Agent blueprint and instance setup

Important

You need to be part of the Frontier preview program to get early access to Microsoft Agent 365. Frontier connects you directly with Microsoft’s latest AI innovations. Frontier previews are subject to the existing preview terms of your customer agreements. As these features are still in development, their availability and capabilities may change over time.

Note

Agent identity authentication is one of the two authentication flows you can use. The other is the On-Behalf-Of (OBO) flow.

The agentic authentication flow enables an agent to act with its own identity. In this flow:

  • The agent authenticates using its own credentials (agent blueprint credentials)
  • The agent operates independently with its own assigned permissions
  • The agent has its own identity, separate from any user
  • This flow is ideal for autonomous agent operations that don't require user context

Use cases:

  • Autonomous agent operations (scheduled tasks, monitoring)
  • Sending emails or creating meetings from the agent's mailbox
  • Creating and managing agent-owned resources
  • Background processing without user interaction

Create your agentic identity

To develop and test your agent with agentic authentication, you need to create the agent identity and register it with Microsoft 365. This identity allows you to test your agent's capabilities like tooling, observability, and notifications as you build them.

The agent creation process involves three key steps:

  1. Configure - Initialize the Agent 365 CLI configuration
  2. Setup - Create Azure resources and agent blueprint
  3. Create instance - Create agentic app ID and user

Prerequisites

Before you begin, ensure you have the following:

Required permissions:

  • Valid tenant user with one of the following roles:
    • Global Administrator
    • Agent ID Administrator
    • Agent ID Developer
  • Access to an Azure subscription with permissions to create resources

Step 1: Configure the Agent 365 CLI

The a365 config init command creates a365.config.json, the central configuration file used by all Agent 365 CLI commands. The CLI provides an interactive wizard with Azure CLI integration and smart defaults to minimize manual input.

Authenticate with Azure

Before initializing configuration, authenticate with Azure using the az login command:

az login

Select the appropriate subscription when prompted. The configuration wizard uses Azure CLI to query available subscriptions, resource groups, and app service plans.

Initialize configuration

Run the following command to start the interactive configuration wizard:

a365 config init

The wizard prompts for the following fields:

| Field | Description | Example |
|---|---|---|
| Agent name | A unique identifier (alphanumeric only) | myagent |
| Deployment project path | Path to your agent project directory | C:\MyAgent\sample-agent |
| Manager email | Email of the manager overseeing this agent | [email protected] |
| Azure resources | Select from existing resource groups and app service plans | (Interactive selection) |

The wizard automatically generates related resource names, identities, and validates your project type.

For more information, see the a365 config command reference.

Verify configuration

Use the a365 config display command to print your configuration and verify that all values are correct:

a365 config display

Step 2: Create agent blueprint

The a365 setup command creates Azure resources and registers your agent blueprint. The blueprint defines your agent's identity, permissions, and infrastructure requirements. This step establishes the foundation for deploying and running your agent in Azure.

Run setup

Execute the setup command:

a365 setup

The setup process performs these operations:

  1. Creates Azure infrastructure (if it doesn't already exist):

    • Resource group
    • App Service Plan with specified SKU
    • Azure Web App with managed identity enabled
  2. Registers agent blueprint:

    • Creates the agent blueprint in your Azure AD tenant
    • Creates Azure AD application registrations
    • Configures the agent identity with required permissions
  3. Configures API permissions:

    • Sets up Microsoft Graph API scopes
    • Configures Messaging Bot API permissions
    • Applies inheritable permissions for agent instances
  4. Updates configuration files:

    • Saves generated IDs and endpoints to a365.generated.config.json
    • Records managed identity and resource information

Note

During setup, browser windows will open for admin consent. Complete these consent flows to proceed. Setup typically takes 3-5 minutes and auto-saves configuration to a365.generated.config.json.

Verify setup

After setup completes successfully, you should see a summary showing all completed steps. Verify the created resources:

  1. View generated configuration:

    a365 config display -g
    

    Confirm these values are present:

    • agentBlueprintId - Your agent blueprint's application ID
    • agentBlueprintObjectId - Blueprint's Azure AD object ID
    • managedIdentityPrincipalId - System-assigned managed identity principal ID
  2. Review Azure resources in Azure Portal:

    Verify the following resources were created:

    • Resource Group:

      • Go to Resource Groups > Select your resource group
      • Verify it contains your App Service Plan and Web App
    • App Service Plan:

      • Go to App Services > App Service Plans
      • Find your plan and verify the pricing tier matches your configuration SKU
    • Web App:

      • Go to App Services > Web Apps
      • Find your web app, then go to Settings > Identity > System assigned
      • Verify status is On
      • Confirm that the Object (principal) ID matches managedIdentityPrincipalId
  3. Verify Azure AD applications in Azure Portal:

    Go to Azure Active Directory > App registrations > All applications:

    • Search for your agent blueprint by the agentBlueprintId
    • Open the application and select API permissions
    • Verify permissions are granted with green checkmarks:
      • Microsoft Graph (delegated and application permissions)
      • Messaging Bot API permissions
    • All permissions should show "Granted for [Your Tenant]"

Step 3: Create agent instance

The a365 create-instance command creates the agentic app ID and agentic user for your agent blueprint, enabling authentication and permissions. This creates a specific instance of your agent with its own identity and credentials, allowing it to authenticate and operate within your Microsoft 365 environment.

Create instance

Run the following command:

a365 create-instance

What it does:

  1. Creates agentic app ID - Azure AD application for this agent instance
  2. Creates agentic user - Service principal for the agent instance
  3. Uses agent blueprint ID - From the generated config (a365.generated.config.json)
  4. Grants admin consent - Applies inherited permissions from the blueprint automatically
  5. Updates configuration - Saves new agentic credentials to local environment

Expected output:

You will see progress messages for each phase:

  • Phase 1: Creating Agent Identity and Agent User
  • Admin consent requests (browser windows will open)
  • Phase 2: License assignment
  • Configuration updates

Verify instance

  1. View generated configuration:

    a365 config display -g
    

    Verify the following values are present:

    • AgenticAppId - Your agent instance application ID
    • AgenticUserId - Your agent user ID
  2. Validate in Azure Portal:

    • Go to Azure Active Directory > App registrations
    • Find your agentic app ID (check the generated config for the ID)
    • Verify API permissions are granted and consented
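
The "Confirm these values are present" checks from Verify setup and Verify instance can be scripted, for example as a gate before deployment. This is an added example, not part of the Agent 365 CLI or the original page. It assumes a365.generated.config.json is JSON whose keys use the names listed above (possibly nested, matched case-insensitively) and that each ID is a GUID; the sample document and the duplicate-value heuristic are constructed for illustration.

```python
import json
import re

# Identifiers the page says to confirm, grouped by the command that writes them.
EXPECTED = {
    "setup": ["agentBlueprintId", "agentBlueprintObjectId", "managedIdentityPrincipalId"],
    "create-instance": ["AgenticAppId", "AgenticUserId"],
}
GUID = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample; the real file layout is an assumption (keys may be nested).
SAMPLE = """{"agentBlueprintId": "11111111-1111-4111-8111-111111111111",
 "agentBlueprintObjectId": "22222222-2222-4222-8222-222222222222",
 "managedIdentityPrincipalId": "33333333-3333-4333-8333-333333333333",
 "instance": {"AgenticAppId": "", "AgenticUserId": "44444444-4444-4444-8444-444444444444"}}"""

def find_scalars(node, found=None):
    """Flatten nested JSON into {lower-cased key: scalar value}."""
    found = {} if found is None else found
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                find_scalars(value, found)
            else:
                found.setdefault(key.lower(), value)
    elif isinstance(node, list):
        for item in node:
            find_scalars(item, found)
    return found

def check_generated_config(text):
    """Return a list of problems; an empty list means every check passed."""
    values, problems, seen = find_scalars(json.loads(text)), [], {}
    for step, keys in EXPECTED.items():
        for key in keys:
            value = values.get(key.lower())
            if value in (None, ""):
                problems.append(f"{key}: missing (re-run a365 {step})")
            elif not (isinstance(value, str) and GUID.fullmatch(value)):
                problems.append(f"{key}: not a GUID")
            elif value.lower() in seen:  # heuristic: each ID names a distinct object
                problems.append(f"{key}: duplicates {seen[value.lower()]}")
            else:
                seen[value.lower()] = key
    return problems

if __name__ == "__main__":
    print(check_generated_config(SAMPLE) or "all identifiers present")
```

To check a real file, pass its contents to check_generated_config and fail the pipeline when the returned list is not empty.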

Next steps

Your agent identity is now registered and ready. Next:

  1. Add tooling capabilities - Enable Microsoft 365 tools (recommended for testing authentication)
  2. Test your agent - Validate with Agent Playground