Invoke-EntraAgentIdInteractive
Interactive cmdlet to create and configure an Agent ID.
Syntax
Default (Default)
Invoke-EntraAgentIdInteractive
Description
The Invoke-EntraAgentIdInteractive cmdlet demonstrates the full workflow of creating and configuring an Agent Identity Blueprint, including creating Agent Identities and Agent Users as needed.
This interactive cmdlet guides you through the complete Agent Identity setup process with prompts at key decision points:
- Blueprint creation — Create an Agent Identity Blueprint with optional sponsors
- Security configuration — Add a client secret for API authentication
- Interactive agent support — Configure scopes for agents acting on behalf of users
- Agent user creation — Configure the blueprint to allow creating Agent ID users without a user
- Inheritable permissions — Set up permissions that agent identities inherit from the blueprint
- Permission model — Choose between static (recommended for Agent 365) or dynamic permissions
- Admin consent — Obtain tenant admin consent for the blueprint's permissions
- Agent Identity and User creation — Create one or more Agent Identities and Agent Users
The cmdlet maintains state between operations, automatically passing Blueprint IDs and other required values to subsequent operations. You can create multiple Agent Identities and Users in a single session.
Examples
Example 1: Start the interactive Agent Identity configuration workflow
Connect-Entra -Scopes 'AgentIdentity.Create.All', 'AgentIdentityBlueprint.UpdateAuthProperties.All', 'AgentIdUser.ReadWrite.All', 'User.ReadBasic.All', 'AgentIdentityBlueprint.AddRemoveCreds.All', 'AgentIdentityBlueprint.ReadWrite.All' -TenantId <tenant ID>
Invoke-EntraAgentIdInteractive
This example starts the interactive Agent Identity configuration workflow. The cmdlet will prompt you for all required inputs and guide you through the complete setup process.
Inputs
None
Outputs
None
Notes
This cmdlet requires the following Microsoft Graph permissions:
- AgentIdentity.Create.All
- AgentIdentityBlueprint.UpdateAuthProperties.All
- AgentIdUser.ReadWrite.All
- User.ReadBasic.All
- AgentIdentityBlueprint.AddRemoveCreds.All
- AgentIdentityBlueprint.ReadWrite.All
The cmdlet requires an active Microsoft Graph connection with the above permissions before running. Use Connect-Entra -Scopes to connect first. The cmdlet checks for an active connection at startup and throws an error if not connected.
The cmdlet stores state in module-scoped variables (such as $script:CurrentAgentBlueprintId) that are passed automatically to subsequent operations within the session.
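The following pre-flight check is an added example, not part of the Microsoft.Entra module or this page's own code: it compares a session's granted scopes with the six permissions listed above, so gaps surface before the interactive workflow starts and surplus scopes are visible for least-privilege review. Test-AgentIdScopeSet is a hypothetical helper name, the sample scope list is constructed, and the live check assumes Get-EntraContext returns an object with a Scopes property.

```powershell
# Added example: pre-flight scope check for Invoke-EntraAgentIdInteractive.
# The six permissions listed in the Notes section of this page.
$RequiredScopes = @(
    'AgentIdentity.Create.All'
    'AgentIdentityBlueprint.UpdateAuthProperties.All'
    'AgentIdUser.ReadWrite.All'
    'User.ReadBasic.All'
    'AgentIdentityBlueprint.AddRemoveCreds.All'
    'AgentIdentityBlueprint.ReadWrite.All'
)

# Hypothetical helper (not a Microsoft.Entra cmdlet).
function Test-AgentIdScopeSet {
    param(
        [AllowEmptyCollection()][string[]]$GrantedScopes = @(),
        [string[]]$Required = $RequiredScopes
    )
    # Assumption: sign-in scopes may appear in the session and are not reported as surplus.
    $signInScopes = @('openid', 'profile', 'email', 'offline_access')

    # -in / -notin compare strings case-insensitively by default.
    $missing = @($Required | Where-Object { $_ -notin $GrantedScopes })
    $extra   = @($GrantedScopes | Where-Object {
            $_ -notin $Required -and $_ -notin $signInScopes })

    [pscustomobject]@{
        Ready   = ($missing.Count -eq 0)   # all six required scopes are present
        Missing = $missing                 # consent gaps that would block the workflow
        Extra   = $extra                   # scopes beyond what this cmdlet needs
    }
}

# Constructed sample: two required scopes, one unrelated scope, one sign-in scope.
$sample = @('User.ReadBasic.All', 'agentidentity.create.all',
            'Directory.ReadWrite.All', 'openid')
Test-AgentIdScopeSet -GrantedScopes $sample | Format-List

# Live session check; skipped when the Microsoft.Entra module is not loaded.
if (Get-Command Get-EntraContext -ErrorAction SilentlyContinue) {
    $ctx = Get-EntraContext
    if ($ctx) {
        Test-AgentIdScopeSet -GrantedScopes $ctx.Scopes | Format-List
    } else {
        Write-Warning 'No active connection. Run Connect-Entra -Scopes first.'
    }
}
```

For the constructed sample, Ready is False, Missing lists the four absent permissions, and Extra contains Directory.ReadWrite.All.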
Related Links
- New-EntraAgentIdentityBlueprint
- Add-EntraClientSecretToAgentIdentityBlueprint
- Add-EntraScopeToAgentIdentityBlueprint
- Add-EntraInheritablePermissionsToAgentIdentityBlueprint
- Add-EntraRequiredResourceAccessToAgentIdentityBlueprint
- New-EntraAgentIdentityBlueprintPrincipal
- Add-EntraPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal
- Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal
- New-EntraAgentIDForAgentIdentityBlueprint
- New-EntraAgentUserForAgentId