Feature Request: CLI Support for Presence & Files API Permissions
Request
Add CLI commands to grant Presence and Files API delegated permissions to an Agent Identity Blueprint. This allows agents to appear online (particularly in MSTeams) and to interact with uploaded files.
Current Workaround
This workaround is cumbersome because it is manual.
Create a separate app registration with the required permissions:
- Register a new application in Entra ID
- Add the delegated permissions
- Grant admin consent
- Create a client secret
- Create a user-assigned managed identity (MSI)
- Add a federated identity credential linking the app to the MSI
- Use this app registration alongside the blueprint for Presence/Files functionality
App Registration Requirements
| Component | Details |
|---|---|
| Delegated Permissions | See full list below (10 permissions) |
| Admin Consent | Required for all permissions |
| Client Secret | For authentication (valid up to 2 years) |
| User-Assigned Managed Identity | Created in Azure resource group |
| Federated Identity Credential | Links app to MSI for workload identity |
Required Delegated Permissions (Microsoft Graph)
| # | Scope | Purpose |
|---|---|---|
| 1 | Chat.Read | Read user chat messages |
| 2 | Chat.ReadWrite | Read and send chat messages |
| 3 | Mail.ReadWrite | Read and write user mail |
| 4 | Mail.Send | Send mail on behalf of user |
| 5 | Files.Read.All | Read files user can access |
| 6 | Sites.Read.All | Read SharePoint sites |
| 7 | User.Read.All | Read all user profiles |
| 8 | User.ReadBasic.All | Read basic user profiles |
| 9 | Presence.ReadWrite | Read/write user presence status |
| 10 | AgentInstance.Read.All | Read agent instances |
Federated Identity Credential Configuration
```json
{
  "name": "<managed-identity-name>",
  "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "subject": "<managed-identity-client-id>",
  "audiences": ["api://AzureADTokenExchange"]
}
```
Graph API Calls Required
1. Create Application
```http
POST https://graph.microsoft.com/v1.0/applications
Content-Type: application/json

{
  "displayName": "<app-name>",
  "signInAudience": "AzureADMyOrg"
}
```
2. Create Service Principal
```http
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-Type: application/json

{
  "appId": "<app-id-from-step-1>"
}
```
3. Grant Delegated Permissions (OAuth2PermissionGrant)
```http
POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
Content-Type: application/json

{
  "clientId": "<service-principal-id>",
  "consentType": "AllPrincipals",
  "resourceId": "<microsoft-graph-service-principal-id>",
  "scope": "Chat.Read Chat.ReadWrite Mail.ReadWrite Mail.Send Files.Read.All Sites.Read.All User.Read.All User.ReadBasic.All Presence.ReadWrite AgentInstance.Read.All"
}
```
4. Create Client Secret
```http
POST https://graph.microsoft.com/v1.0/applications/<app-object-id>/addPassword
Content-Type: application/json

{
  "passwordCredential": {
    "displayName": "Agent Secret"
  }
}
```
5. Create Federated Identity Credential
```http
POST https://graph.microsoft.com/beta/applications/<app-object-id>/federatedIdentityCredentials
Content-Type: application/json

{
  "name": "<managed-identity-name>",
  "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "subject": "<managed-identity-client-id>",
  "audiences": ["api://AzureADTokenExchange"]
}
```
Prerequisites
Before making these calls, you need:
- Microsoft Graph Service Principal ID - Get via:
  ```http
  GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
  ```
- User-Assigned Managed Identity - Create via Azure CLI or ARM:
  ```shell
  az identity create --name <msi-name> --resource-group <rg-name>
  ```
Key IDs
| Resource | ID |
|---|---|
| Microsoft Graph App ID | 00000003-0000-0000-c000-000000000000 |
Why This Matters
- Presence API: Enables agents to show/read user availability status in Teams
- Files API: Allows agents to access OneDrive/SharePoint files on behalf of users
- Manual Graph API calls are error-prone and require multiple steps (find SP IDs, check existing grants, merge scopes)
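The steps a CLI command would have to automate (look up the Microsoft Graph service principal, check for an existing oauth2PermissionGrant, merge scopes instead of overwriting, and build the federated identity credential body) can be written as a small idempotent routine. The following is an added example and not code from this issue or from the CLI project; it uses a constructed in-memory `FakeGraph` in place of Microsoft Graph so it runs offline, and the class, its method names and every ID in it are assumptions. In a real CLI each `FakeGraph` method would be one authenticated HTTPS request to the endpoint named in its log line.

```python
"""Idempotent delegated-permission grant for an agent's service principal.

Added example, not code from the issue or the CLI project. FakeGraph is a
constructed stand-in for Microsoft Graph; all IDs are placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import uuid

# Well-known Microsoft Graph application ID (from the issue's Key IDs table).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"

# The ten delegated scopes listed in the issue.
REQUIRED_SCOPES = [
    "Chat.Read", "Chat.ReadWrite", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Sites.Read.All", "User.Read.All", "User.ReadBasic.All",
    "Presence.ReadWrite", "AgentInstance.Read.All",
]


def merge_scopes(existing: str, required: List[str]) -> str:
    """Union of an existing space-separated scope string and the required list.

    Existing scopes keep their order (a grant is never silently narrowed);
    missing ones are appended in the order given; duplicates are dropped.
    """
    merged: List[str] = []
    for scope in existing.split() + list(required):
        if scope not in merged:
            merged.append(scope)
    return " ".join(merged)


@dataclass
class FakeGraph:
    """Constructed stand-in for the Graph endpoints the CLI would call."""
    service_principals: List[dict] = field(default_factory=list)
    grants: List[dict] = field(default_factory=list)
    calls: List[str] = field(default_factory=list)  # audit trail of requests

    def find_sp_by_app_id(self, app_id: str) -> Optional[dict]:
        self.calls.append(f"GET /servicePrincipals?$filter=appId eq '{app_id}'")
        return next((sp for sp in self.service_principals if sp["appId"] == app_id), None)

    def find_grant(self, client_id: str, resource_id: str) -> Optional[dict]:
        self.calls.append("GET /oauth2PermissionGrants?$filter=clientId eq "
                          f"'{client_id}' and resourceId eq '{resource_id}'")
        return next((g for g in self.grants
                     if g["clientId"] == client_id and g["resourceId"] == resource_id), None)

    def create_grant(self, body: dict) -> dict:
        self.calls.append("POST /oauth2PermissionGrants")
        grant = {"id": str(uuid.uuid4()), **body}
        self.grants.append(grant)
        return grant

    def update_grant(self, grant_id: str, scope: str) -> dict:
        self.calls.append(f"PATCH /oauth2PermissionGrants/{grant_id}")
        for grant in self.grants:
            if grant["id"] == grant_id:
                grant["scope"] = scope
                return grant
        raise KeyError(grant_id)


def ensure_delegated_grant(graph: FakeGraph, client_sp_id: str,
                           required: List[str] = REQUIRED_SCOPES) -> dict:
    """Create or widen the tenant-wide grant (issue step 3); safe to rerun."""
    graph_sp = graph.find_sp_by_app_id(GRAPH_APP_ID)
    if graph_sp is None:
        raise RuntimeError("Microsoft Graph service principal not found in tenant")
    existing = graph.find_grant(client_sp_id, graph_sp["id"])
    if existing is None:
        return graph.create_grant({
            "clientId": client_sp_id,
            "consentType": "AllPrincipals",  # admin consent for all users
            "resourceId": graph_sp["id"],
            "scope": " ".join(required),
        })
    merged = merge_scopes(existing["scope"], required)
    if merged == existing["scope"]:
        return existing  # already complete: no PATCH issued
    return graph.update_grant(existing["id"], merged)


def federated_credential_body(tenant_id: str, msi_name: str, msi_client_id: str) -> dict:
    """Body for POST /applications/{id}/federatedIdentityCredentials (issue step 5)."""
    return {
        "name": msi_name,
        "issuer": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        "subject": msi_client_id,
        "audiences": [TOKEN_EXCHANGE_AUDIENCE],
    }


if __name__ == "__main__":
    graph = FakeGraph(service_principals=[{"id": "graph-sp-0001", "appId": GRAPH_APP_ID}])
    ensure_delegated_grant(graph, "agent-sp-0001")
    ensure_delegated_grant(graph, "agent-sp-0001")  # second run only reads
    print("\n".join(graph.calls))
```

Two design points matter for a command that grants `AllPrincipals` consent: merging into an existing grant rather than replacing its scope string prevents the CLI from silently narrowing permissions another tool already granted, and issuing a PATCH only when the merged scope actually differs keeps repeated runs free of write calls, which makes the audit log of the tenant easier to review.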