph.microsoft.com/beta/users/{manager-user-id}"
}

$managerBody = '{"@odata.id":"https://graph.microsoft.com/beta/users/<manager-user-id>"}'
Invoke-MgGraphRequest -Method PUT `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/manager/`$ref" `
  -Body $managerBody -ContentType "application/json"

步骤 4：设置使用位置并分配许可证（可选）

代理用户需要许可证才能拥有邮箱、Teams 状态等。必须先设置使用位置。

PATCH https://graph.microsoft.com/beta/users/{agent-user-id}
Content-Type: application/json
Authorization: Bearer <token>

{
  "usageLocation": "US"
}

列出可用许可证

GET https://graph.microsoft.com/beta/subscribedSkus?$select=skuPartNumber,skuId,consumedUnits,prepaidUnits
Authorization: Bearer <token>

需要 Organization.Read.All 权限。

POST https://graph.microsoft.com/beta/users/{agent-user-id}/assignLicense
Content-Type: application/json
Authorization: Bearer <token>

{
  "addLicenses": [
    { "skuId": "<sku-id>" }
  ],
  "removeLicenses": []
}

PowerShell（一体化操作）

Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -TenantId "<tenant>" -NoWelcome

# Set usage location
Invoke-MgGraphRequest -Method PATCH `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>" `
  -Body '{"usageLocation":"US"}' -ContentType "application/json"

# Assign license
$licenseBody = '{"addLicenses":[{"skuId":"<sku-id>"}],"removeLicenses":[]}'
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/assignLicense" `
  -Body $licenseBody -ContentType "application/json"

提示： 您也可以通过 Entra 管理中心 分配许可证，路径为：身份 → 用户 → 所有用户 → 选择代理用户 → 许可证和应用。

服务	预计时间
Exchange 邮箱	5–30 分钟
Teams 可用性	15 分钟 – 24 小时
组织架构图 / 人员搜索	最长 24–48 小时
SharePoint / OneDrive	5–30 分钟
全局地址列表	最长 24 小时

✅ 可添加到 Microsoft Entra 组（包括动态组）
✅ 访问仅限用户的 API（idtyp=user 令牌）
✅ 拥有邮箱、日历和联系人
✅ 参与 Teams 聊天和频道
✅ 出现在组织架构图和人员搜索中
✅ 可添加到管理单元
✅ 可分配许可证

代理用户安全限制

❌ 不能有密码、通行密钥或交互式登录
❌ 不能被分配特权管理员角色
❌ 不能被添加到可分配角色的组
❌ 默认权限类似于来宾用户
❌ 不可用自定义角色分配

错误	原因	解决方法
`Agent user IdentityParent does not exist`	`identityParentId` 指向不存在的或非代理身份的对象	验证该 ID 是否为 `agentIdentity` 服务主体，而不是普通应用
`400 Bad Request` (identityParentId already linked)	该代理身份已有一个代理用户	每个代理身份仅支持一个代理用户
`409 Conflict` on UPN	`userPrincipalName` 已被占用	使用唯一的 UPN
许可证分配失败	未设置使用位置	在分配许可证之前设置 `usageLocation`

🇺🇸English

SKILL: Creating Agent Users in Microsoft Entra Agent ID

Overview

An agent user is a specialized user identity in Microsoft Entra ID that enables AI agents to act as digital workers. It allows agents to access APIs and services that strictly require user identities (e.g., Exchange mailboxes, Teams, org charts), while maintaining appropriate security boundaries.

Agent users receive tokens with idtyp=user, unlike regular agent identities which receive idtyp=app.

Prerequisites

A Microsoft Entra tenant with Agent ID capabilities
An agent identity (service principal of type ServiceIdentity) created from an agent identity blueprint
One of the following permissions :
- AgentIdUser.ReadWrite.IdentityParentedBy (least privileged)
- AgentIdUser.ReadWrite.All
- User.ReadWrite.All
The caller must have at minimum the Agent ID Administrator role (in delegated scenarios)

Important: The identityParentId must reference a true agent identity (created via an agent identity blueprint), NOT a regular application service principal. You can verify by checking that the service principal has @odata.type: #microsoft.graph.agentIdentity and servicePrincipalType: ServiceIdentity.

