Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal
Opens admin consent page in browser for Agent Identity Blueprint Principal to inherit permissions.
Syntax
Default (Default)
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal
[-AgentBlueprintId <String>]
[-Scopes <String[]>]
[-Roles <String[]>]
[-RedirectUri <String>]
[-State <String>]
[<CommonParameters>]
Description
The Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal cmdlet launches the system browser with the admin consent URL for the Agent Identity Blueprint Principal. This allows the administrator to grant delegated permissions (scopes) and/or application roles that the blueprint can inherit and pass to agent identities. The consent URL is built using the v2.0 admin consent endpoint. If no explicit ID is provided, the cmdlet uses the stored AgentBlueprintId from the last New-EntraAgentIdentityBlueprint call. If no stored ID is available, the cmdlet prompts interactively for the Agent Identity Blueprint ID. If neither -Scopes nor -Roles is provided, the cmdlet prompts interactively for scopes.
Examples
Example 1: Open admin consent page using stored blueprint ID
Connect-Entra -Scopes 'AgentIdentityBlueprint.UpdateAuthProperties.All'
New-EntraAgentIdentityBlueprint -DisplayName "My Blueprint" -SponsorUserIds @("user1@contoso.com")
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal
This example opens the admin consent page in the browser for the Agent Identity Blueprint that was just created. The cmdlet will prompt for permission scopes if not provided.
Example 2: Open admin consent page with specific scopes
Connect-Entra -Scopes 'AgentIdentityBlueprint.UpdateAuthProperties.All'
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal -Scopes @("user.read", "mail.read", "calendars.read")
This example opens the admin consent page with specific permission scopes (user.read, mail.read, calendars.read).
Example 3: Open admin consent page with specific blueprint ID and scopes
Connect-Entra -Scopes 'AgentIdentityBlueprint.UpdateAuthProperties.All'
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal -AgentBlueprintId "7c0c1226-1e81-41a5-ad6c-532c95504443" -Scopes @("user.read")
This example opens the admin consent page for a specific Agent Identity Blueprint by providing the blueprint ID and requested scopes.
Example 4: Open admin consent page with application roles
Connect-Entra -Scopes 'AgentIdentityBlueprint.UpdateAuthProperties.All'
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal -Roles @("Mail.Read", "User.Read.All")
This example opens the admin consent page requesting application role (app-only) permissions instead of delegated scopes.
Example 5: Open admin consent page with both scopes and roles
Connect-Entra -Scopes 'AgentIdentityBlueprint.UpdateAuthProperties.All'
Add-EntraPermissionsToInheritToAgentIdentityBlueprintPrincipal -Scopes @("user.read") -Roles @("Mail.Read")
This example opens the admin consent page requesting both delegated scopes and application roles in a single consent flow.
Parameters
-AgentBlueprintId
The Application ID (AppId) of the Agent Identity Blueprint to grant consent for. If not provided, uses the stored ID from the last blueprint creation. If no stored ID is available, prompts interactively.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
-RedirectUri
The redirect URI after consent. Defaults to "https://entra.microsoft.com/TokenAuthorize".
Parameter properties
| Type: | System.String |
| Default value: | https://entra.microsoft.com/TokenAuthorize |
| Supports wildcards: | False |
| DontShow: | False |
-Roles
The application roles (app-only permissions) to request consent for. These are included in the consent URL as the role parameter. Can be used together with -Scopes to request both delegated and app-only permissions.
Parameter properties
| Type: | System.String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
-Scopes
The delegated permission scopes to request consent for. If neither -Scopes nor -Roles is provided, the cmdlet prompts interactively for scopes with a default suggestion of user.read.
Parameter properties
| Type: | System.String[] |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
-State
State parameter for the consent request. Defaults to a random value.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
None
Outputs
System.Object
Returns a PSCustomObject with the following properties:
- AgentBlueprintId - The Application ID of the Agent Identity Blueprint.
- TenantId - The tenant ID where consent is being granted.
- RequestedScopes - Array of delegated permission scopes requested.
- RequestedRoles - Array of application roles requested.
- RedirectUri - The redirect URI used in the consent flow.
- State - The state parameter used in the consent request.
- ConsentUrl - The full admin consent URL that was opened in the browser.
- Action - The action taken (e.g., "Browser Launched").
- Timestamp - When the consent flow was initiated.
Notes
This cmdlet opens the default system browser to the admin consent page. An administrator must complete the consent process in the browser.
This cmdlet requires the following Microsoft Graph permission:
- AgentIdentityBlueprint.UpdateAuthProperties.All
The cmdlet does not make any Microsoft Graph API calls directly. It constructs a consent URL using the v2.0 admin consent endpoint (https://login.microsoftonline.com/{tenantId}/v2.0/adminconsent) and launches it in the system browser via Start-Process.
If no Agent Identity Blueprint ID is stored and none is provided as a parameter, the cmdlet prompts interactively for the ID.
If neither -Scopes nor -Roles is provided, the cmdlet prompts interactively with a default suggestion of user.read.
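Because the cmdlet only builds a URL and hands it to the browser, the returned object is the one record of what the administrator is being asked to approve. The following added example (not part of the module or its documentation) reviews that object against an approved permission list and checks that ConsentUrl agrees with it. The function name, allowlist and sample object are hypothetical, and the presence of the standard v2.0 admin consent query parameters client_id, redirect_uri and state in ConsentUrl is an assumption.

```powershell
# Added example. Property names come from the Outputs section; the allowlists
# and the sample object (including its GUIDs and URL) are constructed.
function Test-AgentBlueprintConsentRequest {
    param(
        [Parameter(Mandatory)] [psobject] $Request,
        [string[]] $AllowedScopes = @(),
        [string[]] $AllowedRoles  = @()
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Least privilege: every requested permission must be pre-approved.
    # -notcontains is case-insensitive, so user.read matches User.Read.
    foreach ($s in @($Request.RequestedScopes)) {
        if ($s -and $AllowedScopes -notcontains $s) { $findings.Add("Unapproved scope: $s") }
    }
    foreach ($r in @($Request.RequestedRoles)) {
        if ($r -and $AllowedRoles -notcontains $r) { $findings.Add("Unapproved app role: $r") }
    }

    # The URL must be the v2.0 admin consent endpoint of the expected tenant.
    $uri = [uri]$Request.ConsentUrl
    if ($uri.Scheme -ne 'https' -or $uri.Host -ne 'login.microsoftonline.com' -or
        $uri.AbsolutePath -ne "/$($Request.TenantId)/v2.0/adminconsent") {
        $findings.Add("Unexpected consent endpoint: $($uri.GetLeftPart('Path'))")
    }

    # Query values (assumed parameter names) must agree with the recorded object.
    $query = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        if ($name) { $query[$name] = [uri]::UnescapeDataString(($value -replace '\+', '%20')) }
    }
    if ($query['client_id'] -ne $Request.AgentBlueprintId) { $findings.Add('client_id does not match AgentBlueprintId') }
    if ($query['redirect_uri'] -ne $Request.RedirectUri)   { $findings.Add('redirect_uri does not match RedirectUri') }
    if ($query['state'] -cne $Request.State)               { $findings.Add('state does not match State') }
    $findings
}

$tenant = '00000000-0000-0000-0000-0000000000aa'; $app = '00000000-0000-0000-0000-000000000001'
$sample = [pscustomobject]@{   # constructed stand-in for the cmdlet's output
    AgentBlueprintId = $app; TenantId = $tenant; State = 'constructed-state'
    RequestedScopes  = @('user.read', 'calendars.read'); RequestedRoles = @('Mail.Read')
    RedirectUri      = 'https://entra.microsoft.com/TokenAuthorize'
    ConsentUrl       = "https://login.microsoftonline.com/$tenant/v2.0/adminconsent?client_id=$app" +
        '&scope=user.read%20calendars.read&role=Mail.Read&state=constructed-state' +
        '&redirect_uri=https%3A%2F%2Fentra.microsoft.com%2FTokenAuthorize'
}
@(Test-AgentBlueprintConsentRequest -Request $sample -AllowedScopes 'user.read', 'mail.read')
```

In practice, pass the object returned by the cmdlet as -Request and store it with the findings in the change record for the consent grant.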
