Microsoft is finally using AI to paper over the inherent complexity of its identity stack, admitting that Entra ID has become too convoluted for manual human configuration. While Agent ID is a necessary step for the future, it primarily serves as a high-tech band-aid for a long-standing developer experience debt.
ASP.NET Community Standup: Simplifying Entra ID authentication with AI
All right. Hello everyone and welcome to the ASP.NET Core community standup, where we talk about the latest updates to .NET web development. I'm Daniel Roth, principal product manager for ASP.NET Core and Blazor on the .NET team. Thank you for being here. I apologize for the delay. We had a few little technical issues getting everyone set up, but I think we finally got everything sorted out. So thank you for hanging with us and for your patience. Today we have a very cool topic. We're going to be talking about how you can set up security and authentication in your applications using Entra ID, via AI, using AI to simplify all those details of getting authentication set up, and also about how you could give some of your AI agents some identities. So that sounds super interesting. What an amazing new world that we live in. We have two very special guests here to talk about this. First of all we have Jean-Marc Prieur. He is a principal software engineer on the 1ES team at Microsoft, the One Engineering Systems team, and he helps secure Microsoft at scale using AI by reducing developer toil. Previously he was the architect behind the authentication libraries in Microsoft's Identity and Network Access division. Recently he shipped the Aspire and Entra ID skills and wrote the corresponding dev blog posts about them.
Welcome, Jean-Marc. It's great to have you here.
>> Thank you. Thank you, Daniel.
>> We also have Kyle Marsh here with us. He's part of the Microsoft Security software development company team, working with developers on Microsoft's identity, data security and governance platforms. Today he's here to talk about Entra Agent ID, part of Microsoft's Agent 365 offering. Welcome, Kyle. It's great to have you on the show.
>> Thanks. It's great to be here. Hey everybody.
>> All right. So IDs for agents, that's a thing. Like agents now get their own driver's licenses and things.
>> Something like that.
>> The world we live in.
>> Actually, it's a key point. Agents need different rules and policies than users do, and yet sometimes agents act like users and sometimes they act like applications. We need to know what's coming into play. Take a simple case: if I see a human user accessing a few hundred documents in a minute, we immediately raise flags and say, hey, there's probably a compromise here, because people don't read documents that fast. Something's going wrong. But if an agent read a couple hundred documents in a minute, we'd be going, I wonder why it's running so slow, right? It's a different set of rules and detections, and of how we figure out whether it is risky behavior or not and what policies need to apply. We need agents to effectively raise their hand and say, yes, I'm an agent, by getting an agent ID. So different permissions, different characteristics, different, you know, security model around them.
>> I actually do kind of inherently love the idea that when you have some identity that you're interacting with, you can tell, wait, is this a human or is this some AI agent trying to do something, hopefully helpful. All right, cool. This sounds super interesting. How do you guys want to start? Where do you want to go first?
>> Yeah, I think I will start by showing how you can add Entra ID to an Aspire application.
I mean it's all .NET, so both the Blazor app and the web API, using an agent. So a live demo of doing that.
>> Perfect. You want me to put your screen up? I can put your screen up. There we go. So we'll do auth for identity for humans first.
>> Yes.
>> And then we'll talk about auth, I guess, for agents, like how you get your agents to have an identity. Sounds great.
>> Yeah, exactly. So here I have an Aspire application. I used the starter template, and I also added the Aspire skills, which I'm not going to use. I have also added two other skills, which are the Entra ID skills, and I give the link at the end of the presentation.
They are just text files and we'll get back to what they are doing, but they are basically adding Entra ID to your Blazor app and your web API, and they also provision the application in Entra ID. So here what I want to do is first, I'm going to run it. So I'm going to do dotnet run, as usual.
Then I need to bring up just this window we just opened, and I have my front end and my back end. If I navigate to the front end, this is the usual starter kit. So if I go to weather, it calls the web API. But you see the web API is not authenticated. By default, you have no authentication. So if I go to the traces, I'll see that weather just called the web API, the API service, with weather forecast. And there was no authentication at all. What we want to do now is to add authentication. So how do I do that? I will bring this window.
What happened here is the user, me, opened the weather page, and that called the web API, and then that returned the JSON, and that rendered the page. What we now want to do is slightly more complicated. Is it big enough for everybody? Here we have something a little bit different. All the rest is almost the same, but you start by your Blazor user calling the page, and then the page will check if the user is authenticated. We have this version where a user needs to be authenticated. If the user is not signed in, we will redirect to Entra ID to have the dialog of logging in, signing in, giving your credential, doing a multi-factor authentication, and then Entra ID will call back the Blazor application on the signin-oidc endpoint, and then that will get a token and create the auth session so that you are signed in. At the same time it will acquire a token that will be used as a bearer token to call the API, and the API will have to do the validation of the token. That means it's going to go to Entra ID to get some metadata, and then it will verify the scopes, and only then does it return the JSON and the weather. So it's more complicated, and if you want to do that by hand, typically that could take you a lot of time.
>> I think even one of our viewers was commenting, like, there's so many steps my brain just goes blank. There is some complexity involved with authentication. I mean, high level, I know it was a lot of arrows, but high level it's just: you want the user to browse to the app.
