When an AI agent acts on behalf of a user, it always needs two authorizations:
- Agent authorization. The agent itself needs an identity in Microsoft Entra ID and credentials to authenticate. To configure this authorization for an agent that lives outside Microsoft Entra ID, see Configure third-party agents.
- User authorization. The user must consent to the agent acting on their behalf, and the agent must obtain a user token it can use to call downstream APIs.
This article describes the second authorization: how to authorize users that sign in through a third-party identity provider (IdP) so that an agent built on Microsoft Entra Agent ID can act on their behalf.
Integrate with Agent 365 Observability by using user ID and email
You don't need full federation to integrate a third-party agent with Agent 365 Observability. An agent can integrate with Agent 365 Observability by passing the signed-in user's user ID and email address. This lightweight integration is an option for agents whose users authenticate with a third-party IdP but don't need access to resources that require tokens from Microsoft Entra ID.
For the integration steps and request shapes, see Agent 365 observability.
Resolve a user ID with Microsoft Graph
If your agent only knows the user's email address or user principal name (UPN), use Microsoft Graph to look up the user's object ID. The following examples assume the agent calls Microsoft Graph with an app-only token that has the User.Read.All application permission.
Get a user's object ID from an email address by filtering on the mail property:
GET https://graph.microsoft.com/v1.0/users?$filter=mail eq 'user@contoso.com'&$select=id,mail,userPrincipalName
Authorization: Bearer {app-only-token}
The mail property doesn't always match the address users sign in with. If the lookup returns no results, fall back to the otherMails collection:
GET https://graph.microsoft.com/v1.0/users?$filter=otherMails/any(o:o eq 'user@contoso.com')&$select=id,mail,userPrincipalName
Authorization: Bearer {app-only-token}
Get a user's object ID from a UPN by addressing the user resource directly:
GET https://graph.microsoft.com/v1.0/users/user@contoso.onmicrosoft.com?$select=id,mail,userPrincipalName
Authorization: Bearer {app-only-token}
A successful response returns the user's object ID in the id property. Pass that value as the user ID when you call Agent 365 Observability.
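The three lookups above combined into one resolver, as an added example that is not code from the article or from Microsoft. It builds the same Graph URLs shown above, tries the mail property first and falls back to otherMails, and handles two details the request shapes leave to the caller: the address is escaped as an OData string literal (a single quote is doubled) so caller-supplied input cannot rewrite the filter, and an otherMails match that returns more than one user is rejected rather than guessed. The HTTP transport is an injected callable, and the directory, object IDs and Request_ResourceNotFound response in fake_graph_get are constructed for the offline run; in production, pass a function that issues the GET with an app-only token holding User.Read.All.

```python
"""Resolve a Microsoft Entra user's object ID with Microsoft Graph.

Added example; not code from the article or from Microsoft. Lookup order:
filter on mail, fall back to otherMails, or address /users/{upn} directly.
The transport is a callable argument so the logic runs offline.
"""
import re
from typing import Callable, Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "$select=id,mail,userPrincipalName"
Transport = Callable[[str], dict]  # full URL in, decoded JSON body out


def odata_literal(value: str) -> str:
    """Quote a string for an OData $filter. Single quotes are doubled so a
    caller-supplied address cannot close the literal and rewrite the filter."""
    return "'" + value.replace("'", "''") + "'"


def _single_id(body: dict, label: str) -> Optional[str]:
    """Exactly one hit -> its id; no hit -> None; several hits -> error,
    because otherMails is not unique and picking the first would be a guess."""
    hits = body.get("value", [])
    if not hits:
        return None
    if len(hits) > 1:
        raise LookupError(f"{label} matched {len(hits)} users; refusing to guess")
    return hits[0]["id"]


def resolve_by_email(email: str, get: Transport) -> Optional[str]:
    """Try the mail property first, then the otherMails collection."""
    mail_filter = quote("mail eq " + odata_literal(email))
    found = _single_id(get(f"{GRAPH}/users?$filter={mail_filter}&{SELECT}"), "mail")
    if found is not None:
        return found
    other_filter = quote(f"otherMails/any(o:o eq {odata_literal(email)})")
    return _single_id(get(f"{GRAPH}/users?$filter={other_filter}&{SELECT}"), "otherMails")


def resolve_by_upn(upn: str, get: Transport) -> Optional[str]:
    """Address the user resource directly. A missing UPN comes back as an
    error object with code Request_ResourceNotFound, which maps to None."""
    body = get(f"{GRAPH}/users/{quote(upn, safe='')}?{SELECT}")
    if "error" in body:
        if body["error"].get("code") == "Request_ResourceNotFound":
            return None
        raise RuntimeError(body["error"])
    return body["id"]


# Constructed directory for the offline run; IDs and names are made up.
SAMPLE_USERS = [
    {"id": "11111111-1111-4111-8111-111111111111", "mail": "alice@contoso.com",
     "userPrincipalName": "alice@contoso.onmicrosoft.com", "otherMails": []},
    {"id": "22222222-2222-4222-8222-222222222222", "mail": None,
     "userPrincipalName": "bob@contoso.onmicrosoft.com", "otherMails": ["bob@contoso.com"]},
    {"id": "33333333-3333-4333-8333-333333333333", "mail": None,
     "userPrincipalName": "carol@contoso.onmicrosoft.com", "otherMails": ["shared@contoso.com"]},
    {"id": "44444444-4444-4444-8444-444444444444", "mail": None,
     "userPrincipalName": "dave@contoso.onmicrosoft.com", "otherMails": ["shared@contoso.com"]},
]


def _projection(user: dict) -> dict:
    return {k: user[k] for k in ("id", "mail", "userPrincipalName")}


def fake_graph_get(url: str) -> dict:
    """Offline stand-in for Graph that answers only the three request shapes
    shown above; it is a test double, not Graph's real matching semantics."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if path.startswith("/v1.0/users/"):
        upn = path[len("/v1.0/users/"):].lower()
        for u in SAMPLE_USERS:
            if u["userPrincipalName"].lower() == upn:
                return _projection(u)
        return {"error": {"code": "Request_ResourceNotFound", "message": "constructed"}}
    flt = parse_qs(parts.query).get("$filter", [""])[0]
    if m := re.fullmatch(r"mail eq '(.*)'", flt):
        wanted = m.group(1).replace("''", "'").lower()
        hits = [u for u in SAMPLE_USERS if (u["mail"] or "").lower() == wanted]
    elif m := re.fullmatch(r"otherMails/any\(o:o eq '(.*)'\)", flt):
        wanted = m.group(1).replace("''", "'").lower()
        hits = [u for u in SAMPLE_USERS if wanted in [o.lower() for o in u["otherMails"]]]
    else:
        return {"error": {"code": "BadRequest", "message": "unsupported filter"}}
    return {"value": [_projection(u) for u in hits]}


if __name__ == "__main__":
    for address in ("alice@contoso.com", "bob@contoso.com", "nobody@contoso.com"):
        print(address, "->", resolve_by_email(address, fake_graph_get))
    print("upn ->", resolve_by_upn("bob@contoso.onmicrosoft.com", fake_graph_get))
```

The resolver returns None for an unknown address instead of silently passing an empty ID to Observability, and it raises on an ambiguous otherMails match, since attributing activity to the wrong user is worse than failing the lookup.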
Federate Microsoft Entra ID with the third-party IdP
Many customers with a third-party IdP also have their users use Microsoft 365. To enable this, they configure Microsoft Entra ID to federate with the IdP of their choice. With this configuration, users access Microsoft 365 as normal, but they authenticate with the third-party IdP rather than with Microsoft Entra ID.
Authenticate your agent with Microsoft Entra ID
Any agent can use the same approach Microsoft 365 uses: the agent authenticates the user with Microsoft Entra ID, and Microsoft Entra ID redirects the user to the IdP of choice when federation is configured. Once Microsoft Entra ID has authenticated the user through that IdP, the agent can access resources, like Work IQ, that require tokens from Microsoft Entra ID. No federation configuration is required in the agent.
Once the agent obtains a user token through this flow, it can use that token to call any Agent 365 capability that requires a user token, not just Observability. The same token works for Work IQ tool access, On-Behalf-Of (OBO) calls to Microsoft Graph and other downstream APIs, and any other Agent 365 feature that acts in the user's context.
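The flow described above, as an added example that is not code from the article or from Microsoft: the agent sends the user to the Microsoft Entra ID authorize endpoint (which performs the redirect to the federated IdP itself), validates the callback, exchanges the code for the user token, and then uses that token as the assertion in an On-Behalf-Of request for a downstream API. The endpoints are the v2.0 endpoints of the Microsoft identity platform; the tenant, client ID, client secret, redirect URI, scopes and callback URL are placeholders, and the functions build and check the protocol messages rather than send them, which needs a real tenant.

```python
"""Authorization code flow against Microsoft Entra ID, then the
On-Behalf-Of (OBO) exchange for a downstream API.

Added example; not code from the article or from Microsoft. With federation
configured, the authorize endpoint redirects the user to the third-party
IdP, so nothing here is federation-specific. Tenant, client ID, secret,
redirect URI and scopes are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN = "https://login.microsoftonline.com"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_verifier() -> str:
    return _b64url(secrets.token_bytes(32))  # 43 unreserved characters


def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, verifier,
                        login_hint=None):
    """Step 1: send the browser to Entra ID. When the tenant is federated,
    Entra ID redirects on to the third-party IdP; login_hint (a UPN) lets it
    skip home-realm discovery. Always carry state and a PKCE challenge."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{LOGIN}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: read the code from the redirect back to the agent. Reject a
    callback whose state is not the one this session issued."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def code_exchange_form(tenant, client_id, client_secret, code, redirect_uri,
                       verifier, scopes):
    """Step 3: token endpoint and POST body that turn the code into the user
    token. The verifier proves the same client started the flow. A certificate
    assertion (client_assertion) can replace client_secret."""
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }


def obo_form(tenant, client_id, client_secret, user_assertion, downstream_scopes):
    """Step 4: token endpoint and POST body for the On-Behalf-Of grant. The user
    token from step 3 becomes the assertion; the reply is a token for the
    downstream API (for example Microsoft Graph) still bound to that user."""
    return f"{LOGIN}/{tenant}/oauth2/v2.0/token", {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": " ".join(downstream_scopes),
        "requested_token_use": "on_behalf_of",
    }


if __name__ == "__main__":
    verifier, state = new_pkce_verifier(), secrets.token_urlsafe(16)
    print(build_authorize_url("contoso.onmicrosoft.com", "<client-id>",
                              "https://agent.example/callback",
                              ["openid", "profile", "User.Read"], state, verifier,
                              login_hint="alice@contoso.com"))
```

The state value must be generated per session and stored server-side so parse_callback can compare it; the PKCE verifier is likewise kept until the code exchange. Both checks apply whether the user was authenticated by Microsoft Entra ID directly or by the federated IdP, because the agent only ever talks to the Entra ID endpoints.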
Microsoft Entra ID supports the standard authentication and authorization protocols that most agents already use:
Any agent that authenticates users with one of these protocols today can be migrated to Microsoft Entra ID by repointing its authentication endpoints and testing for compatibility. For an overview of the app types and flows that Microsoft Entra ID supports, see Application types in the Microsoft identity platform.