Get insights into Microsoft Entra Agent ID apps with Microsoft Graph

At Build 2025, Microsoft introduced Microsoft Entra Agent ID to find AI Agents in Entra ID.

Microsoft Entra Agent ID

Just open Enterprise Applications in Entra ID and filter for the application type Agent ID.

Agent ID in Enterprise Applications

If you analyze what Entra ID is doing for the filter, it’s a simple query for service principal tags with the following values:

  • tags starts with power-virtual-agents- OR
  • tags equals AgenticInstance OR
  • tags equals AgenticApp
  • limited to the first 100 results

You can do the same, as Entra ID is querying the servicePrincipals resource in the background.
I recommend checking your Agent ID service principals. I think you will find some interesting changes.

PowerShell
# Filter Agent ID service principals with Microsoft Graph.
# Note that this filter returns only the first 100 service principals.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Application.Read.All"

$Header = @{ "ConsistencyLevel" = "eventual" }
$Url = "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$filter=(tags/Any(p: startswith(p, 'power-virtual-agents-')) or tags/Any(p: p eq 'AgenticInstance') or tags/Any(p: p eq 'AgenticApp'))&`$top=100"
$Result = Invoke-MgGraphRequest -Method Get -Uri $Url -Headers $Header
$Result.value 


Copilot Studio Service Principals
  1. Microsoft changed the signInAudience in January. Until then, every newly created Copilot Studio agent got a service principal with the signInAudience AzureADMultipleOrgs. Since January, new Copilot Studio service principals are created with AzureADMyOrg.
signInAudience has been changed for Copilot Studio service principals
  2. Since May, Microsoft has been adding the Agent ID tags to all new Copilot Studio service principals.
    Previously, there was just the tag “power-virtual-agents-[AgentID]”. Now, there are the additional tags: AgenticInstance, AgenticApp, AIAgentBuilder, and AgentCreatedBy:CopilotStudio
Additional tags for Copilot Studio service principals
  3. All Copilot Studio service principals include the Power Platform environment where they are hosted in the description.
Service principal description includes the Power Platform environment

You can extract the environment ID. The tag power-virtual-agents- includes the agent ID from the environment.

PowerShell
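# Extract the Power Platform environment from the service principal description.
# $CopilotStudioSP is assumed to hold one Copilot Studio service principal,
# for example one entry of $Result.value from the query above.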

if ($CopilotStudioSP.description -match "Power Platform Environment: '([0-9a-fA-F\-]{36})'") {
    $envGuid = $matches[1]
    Write-Output "Extracted GUID: $envGuid"
} 


Azure AI Foundry Service Principals

Unlike Copilot Studio service principals, an Azure AI Foundry service principal is a Managed Identity and includes the tags AgentCreatedBy:Foundry and AgenticInstance. A new Azure AI Foundry project creates a new Managed Identity.
The Microsoft presentation mentioned that the agent should be visible in the Enterprise apps. In my case, the Azure AI Foundry project creates a Managed Identity, not the agent in the project.

Edit:
The Microsoft demo about the Azure AI Foundry agent was not adequately prepared. Microsoft named the agent with the same title as the project. As a result, the customer sees the project name in the demo, not the modified agent.

Filtered Agent ID service principals

The documentation mentions the scoping:

Agents are scoped at the project level, which ensures data isolation—agents within the same project share access to the same resources.
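
The following inventory script is an added example, not code from the original post: it goes beyond the first 100 results by following Graph's @odata.nextLink paging, then reports the signInAudience, the AgentCreatedBy tag, the agent ID and the Power Platform environment ID described above for each Agent ID service principal. The variable names and report columns are assumptions chosen for this example.

```powershell
# Added example: inventory all Agent ID service principals, not just the first 100.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Application.Read.All"

$Header = @{ "ConsistencyLevel" = "eventual" }
$TagFilter = "tags/Any(p: startswith(p, 'power-virtual-agents-')) or " +
             "tags/Any(p: p eq 'AgenticInstance') or tags/Any(p: p eq 'AgenticApp')"
$Url = "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$filter=($TagFilter)&`$top=100"

# Follow @odata.nextLink until Graph stops returning one.
$AgentSPs = [System.Collections.Generic.List[object]]::new()
while ($Url) {
    $Page = Invoke-MgGraphRequest -Method Get -Uri $Url -Headers $Header
    foreach ($sp in $Page.value) { $AgentSPs.Add($sp) }
    $Url = $Page.'@odata.nextLink'
}

$Report = foreach ($sp in $AgentSPs) {
    $tags = @($sp.tags)
    # Creator tag from the post: AgentCreatedBy:CopilotStudio or AgentCreatedBy:Foundry.
    $creator  = $tags | Where-Object { $_ -like 'AgentCreatedBy:*' } | Select-Object -First 1
    $agentTag = $tags | Where-Object { $_ -like 'power-virtual-agents-*' } | Select-Object -First 1

    # Same description pattern as the extraction snippet in the post.
    $envId = $null
    if ($sp.description -match "Power Platform Environment: '([0-9a-fA-F\-]{36})'") {
        $envId = $Matches[1]
    }

    [pscustomobject]@{
        DisplayName    = $sp.displayName
        AppId          = $sp.appId
        Type           = $sp.servicePrincipalType   # ManagedIdentity for Azure AI Foundry
        SignInAudience = $sp.signInAudience
        CreatedBy      = if ($creator) { $creator -replace '^AgentCreatedBy:' } else { 'untagged' }
        AgentId        = if ($agentTag) { $agentTag -replace '^power-virtual-agents-' } else { $null }
        EnvironmentId  = $envId
    }
}

# Service principals that still carry the older multi-tenant signInAudience.
$Report | Where-Object SignInAudience -eq 'AzureADMultipleOrgs' |
    Format-Table DisplayName, AppId, AgentId, EnvironmentId

# Overview by creator tag, service principal type and signInAudience.
$Report | Group-Object CreatedBy, Type, SignInAudience | Select-Object Count, Name
```

Entries reported as 'untagged' are Copilot Studio service principals that only carry the older power-virtual-agents- tag.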


Tobias Asböck