You want them to log in. So you bounce them over to Entra as the place where they're actually going to do the login. They get their authentication session established, and then to call the API they need to get a token from Entra to make the API call. That's high level what was happening there. But yeah, there's some complexity when it gets to auth.
>> Maybe AI can help, Jean-Marc. Maybe AI could assist.
>> Exactly. Maybe AI can help. So I will just run Copilot,
or GitHub Copilot CLI, and I have VS Code open at the same time so that we can see a bit what it does, especially in terms of the source control, the changes here. We'll get back to that in a second. So I'm in the folder Aspire on ID, and I will tell it: let's add Entra ID to this app.
Let's provision the app in this tenant, which is a test tenant, because as you know, Daniel, and of course Kyle, at Microsoft we cannot really provision a web API in our own tenant, so I have another tenant. So I just say that, and then let's see what it does. Copilot will detect the skills I was mentioning. I was mentioning that I have added two Entra skills. If we look at the GitHub, this is the Entra Aspire authentication, which adds the code, and this is the Entra Aspire provisioning, which adds the application and ties it to the code. So here it looks at the structure and it's going to say, okay, I'm trying to find out which kind of application I have, and it detected that you have a Blazor app and a web API. So that's no surprise. But if you had just the Blazor, that would work as well. Here I'm going to say, okay, you can do what you want here. I know I should probably not do that, but I'm going to give it the permission to...
>> We know what we do.
>> So it's going to start making changes. I'm going to actually undo this one so that we have a clear view of the changes.
Okay, it's already doing this one. It has added the appsettings.json for the service, where it says, okay, I know that's an Entra instance. I know the domain. I don't know the tenant ID and client ID yet because I have not provisioned the application, but let me do that.
Then it will look at... oh okay, look, all the files. We have more files here, let me refresh.
>> I know you've mentioned the app registration a couple of times, but for folks who may not be as familiar with the auth flow of using an identity service like Entra to handle their authentication: typically, you need to register the app with Entra to let it know, hey, I want to use you for my authentication purposes. This is my app. This is the URL where my app lives, so you know where to send tokens to and where redirects should go back to. This whole process is basically setting up that app registration with Entra, with your tenant, so that that flow will actually work. Otherwise Entra would be like, I don't know what app this is, I'm not just going to handle authentication for you. You have to register the app first.
>> And here I will bring this dialog. I was asked to sign in to Microsoft Graph, because it's way quicker than I could talk about it. So here I was asked to do a 2FA, multi-factor authentication. So I'm using my phone at the moment to enter the number that was given. And here we go. The authentication is complete for this one.
And that means Microsoft, at the moment, is going to provision the Entra ID application in the tenant. It connected to the tenant. Meanwhile, let's have a look at the code. So for the service, we already saw this one. It has added Microsoft.Identity.Web with the latest version. That's what does most of the work in the service.
It has changed the Program.cs so that your API becomes protected. It has added authentication and authorization, and it required that the weather forecast API is authorized.
That was for the web API.
Now for the web app you have something similar, except that there will be another client ID; the tenant ID will be the same. There will be some credential here, for simplicity a client secret, but you can have certificates or FIC plus MSI when you are deployed, and you have a web API section which it's going to replace by the client ID of this web API once this web API is created. In terms of the csproj, you also have Microsoft.Identity.Web. This is the same library that protects both, and the Program.cs is slightly bigger.
One thing that you might appreciate if you know Aspire is the fact that we add the HTTP client, and you know in Aspire you just say apiservice, that's the name of the service, and it will be replaced by the URL of where this service is running. That does the magic of plugging in the authorization header with the token. So it acquires the token by itself. It does all the work that you otherwise would have to do. It takes care of the token cache and then it adds the authorization header. That's the magic, I would say, and it gets the information from the appsettings.json, in particular the scopes, which are here, which are what is going to be done in the app registration. Then, still for the Blazor application, there is a bit more, because now we should have a login box appearing. We have this new user info. It will show the user info. The main layout takes into account the user info. And in the weather Razor page we are going to do a little bit more too, in the sense that if the user is not authenticated we are going to bring a challenge, and then we call the API, and the API could totally have an exception, and I think Kyle you are going to talk about that later: the API can have an exception which is, for example, MFA requested, and that's going to be handled as well by this catch, and then challenge the user on the exception. So meanwhile our app registrations are in progress. So what is it doing?
CR admit concern. Do I have anything to say in no?
So let's wait for it to finish.
>> So for the app registrations, like, how is this able to do the app registration?
>> So it uses the Graph API. In Microsoft Graph you have a way of creating your application, and now that you ask, I have a little slide here. From this tenant it will have created the API app registration, that's this one. The client IDs are not the ones it will create, because obviously that's from a previous run, but that's an example of what you will have. The information which will be important will be a client ID, and it will also have an app ID URI. When you request a scope to call your web API, you typically say api://, the GUID of the application, and then the name of the scope. This web API will also expose a scope, which is access_as_user. Then the web app itself will have another app registration. It will have a redirect URL, because that's where Entra ID will call it back to give it the token. It will have some credential, here a client secret, and it will request an API permission on the web API so that it can call the web API with this particular scope. So that's basically the information which is being created by the schema you see.
>> Yeah. So there's actually two app registrations, right? There's the app registration for the API and the app registration for the web app.
>> Yes.
>> And the web app one is the one we were talking about earlier as well, where Entra needs to know where to redirect to and all those things.
