Namespace: microsoft.graph
Update the properties of an agentIdentityBlueprintPrincipal object.
Important
- Agent identity blueprint principals inherit specific properties from their associated agent identity blueprint registrations. These properties are synchronized from the agent identity blueprint registration, but the synchronization isn't immediate or continuous. Sometimes, updating an agent identity blueprint principal may prompt the directory to refresh properties from the agent identity blueprint registration, causing updates that weren't part of the original request.
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type | Least privileged permission | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | AgentIdentityBlueprintPrincipal.EnableDisable.All | AgentIdentityBlueprintPrincipal.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | AgentIdentityBlueprintPrincipal.EnableDisable.All | AgentIdentityBlueprintPrincipal.ReadWrite.All |
Important
For delegated access using work or school accounts, the admin must be assigned a supported Microsoft Entra role. This operation supports the following built-in roles, which provide only the least privilege necessary:
- Agent ID Administrator.
- Agent ID Developer - Create agent identity blueprints and blueprint principals. The principal with this role is assigned ownership of the blueprint or blueprint principal they create and can perform write operations on the resources they own.
Known issue: If the client is granted either the Directory.AccessAsUser.All or Directory.ReadWrite.All permission, the client's permissions to create, update, and delete Agent IDs are ignored, which can cause requests to fail with a 403 Forbidden error. To resolve this issue, remove these permissions from the client, request new access tokens, and retry the request.
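A preflight check for the known issue above, added here as an example and not part of the Microsoft Graph documentation or SDK: it decodes an access token's payload and reports the conflicting Directory.* permissions before the PATCH is sent. It assumes the token is a JWT carrying delegated permissions in the `scp` claim and application permissions in `roles`; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Permission names below are taken from this page.
CONFLICTING = {"Directory.AccessAsUser.All", "Directory.ReadWrite.All"}
SUFFICIENT = {
    "AgentIdentityBlueprintPrincipal.EnableDisable.All",
    "AgentIdentityBlueprintPrincipal.ReadWrite.All",
}


def token_permissions(access_token):
    """Return the set of permissions in a JWT access token, without verifying it.

    Diagnostic use only: the signature is not checked. Assumption: delegated
    permissions are in the space-separated "scp" claim, application
    permissions in the "roles" array.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))


def preflight(access_token):
    """Return reasons the PATCH is likely to fail with 403; empty list if none."""
    granted = token_permissions(access_token)
    problems = [f"conflicting permission present: {p}" for p in sorted(granted & CONFLICTING)]
    if not granted & SUFFICIENT:
        problems.append("no AgentIdentityBlueprintPrincipal.* permission in token")
    return problems


def constructed_token(claims):
    """Build an unsigned sample token for the demo (constructed, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    bad = constructed_token(
        {"scp": "Directory.AccessAsUser.All AgentIdentityBlueprintPrincipal.ReadWrite.All"}
    )
    print(preflight(bad))
```

A non-empty result for a token that already holds an AgentIdentityBlueprintPrincipal permission points to the known issue rather than to a missing grant.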
Permissions for specific scenarios
- To update the customSecurityAttributes property:
  - In delegated scenarios, the admin must be assigned the Attribute Assignment Administrator role and the app granted the CustomSecAttributeAssignment.ReadWrite.All delegated permission.
  - In app-only scenarios using Microsoft Graph permissions, the app must be granted the CustomSecAttributeAssignment.ReadWrite.All application permission.
HTTP request
PATCH /servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply the values for the relevant fields that should be updated. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values. For best performance, you shouldn't include existing values that haven't changed.
Provide the updated property values for the agent identity blueprint principal.
Response
If successful, this method returns a 204 No Content response code.
For information about errors returned by agent identity APIs, see Agent identity error codes.
Example
Request
The following example shows a request to update an agent identity blueprint principal.
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/{id}/microsoft.graph.agentIdentityBlueprintPrincipal
Content-type: application/json

{
  "appRoleAssignmentRequired": true
}
Response
The following example shows the response.
HTTP/1.1 204 No Content