This repository contains samples demonstrating how to use Agent Identities in Microsoft Entra ID with Microsoft Identity Web. Agent Identities enable AI agents to securely access downstream services using either autonomous (app-only) or user-delegated tokens.
A comprehensive sample showcasing how an AI agent orchestrates multiple downstream APIs using:
- Autonomous Agent Identity (Order API - read operations)
- Agent User Identities with user context (Shipping & Email APIs - write operations)
- .NET Aspire for distributed tracing, logging, and service orchestration
- In-memory stores for quick setup without external dependencies
Perfect for: Microsoft Ignite 2025 - 30-minute hands-on lab
Agent Identities are a new capability in Microsoft Entra ID that enable AI agents to:
- Autonomous Agent Identity - Acquire app-only tokens for operations that don't require user context.
- Agent User Identity - Acquire tokens with user context for operations requiring user identity (e.g., sending emails, participating in Teams channels).
This allows developers to build AI agents that can securely call downstream APIs with the appropriate level of authorization.
✅ Secure by design - Tokens are validated by Microsoft Entra ID
✅ Flexible authorization - Mix app-only and user-delegated patterns
✅ Audit trail - All operations are logged with proper identity context
✅ Works with existing APIs - No changes needed to downstream services
- .NET 9 SDK (for .NET samples)
- Visual Studio 2022 or VS Code
- (Optional) Azure subscription for cloud deployment
- (Optional) Microsoft 365 Developer account if you want to try Graph API integration with Teams/Mail
# Clone the repository
git clone https://github.com/Azure-Samples/ms-identity-agent-identities.git
# Navigate to a sample
cd ms-identity-agent-identities/dotnet/CustomerServiceAgent
# Install the .NET Aspire workload if needed
dotnet workload install aspire
# Build and run
dotnet build
dotnet run --project src/CustomerServiceAgent.AppHost
- Agent Identities Official Documentation - Detailed guide on Agent Identities
- Microsoft Identity Web - The library powering these samples
- .NET Aspire - Cloud-native application orchestration
- Microsoft Graph SDK - Integrate with Microsoft 365
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately. Simply follow the instructions provided by the bot.
See CONTRIBUTING.md for more information.
This project is licensed under the MIT License - see the LICENSE.md file for details.
For questions or issues:
- GitHub Issues - Create an issue
- Microsoft Q&A - Ask on Microsoft Q&A
- Stack Overflow - Tag your question with azure-ad and microsoft-identity-web
- Microsoft Entra ID Documentation
- Azure Identity Samples
- Microsoft Identity Platform
- Office 365 Developer Program
Target: Microsoft Ignite 2025 (November)
Maintained by: Microsoft Identity Team