>> The web API registration, that one's interesting, right? Because when you request a token, you're basically requesting, like, what API do you want to be able to call with this token, I guess. That part, the scope of the token, is what it's allowed to do, is what those scopes are, right?
>> The scope is exactly what your client is allowed to do in the web API. So here it's capable of accessing the web API on behalf of the user, access as the user, and the scope that you would typically have would be the concatenation of the app ID URI plus this delegated scope. In this case delegated means for a user; you can also have app scopes when an app calls a web API on behalf of itself.
>> The fact that it used the Graph API to do the app registrations is kind of interesting to me. I know in the past when I've had to do this myself, I would use one of the Azure CLI tools, like the Azure CLI itself, just to set up app registrations, or maybe I'd go to the portal. Obviously you're using GitHub Copilot CLI here, so going to the portal doesn't make any sense, but I'm curious why the Graph API versus the Azure CLI, or doesn't it really matter, whichever works?
>> It doesn't matter. I wrote the skill like that, using the Graph API, and one of the reasons is maybe the Azure CLI was not supporting, for example, some of the agent ID stuff when I was doing the work. I wanted to extend that to agent identities. But it doesn't matter, az is fine to run; you could totally choose to rewrite the skill to use az.
>> Yeah, it's just that in the end everything comes to that Graph API. You could use higher level tools, but they all get to the Graph API eventually.
>> I guess using the Graph API directly also has the benefit that there's no installation dependency, like the user doesn't have to install the Azure CLI in order to use this skill. Is that correct?
Like, is it just making its own HTTP calls to the Graph API endpoint so that it doesn't need any additional software installed to do that?
>> Actually, it does. It does use PowerShell, but it installs it if it's not there. The skill has some prerequisites and it does need them.
>> So, it's finished. It gives us client IDs, which are different from the ones I showed in the slide, of course, and it has also updated the appsettings.json. So now you see we have real values here.
That means it has done the work that you would have done in the portal, and that would be pretty tedious, because you need to do things in the right order and you don't want to forget any step. I know that for me, when I joined IDNA, this scenario would have taken me one day, maybe more, because when you don't know, you don't know. There are more docs now, of course. So I'm going to do a dotnet build. Of course the skill has built everything, so I know it builds already, and then I'm going to go back to the host and dotnet run, so exactly the same as we had before. So I'm going to run, and we will have the Aspire dashboard soon.
Okay, I bring it here.
Then I'm going to go to my front end, and this time you see you have a login, and I'm not going to even press login.
I'm just going to go to the weather page, and it tells me you can sign in. So I'm signing in with an identity which exists in this tenant, and you see it gets... I'm now signed in up here, and it got the data. That was slightly more time because it had to get the token and call the web API, which verified the token, and we can see it as well in the traces. So if I look at this trace, you see what happened is, when it did weather, it went to login.microsoftonline.com /token, which is to get the token, and then it called the web API. So it got the token, etc., it called the web API, and the first thing that the web API did is go to login.microsoftonline.com, my tenant, .well-known/openid-configuration, to get the signing keys, etc., to validate the token. And then it did its work, and that's what I wanted to present.
>> I love that. The fact that you're using Aspire makes it so nice to see all the flows about what's happening. That's one of the great things about setting up Aspire with your app development experience. You get all those traces and the viewing and the dashboard. It's really nice.
>> It is. It is really nice. And when you talk about auth like that, it's, I mean, a bit complicated. Seeing the kind of sequence diagram is really nice.
>> Some people are asking about where they get these skills, like, if they want to, how do they acquire them? What's the story there?
>> So I will leave a deck; I think we have the links. They are in Microsoft Identity Web. So first there is a blog post, an Aspire blog post, where I describe the whole thing, but otherwise you go to github.com, Microsoft identity web, and then you go under skills, and that's the two skills here, this one and this one. Skills, they are really MD files which are done for agents. They are kind of recipes. An agent by default would not necessarily know very well how to do this. It's a bit more codified, but it's very human readable, with code samples, etc. So that's where you can get them. You typically, you know, download them. There are two MD files.
You put them wherever you want. For example, I put them here under .github, as I said already, .github/skills, along with the Aspire skills, and that's it.
>> And I know that with skills, they're often set up as a plugin, right? A lot of agent systems will have this plug-in model. GitHub Copilot, I know, has this, where you can install a set of skills as a plugin from, I think they call it a marketplace, which is usually just a repository. Is that repo that you showed set up as a marketplace where you can install those skills as a plugin, or is that still...
>> No, no, it's not. Because we still have not discussed where we want to put it. Do we want to put it in GitHub awesome-copilot, for example? I need to discuss with Kyle, because Kyle has skills too.
>> There is a .NET skills repo now. I don't know if people have... I think we plan to talk more about that in a future standup, but dotnet skills is a repo in the dotnet org that has a bunch of .NET-specific plugins with skills and agents, custom agents and such, for .NET scenarios. So maybe I could talk to the folks that own that repo and see if that would be a good place.
>> Yeah, let's work together, Daniel, on where to find them a home.
>> Fantastic. There were some other questions. Let's see. Let me bring up... So people were asking about getting built-in support for Entra External ID.
So I think with the flow you showed, that was...
>> That works.
>> Yeah. If you give a tenant which is an External ID tenant, that will just work, because there is no real difference, from the point of view of the SDK, between Entra External ID and Entra ID.
