Added agent id

Author: merill

src/MSIdentityTools.psd1

@@ -68,6 +68,24 @@
 
     # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
     NestedModules        = @(
+        '.\agentid\Add-MsIdClientSecretToAgentIdentityBlueprint.ps1'
+        '.\agentid\Add-MsIdInheritablePermissionsToAgentIdentityBlueprint.ps1'
+        '.\agentid\Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal.ps1'
+        '.\agentid\Add-MsIdPermissionsToInheritToAgentIdentityBlueprintPrincipal.ps1'
+        '.\agentid\Add-MsIdRedirectURIToAgentIdentityBlueprint.ps1'
+        '.\agentid\Add-MsIdScopeToAgentIdentityBlueprint.ps1'
+        '.\agentid\Connect-MsIdEntraAsUser.ps1'
+        '.\agentid\ConnectAsAgentIdentityBlueprint.ps1'
+        '.\agentid\Disconnect-MgGraphIfNeeded.ps1'
+        '.\agentid\Disconnect-MsIdEntraAgentID.ps1'
+        '.\agentid\Invoke-MsIdAgentIdInteractive.ps1'
+        '.\agentid\EnsureRequiredModules.ps1'
+        '.\agentid\Get-MSGraphServicePrincipalId.ps1'
+        '.\agentid\Get-SponsorsAndOwners.ps1'
+        '.\agentid\New-MsIdAgentIdentityBlueprint.ps1'
+        '.\agentid\New-MsIdAgentIdentityBlueprintPrincipal.ps1'
+        '.\agentid\New-MsIdAgentIDForAgentIdentityBlueprint.ps1'
+        '.\agentid\New-MsIdAgentIDUserForAgentId.ps1'
         '.\internal\Compress-Data.ps1'
         '.\internal\Confirm-JsonWebSignature.ps1'
         '.\internal\ConvertFrom-Base64String.ps1'
@@ -164,13 +182,21 @@
 
     # Functions to export from this module
     FunctionsToExport    = @(
+        'Add-MsIdClientSecretToAgentIdentityBlueprint'
+        'Add-MsIdInheritablePermissionsToAgentIdentityBlueprint'
+        'Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal'
+        'Add-MsIdPermissionsToInheritToAgentIdentityBlueprintPrincipal'
+        'Add-MsIdRedirectURIToAgentIdentityBlueprint'
+        'Add-MsIdScopeToAgentIdentityBlueprint'
         'Add-MsIdServicePrincipal'
         'Confirm-MsIdJwtTokenSignature'
+        'Connect-MsIdEntraAsUser'
         'ConvertFrom-MsIdAadcAadConnectorSpaceDn'
         'ConvertFrom-MsIdAadcSourceAnchor'
         'ConvertFrom-MsIdUniqueTokenIdentifier'
         'ConvertFrom-MsIdJwtToken'
         'ConvertFrom-MsIdSamlMessage'
+        'Disconnect-MsIdEntraAgentID'
         'Expand-MsIdJwtTokenPayload'
         'Export-MsIdAppConsentGrantReport'
         'Export-MsIdAzureMfaReport'
@@ -193,6 +219,11 @@
         'Get-MsIdUnmanagedExternalUser'
         'Grant-MsIdMcpServerPermission'
         'Invoke-MsIdAzureAdSamlRequest'
+        'Invoke-MsIdAgentIdInteractive'
+        'New-MsIdAgentIdentityBlueprint'
+        'New-MsIdAgentIdentityBlueprintPrincipal'
+        'New-MsIdAgentIDForAgentIdentityBlueprint'
+        'New-MsIdAgentIDUserForAgentId'
         'New-MsIdWsTrustRequest'
         'New-MsIdClientSecret'
         'New-MsIdSamlRequest'

src/MSIdentityTools.psm1

@@ -9,3 +9,37 @@ if ($PSVersionTable.PSVersion -lt [version]'7.0') {
 #Write-Warning 'It is recommended to update Microsoft Graph PowerShell SDK modules frequently because many commands in this module depend on them.'
 
 class SamlMessage : xml {}
+
+#region AgentID
+
+# Module-level variable to store the current Agent Blueprint ID
+$script:CurrentAgentBlueprintId = $null
+
+# Module-level variable to store the current Agent Blueprint Secret
+$script:CurrentAgentBlueprintSecret = $null
+
+# Module-level variable to store the current Agent Identity Blueprint Service Principal ID
+$script:CurrentAgentBlueprintServicePrincipalId = $null
+
+# Module-level variable to cache the Microsoft Graph Service Principal ID
+$script:MSGraphServicePrincipalId = $null
+
+# Module-level variable to store the last configured inheritable scopes
+$script:LastConfiguredInheritableScopes = $null
+
+# Module-level variable to store the current Agent Identity ID
+$script:CurrentAgentIdentityId = $null
+
+# Module-level variable to store the current tenant ID
+$script:CurrentTenantId = $null
+
+# Module-level variable to store the last client secret
+$script:LastClientSecret = $null
+
+# Module-level variable to track the last successful connection type
+$script:LastSuccessfulConnection = $null
+
+# Module-level variable to store the current Agent User ID
+$script:CurrentAgentUserId = $null
+
+#endregion AgentID

