App registration, agent identities, and authentication for Copilot Studio

This article explains app registration, agent identities, and authentication for Copilot Studio agents.

Understanding agent identities

How does Copilot Studio identify agents for authentication?

Copilot Studio assigns a unique identifier to each agent so it can communicate with channels (Teams, Omnichannel, etc.) and services. Copilot Studio automatically creates and manages these identities.

There are two types of agent identities:

  • Entra Agent IDs: Microsoft Entra service principals with an "Agent" subtype. When you enable Entra Agent Identity for an environment, new agents automatically receive Entra Agent IDs.

  • App registrations (legacy): Existing agents that you created before enabling Entra Agent Identity continue using traditional app registrations.

Important: Agent IDs are service principals with an "Agent" subtype. The underlying OAuth-based authentication flow remains the same. Agent IDs provide enhanced governance visibility and management capabilities compared to traditional app registrations.

Why does my agent have an identity in Microsoft Entra ID?

Agent identities enable your agent to securely authenticate when communicating with channels (Teams, Omnichannel, and more) and services. Copilot Studio automatically creates and manages these identities following Zero Trust security principles.

What's the difference between Copilot Studio agents and Agent Builder agents?

  • Copilot Studio agents: Receive Entra Agent IDs (or app registrations for legacy agents) for authentication with channels and services. You can enable Entra Agent Identity at the environment level in Power Platform admin center.

  • Agent Builder agents: Currently don't use or require app registration IDs or Agent IDs. For more information, see Agent Builder in Microsoft 365 Copilot.

Working with agent identities

Do I need to manually create or configure an agent identity?

No. Copilot Studio automatically manages agent identities:

  • New agents (when Entra Agent Identity is enabled): Automatically get Entra Agent IDs
  • Existing agents: Continue using app registrations

All credentials are managed automatically under Microsoft's security and compliance standards. You have full visibility and control in the Microsoft Entra admin center, where you can monitor authentication activity and manage the agent identity lifecycle.

How do I find which app registration or Agent ID belongs to my agent?

  1. In Copilot Studio, go to Settings > Advanced > Metadata.
  2. View the Entra Agent ID (GUID) for agents with Entra identities.
  3. For legacy agents with app registrations, the Application ID is displayed in the same section.
  4. Use this GUID to locate the identity in Microsoft Entra admin center.

Can I bring my own Agent ID or app registration?

No. To ensure security, compliance, and integration with channels and services, Copilot Studio requires automatic management.

Why does Copilot Studio add the agent owner to the agent identity?

Copilot Studio adds the agent owner to provide:

  • Governance traceability for each agent
  • Accountability for agent lifecycle
  • Alignment with organizational ownership policies

For Entra Agent IDs: The agent owner is added as a sponsor with limited permissions compared to full owners, which reduces security concerns around permission modifications. Some preexisting agents might not have sponsors yet.

For legacy app registrations: The agent owner is added as an owner of the app registration. To opt out of adding the agent owner, contact support.

Security and permissions

Who can generate tokens by using the agent identity?

For Entra Agent IDs

A Microsoft-owned blueprint principal creates and manages agent identities by using Federated Identity Credentials. No one in your tenant - including tenant administrators - can generate tokens by using the agent identity. Microsoft fully controls the blueprint and authentication mechanism.

For legacy app registrations

Users with the Global Administrator, Application Administrator, or Cloud Application Administrator role can create client secrets or certificates for any app registration in the tenant without being an owner. Users without these roles must be granted ownership of the specific app registration before they can create the credentials needed for token generation. Copilot Studio doesn't add any API scopes or permissions to these app registrations, so tokens generated from these identities have no access to customer data or resources.

Important

App registrations created for Copilot Studio agents are reserved for agent use only. Don't modify or delete the credentials of these app registrations. Don't use them for any other purpose.
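The following PowerShell script is an added example and is not part of the Copilot Studio documentation. Given the Application ID that Settings > Advanced > Metadata shows for a legacy agent, it reads the app registration through the Microsoft Graph PowerShell SDK and reports its owners, credentials, and API permissions, so an administrator can confirm that nothing beyond what Copilot Studio set up (one added owner, no API permissions) has been added by hand. The Microsoft.Graph module, the $AgentAppId parameter, and the read-only Graph scopes are assumptions; the script changes nothing in the tenant.

```powershell
# Added example (not Copilot Studio's own code): read-only audit of a legacy
# Copilot Studio app registration with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and that $AgentAppId is the
# Application ID copied from Settings > Advanced > Metadata in Copilot Studio.
param(
    [Parameter(Mandatory = $true)]
    [string]$AgentAppId   # placeholder GUID, e.g. '00000000-0000-0000-0000-000000000000'
)

# Read-only scopes: enough to inspect the app registration, its service
# principal, and its owners. Nothing below writes to the directory.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$app = Get-MgApplication -Filter "appId eq '$AgentAppId'" `
    -Property "id,appId,displayName,passwordCredentials,keyCredentials,requiredResourceAccess"
if (-not $app) { throw "No app registration found with appId $AgentAppId" }

$sp = Get-MgServicePrincipal -Filter "appId eq '$AgentAppId'"

Write-Host "App registration : $($app.DisplayName) ($($app.AppId))"
Write-Host "Service principal: $($sp.Id)"

# Owners: Copilot Studio adds the agent owner. Any additional owner can mint
# credentials for this identity, so each extra entry deserves a look.
$owners = Get-MgApplicationOwner -ApplicationId $app.Id -All
Write-Host "Owners ($($owners.Count)):"
foreach ($o in $owners) {
    Write-Host "  $($o.Id) $($o.AdditionalProperties['userPrincipalName'])"
}

# Credentials: these are managed by Copilot Studio. Listing every secret and
# certificate with its validity window lets an admin spot hand-added ones.
$findings = @()
foreach ($c in $app.PasswordCredentials) {
    $findings += [pscustomobject]@{ Type = 'ClientSecret'; Name = $c.DisplayName; Start = $c.StartDateTime; End = $c.EndDateTime }
}
foreach ($c in $app.KeyCredentials) {
    $findings += [pscustomobject]@{ Type = 'Certificate'; Name = $c.DisplayName; Start = $c.StartDateTime; End = $c.EndDateTime }
}
Write-Host "Credentials ($($findings.Count)):"
$findings | Format-Table -AutoSize

# API permissions: Copilot Studio adds none, so any entry here means someone
# granted scopes the agent identity is not supposed to carry.
if ($app.RequiredResourceAccess.Count -gt 0) {
    Write-Warning "Unexpected API permissions configured on $($app.DisplayName):"
    foreach ($r in $app.RequiredResourceAccess) {
        Write-Warning "  resourceAppId=$($r.ResourceAppId) access=$($r.ResourceAccess.Id -join ',')"
    }
} else {
    Write-Host "No API permissions configured (expected for a Copilot Studio agent identity)."
}
```

Run it as `.\Audit-AgentAppRegistration.ps1 -AgentAppId <Application ID from Copilot Studio>`. The script is deliberately read-only: the article asks that the credentials of these app registrations not be modified or deleted, so the appropriate follow-up for an unexpected owner, secret, or permission is an investigation through the Microsoft Entra admin center, not a change made from the script.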

Entra Agent Identity

Can I opt out of Entra Agent Identity?

Yes, you can currently opt out at the environment level in Power Platform admin center. See Automatically create Entra agent identities for instructions.

Important

The ability to opt out of Entra Agent Identity is temporary. Entra Agent Identity will become mandatory for all new agents in the future.

What happens to existing agents when I enable Entra Agent Identity?

Existing agents created before Entra Agent Identity was enabled continue using app registrations. They'll be migrated to Agent IDs in the future.

Migration characteristics:

  • GUID preservation: Agent identifiers remain identical (no breaking changes)
  • Zero downtime: Agents continue functioning during migration
  • Automatic: No manual action required
  • Channel compatibility maintained: Teams, Omnichannel, and skills continue working

Does enabling Agent ID change how my agent authenticates?

No. Agent IDs are service principals with an "Agent" subtype that use the same OAuth-based authentication flows as traditional app registrations. The enhancement is governance visibility - Agent IDs appear in the Microsoft Entra admin center with more lifecycle management and monitoring capabilities.

What are Blueprint Principals?

When the first agent identity is created in an environment, Copilot Studio adds a Microsoft Copilot Studio agent identity blueprint to your tenant. This blueprint principal has privileges to create agent identities and agent users in the tenant.

For detailed information including Blueprint IDs (production and test), see Understanding Blueprint Principals. For more technical details, see How are agent identities created?.

Agent Lifecycle

What happens to the agent identity when you delete an agent?

When you delete an agent from Copilot Studio, the process removes the associated Agent ID (or app registration) from Microsoft Entra ID.

For more information, see Delete agents.