>> So, for folks who don't know what that difference means: Entra ID, I think we normally think of as an organization. Your tenant represents the users in the company, Microsoft or whatever your company is, whatever your organization is, and you're allowing them to access your apps and your services. With External ID, usually it's more like the public internet style site, right? People can register as users and use your web app, kind of like you would if you were creating a public-facing consumer website. And I think they often refer to that as CIAM. I forget what the CIAM stands for. It's like consumer identity...
>> Consumer identity and access management.
>> What's the C again?
>> Customer.
>> Customer identity access management.
>> That's right.
>> And CIAM and External ID are kind of synonyms. Is that right? They're kind of the same thing.
>> Yeah. Well, External ID for Entra is an example of a CIAM solution.
>> Right.
>> Right. So people need to have identity for their customers, right? I need to be able to go to some site and sign up, set up an account, and sign in as me and get my services. And that's where they're distinguished from people who work at your company, right? So we call that a workforce tenant. And then there's a tenant so that you can have customers access your services.
>> Makes sense. Perfect. Okay, cool. So the same AI skill then would work with both, just a slightly different user experience that you're setting up.
I know there's more stuff, like with External ID you set up specific flows, right? Like do you sign in, sign up?
>> So, not now. It's done server side.
It used to be the case with B2C, but it's no longer the case with External ID, to my knowledge. So maybe, yeah...
>> Maybe, Kyle, things have changed in a few months, but...
>> Yeah, no. You know, we had very different models between our two different generations of our product in that space. So we had Azure B2C, and now we have Entra External ID.
Azure B2C did have a tremendous ability at customization, but it was very difficult to drive that customization, and you had to do a tremendous amount of work to get it done. And now really the new External ID shares a lot of its code with Entra ID itself. So a lot of this happens without having to do that very complicated, hey, I want to customize this thing to the nth degree, kind of work.
>> Okay, cool. Yeah, lots of other people chatting, but I think we can save some of those questions for a bit. That's great. Okay, so that's how you set up auth using AI in your app. And oh, I wanted to also mention that I know you were using the GitHub Copilot command line interface, the CLI, but those same skills would work in Visual Studio Code or Visual Studio; whatever coding agent you prefer, those skills work across all those coding agents.
>> Yeah, totally. Skills are a standard from the industry.
>> I love working in the CLI. That's my coding agent of choice, but I know a lot of other people prefer to work in an IDE or work in Visual Studio Go, like, whatever makes you happy. So that should work as well.
>> Yes.
>> All right. Cool. Okay. Yeah, you can see the blog post there and check that out.
We also have that in the URL list. So, Kyle, should we switch gears now to talk about IDs for agents?
>> Yeah. So, I'm going to talk about a few things that are new for Entra ID that are coming here. Of course, the the biggest new thing we have at the moment is agent ID. Um, and we built a very rich system here. Um, one of the things I I struggle with personally is that it seems like everything is called an agent, right? And we have, you know, co-pilot is an agent, but I go into copilot and I create an agent. It's like, well, wait a minute, which is the agent there? Well, they're both agents.
Everything's an agent, right? But it actually has a an implication on the architecture that we need to have, right? So we need to have a world where agents create multiple instances of themselves if you will or create instances of agents. So I might have a top tier and have an agent like maybe I have copilot but it creates different agents within that agent. Now maybe those agents want to all do the same thing and therefore they should inherit all the same permissions. What is this agent allowed to do or to be used for?
But maybe they don't. Maybe they should invent in inherit some things and maybe have specific permissions and others. So for example uh maybe I want to deploy an agent solution to my c to my users uh and all of you know all agents all instances of that agent they should be able to read someone's mail so they can you know summarize my mail for me but only some of the users will want to have the agent actually send mail on their behalf. we wouldn't want to give all of the agents the ability to send mail.
We'd only want to give it to a few. So that really dictated an architecture that we had to come up with uh in terms of how can we support that kind of functionality. And the first thing we're going to look at here is kind of the the root of this new uh model we have for agent ID and agent identity. And we call it the agent identity blueprint. So I got a little uh tool I just wrote as a local.NET net app that I can use to create agents and and and you can see the code that that we would do to create this. So I need to sign in so that I I need to have a particular role in intra in order to be allowed to create an agent identity blueprint. So I have to be an either an agent ID developer or an agent ID administrator. So I'm going to sign in with one of those. I'm going to choose signing in with the broker so I don't have to actually type in any credentials. Now this goes to the the the the conversation we were just having earlier with John Mark. Well, we're using Microsoft Graph to create these objects, right? There are PowerShells, etc. But really, we'll just go ahead and call Microsoft Graph. And actually, we're going to call the same API here that Jean Mark is calling in his create my app registration for me, which is the applications API. Now we're going to have we're asking for a very specific type of application an agent identity blueprint. So this is saying I want to create an application object application registration in my tenant and I'm going to call out that this is a specific type only for be using agent identity blueprint. So I'm going to have an application in my tenant uh and it can do some things that a regular app can do. It won't be able to do some things a regular app can do and it will do some things that regular apps can't do. So it has its own unique identity if you will or type here. Uh but it is at its soul at the the heart and soul of it. It's an application. 