Architecture

Agent Identity Blueprint (application template)
    │
    ├── Agent Identity (service principal - ServiceIdentity)
    │       │
    │       └── Agent User (user - agentUser) ← 1:1 relationship
    │
    └── Agent Identity Blueprint Principal (service principal in tenant)

Component	Type	Token Claim	Purpose
Agent Identity	Service Principal	`idtyp=app`	Backend/API operations
Agent User	User (`agentUser`)	`idtyp=user`	Act as a digital worker in M365

Step 1: Verify the Agent Identity Exists

Before creating an agent user, confirm the agent identity is a proper agentIdentity type:

GET https://graph.microsoft.com/beta/servicePrincipals/{agent-identity-id}
Authorization: Bearer <token>

Verify the response contains:

{
  "@odata.type": "#microsoft.graph.agentIdentity",
  "servicePrincipalType": "ServiceIdentity",
  "agentIdentityBlueprintId": "<blueprint-id>"
}

PowerShell

Connect-MgGraph -Scopes "Application.Read.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome
Invoke-MgGraphRequest -Method GET `
  -Uri "https://graph.microsoft.com/beta/servicePrincipals/<agent-identity-id>" | ConvertTo-Json -Depth 3

Common mistake: Using an app registration's appId or a regular application service principal's id will fail. Only agent identities created from blueprints work.

Step 2: Create the Agent User

HTTP Request

POST https://graph.microsoft.com/beta/users/microsoft.graph.agentUser
Content-Type: application/json
Authorization: Bearer <token>

{
  "accountEnabled": true,
  "displayName": "My Agent User",
  "mailNickname": "my-agent-user",
  "userPrincipalName": "my-agent-user@yourtenant.onmicrosoft.com",
  "identityParentId": "<agent-identity-object-id>"
}

Required Properties

Property	Type	Description
`accountEnabled`	Boolean	`true` to enable the account
`displayName`	String	Human-friendly name
`mailNickname`	String	Mail alias (no spaces/special chars)
`userPrincipalName`	String	UPN — must be unique in the tenant (`alias@verified-domain`)

PowerShell

Connect-MgGraph -Scopes "User.ReadWrite.All" -TenantId "<tenant>" -UseDeviceCode -NoWelcome

$body = @{
  accountEnabled    = $true
  displayName       = "My Agent User"
  mailNickname      = "my-agent-user"
  userPrincipalName = "my-agent-user@yourtenant.onmicrosoft.com"
  identityParentId  = "<agent-identity-object-id>"
} | ConvertTo-Json

Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/microsoft.graph.agentUser" `
  -Body $body -ContentType "application/json" | ConvertTo-Json -Depth 3

Key Notes

No password — agent users cannot have passwords. They authenticate via their parent agent identity's credentials.
1:1 relationship — each agent identity can have at most one agent user. Attempting to create a second returns 400 Bad Request.
The userPrincipalName must be unique. Don't reuse an existing user's UPN.

Step 3: Assign a Manager (Optional)

Assigning a manager allows the agent user to appear in org charts (e.g., Teams).

PUT https://graph.microsoft.com/beta/users/{agent-user-id}/manager/$ref
Content-Type: application/json
Authorization: Bearer <token>

{
  "@odata.id": "https://graph.microsoft.com/beta/users/{manager-user-id}"
}

PowerShell

$managerBody = '{"@odata.id":"https://graph.microsoft.com/beta/users/<manager-user-id>"}'
Invoke-MgGraphRequest -Method PUT `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/manager/`$ref" `
  -Body $managerBody -ContentType "application/json"

Step 4: Set Usage Location and Assign Licenses (Optional)

A license is needed for the agent user to have a mailbox, Teams presence, etc. Usage location must be set first.

