---
title: Agent ID Administrator
description: Agent ID Administrator
ms.topic: include
ms.date: 01/26/2026
ms.custom: include file, agent-id-ignite
---

Privileged role.

Assign the Agent ID Administrator role to users who need to do the following:

  • Manage all aspects of agents in a tenant including identity lifecycle operations for agent blueprints, agent service principals, agent identities, and agentic users.

[!div class="mx-tableFixed"]

| Actions | Description | Privileged |
| --- | --- | --- |
| microsoft.azure.serviceHealth/allEntities/allTasks | Read and configure Azure Service Health | |
| microsoft.azure.supportTickets/allEntities/allTasks | Create and manage Azure support tickets | |
| microsoft.directory/agentIdentities/appRoleAssignedTo/update | Update agent identity role assignments. | |
| microsoft.directory/agentIdentities/basic/update | Update basic properties of agent identities. | |
| microsoft.directory/agentIdentities/create | Create agent identities. | Yes |
| microsoft.directory/agentIdentities/delete | Delete agent identities. | Yes |
| microsoft.directory/agentIdentities/disable | Disable agent identities. | Yes |
| microsoft.directory/agentIdentities/enable | Enable agent identities. | Yes |
| microsoft.directory/agentIdentities/owners/update | Add and remove owners to agent identities. | |
| microsoft.directory/agentIdentities/tag/update | Update tags for agent identities. | |
| microsoft.directory/agentIdentityBlueprintPrincipals/appRoleAssignedTo/update | Update agent identity blueprint principal role assignments. | |
| microsoft.directory/agentIdentityBlueprintPrincipals/basic/update | Update basic properties of agent identity blueprint principals. | |
| microsoft.directory/agentIdentityBlueprintPrincipals/create | Create agent identity blueprint principals. | Yes |
| microsoft.directory/agentIdentityBlueprintPrincipals/delete | Delete agent identity blueprint principals. | Yes |
| microsoft.directory/agentIdentityBlueprintPrincipals/disable | Disable agent identity blueprint principals. | Yes |
| microsoft.directory/agentIdentityBlueprintPrincipals/enable | Enable agent identity blueprint principals. | Yes |
| microsoft.directory/agentIdentityBlueprintPrincipals/owners/update | Add and remove owners to agent identity blueprint principals. | |
| microsoft.directory/agentIdentityBlueprintPrincipals/tag/update | Update tags for agent identity blueprint principals. | |
| microsoft.directory/agentIdentityBlueprints/allProperties/read | Read all properties and settings for agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/allProperties/update | Update all properties and settings for agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/appRoles/update | Modify app roles defined on agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/authentication/update | Update authentication related settings for agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/audience/update | Update the sign-in audience setting for agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/basic/update | Update basic properties of agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/create | Create agent identity blueprints. | Yes |
| microsoft.directory/agentIdentityBlueprints/credentials/update | Add and remove credentials to agent identity blueprints. | Yes |
| microsoft.directory/agentIdentityBlueprints/delete | Delete agent identity blueprints. | Yes |
| microsoft.directory/agentIdentityBlueprints/owners/update | Add and remove owners to agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/permissions/update | Modify exposed permissions on agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/tag/update | Update tags for agent identity blueprints. | |
| microsoft.directory/agentIdentityBlueprints/verification/update | Update publisher verification setting for agent identity blueprints. | |
| microsoft.directory/agentUsers/assignLicense | Manage agent user licenses | |
| microsoft.directory/agentUsers/basic/update | Update basic properties on agent users | |
| microsoft.directory/agentUsers/create | Add agent users | Yes |
| microsoft.directory/agentUsers/delete | Delete agent users | Yes |
| microsoft.directory/agentUsers/disable | Disable agent users | Yes |
| microsoft.directory/agentUsers/enable | Enable agent users | Yes |
| microsoft.directory/agentUsers/invalidateAllRefreshTokens | Force sign-out by invalidating agent user refresh tokens | Yes |
| microsoft.directory/agentUsers/lifeCycleInfo/read | Read lifecycle information of agent users, such as employeeLeaveDateTime | Yes |
| microsoft.directory/agentUsers/lifeCycleInfo/update | Update lifecycle information of agent users, such as employeeLeaveDateTime | Yes |
| microsoft.directory/agentUsers/manager/update | Update manager for agent users | |
| microsoft.directory/agentUsers/restore | Restore deleted agent users | |
| microsoft.directory/agentUsers/revokeSignInSessions | Revoke sign-in sessions for an agent user | |
| microsoft.directory/agentUsers/sponsors/update | Update sponsors of agent users | |
| microsoft.directory/agentUsers/usageLocation/update | Update usage location of agent users | |
| microsoft.directory/agentUsers/userPrincipalName/update | Update User Principal Name of agent users | Yes |
| microsoft.directory/auditLogs/allProperties/read | Read all properties on audit logs, excluding custom security attributes audit logs. | |
| microsoft.directory/deletedItems.agentIdentityBlueprints/delete | Permanently delete agent identity blueprints, which can no longer be restored | |
| microsoft.directory/deletedItems.agentIdentityBlueprints/restore | Restore soft deleted agent identity blueprints to original state | |
| microsoft.directory/groups/hiddenMembers/read | Read hidden members of Security groups and Microsoft 365 groups, including role-assignable groups | |
| microsoft.directory/groups.unified/createAsOwner | Create Microsoft 365 groups, excluding role-assignable groups. Creator is added as the first owner. | |
| microsoft.directory/policies/standard/read | Read basic properties on policies | |
| microsoft.directory/signInReports/allProperties/read | Read all properties on sign-in reports, including privileged properties. | |
| microsoft.office365.serviceHealth/allEntities/allTasks | Read and configure Service Health in the Microsoft 365 admin center | |
| microsoft.office365.supportTickets/allEntities/allTasks | Create and manage Microsoft 365 service requests | |