Now there's a unique property here a new uh property we have to have nowadays which is you know in an application we we had owners which we were looking at for it for the most part which you know who is administrating the IT parts of these this application but now we're bringing in the concept of a sponsor and for this we expect a human user who is responsible for the behavior of this agent here right so when you know if there's a issue with its behavior one way or the other who do we call. Right. So now we have this new concept of a sponsor. It could be users.
>> Kyle, get your agent under control. It's >> That's right. That's right. You can expect that call shortly. That's right.
So we need to have that. That's a new element. So as we talk about a specific type, an agent identity blueprint requires a sponsored in order to be able to be created, which I didn't need to have in in a standard application. And what I'll get back is I'll get back an application. Right? So we see that what I get back is an application again of this very specific type. Now I can start doing things with this blueprint. And there's two things I need to do with the blueprint. First off, the blueprint is going to hold the credentials, the client credentials that are going to drive the identity that all of the agents that are going to be created from this this blueprint or child if you will to this blueprint, they're all going to effectively work off of this one set of client credentials. Uh the second thing is I'm going to use this blueprint to be a template for what all of the agents, these child agents are going to inherit.
In other words, what can they be used for? What are their permissions? Uh so those kinds of things. We're going to do two things with the blueprint. So the first thing I'll do is I'll just assign some credentials to this blueprint. I have a certificate deployed here. So I prefer that over secrets. So I'll go ahead and just assign a blueprint that my credential. Now I have to start thinking about how am I going to use this this agent. Are my agents going to act on behalf of of users who are signed in. So this would be your classic chat experience. I sign into my chat experience and the agent is bound by what I can see. It doesn't try to read everybody's mail. It can only read my mail. Right? So if I want to have my agents act on behalf an in what we refer to as a interactive agent, well we do that same app registration again that John Mark did on his web API. We're going to say at the blueprint level I'm going to expose a scope so that the front end of my app of my agent solution the the chat experience can get a token to call the agent backend itself the actual uh agent or an LML the model etc. um and it will identify the user uh to that that agent so it the agent can then act on behalf of the user. So we're going to use that same process that that John Mark used. Uh we're just going to add uh a uh you might even see the the access as user except now we're going to access the agent as user. So we're going to set that as a as one of the properties on the blueprint. So now the agents I create with this blueprint, they can act on behalf of other of users. Now what will my agents be allowed to do? I could stop here and say, well, every agent will individually request its own permissions and say exactly what it wants to do. That's a model that that will work. But in this case, I'm going to go ahead and set up so that my agent will inherit permissions that have been granted to the blueprint. 
So here what I'm saying first is I want my Microsoft Graph permissions to be inherited by my agents that I'm going to create from the blueprint. So this is another new concept that we didn't have before.
An application can have inheritable permissions. Now not every app, only agent identity blueprints, but these permissions can be inheritable. So I'm going to say in this case the resource ID, this is Microsoft Graph's resource ID, and I'm saying all of the delegated permissions, which are scopes, and all of the application permissions, which are called roles, will be inheritable from Graph.
So that's the first step. I make the inheritance possible for my agents.
And then I actually say, and these are the specific permissions I want all of the agents from this blueprint to inherit. So I put some comments into the JSON here that we don't send on, but it just helps you remember what all the IDs are required for. So in this case I'm saying all of the agents can sign in and read the current user's profile. They can all read mail on behalf of the current user or on behalf of themselves. They can send mail. This is when I'm working with a user or an agent's user account, which are all possible with what we have. And then the one other thing I'm going to say is, when an agent is working fully autonomously, not connected to a user at that instance, what will that agent be allowed to do? What could it be used for? Well, I'm going to say that this autonomous agent can read the full user profile of all the users in the tenant.
So, I've set up a number of different things here. I better make sure I actually sent these. Okay, I did do that ahead of time. Okay, great. So now let me go ahead and actually get consent, though. I've asked for a bunch of things I'd like my agents to get. I'd like them to all be able to read mail and to send mail. But an admin has to say yes, that's okay. Right. So, I'll go ahead and consent to this blueprint here in my tenant. So, I'll sign in as an admin. First off, we get here that the agent blueprint itself is being allowed in the tenant. And by default, it always has the ability to create what we call an agent ID. That's the first thing that the blueprint can be used for. The second thing is all of the agents that come from this blueprint can read mail, can send mail, they can view the full profile. These are the things we put in what we called our required resource access. So now I have a blueprint created in the tenant.
It's been preconsented to having my agents be able to read mail and send mail and so on. So let's go ahead and we'll create an agent ID. So this allows me to create an agent ID that's going to be connected to that blueprint. It's going to inherit from that blueprint. I'm going to use the credentials from that blueprint to drive this agent ID. Again, even at this level I need a sponsor. So this is a different sponsor than the person who's responsible for the agent overall.
This is the individual who's responsible for this particular instance of that agent. Right? So within my agent platform, I get to create an agent and I'll have, you know, who's the sponsor for that individual agent from here. And then we can go ahead and I can get that agent ID. And I'll just go ahead and use this as an interactive agent. In other words, this would be my chat experience.