Set Usage Location

PATCH https://graph.microsoft.com/beta/users/{agent-user-id}
Content-Type: application/json
Authorization: Bearer <token>

{
  "usageLocation": "US"
}

List Available Licenses

GET https://graph.microsoft.com/beta/subscribedSkus?$select=skuPartNumber,skuId,consumedUnits,prepaidUnits
Authorization: Bearer <token>

Requires Organization.Read.All permission.

Assign a License

POST https://graph.microsoft.com/beta/users/{agent-user-id}/assignLicense
Content-Type: application/json
Authorization: Bearer <token>

{
  "addLicenses": [
    { "skuId": "<sku-id>" }
  ],
  "removeLicenses": []
}

PowerShell (all in one)

Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All" -TenantId "<tenant>" -NoWelcome

# Set usage location
Invoke-MgGraphRequest -Method PATCH `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>" `
  -Body '{"usageLocation":"US"}' -ContentType "application/json"

# Assign license
$licenseBody = '{"addLicenses":[{"skuId":"<sku-id>"}],"removeLicenses":[]}'
Invoke-MgGraphRequest -Method POST `
  -Uri "https://graph.microsoft.com/beta/users/<agent-user-id>/assignLicense" `
  -Body $licenseBody -ContentType "application/json"

Tip: You can also assign licenses via the Entra admin center under Identity → Users → All users → select the agent user → Licenses and apps.

Provisioning Times

Service	Estimated Time
Exchange mailbox	5–30 minutes
Teams availability	15 min – 24 hours
Org chart / People search	Up to 24–48 hours
SharePoint / OneDrive	5–30 minutes
Global Address List	Up to 24 hours

Agent User Capabilities

✅ Added to Microsoft Entra groups (including dynamic groups)
✅ Access user-only APIs (idtyp=user tokens)
✅ Own a mailbox, calendar, and contacts
✅ Participate in Teams chats and channels
✅ Appear in org charts and People search
✅ Added to administrative units
✅ Assigned licenses

Agent User Security Constraints

❌ Cannot have passwords, passkeys, or interactive sign-in
❌ Cannot be assigned privileged admin roles
❌ Cannot be added to role-assignable groups
❌ Permissions similar to guest users by default
❌ Custom role assignment not available

Troubleshooting

Error	Cause	Fix
`Agent user IdentityParent does not exist`	`identityParentId` points to a non-existent or non-agent-identity object	Verify the ID is an `agentIdentity` service principal, not a regular app
`400 Bad Request` (identityParentId already linked)	The agent identity already has an agent user	Each agent identity supports only one agent user
`409 Conflict` on UPN	The `userPrincipalName` is already taken	Use a unique UPN

References

Weekly Installs

7.3K

Repository

github/awesome-copilot

GitHub Stars

26.7K

First Seen

Feb 24, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

codex7.2K

gemini-cli7.2K

opencode7.2K

cursor7.2K

github-copilot7.2K

amp7.1K

Microsoft Entra Agent ID 创建代理用户指南 - AI代理身份管理

🇨🇳中文介绍

SKILL: 在 Microsoft Entra Agent ID 中创建代理用户

概述

先决条件

相关 Skills

架构

步骤 1：验证代理身份是否存在

PowerShell

步骤 2：创建代理用户

HTTP 请求

必需属性

PowerShell

关键注意事项

步骤 3：分配经理（可选）

PowerShell

步骤 4：设置使用位置并分配许可证（可选）

设置使用位置

列出可用许可证

分配许可证

PowerShell（一体化操作）

预配时间

代理用户能力

代理用户安全限制

故障排除

参考

🇺🇸English

SKILL: Creating Agent Users in Microsoft Entra Agent ID

Overview

Prerequisites

Architecture

Step 1: Verify the Agent Identity Exists

PowerShell

Step 2: Create the Agent User

HTTP Request

Required Properties

PowerShell

Key Notes

Step 3: Assign a Manager (Optional)

PowerShell

Step 4: Set Usage Location and Assign Licenses (Optional)

Set Usage Location

List Available Licenses

Assign a License

PowerShell (all in one)

Provisioning Times

Agent User Capabilities

Agent User Security Constraints

Troubleshooting

References