At Build 2025, Microsoft introduced Microsoft Entra Agent ID to find AI Agents in Entra ID.
Just open Enterprise Applications in Entra ID and filter for the application type Agent ID.
If you analyze what Entra ID is doing for the filter, it’s a simple query for service principal tags with the following values:
- tags startswith power-virtual-agents- OR
- tags is equal AgenticInstance OR
- tags is equal AgenticApp
- filter the first 100
You can do the same, as Entra ID is querying the servicePrincipals resource in the background.
I recommend checking your Agent ID service principals. I think you will find some interesting changes.
# Filter Agent ID service principals with Microsoft Graph.
# Note that you getting the first 100 service principals with the filter.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Application.Read.All"
$Header = @{ "ConsistencyLevel" = "eventual" }
$Url = "https://graph.microsoft.com/v1.0/servicePrincipals?`$count=true&`$filter=(tags/Any(p: startswith(p, 'power-virtual-agents-')) or tags/Any(p: p eq 'AgenticInstance') or tags/Any(p: p eq 'AgenticApp'))&`$top=100"
$Result = Invoke-MgGraphRequest -Method Get -Uri $Url -Headers $Header
$Result.value
Content
Copilot Studio Service Principals
- Microsoft changed the signInAudience in January. Until then, the signInAudience for all newly created Copilot Studio Agents was an AzureADMultipleOrgs service principal. Microsoft changed this to AzureADMyOrg in January for new Copilot Studio service principals.
- Since May, Microsoft has been adding the Agent ID tags to all new Copilot Studio service principals.
Previously, there was just the tag “power-virtual-agents-[AgentID].” Now, there are the additional tags: AgenticInstance, AgenticApp, AIAgentBuilder, and AgentCreatedBy:CopilotStudio
- All Copilot Studio service principals include the Power Platform environment where they are hosted in the description.
You can extract the environment ID. The tag power-virtual-agents- includes the agent ID from the environment.
# Extract the Power Platform environment from the service principal description
if ($CopilotStudioSP.description -match "Power Platform Environment: '([0-9a-fA-F\-]{36})'") {
$envGuid = $matches[1]
Write-Output "Extracted GUID: $envGuid"
}
Azure AI Foundry Service Principals
An Azure AI Foundry service principal is a Managed Identity compared to Copilot Studio service principals and includes the tags AgentCreatedBy:Foundry and AgenticInstance. A new Azure AI Foundry project creates a new Managed Identity.
The Microsoft presentation mentioned that the agent should be visible in the Enterprise apps. In my case, the Azure AI Foundry project creates a Managed Identity, not the agent in the project.
Edit:
The Microsoft demo about the Azure AI Foundry agent was not adequately prepared. Microsoft named the agent with the same title as the project. As a result, the customer sees the project name in the demo, not the modified agent.
The documentation mentions the scoping:
Agents are scoped at the project level, which ensures data isolation—agents within the same project share access to the same resources.