So I'll bring up another little window here. Well, the first thing I have to do, this agent is going to have to work on behalf of someone, right? So, the front end of my agent solution, where the user signs in and goes to start their chat. They're going to sign in. So we'll do that just here by sending a standard authentication request. And this time we'll sign in as Megan here so that we can see something different. Megan is agreeing to use this agent, right? That was the blueprint we just created, and this is our very basic permissions, use the basic user information that we give to every app. So now we go ahead and we have that token that identifies the user. This is where it gets a little bit interesting. In order to get a token for my agent, not my application, but this is an agent at this point, to be able to act on behalf of Megan, the first thing I have to do is take the credential I used for my blueprint and create what's called a federated identity credential token for my agent IDs. Agent IDs only securely sign in with federated credentials. They don't have passwords. There's no username and password. There's no thumbprint or what have you. They only sign in with these cryptographically secure federated identity credentials.
Having gotten that and the token I got from Megan identifying herself, that she's using the agent, I can take both of those tokens, the one that says it's Megan and the one that says this is this agent, and I can then request and get a token to call Microsoft Graph. And here we'll see that it inherited those permissions.
So my agent that's working on behalf of Megan now can see Megan's information, can send mail for Megan and read Megan's mail.
>> Interesting. Yeah.
>> And we can see that if I come here and I just say, well, who's the current user profile? So my app doesn't really care who the user is. It just uses the me API. So I don't have to look up their ID. And I just say who's the current user? Well, Megan's the current user.
And because my agent is allowed to read mail, fine. Give me Megan's email, please. Because that's what the agent was allowed to do. And if I come all the way down to the bottom here, we'll see the To recipient of this particular message was in fact Megan.
So, we're reading Megan's email because that's what was allowed. So, this is a very quick introduction to the system.
We could talk about how this works for autonomous agents. It works for something called an agent user account as well. There's a lot of capability built in here. So how would you develop for this? Well, the key part is that we really think the best way to do a lot of this development is with the Agent 365 solution, the Agent 365 SDK and other tools. So the nice thing is that our friends in Agent 365, let me go ahead and actually bring up something here, they have got of course an agent to help you walk through how to develop this model. So I open up my coding agent of choice and in this case I simply ask this question, right. So, to what was pointed out earlier, I can do it in whatever coding agent I want. I'll do this in Visual Studio Code and it will go off and start the process. Now, there's tools that might need to be brought on. There's the config settings. There's that blueprint that needs to be created. There's a bunch of things that could need to happen here.
And this agent will step me through all of that, all the way to: did you install the tool you need to create a blueprint?
Did you do this? Did you do that? So, here it is. And then, of course, it actually is told, well, the first thing is I have to find out what kind of agent you have. What are you building? It's gonna interview me on all of these steps. So in this case, I have an agent I just got some code for. So it isn't currently integrated. And whether I'm doing on-behalf-of: does this agent act on behalf of Megan like we just saw, or does this agent just work on its own? Well, in this case, we'll say it's on behalf of, and then there's different capabilities within Agent 365 that are built into their tools. First off, obviously I want to register this agent so it shows in the Agent 365 agents list and registry and you can see it, and more importantly I want to enable this agent to fully participate in Agent 365 observability. And then once I give it these kinds of things, off it will go and say okay, those are your goals, let's go through the steps. So, I won't go through the steps here because we're a little short on time, but this is an easy way to get going. And at this point, it's going to go make sure I have the right versions and all the things I need. In this case, the Agent 365 CLI tool is a .NET 8 desktop app. So, it wants to make sure I've got .NET here and so on, right? So, it will step me through everything I need to develop on this agent ID. So, I know I showed some stuff that looked a little complicated with all these blueprints and things, but the agent there is going to walk me through that. I will also point out, by the way, that on top of that we do have an AI-guided setup just for Entra ID agent ID as well. And this is available. To the conversation that happened just a little earlier, we're currently putting ours in the Microsoft skills GitHub repository.
This is a general, you know, Microsoft all-up skills repository. So that's where we're putting the core Entra one.
>> Oh, there you go, Jean Mark. There's another place you could potentially put this. That might be a good location for the other skills, the auth enablement skills.
>> Yeah. One other couple of things I wanted to bring up about Entra ID in general. For those of you who have already built on Entra ID, there are a couple of changes coming in that you should be aware of as they may impact your applications. The first one is eventual consistency. So Entra is an enormous system, and on any particular instance of Entra there are, for example, at least nine replicas. Right? So Entra isn't "I have a database full of, you know, user accounts"; it's "I have a database in at least nine different places with all of those user accounts." Right? So resiliency and reliability is a huge factor here, but that brings into play: if you call a Graph API to add something to Entra, right, you add a user or a group or something, oftentimes you may not get back to the same instance when you do a read right after it. So, I might add something and then I want to add some additional properties to it, and I could get a successful add response followed by an unsuccessful read response.
>> Yeah, which happened. It happened with the agent. I don't know if you paid attention, it had done a retry, because it created the application, but then when it tried to create the service principal it said, ah, it doesn't exist. So it knows and it retried.
>> Right, so you always have to, this is always a possibility. You should always know, hey, I got a successful add, you know, I should retry that failure to read. It's a standard pattern you should have. But what's happening here, the change that's happening is, while we're still going to try our best when you're using a token on behalf of a user, right, and doing that, we're going to try our best to keep consistency, but that's not always going to happen. As Jean Mark pointed out, he was a retry away from making it work, but we're not going to make as hard an effort in application-only permissions.
>> So, the probability or the possibility that they may come across this issue will go up.
