Managing Entra Agent Identities for Copilot Studio

Governance for Copilot Studio extends well beyond the Power Platform Admin Centre (PPAC). An Agent Administrator needs to understand and use the full toolset available, which now includes managing Entra Agent Identities for Copilot Studio agents.

As the name suggests, for this we need to dip our toes into the Microsoft Entra Admin Centre. Here, we can track agent activity and the associated Agent IDs. In this article, I’ll go over how to set this up (the feature is currently in preview) and where to track the identities afterwards.

When enabled, each agent in an environment will automatically get its own unique identity in Microsoft Entra.

Think of it like giving the agent its own ID badge: the badge doesn’t grant the agent access to your data or systems; it exists so the agent can authenticate to the Azure Bot Service and prove it is the agent it claims to be.

As we start building more autonomous agents, this type of identity model will become increasingly crucial. These agent types will need to run as an application user rather than as an actual user. Those familiar with the Power Platform may already use similar concepts with Application Users and Service Principals, and a service principal is already the default identity for your agents.

At the time of writing this is a preview feature, so the usual caveat applies: it is not recommended for production agents. It is, however, another good candidate for an admin-specific environment where you can evaluate the feature and its potential for your organisation ahead of general availability.

Enabling the feature

Yes, I know I started this article with ‘there’s more to agent governance than just PPAC’, but PPAC is where we need to head first to enable it.

In PPAC, head to Copilot > Settings then Entra Agent Identity for Copilot Studio:

Select the environment & click Edit setting at the bottom. The setting is off by default (that makes a change for the Power Platform 😂), so enable it then click Save:

Enabling the Entra Agent Identity feature for a Power Platform environment

Now, when I create an agent in the environment with the setting enabled, it is assigned an Entra agent identity immediately. From Copilot Studio, though, this is not immediately obvious. As per the documentation here, you can open the Settings area of an agent, then Advanced, then Metadata to see the GUID for the agent identity:

Finding the Agent app ID or Entra agent identity for a Copilot Studio agent

The trouble is that a GUID appears in this Metadata section for every agent, in every environment, whether or not the Entra Agent Identity setting is enabled. Copilot Studio alone therefore doesn’t tell you which agents have an Entra agent identity and which are still on a service principal.

So how do we work out which agents have an Entra identity and which don’t?

For this, we need the Microsoft Entra Admin Centre.

Entra Admin Centre (EAC)

Firstly, the URL to access it is https://entra.microsoft.com/.

If you only hold the Power Platform or Dynamics 365 Administrator roles, this is where you need to extend your access: the EAC requires its own Entra roles. See the full breakdown here.

There’s lots of good stuff in the Entra Admin Centre that supports agents; for now we are focusing on the Agent ID section:

There are a few different sections we can access inside the Agent ID area.

Overview

Once selected, the homepage gives you some good analytics around total number of agents and their identity types:

All agent identities

This is an inventory of all agent identities. All agents will have an identity; without the Entra ID setting enabled, agents will instead have a service principal created.

These are nothing to worry about – it’s simply Microsoft’s way of securing your agents before the arrival of the new Entra Identity feature. You can read more about agents built using application service principals here. Any agent not created with a dedicated Entra agent identity will continue to have a service principal auto-created and assigned as its primary identity.

One of the best things you can do at this point in the All agent identities section is select Choose Columns, then add the Uses agent identity column. This instantly shows which agent identities were created with a service principal and which with an Entra agent identity:

Showing all agent identities in the Entra Admin Centre

You can also see what identity type has been used by selecting a specific agent identity from the inventory. Those created with a Service Principal will be shown as such:

An agent with a service principal identity

Ones with Entra Agent Identity will appear slightly different, including different options to configure too:

An agent with an Entra Agent Identity

Agent registry

Any agent created with Copilot Studio, Microsoft Foundry, or even external platforms (e.g. Google) should appear here too. It will show you which ones have been created using the new Entra Agent Identity feature:

You can click on an agent in the agent registry to see its metadata. Currently this is mostly GUIDs (such as the Created By and Owner IDs) that will hopefully become more user-friendly over time:

Unlike the current inventory in M365 Admin Centre (under Agents > All Agents), the Agent Registry shows agents both published and unpublished.

Agent collections

Agent collections are a logical way to group agents in your tenant. You can add existing agents to predefined groups or create your own. Presently, you can’t delete custom collections – even if they’re empty (no agents added). You can read more about agent collections here and how they interact with the agent registry.

What I do think is cool, though, is the built-in ability to auto-quarantine an agent into the predefined Quarantined collection. Any risk signals detected from an agent by an identity protection engine should mean it gets automatically quarantined. You can also quarantine agents manually should you wish. A quarantined agent is hidden from other agents: it no longer appears in their discovery queries against the registry.

Agent Identity blueprints

When you first create an agent identity in an environment after enabling the setting, the system adds a blueprint object to your tenant. This blueprint is like a template for creating new agent identities in future. It’s a very interesting concept, one I recommend you read more about here.

You’re able to view your agent blueprints in the All agent identities section:

Observations so far

I think Entra Agent Identities will be a useful feature and, as it’s in preview, one I expect to mature in due course. Here are a couple of things I’ve noticed whilst testing it out.

Legacy service principals

When I visit Entra admin centre > Agent ID (Preview) > All agent identities (Preview), I can see a bunch of service principal IDs for agents that no longer exist in my tenant.

I’m sure this is some kind of timing issue that will resolve itself. Until then, there may need to be some manual monitoring and cleanups for admins, however…

Reconciliation isn't easy (yet)

As an admin, I’d like to tie back Entra agent IDs and registries to agents across my tenant. This isn’t as easy as you’d hope: Entra agent IDs get an Entra Object ID in Entra, but your agent will have an Item ID in Power Platform.

My original need here came from trying to work out which identity this was:

It turns out, creating a blank agent in Copilot Studio instantly creates an Agent identity using a service principal:

However, when you rename your agent in Copilot Studio, it does not rename the agent identity in Entra. Furthermore, Entra currently greys out the properties once created, preventing you from editing them:

This is the same experience for agent IDs being created with service principals or the new Entra Agent ID.

To reconcile, you need the Agent Registry section in the Entra Admin Centre. Renames of agents do show correctly here (which is a good start), so it’s easy to find the one you need.

When selecting an entry, Entra will present you with several GUIDs. If we look closely, part of the Source ID GUID relates to the Item ID we see elsewhere. In the example below, we’re trying to find a string beginning with f91e31c5.

Entra Admin Centre:

Finding the source ID of an agent with an Agent Entra Identity

PPAC > Manage > Inventory:

Finding the source ID of an agent with an Agent Entra Identity

CoE Toolkit > Power Platform Admin View > Bots:

We need to match the Agent Identity ID from the Agent Registry with the Object ID from the Agent Identities to join the experience together in EAC:

You can also validate this by opening the Agent directly in Copilot Studio. With the agent open, go to Settings > Advanced and expand the Metadata section. Note the reference to Entra Agent ID:

Matching an Entra Agent Identity from Entra Admin Centre to Copilot Studio

You can apply a similar method for cross-checking identities created with a service principal. You can compare the Application ID in EAC to the Metadata of the agent in Copilot Studio. Note though, this is cross-checking the Agent identity in this scenario – I don’t think there’s an available validation for a service principal driven registry back to an agent:

Matching an agent service principal from Entra Admin Centre to Copilot Studio

Community plugs the gaps

I always like to bounce ideas off others – especially when I’m learning on the job as I have been during this post. I reached out to MVP & admin guru Valentin Mazhar for his thoughts on how we can reconcile agent Entra IDs and service principals to agents.

Firstly, he reminded me that with service principals being created for agents, not only do we see these in the Entra Admin Centre, but in the Azure Admin Centre too:

Agent service principal identities in the Azure App registrations portal

The Application (client) ID here matches what we see in EAC:

Secondly, any agent metadata is stored mainly in two Dataverse tables in the relevant environment; bot and botcomponents. If we look at the bot table and expose the SynchronizationStatus column, we can see the same Application ID:

So, can we use the same technique to cross-check agents with an Entra Agent ID? YES!
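As an added example (not code from the original post, nor part of Valentin’s solution), the script below performs the cross-checks described in the reconciliation section and here over constructed sample data. It joins Copilot Studio agents to their Entra agent identities via the Application ID held in the bot table’s SynchronizationStatus column, ties Agent Registry entries back to agents via the item ID inside the Source ID, checks that the registry’s Agent Identity ID equals the identity’s Object ID, flags identities whose display name no longer matches the agent (renames in Copilot Studio don’t propagate), reports the Uses agent identity value, and lists identities with no live agent, which is what the ‘legacy service principals’ observation above looks like in data. The field names, the Source ID layout and every GUID are assumptions made for the example; a real run would read exports from the EAC and from Dataverse instead.

```python
"""Cross-check Entra Agent ID inventories against Copilot Studio agents.

Added example with constructed sample data standing in for: an 'All agent
identities' export, an 'Agent registry' export, and Dataverse 'bot' rows with
SynchronizationStatus expanded. Field names and Source ID layout are assumptions.
"""
import json

# Constructed: 'All agent identities'. usesAgentIdentity mirrors the EAC column.
AGENT_IDENTITIES = [
    {"objectId": "1a2b3c4d-0000-4000-8000-000000000001",
     "appId": "aaaaaaaa-1111-4111-8111-111111111111",
     "displayName": "Untitled agent",   # stale: the agent was renamed in Copilot Studio
     "usesAgentIdentity": False},       # service-principal based
    {"objectId": "1a2b3c4d-0000-4000-8000-000000000002",
     "appId": "bbbbbbbb-2222-4222-8222-222222222222",
     "displayName": "Expense Agent",
     "usesAgentIdentity": True},        # Entra Agent Identity
    {"objectId": "1a2b3c4d-0000-4000-8000-000000000003",
     "appId": "cccccccc-3333-4333-8333-333333333333",
     "displayName": "Old Demo Agent",   # agent since deleted: identity left behind
     "usesAgentIdentity": False},
]

# Constructed: 'Agent registry'. Assumption: the agent's item ID GUID is embedded
# in the Source ID string, so a substring match ties the two together.
AGENT_REGISTRY = [
    {"name": "Helpdesk Agent",
     "sourceId": "copilotstudio:f91e31c5-7d4e-4c7a-9b1e-3c5d6e7f8a90",
     "agentIdentityId": "1a2b3c4d-0000-4000-8000-000000000001"},
    {"name": "Expense Agent",
     "sourceId": "copilotstudio:0be2d9aa-51cc-4f2b-8d1e-aa0b2c3d4e5f",
     "agentIdentityId": "1a2b3c4d-0000-4000-8000-000000000002"},
]

# Constructed: Dataverse 'bot' rows. SynchronizationStatus is JSON carrying applicationId.
BOT_ROWS = [
    {"botid": "f91e31c5-7d4e-4c7a-9b1e-3c5d6e7f8a90", "name": "Helpdesk Agent", "environment": "Dev",
     "synchronizationstatus": json.dumps({"applicationId": "aaaaaaaa-1111-4111-8111-111111111111"})},
    {"botid": "0be2d9aa-51cc-4f2b-8d1e-aa0b2c3d4e5f", "name": "Expense Agent", "environment": "Prod",
     "synchronizationstatus": json.dumps({"applicationId": "bbbbbbbb-2222-4222-8222-222222222222"})},
]


def app_id_from_sync_status(raw):
    """Return applicationId from the SynchronizationStatus JSON, or None if missing/unparseable."""
    try:
        return json.loads(raw or "{}").get("applicationId")
    except (json.JSONDecodeError, AttributeError):
        return None


def reconcile(identities, registry, bots):
    """Join the inventories on appId (bot <-> identity) and item ID (bot <-> registry).

    Returns matched agents, identities with no live agent (cleanup candidates), and
    registry entries whose Source ID matches no agent."""
    by_app_id = {i["appId"].lower(): i for i in identities}
    matched, seen_ids, seen_reg = [], set(), set()
    for bot in bots:
        app_id = (app_id_from_sync_status(bot["synchronizationstatus"]) or "").lower()
        ident = by_app_id.get(app_id)
        if ident:
            seen_ids.add(ident["objectId"])
        # The registry is the EAC view that survives renames, so match it by item ID.
        hits = [n for n, r in enumerate(registry) if bot["botid"].lower() in r["sourceId"].lower()]
        seen_reg.update(hits)
        matched.append({
            "agent": bot["name"], "environment": bot["environment"], "itemId": bot["botid"],
            "identityObjectId": ident["objectId"] if ident else None,
            "identityType": ("Entra agent identity" if ident and ident["usesAgentIdentity"]
                             else "service principal" if ident else "none found"),
            # Renames in Copilot Studio do not propagate to the identity object.
            "identityNameStale": bool(ident) and ident["displayName"] != bot["name"],
            # Registry 'Agent Identity ID' should equal the identity's Object ID.
            "registryAgrees": bool(ident) and any(
                registry[n]["agentIdentityId"] == ident["objectId"] for n in hits),
            "registryEntries": len(hits),
        })
    orphaned = [i for i in identities if i["objectId"] not in seen_ids]
    unmatched = [r for n, r in enumerate(registry) if n not in seen_reg]
    return {"matched": matched, "orphanedIdentities": orphaned, "unmatchedRegistry": unmatched}


def report(result):
    """Plain-text summary an admin could drop into a review ticket."""
    lines = []
    for m in result["matched"]:
        flags = [f for f, on in (("identity name stale", m["identityNameStale"]),
                                 ("registry/identity mismatch", not m["registryAgrees"])) if on]
        suffix = f" [{', '.join(flags)}]" if flags else ""
        lines.append(f"{m['agent']} ({m['environment']}) -> {m['identityType']} "
                     f"{m['identityObjectId']}{suffix}")
    for o in result["orphanedIdentities"]:
        lines.append(f"ORPHANED: {o['displayName']} ({o['objectId']}) has no live agent; review for cleanup")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(reconcile(AGENT_IDENTITIES, AGENT_REGISTRY, BOT_ROWS)))
```

The join on Application ID is the one the post validates for both service-principal and Entra agent identities, so it is the primary key here; the Source ID substring match is only as reliable as the assumption that the item ID is embedded in it, so treat a registryAgrees of False as something to check by hand in EAC rather than as a hard error. An identity appearing under orphanedIdentities is exactly the ‘legacy service principal’ case noted earlier and is worth reviewing before any Entra policy is scoped to ‘all agent identities’.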

As admins, we don’t want to be scuffling around in backend tables to do all this cross-checking and at time of writing, Microsoft haven’t given us a unified view. Thankfully, Valentin has created the Copilot Studio Monitor solution for us all to use. You can download it here and see his full write-up about it here.

One of the things I love most about the Power BI report Val has put together is seeing the agent, environment and applicationId all in one place. This isn’t something we can do in EAC or PPAC as yet:

I’m sure there’s the option to bring additional data into the report to show ‘Uses agent identity’ yes/no like the All agent identities view in EAC.

If you’re not following Valentin on LinkedIn, go and do that now. Keep an eye on his PowerTricks site where he uploads other excellent blogs and admin-focused tools for others to download and use.

ALM awareness

If you deploy an agent to a downstream environment that has the Entra Agent Identity feature enabled, an Entra agent identity is assigned to the agent immediately.

As you’d expect, really. But for awareness, you’ll then have multiple entries in the Agent Registry, one for each deployed copy (i.e. across a Dev/Test/Prod scenario):

In this scenario though, the original service principal identity seemingly gets ‘upgraded’ to an Entra identity. There are no duplicate entries in the Agent Identities section, only in the Agent registry.

One option is to enable the Entra Agent Identity feature only for your Production environment(s). This will simplify any Entra-based governance and policies you need to apply.

Turn it off, turn it back on again

As a quick test, I enabled the Entra Agent Identity feature and deployed an agent. Identity successfully created and registered in the Agent Registry.

I then disabled the feature to see what happened. It appears that the Entra Identity remains and all future agents in that environment revert to being assigned a service principal identity by default.

Microsoft 365 viewpoint

In the Microsoft 365 Admin Centre (MAC), we can navigate to All Agents and see a large list of agents. This only shows published agents, though; any unpublished Copilot Studio agents will not show here.

Viewing all agents in the Microsoft 365 Admin Centre

Purely from the Entra Agent Identity feature perspective, we can see the Agent Blueprint as a published entry in MAC:

Visibility of Entra Agent Identity blueprints in the Microsoft 365 Admin Centre

Clicking on this will take you to the Entra Admin Centre and show the agent identities created with that blueprint. In this example, these agents haven’t yet been published, so they are not visible in MAC:

Future

I think this is going to be a good feature moving forward. The ability to manage and govern agent identities in Entra and add layers of protection & governance is going to be brilliant – especially for enterprise-grade agents.

From an admin perspective though, tying it all together in a single view remains a need. As I have done during research into this article, I’ve gone across Entra Admin Centre, Power Platform Admin Centre, Copilot Studio settings, CoE toolkit and Microsoft 365 Admin Centre; I dare say I’ve barely scratched the surface.

I’m keen to see how this evolves and hopefully, see the applicationId flow into the recently GA’d Power Platform Inventory in PPAC.

Thanks for reading. If you liked this article and want to receive more helpful tips about Power Platform / Agent governance, don’t forget to subscribe or follow me on socials 😊
