@givinalis givinalis commented Dec 17, 2025

Changes

This pull request migrates the AgentId command set from the MSIdentityTools module into the entra-powershell repository. The migration consolidates management tools and provides a complete, production-ready implementation for creating and managing Agent Identity Blueprints and Agent Identities in Microsoft Entra ID. The key changes are:

  • Added: 17 new cmdlets with complete implementation
  • Integrated: 41 files including cmdlet code, helper functions, documentation, and tests
  • Documentation: Full markdown help documentation for all cmdlets
  • Tests: Comprehensive unit tests for core functionality

Detailed Breakdown of Migrated AgentId Commands

1. Core Blueprint Management

New-EntraBetaAgentIdentityBlueprint

  • Creates a new Agent Identity Blueprint with sponsors and owners
  • Supports user and group sponsors
  • Stores blueprint ID in module state for subsequent operations
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

New-EntraBetaAgentIdentityBlueprintPrincipal

  • Creates a service principal for the Agent Identity Blueprint
  • Uses specialized graph.agentIdentityBlueprintPrincipal endpoint
  • Enables permission assignments and role-based access
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Get-EntraBetaAgentIdentity

  • Retrieves an Agent Identity by its ID
  • Provides error handling for not-found scenarios
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

2. Security & Permission Management

Add-EntraBetaClientSecretToAgentIdentityBlueprint

  • Adds a 90-day client secret to the blueprint
  • Stores secret in secure module variable
  • Includes automatic retry logic (up to 10 retries)
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Add-EntraBetaPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal

  • Grants AgentIdUser.ReadWrite.IdentityParentedBy permission
  • Enables blueprint to create agent users
  • Caches Microsoft Graph service principal ID
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Add-EntraBetaInheritablePermissionsToAgentIdentityBlueprint

  • Configures inheritable Microsoft Graph permissions
  • Supports custom resource applications
  • Stores configured scopes for subsequent use
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Add-EntraBetaPermissionsToInheritToAgentIdentityBlueprintPrincipal

  • Launches browser-based admin consent flow
  • Supports OBO (On-Behalf-Of) scenarios
  • Suggests scopes from previous configurations
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

3. Configuration & Customization

Add-EntraBetaScopeToAgentIdentityBlueprint

  • Adds OAuth2 permission scopes to blueprint
  • Configures scope display name and description
  • Sets identifier URI (api://{blueprintId})
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Add-EntraBetaRedirectURIToAgentIdentityBlueprint

  • Adds web redirect URIs for authentication callbacks
  • Preserves existing redirect URIs
  • Prevents duplicate URI addition
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

4. Agent Identity & User Creation

New-EntraBetaAgentIDForAgentIdentityBlueprint

  • Creates agent identities from blueprints
  • Supports multiple sponsors and owners
  • Uses blueprint credentials for authentication
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

New-EntraBetaAgentIDUserForAgentId

  • Creates agent users parented to agent identities
  • Auto-generates mailNickname from UPN
  • Creates enabled accounts by default
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Users/

5. Token Management

Get-EntraBetaAgentIdentityToken

  • Acquires access tokens using client credentials
  • Supports three authentication modes:
    • AutonomousApp: App-only authentication
    • OBO: On-Behalf-Of flow
    • AutonomousUser: User-specific authentication
  • Two-step token acquisition with FMI path
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

6. Interactive Workflow

Invoke-EntraBetaAgentIdInteractive

  • Complete interactive wizard for Agent ID setup
  • Guides through 7 phases of configuration
  • Supports creating multiple agent identities
  • Provides comprehensive workflow summary
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

7. Helper Functions

Connect-AgentIdentityBlueprint (Internal)

  • Authenticates using stored blueprint credentials
  • Manages connection context switching
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

Get-SponsorsAndOwners (Internal)

  • Prompts and validates sponsors/owners
  • Ensures at least one sponsor or owner is provided
  • Location: module/EntraBeta/Microsoft.Entra.Beta/Applications/

@learn-build-service-prod

Learn Build status updates of commit 1761895:

❌ Validation status: errors

Please follow the instructions here, which may help to resolve the issue.

❌ Error Details

  • Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed] Failed to load file: C:/LocalRun/W/nstj-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.

@givinalis givinalis marked this pull request as ready for review December 18, 2025 07:24
@givinalis givinalis requested a review from a team as a code owner December 18, 2025 07:24
@givinalis givinalis added the Ready For Review The PR Ready for Review label Dec 18, 2025

@KenitoInc KenitoInc left a comment

A few points to note

  1. Add license info
  2. Cmdlets invoking beta/applications using POST or PATCH HTTP methods require Application.ReadWrite.All instead of Application.Read.All
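Added illustration (not code from this PR or from entra-powershell) of the two points raised above and in the Add-EntraBetaRedirectURIToAgentIdentityBlueprint description: a write to beta/applications is gated on Application.ReadWrite.All, and the redirect-URI update reads the current list, keeps it, and skips duplicates so the PATCH is idempotent. It assumes Microsoft.Graph.Authentication is loaded (Connect-MgGraph, Get-MgContext and Invoke-MgGraphRequest are its cmdlets); the two function names are hypothetical.

```powershell
# Hypothetical helpers, not the PR's implementation. Requires Microsoft.Graph.Authentication.

function Assert-GraphScopeForMethod {
    param(
        [Parameter(Mandatory)][ValidateSet('GET','POST','PATCH','DELETE')][string]$Method
    )
    # Read-only calls may run under Application.Read.All; any write to /applications
    # needs Application.ReadWrite.All (which also covers reads). Least privilege:
    # fail before the request rather than discover the 403 afterwards.
    $required = if ($Method -eq 'GET') { @('Application.Read.All','Application.ReadWrite.All') }
                else { @('Application.ReadWrite.All') }

    $ctx = Get-MgContext
    if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }

    $granted = @($ctx.Scopes)
    $ok = $required | Where-Object { $granted -contains $_ }
    if (-not $ok) {
        throw "HTTP $Method on /applications requires one of: $($required -join ', '); connected scopes: $($granted -join ', ')"
    }
}

function Add-RedirectUriIdempotent {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,   # object id of the blueprint application
        [Parameter(Mandatory)][string[]]$RedirectUri
    )
    $uri = "https://graph.microsoft.com/beta/applications/$ApplicationId"

    # Step 1: read what is already registered (GET is allowed under either scope).
    Assert-GraphScopeForMethod -Method GET
    $app = Invoke-MgGraphRequest -Method GET -Uri "${uri}?`$select=web"
    $existing = @($app.web.redirectUris)

    # Step 2: preserve existing URIs; add only those not yet present. Comparison is
    # case-sensitive because the authorization server matches redirect URIs exactly.
    $toAdd = $RedirectUri | Where-Object { $existing -cnotcontains $_ } | Select-Object -Unique
    if (-not $toAdd) {
        Write-Verbose 'All redirect URIs already present; no PATCH issued.'
        return $existing
    }

    # Step 3: the write path needs Application.ReadWrite.All.
    $merged = @($existing) + @($toAdd)
    Assert-GraphScopeForMethod -Method PATCH
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ web = @{ redirectUris = $merged } } | Out-Null
    return $merged
}
```

Calling Add-RedirectUriIdempotent twice with the same URI issues exactly one PATCH; the second call returns the unchanged list.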

@learn-build-service-prod

Learn Build status updates of commit f3f6a65:

❌ Validation status: errors

Please follow the instructions here, which may help to resolve the issue.

❌ Error Details

  • Line 0, Column 0: [Error: PSMD2Yaml_FileLoadFailed] Failed to load file: C:/LocalRun/W/rugb-s/module/mapping/monikerMapping.json. PackageRoot, ReferenceTocUrl, and ConceptualTocUrl are required for every moniker. PackageRoot should be a valid relative path to docset root.

For more details, please refer to the build report.

Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
