The Microsoft Entra admin center allows you to view all agent identity blueprint principals in your tenant. You can search, filter, sort, and manage blueprint principals including their credentials, permissions, and owners.
Navigate to the agent identity blueprint list
- Sign in to the Microsoft Entra admin center.
- Browse to Entra ID > Agents > Agent blueprints.
- Select a blueprint principal to open its management page.
Search and filter blueprints
- Enter the name or object ID of the blueprint principal in the search box.
- To look up a blueprint by its Blueprint Application ID, select Add filters and add the Blueprint App ID filter.
- You can further refine the list using filters based on various criteria.
Select viewing options
To customize your view, select Choose columns to configure which columns are shown. The available columns are:
| Column Name | Description | Sortable | Filterable | Special notes |
|---|---|---|---|---|
| Name | Display name of the agent identity blueprint principal | ✓ | ✓ | Primary search field; clickable to view details of the agent identity blueprint principal |
| Agent identities | The number of child agent identities created by the agent blueprint principal | ✗ | ✗ | Select this to see a list of linked child agent identities for that agent identity blueprint principal |
| Status | Current operational state (Active or Disabled) | ✓ | ✓ | |
| Blueprint Application ID | Unique identifier for the agent identity blueprint of this agent identity blueprint principal | ✗ | ✓ | |
| Object ID | Unique identifier for the agent blueprint principal | ✗ | ✓ | |
View linked agent identities
View the agent identities that were created from a blueprint.
- From the blueprint's management page, select Linked agent identities from the left menu.
- The list shows each linked identity with its Name, Status, View Access link, and Owners and Sponsors.
- Select an identity name to navigate to its detail page.
- Use Add filters to refine the list.
View granted permissions
Review the permissions assigned to a blueprint principal, organized by consent type.
- From the blueprint's management page, select Granted permissions under Access.
- Select the Admin consent tab to view permissions granted through administrator consent, or select the User consent tab to view permissions granted through user consent.
- The list shows the API name, Claim value, Permission, Type, Granted through, and Granted by for each permission entry.
View the manifest
To view or edit the raw JSON manifest for the agent identity blueprint, select Manifest under Developer settings from the blueprint's management page.
Note
The manifest editor is currently in preview.
Manage credentials
Configure the credentials that agent identities use to authenticate. The credentials page has three tabs for different credential types.
Important
To best align with Zero Trust principles, use federated credentials or certificates instead of client secrets.
Upload a certificate
- From the blueprint's management page, select Credentials under Developer settings.
- Select the Certificates tab.
- Select Upload certificate.
- Browse to and select the certificate file, and optionally add a description.
- Select Add.
Create a client secret
- From the blueprint's management page, select Credentials under Developer settings.
- Select the Client secrets tab.
- Select New client secret.
- Enter a Description for the secret.
- Select an expiration period under Expires. For custom expiration, set the Start and End dates.
- Select Add.
- Copy the secret Value immediately. The value isn't displayed again after you leave the page.
Note
Your tenant policy might limit the maximum lifetime for client secrets.
Add a federated credential
Federated credentials use workload identity federation to establish trust between Microsoft Entra and external identity providers without storing secrets. For more information about these scenarios and how workload identity federation works, see Workload identity federation.
Take the following steps to add a federated credential for an agent identity blueprint principal.
- From the blueprint's management page, select Credentials under Developer settings.
- Select the Federated credentials tab.
- Select Add credential.
- Under Federated credential scenario, select a scenario:
  - Managed Identity: Configure a managed identity to get tokens and access resources across tenants.
  - GitHub Actions deploying Azure resources: Configure a GitHub workflow to get tokens and deploy to Azure.
  - Kubernetes accessing Azure resources: Configure a Kubernetes service account to get tokens and access Azure resources.
  - Other issuer: Configure an identity managed by an external OpenID Connect provider.
- Complete the required fields for the selected scenario.
- Select Add.
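How the issuer, subject, and audience configured on a federated credential gate the token exchange, shown as an added example that is not part of the original page or Microsoft's code. The field names follow the Microsoft Graph federatedIdentityCredential resource, the comparison models the exact, case-sensitive match that workload identity federation requires, and every repository, cluster URL, and credential name is constructed.

```python
# Added example: models exact-match checks on a federated credential; all values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class FederatedCredential:
    name: str
    issuer: str
    subject: str
    audiences: tuple

def mismatches(cred, claims):
    """List the token claims (iss, sub, aud) that fail an exact,
    case-sensitive comparison with the credential; [] means a match."""
    failed = []
    if claims.get("iss") != cred.issuer:
        failed.append("iss")
    if claims.get("sub") != cred.subject:
        failed.append("sub")
    aud = claims.get("aud")
    token_auds = [aud] if isinstance(aud, str) else list(aud or [])
    if not any(a in cred.audiences for a in token_auds):
        failed.append("aud")
    return failed

def matching_credentials(creds, claims):
    return [c.name for c in creds if not mismatches(c, claims)]

# Constructed sample configuration (not taken from any real tenant).
GITHUB_MAIN = FederatedCredential(
    name="github-main",
    issuer="https://token.actions.githubusercontent.com",
    subject="repo:contoso/agent-deploy:ref:refs/heads/main",
    audiences=("api://AzureADTokenExchange",),
)
K8S_AGENT = FederatedCredential(
    name="k8s-agent",
    issuer="https://oidc.example.invalid/cluster-1/",
    subject="system:serviceaccount:agents:blueprint-sa",
    audiences=("api://AzureADTokenExchange",),
)
CREDS = [GITHUB_MAIN, K8S_AGENT]

# Constructed claims from external OIDC tokens (signature validation is out of scope here).
MAIN_TOKEN = {"iss": GITHUB_MAIN.issuer, "sub": GITHUB_MAIN.subject, "aud": "api://AzureADTokenExchange"}
FEATURE_TOKEN = dict(MAIN_TOKEN, sub="repo:contoso/agent-deploy:ref:refs/heads/feature-x")
CASE_TOKEN = dict(MAIN_TOKEN, sub="repo:Contoso/agent-deploy:ref:refs/heads/main")
if __name__ == "__main__":
    for label, tok in [("main", MAIN_TOKEN), ("feature", FEATURE_TOKEN), ("case", CASE_TOKEN)]:
        print(label, matching_credentials(CREDS, tok), mismatches(GITHUB_MAIN, tok))
```

Scoping the subject to a single branch or service account means a token minted for any other branch, repository, or namespace fails the subject comparison and cannot be exchanged.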
Manage owners and sponsors
Owners and sponsors help establish governance for your blueprint. From the Owners and sponsors page in the left menu, you can manage ownership for both the agent blueprint and the agent blueprint principal.
For detailed steps on adding, removing, and managing owners and sponsors, see Add and manage owners and sponsors for agent identities and blueprints.
View audit and sign-in logs
You can view logs for both the agent blueprint principal and the blueprint itself from the blueprint's management page.
Agent blueprint principal activity
The agent blueprint principal supports both audit and sign-in logs:
- To view administrative actions taken on the blueprint principal, select Audit logs from the left menu under Agent blueprint principal activity.
- To view sign-in activity for the blueprint principal, select Sign-in logs from the left menu under Agent blueprint principal activity. For more information, see view sign-in logs for agents.
Agent blueprint activity
The agent blueprint supports only audit logs:
- To view administrative actions related to the blueprint configuration, select Audit logs from the left menu under Agent blueprint activity.
Disable an agent identity blueprint principal
To disable an agent identity blueprint principal, select the Disable button in the command bar at the top of the blueprint's overview page. A confirmation dialog appears warning that existing agent identities created from this blueprint will no longer be able to authenticate. Confirm the action to proceed.