

Agent blueprint and instance setup

Important

You need to be part of the Frontier preview program to get early access to Microsoft Agent 365. Frontier connects you directly with Microsoft’s latest AI innovations. Frontier previews are subject to the existing preview terms of your customer agreements. As these features are still in development, their availability and capabilities may change over time.

Note

Agent identity authentication is one of the two authentication flows you can use. The other is the On-Behalf-Of (OBO) flow.

The agentic authentication flow enables an agent to act with its own identity. In this flow:

  • The agent authenticates using its own credentials (agent blueprint credentials)
  • The agent operates independently with its own assigned permissions
  • The agent has its own identity, separate from any user
  • This flow is ideal for autonomous agent operations that don't require user context

Use cases:

  • Autonomous agent operations (scheduled tasks, monitoring)
  • Sending emails or creating meetings from the agent's mailbox
  • Creating and managing agent-owned resources
  • Background processing without user interaction

Create your agentic identity

To develop and test your agent with agentic authentication, you need to create the agent identity and register it with Microsoft 365. This identity allows you to test your agent's capabilities like tooling, observability, and notifications as you build them.

The agent creation process involves three key steps:

  1. Configure - Initialize the Agent 365 CLI configuration
  2. Setup - Create Azure resources and agent blueprint
  3. Publish and create instance - Publish agent and create an agent instance through Microsoft Teams

Prerequisites

Before you begin, ensure you have the following:

Required permissions:

  • Valid tenant user with one of the following roles:
    • Global Administrator
    • Agent ID Administrator
    • Agent ID Developer
  • Access to an Azure subscription with permissions to create resources

Step 1: Configure the Agent 365 CLI

The a365 config init command creates a365.config.json, the central configuration file used by all Agent 365 CLI commands. The CLI provides an interactive wizard with Azure CLI integration and smart defaults to minimize manual input.

Authenticate with Azure

Before initializing configuration, authenticate with Azure using the az login command:

az login

Select the appropriate subscription when prompted. The configuration wizard uses Azure CLI to query available subscriptions, resource groups, and app service plans.

Initialize configuration

Run the following command to start the interactive configuration wizard:

a365 config init

The wizard prompts you for the following fields:

| Field | Description | Example |
|---|---|---|
| Agent name | A unique identifier (alphanumeric only) | myagent |
| Deployment project path | Path to your agent project directory | C:\MyAgent\sample-agent |
| Manager email | Email of the manager overseeing this agent | manager@yourtenant.onmicrosoft.com |
| Azure resources | Select from existing resource groups and app service plans | (Interactive selection) |

The wizard automatically generates related resource names and identities, and validates your project type.

Availability limitation

At this time, the only supported Azure regions are:

  • centralindia
  • westeurope
  • westus

If you select a different region, or if you manually edit the location property in the a365.config.json file, you will see the following error when you try to create an agent blueprint:

The selected region ('{location}') is not supported by the Agent 365 CLI. Choose a supported region and ensure your web app name ('{webAppName}') is globally unique

Learn more about the Configuration file structure

Verify configuration

Use the a365 config display command to display your configuration and verify that all values are correct:

a365 config display

Step 2: Create agent blueprint

The a365 setup command creates Azure resources and registers your agent blueprint. The blueprint defines your agent's identity, permissions, and infrastructure requirements. This step establishes the foundation for deploying and running your agent in Azure.

Run setup

Execute the setup command:

a365 setup

The setup process performs these operations:

  1. Creates Azure infrastructure (if it doesn't already exist):

    • Resource group
    • App Service Plan with specified SKU
    • Azure Web App with managed identity enabled
  2. Registers agent blueprint:

    • Creates the agent blueprint in your Microsoft Entra tenant
    • Creates Microsoft Entra application registrations
    • Configures the agent identity with required permissions
  3. Configures API permissions:

    • Sets up Microsoft Graph API scopes
    • Configures Messaging Bot API permissions
    • Applies inheritable permissions for agent instances
  4. Updates configuration files:

    • Saves generated IDs and endpoints to a365.generated.config.json
    • Records managed identity and resource information

Note

During setup, browser windows will open for admin consent. Complete these consent flows to proceed. Setup typically takes 3-5 minutes and auto-saves configuration to a365.generated.config.json.

Verify setup

After setup completes successfully, you should see a summary showing all completed steps. Verify the created resources:

  1. View generated configuration:

    a365 config display -g
    

    Confirm these values are present:

    • agentBlueprintId - Your agent blueprint's application ID
    • agentBlueprintObjectId - Blueprint's Microsoft Entra ID
    • managedIdentityPrincipalId - System-assigned managed identity principal ID
  2. Review Azure resources in Azure Portal:

    Verify the following resources were created:

    • Resource Group:

      • Go to Resource Groups > Select your resource group
      • Verify it contains your App Service Plan and Web App
    • App Service Plan:

      • Go to App Services > App Service Plans
      • Find your plan and verify the pricing tier matches your configuration SKU
    • Web App:

      • Go to App Services > Web Apps
      • Find your web app, then go to Settings > Identity > System assigned
      • Verify status is On
      • Confirm that the Object (principal) ID matches managedIdentityPrincipalId
  3. Verify Microsoft Entra applications in Azure Portal:

    Go to Azure Active Directory > App registrations > All applications:

    • Search for your agent blueprint by the agentBlueprintId
    • Open the application and select API permissions
    • Verify permissions are granted with green checkmarks:
      • Microsoft Graph (delegated and application permissions)
      • Messaging Bot API permissions
    • All permissions should show "Granted for [Your Tenant]"
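
The region limitation from Step 1 and the ID checks from "Verify setup" can be scripted. The following is an added example, not part of the Agent 365 CLI or the original page. It assumes that the three IDs appear as keys somewhere in a365.generated.config.json and are GUID-shaped, and that `identity` is the parsed JSON output of `az webapp identity show` for your web app. The function names and the sample values are hypothetical.

```python
import json
import re

# Regions the page lists as supported by the Agent 365 CLI.
SUPPORTED_REGIONS = {"centralindia", "westeurope", "westus"}
REQUIRED_IDS = ("agentBlueprintId", "agentBlueprintObjectId", "managedIdentityPrincipalId")
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

def find_key(node, key):
    """Return the first value stored under `key` anywhere in parsed JSON, else None."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            found = find_key(child, key)
            if found is not None:
                return found
    return None

def check_setup(config, generated, identity):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    location = str(find_key(config, "location") or "").strip().lower()
    if location not in SUPPORTED_REGIONS:
        problems.append(f"location '{location}' is not a supported region")
    for key in REQUIRED_IDS:
        value = find_key(generated, key)
        if not isinstance(value, str) or not GUID.match(value):
            problems.append(f"{key} is missing or not a GUID")
    expected = str(find_key(generated, "managedIdentityPrincipalId") or "").lower()
    if "SystemAssigned" not in str(identity.get("type", "")):
        problems.append("web app has no system-assigned managed identity")
    elif str(identity.get("principalId") or "").lower() != expected:
        problems.append("managedIdentityPrincipalId does not match the web app's principal ID")
    return problems

# Constructed sample data (not real tenant values); key layout is an assumption.
SAMPLE_CONFIG = json.loads('{"location": "eastus", "webAppName": "myagent-webapp"}')
SAMPLE_GENERATED = json.loads("""{
  "agentBlueprintId": "11111111-1111-1111-1111-111111111111",
  "agentBlueprintObjectId": "22222222-2222-2222-2222-222222222222",
  "managedIdentityPrincipalId": "33333333-3333-3333-3333-333333333333"
}""")
# Shape of `az webapp identity show` output; the principal ID deliberately differs.
SAMPLE_IDENTITY = {"type": "SystemAssigned", "principalId": "44444444-4444-4444-4444-444444444444"}

if __name__ == "__main__":
    for problem in check_setup(SAMPLE_CONFIG, SAMPLE_GENERATED, SAMPLE_IDENTITY):
        print("FAIL:", problem)
```

A principal ID mismatch means the generated configuration refers to a different identity than the one the web app actually runs as, so resolve it before publishing.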

Step 3: Publish and create an agent instance

The a365 publish command publishes your agent to the Microsoft 365 admin center, making it available for creating agent instances within your organization.

Important

The create-instance command is temporarily removed. Use publish followed by creating an agent instance through Microsoft Teams instead.

Publish your agent

Run the following command:

a365 publish

What it does:

  1. Updates manifest - Updates manifest.json with agent blueprint ID
  2. Customization pause - Allows you to customize version, names, descriptions, and icons
  3. Creates package - Packages your agent as manifest.zip
  4. Uploads to admin center - Publishes to Microsoft 365 admin center
  5. Configures identity - Creates federated identity for Teams integration
  6. Assigns permissions - Applies necessary Graph permissions

Expected output:

You'll see progress messages for:

  • Manifest extraction and updates
  • Customization prompt (press Enter after reviewing)
  • Package creation
  • Upload to admin center
  • Identity and permission configuration

Create an agent instance in Microsoft Teams

After publishing, complete the onboarding by creating an agent instance:

  1. Open Microsoft Teams
  2. Navigate to the Apps section
  3. Search for your published agent
  4. Click "Add" to create an agent instance

Note

License requirement: Your tenant must be part of the Microsoft Agent 365 Frontier preview program. Without this, you cannot create agent instances. Contact your tenant administrator to ensure proper access.

For detailed hiring instructions, see Onboard agents.

Optional: Deploy to Azure

If you're hosting your agent on an Azure Web App rather than on other hosting, run:

a365 deploy

This step is only needed if you created Azure infrastructure during setup.

Verify agent availability

You can view your published agent here: Microsoft 365 Admin Center - Agents

Next steps

Your agent identity is now registered and ready. Next:

  1. Add tooling capabilities - Enable Microsoft 365 tools (recommended for testing authentication)
  2. Test your agent - Validate with Agent Playground