Agent Identity Blueprint - Complete Permissions Reference
This document lists all permissions and settings required for an Agent Identity Blueprint.
1. App Role Assignment
Assigned to the blueprint's service principal on Microsoft Graph:
| Role | App Role ID |
|---|---|
| AgentIdUser.ReadWrite.IdentityParentedBy | 4aa6e624-eee0-40ab-bdd8-f9639038a614 |
2. Delegated Permissions (OAuth2PermissionGrants)
These are admin-consented delegated permissions granted to the blueprint.
Microsoft Graph API
App ID: 00000003-0000-0000-c000-000000000000
| Scope | Purpose |
|---|---|
| Chat.Read | Read user chat messages |
| Chat.ReadWrite | Read and send chat messages |
| Mail.ReadWrite | Read and write user mail |
| Mail.Send | Send mail on behalf of user |
| Files.Read.All | Read all files user can access |
| Sites.Read.All | Read SharePoint sites |
| User.Read.All | Read all user profiles |
| User.ReadBasic.All | Read basic user profiles |
| Presence.ReadWrite | Read and write user presence |
| AgentInstance.Read.All | Read agent instances |
Messaging Bot API
App ID: 5a807f24-c9de-44ee-a3a7-329e88a00ffc
| Scope | Purpose |
|---|---|
| user_impersonation | Act on behalf of user |
| Authorization.ReadWrite | Read/write authorization |
Power Platform API
App ID: Varies by tenant (search by `displayName eq 'Power Platform API'`)
| Scope | Purpose |
|---|---|
| Connectivity.Connections.Read | Read Power Platform connections |
3. Inheritable Permissions
Inheritable permissions allow child agent identities to inherit scopes from the blueprint. Each API must be configured separately.
Configured APIs
| Resource API | App ID |
|---|---|
| Microsoft Graph | 00000003-0000-0000-c000-000000000000 |
| Messaging Bot API | 5a807f24-c9de-44ee-a3a7-329e88a00ffc |
| Power Platform API | (tenant-specific) |
Payload Structure
Each inheritable permission uses this structure:
```json
{
  "resourceAppId": "<api-app-id>",
  "inheritableScopes": {
    "@odata.type": "#microsoft.graph.allAllowedScopes",
    "kind": "allAllowed"
  }
}
```
Graph API Endpoint
`POST /beta/applications/{blueprint-object-id}/microsoft.graph.agentIdentityBlueprint/inheritablePermissions`
4. Additional Blueprint Configuration
| Component | Description |
|---|---|
| Service Principal | Created automatically for the blueprint app registration |
| Client Secret | Used for authentication (stored securely, shown only once) |
| Federated Identity Credential | Links blueprint to a user-assigned managed identity for workload identity federation |
Summary
| Category | Count |
|---|---|
| App Role Assignments | 1 |
| Graph API Delegated Permissions | 10 |
| Messaging Bot API Delegated Permissions | 2 |
| Power Platform API Delegated Permissions | 1 |
| Inheritable Permission Configurations | 3 |
| Total Delegated Permissions | 13 |
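One way to check that a blueprint's actual grants still match the delegated permissions listed in section 2 (and the Summary count), as an added example that is not part of the original issue: it reads a constructed sample shaped like the Graph oauth2PermissionGrant collection, with placeholder service-principal ids, and reports scopes granted beyond this reference, scopes missing from it, and grants on resources the reference does not list.

```python
import json

# Expected delegated scopes per resource API, taken from section 2 above.
EXPECTED = {
    "Microsoft Graph": {
        "Chat.Read", "Chat.ReadWrite", "Mail.ReadWrite", "Mail.Send",
        "Files.Read.All", "Sites.Read.All", "User.Read.All",
        "User.ReadBasic.All", "Presence.ReadWrite", "AgentInstance.Read.All",
    },
    "Messaging Bot API": {"user_impersonation", "Authorization.ReadWrite"},
    "Power Platform API": {"Connectivity.Connections.Read"},
}

# Constructed placeholder ids: resource service-principal objectId -> API name.
RESOURCE_SP_IDS = {
    "11111111-1111-1111-1111-111111111111": "Microsoft Graph",
    "22222222-2222-2222-2222-222222222222": "Messaging Bot API",
    "33333333-3333-3333-3333-333333333333": "Power Platform API",
}

# Constructed sample shaped like Graph's oauth2PermissionGrant collection (scope is space-separated).
SAMPLE_GRANTS = json.dumps({"value": [
    {"clientId": "bp-sp", "resourceId": "11111111-1111-1111-1111-111111111111",
     "scope": "Chat.Read Chat.ReadWrite Mail.ReadWrite Mail.Send Files.Read.All "
              "Sites.Read.All User.Read.All User.ReadBasic.All Presence.ReadWrite "
              "AgentInstance.Read.All Directory.Read.All"},
    {"clientId": "bp-sp", "resourceId": "22222222-2222-2222-2222-222222222222", "scope": "user_impersonation"},
    {"clientId": "bp-sp", "resourceId": "44444444-4444-4444-4444-444444444444", "scope": "Something.Read"},
]})

def expected_total():
    return sum(len(s) for s in EXPECTED.values())  # should equal the Summary's 13

def audit_grants(grants_json, sp_map=RESOURCE_SP_IDS, expected=EXPECTED):
    """Report scopes beyond the reference, scopes missing from it, and unlisted resources."""
    granted = {api: set() for api in expected}
    unknown = {}
    for grant in json.loads(grants_json)["value"]:
        scopes = set(grant.get("scope", "").split())
        api = sp_map.get(grant["resourceId"])
        if api is None:  # grant on a resource the reference never mentions
            unknown[grant["resourceId"]] = sorted(scopes)
        else:
            granted[api] |= scopes
    return {
        "extra": {a: sorted(granted[a] - expected[a]) for a in expected if granted[a] - expected[a]},
        "missing": {a: sorted(expected[a] - granted[a]) for a in expected if expected[a] - granted[a]},
        "unknown_resources": unknown,
    }
```

Against a real tenant, replace SAMPLE_GRANTS with the JSON returned for the blueprint's service principal and fill RESOURCE_SP_IDS from the resource service principals' object ids.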