So if you have an application that's using app-only permissions, you need to make sure that you have your retry logic in place, not just: I added it, it came back and failed, I'm just going to end because everything's wrong. You have to make sure that you're having, you know, resiliency to this eventual consistency, which is a cornerstone of how we put things together.
>> That sounds like something that Aspire should be able to help out with.
Like I know Aspire has built-in resiliency features for that sort of retry logic. So I think the service defaults that Aspire sets up I suspect would aid with that by default.
>> It does. The Entra ID sample was using Aspire, the original from November, and that worked very well for this particular case too.
>> Yeah, exactly. Kyle, the sample app that you were showing in Visual Studio Code, I know you were talking about setting up the identities for the agents, but I was just kind of curious what the agents are in that app. I see like Microsoft agents in here. Like is this built with Microsoft Agent Framework?
>> Yeah, yeah, it is a Microsoft Agent Framework sample.
>> Not very sophisticated, very simple. If I don't have something here that's agent-like code, it'll say oh, you only want to do this, because it won't step through how can I add this to your agent. It'll say you didn't give me a project. All you want to do is register, like it'll do the, you know, just set up, right? So I needed to have something there.
>> For someone who wants to try this out, like if you're building an agent yourself with .NET, like using Microsoft Agent Framework, using Foundry as your model host, potentially even building a hosted agent there, and then setting up authentication, setting up identities and, I guess, these inherited or delegated permissions for those identities, that would then be done in conjunction with the Agent 365 SDK. Is that right?
>> That's right. So, that particular agent that we looked at will get you through. So, you built an agent somewhere. It doesn't matter if you use Microsoft technology for your agent or not, right? Sure. We're always happy to see you run Foundry and Agent Framework, but if you're running LangChain on some other cloud, okay, that's fine. The Agent 365 agent that we just looked at will help you make sure you get the configuration done that you do need. It'll help you add the Agent 365 code into your agent.
Agent 365 in and of itself is not an agent platform. There's no hosting models or anything like that. It's a control plane above that.
>> So what it does, for example, is add your calls to observability.
>> Right? So what'll happen there is, one of the great features of Agent 365 is being able to see, hey, what are all my agents up to? Well, in order to get the best possible data on that, we're asking agents to call the Agent 365 observability APIs, so that we can then show all the activity. And that agent that we just looked at will help you get that no matter where you've written your core agent project.
Yeah. And Kyle, there was a question in the chat. If your agent is doing havoc, can you call the agent buster? Do we have an agent buster? A big button to stop an agent?
>> Actually, yeah, for an agent that's actually fully adopted agent ID, right? They're going to use these agent identities I just showed you to do their token acquisition in order to access a resource and do whatever it is they're trying to do, good or bad. Well, if I do that, I can go to, for example, I meant to show this, but I can come to Entra and I'll refresh here. We just created an agent ID, right? So, one of the things I could do is I could pick it right here. This is at the agent ID level, and I could disable this agent.
>> So, I can no longer acquire tokens. Or I could have done that at the blueprint level. So, here's my blueprint. I could have disabled my blueprint as well, right? So I've got an ability to stop these agents from progressing and accessing those resources, because I can come into Entra and I can control this. There's an ability to do some of this in Agent 365 as well.
But I can come into this blueprint. I can see, for example, that from what we did earlier we only had the one agent ID.
I could come into this agent ID and I could look at its sign-in logs. We might have waited long enough to have activity here. So this would be a user sign-in. So there was our Megan who used this agent, right? So I can see all of this because the agent raised its hand.
I'm using an agent ID, and therefore it comes into sign-in and auditing and all of the other controls that we would have from Entra.
>> So yeah. So if your enterprise says okay, I'm scared of agents, I cannot control them. Actually with Entra ID, you have a way of controlling what happens with agents.
>> That's right. So they can come in here and if this agent is causing trouble, Mr. War this guy, fine. Come in and disable. You can come to my overview and I can disable this agent. There we are, right up top, right? I can see what this agent's been doing. You just saw the sign-in logs, etc. So I have all of that capability here.
>> Nice. Pretty cool.
>> Kyle, the app that you were showing earlier, I think it was like a desktop app for showing all the requests to the Graph APIs. Is that something that you actually make available for people to play around with, or is it just sort of your personal...
>> It's been personal, but I'm just finishing the cleanup of it, because I used it to do a lot of testing and experimenting: does this work, is this how we're supposed to do it? I did a lot of experimenting. So, it has a lot of this sort of, you know, I'll just write this code right here, because it's like, can I call it this way? Can I call it that way? So, I've got to clean up, like there's a lot of failed attempts at this would work and not work and so on. So, as soon as I get it all cleaned up, I'll put it out.
>> And for someone who's like, you know, .NET developers is mostly this crowd, like if they wanted to get started trying to build their own agent and then set up identities for it correctly using Entra agent ID, where would you point them as the initial starting point? Where would they go first?
>> So, today the first place they should look is to see if Agent 365 really would work for them. So I'd go to that agent, that AI-guided setup, if you will. If that didn't work, then I'd go to the Entra agent specifically. So I have two tiers, right? I could just do agent ID, but I may not participate fully in what a lot of companies are going to be looking for, which is Agent 365 participation.
