Closed as not planned
Agent Blueprint Service Principal - Complete Configuration Reference
This document lists all configurations applied to the Blueprint Service Principal.
1. Service Principal Creation
The blueprint service principal is created using a special Graph API endpoint:
```
POST /beta/serviceprincipals/graph.agentIdentityBlueprintPrincipal
```
Request Body:
```json
{
  "appId": "<blueprint-app-id>"
}
```
Required Header:
```
OData-Version: 4.0
```
2. App Role Assignment
The service principal receives this app role assignment from Microsoft Graph:
| Role | App Role ID | Resource |
|---|---|---|
| AgentIdUser.ReadWrite.IdentityParentedBy | 4aa6e624-eee0-40ab-bdd8-f9639038a614 | Microsoft Graph |
Graph API:
```
POST /v1.0/servicePrincipals/{sp-id}/appRoleAssignedTo
```
Payload:
```json
{
  "principalId": "<blueprint-sp-id>",
  "resourceId": "<microsoft-graph-sp-id>",
  "appRoleId": "4aa6e624-eee0-40ab-bdd8-f9639038a614"
}
```
3. OAuth2 Permission Grants (Delegated Permissions)
The service principal is the clientId for all delegated permission grants. Each grant uses consentType: "AllPrincipals" for admin consent.
Microsoft Graph API
Resource App ID: 00000003-0000-0000-c000-000000000000
| Scope |
|---|
| Chat.Read |
| Chat.ReadWrite |
| Mail.ReadWrite |
| Mail.Send |
| Files.Read.All |
| Sites.Read.All |
| User.Read.All |
| User.ReadBasic.All |
| Presence.ReadWrite |
| AgentInstance.Read.All |
Messaging Bot API
Resource App ID: 5a807f24-c9de-44ee-a3a7-329e88a00ffc
| Scope |
|---|
| user_impersonation |
| Authorization.ReadWrite |
Power Platform API
Resource App ID: (tenant-specific, search by displayName)
| Scope |
|---|
| Connectivity.Connections.Read |
Grant Structure
Each OAuth2PermissionGrant follows this structure:
```json
{
  "clientId": "<blueprint-service-principal-id>",
  "consentType": "AllPrincipals",
  "resourceId": "<resource-api-service-principal-id>",
  "scope": "<space-separated-scopes>"
}
```
Graph API:
```
POST /v1.0/oauth2PermissionGrants
```
4. Summary
| Configuration | Count |
|---|---|
| App Role Assignments | 1 |
| OAuth2 Permission Grants (APIs) | 3 |
| Total Delegated Scopes | 13 |
Service Principal Properties
| Property | Description |
|---|---|
| id | Object ID of the service principal |
| appId | Application (client) ID of the blueprint |
| displayName | Display name inherited from the application |
| servicePrincipalType | Type of service principal |
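
A drift check for the delegated grants in section 3, as an added example that is not part of the original issue or the project's code: it compares an exported list of oauth2PermissionGrant objects against the scope tables above and reports extra scopes, missing scopes and any consentType other than AllPrincipals. The object IDs, the sample grants and the `<power-platform-app-id>` placeholder are constructed, and the resourceId-to-appId map is assumed to come from your own service principal listing.

```python
# Baseline copied from the scope tables on this page, keyed by resource app ID.
GRAPH = "00000003-0000-0000-c000-000000000000"
BOT_API = "5a807f24-c9de-44ee-a3a7-329e88a00ffc"
POWER_PLATFORM = "<power-platform-app-id>"  # placeholder: tenant-specific per the page

BASELINE = {
    GRAPH: {"Chat.Read", "Chat.ReadWrite", "Mail.ReadWrite", "Mail.Send",
            "Files.Read.All", "Sites.Read.All", "User.Read.All",
            "User.ReadBasic.All", "Presence.ReadWrite", "AgentInstance.Read.All"},
    BOT_API: {"user_impersonation", "Authorization.ReadWrite"},
    POWER_PLATFORM: {"Connectivity.Connections.Read"},
}

def audit_grants(grants, blueprint_sp_id, resource_app_ids, baseline=BASELINE):
    """Return sorted (kind, resource_app_id, detail) findings for one client SP."""
    findings, seen = [], {}
    for g in grants:
        if g["clientId"] != blueprint_sp_id:
            continue  # grant belongs to a different client
        # resourceId is an object ID; translate it to the resource's app ID.
        app_id = resource_app_ids.get(g["resourceId"], g["resourceId"])
        seen.setdefault(app_id, set()).update(g.get("scope", "").split())
        if g.get("consentType") != "AllPrincipals":
            findings.append(("consent_type", app_id, str(g.get("consentType"))))
    for app_id, scopes in seen.items():
        for s in scopes - baseline.get(app_id, set()):
            findings.append(("extra_scope", app_id, s))
    for app_id, expected in baseline.items():
        for s in expected - seen.get(app_id, set()):
            findings.append(("missing_scope", app_id, s))
    return sorted(findings)

# Constructed sample export (not real tenant data).
SP = "sp-blueprint"
RESOURCES = {"sp-graph": GRAPH, "sp-bot": BOT_API, "sp-pp": POWER_PLATFORM}
SAMPLE = [
    {"clientId": SP, "consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": " ".join(sorted(BASELINE[GRAPH] - {"Mail.Send"})) + " Mail.ReadWrite.Shared"},
    {"clientId": SP, "consentType": "Principal", "resourceId": "sp-bot",
     "scope": "user_impersonation Authorization.ReadWrite"},
    {"clientId": SP, "consentType": "AllPrincipals", "resourceId": "sp-pp",
     "scope": "Connectivity.Connections.Read"},
    {"clientId": "sp-other", "consentType": "AllPrincipals", "resourceId": "sp-graph",
     "scope": "Directory.ReadWrite.All"},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, SP, RESOURCES):
        print(finding)
```

A grant on a resource that is absent from the baseline is reported scope by scope as `extra_scope` under its raw resourceId.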