>> So that's the skills that are in that skills repository. So for example, the ability of making sure your agent was fully reporting its activities through that observability API, right? So that the company, you know, not only can they see things like sign-in logs, they can get much deeper activity logs, activity tracing from the observability APIs. So that's why we would really encourage that direction.
>> All right.
>> I wanted to raise one more. I'll try to do it quickly here. We've been making some changes to our conditional access implementation. What that means is, quite often customers will set rules around under which conditions this API or this resource is allowed to be accessed. And we have a particular way where, what a lot of developers may not have known is, when the customer put a conditional access policy on, depending upon how they set it, we would occasionally not have requested an MFA, for example. As Jean Mark mentioned earlier, hey, you know, maybe when they ask for access to weather, somebody would have said, oh, I need an MFA here, right? And the problem there is that you have to do that claims challenge, right? So, my middle-tier API says, oh, I can't get my token, and it's telling me that user interaction is required. So, I have to send that message back to the front end again. So, Jean Mark mentioned it. It's built into our platform, Microsoft Identity Web, and the agent that he showed, the code he added, would handle it automatically. In fact, he showed the code. This is something we need to make sure of. If you find your customers are coming back and saying, "Hey, I can't get to your app," it's because we may be asking, when you go to acquire a token, right?
We may be asking for an MFA. So, one interesting way to make sure that your application is only minimally going to be impacted by this type of thing: if you're not calling Microsoft Graph, do not ask for User.Read.
>> Because, to be fair, we default it: when I start an API registration, we put in a User.Read. Well, it doesn't need User.Read. It's not going to try to read the current user, but it would mean that we would say, "Oh, it's trying to do a User.Read.
We better get an MFA here." So instead, if you're doing that kind of thing, don't put in that kind of app registration, or just use, for example, one of the core OpenID Connect permissions, one of these four: email, offline_access, openid or profile. And because I'm not going to call Graph, I'll use this and I'll cut down on those MFAs. And make sure you handle claims challenges as Jean Mark already showed.
>> Gotcha. Okay, that makes sense. So this is part of the security posture tightening from the security side, right?
>> I think if I go to the blog post, notice we're mentioning it as part of our Secure Future Initiative that was going on. It's been going on at Microsoft for a while now as we look to make sure everything is as tight as we can get it. This is a, hey, you know what? We're going to make sure we do apply conditional access policies in these situations.
>> Awesome.
>> And that can break a lot of apps, because the web API needs to send back a WWW-Authenticate header which needs to be processed by the client application, and if it's a middle tier you need to propagate it back to the soact.
So, we'll include this blog post and the consistency blog post in the URL list for the standup today. So, folks who want to learn more about this change, be sure to check that out.
>> All right, I know we're pretty much at time, but there were two just really quick questions I wanted to throw up on the screen if that's okay.
>> One was, I think, Jean Mark, I think this was for you, probably for both: will these skills equally apply to just an MVC front-end app? And I assume the answer is yes.
>> Well, I think that would work. Yeah, that will work for the MVC. It's rather more complex for Blazor because things change. So they will do well with Blazor and we had to introduce some code. The MVC code was well known by the agent for a long time. So that will work. Yes.
>> Okay. Cool. And then there were some people that were talking about Azure. I know we mentioned Azure AD B2C when we were talking about Entra ID external ID in the chat. And is it correct to say that Entra External ID used to be Azure AD B2C, or are they separate services?
>> They're separate services, but Entra External ID is replacing Azure AD B2C in the marketplace. I believe today you can't get a brand new purchase of Azure AD B2C. Right, obviously customers who have it and are using it, that's okay. But we're not selling it to new installations, if you will.
>> So, one replaces the other. It's not that we just rebranded it or renamed it. It's actually one of the...
>> No, they're very different technologies under the covers. And because the Azure AD B2C code, while originally branched from a very early version of Azure AD itself, didn't keep up and so on. So the new External ID is effectively a much closer, they're kept closer with Entra ID itself.
>> If people are using Azure AD B2C today, should they consider a modernization migration on their usage?
>> At some point, but we're not suggesting everybody do it right away. I mean, you know, these are often big and complicated and very valuable solutions that people have built on this. You know, it's maybe how all of my customers sign into my service.
>> Right, so sorry, go ahead.
>> I would say it's more, if you're using B2C and then you are looking for some feature which was only available in Entra ID, then that's the right moment to do the migration, because indeed External Identity and Entra ID are very, I mean, all the features that you have in Entra ID, they are available as well in External ID, I think, kind of.
>> Yeah, and that was part of the reason things like BO and other kinds of supports are possible because of the move.
>> Yeah. People wanted some features which are in Entra ID, but they wanted to do some business-to-customer. So there was a bit of, sometimes you had some dead ends. So now with External ID this is the same technology and it has the same features.
>> Yeah. And so space is saying thank you for the clarification. Yeah. But it's sometimes hard to keep track of all the rebrandings on our side as well. So don't feel bad.
>> All right, Kyle and Jean Mark, that was great. Thank you for sharing your expertise in this space. Obviously, it's a very important space. We want our apps to be secure. We want people to be able to have trust in the software, and also as we move into that AI world with agents, that they have ways to manage and appropriately handle those as well. So, thank you so much for joining us.
>> Yeah, thank you. Thank you for inviting us.
>> All right, everyone. Thank you so much.
We'll see you next time. And with that, happy coding. See y'all later.