src/agentid/Add-MsIdClientSecretToAgentIdentityBlueprint.ps1

@@ -0,0 +1,72 @@
+<#
+.SYNOPSIS
+Adds a client secret to the current Agent Identity Blueprint
+
+.DESCRIPTION
+Creates an application password for the most recently created Agent Identity Blueprint using New-MgApplicationPassword.
+Uses the stored AgentBlueprintId from the last New-AgentIdentityBlueprint call.
+
+.PARAMETER AgentBlueprintId
+Optional. The ID of the Agent Identity Blueprint to add the secret to. If not provided, uses the stored ID from the last blueprint creation.
+
+.EXAMPLE
+New-MsIdAgentIdentityBlueprint -DisplayName "My Blueprint" -SponsorUserIds @("user1")
+Add-MsIdClientSecretToAgentIdentityBlueprint  # Uses the stored blueprint ID
+
+.EXAMPLE
+Add-MsIdClientSecretToAgentIdentityBlueprint -AgentBlueprintId "12345678-1234-1234-1234-123456789012"  # Uses specific ID
+#>
+function Add-MsIdClientSecretToAgentIdentityBlueprint {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [string]$AgentBlueprintId
+    )
+
+    # Use stored blueprint ID if not provided
+    if (-not $AgentBlueprintId) {
+        if (-not $script:CurrentAgentBlueprintId) {
+            Write-Error "No Agent Blueprint ID available. Please create a blueprint first using New-MsIdAgentIdentityBlueprint or provide an explicit AgentBlueprintId parameter."
+            return
+        }
+        $AgentBlueprintId = $script:CurrentAgentBlueprintId
+        Write-Host "Using stored Agent Blueprint ID: $AgentBlueprintId" -ForegroundColor Gray
+    }
+
+    # Ensure we're connected to Microsoft Graph
+    $context = Get-MgContext
+    if (-not $context) {
+        Write-Error "Not connected to Microsoft Graph. Please run Connect-MgGraph first."
+        return
+    }
+
+    try {
+        Write-Host "Adding secret to Agent Blueprint: $AgentBlueprintId" -ForegroundColor Yellow
+
+        # Create the password credential object
+        $passwordCredential = @{
+            displayName = "1st blueprint secret for dev/test. Not recommended for production use"
+            endDateTime = (Get-Date).AddDays(90).ToString("yyyy-MM-ddTHH:mm:ssZ")
+        }
+
+        # Add the secret to the application
+        $secretResult = Add-MgApplicationPassword -ApplicationId $AgentBlueprintId -PasswordCredential $passwordCredential
+
+        Write-Host "Successfully added secret to Agent Blueprint" -ForegroundColor Green
+        #Write-Host "Secret Value: $($secretResult.SecretText)" -ForegroundColor Red
+
+        # Add additional properties for easy access
+        $secretResult | Add-Member -MemberType NoteProperty -Name "Description" -Value "Not recommended for production use" -Force
+        $secretResult | Add-Member -MemberType NoteProperty -Name "AgentBlueprintId" -Value $AgentBlueprintId -Force
+
+        # Store the secret in module-level variables for use by other functions
+        $script:CurrentAgentBlueprintSecret = $secretResult
+        $script:LastClientSecret = $secretResult.SecretText
+
+        return $secretResult
+    }
+    catch {
+        Write-Error "Failed to add secret to Agent Blueprint: $_"
+        throw
+    }
+}

src/agentid/Add-MsIdInheritablePermissionsToAgentIdentityBlueprint.ps1

@@ -0,0 +1,140 @@
+<#
+.SYNOPSIS
+Adds inheritable permissions to Agent Identity Blueprints
+
+.DESCRIPTION
+Configures inheritable Microsoft Graph permissions that can be granted to Agent Identity Blueprints.
+This allows agents created from the blueprint to inherit specific Microsoft Graph permissions.
+
+.PARAMETER Scopes
+Optional. Array of Microsoft Graph permission scopes to make inheritable. If not provided, will prompt for input.
+Common scopes include: User.Read, Mail.Read, Calendars.Read, etc.
+
+.PARAMETER ResourceAppId
+Optional. The resource application ID. Defaults to Microsoft Graph (00000003-0000-0000-c000-000000000000).
+
+.EXAMPLE
+Add-MsIdInheritablePermissionsToAgentIdentityBlueprint  # Will prompt for scopes
+
+.EXAMPLE
+Add-MsIdInheritablePermissionsToAgentIdentityBlueprint -Scopes @("User.Read", "Mail.Read", "Calendars.Read")
+
+.EXAMPLE
+Add-MsIdInheritablePermissionsToAgentIdentityBlueprint -Scopes @("User.Read") -ResourceAppId "00000003-0000-0000-c000-000000000000"
+#>
+function Add-MsIdInheritablePermissionsToAgentIdentityBlueprint {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $false)]
+        [string[]]$Scopes,
+
+        [Parameter(Mandatory = $false)]
+        [string]$ResourceAppId = "00000003-0000-0000-c000-000000000000"
+    )
+
+    # Prompt for ResourceAppId if not provided
+    if (-not $ResourceAppId -or $ResourceAppId.Trim() -eq "") {
+        Write-Host "Enter the Resource Application ID for the permissions." -ForegroundColor Yellow
+        Write-Host "Default: 00000003-0000-0000-c000-000000000000 (Microsoft Graph)" -ForegroundColor Gray
+
+        $resourceInput = Read-Host "Resource App ID (press Enter for Microsoft Graph default)"
+        if ($resourceInput -and $resourceInput.Trim() -ne "") {
+            $ResourceAppId = $resourceInput.Trim()
+        } else {
+            $ResourceAppId = "00000003-0000-0000-c000-000000000000"
+            Write-Host "Using default: Microsoft Graph" -ForegroundColor Cyan
+        }
+    }
+
+    # Determine resource name for display
+    $resourceName = switch ($ResourceAppId) {
+        "00000003-0000-0000-c000-000000000000" { "Microsoft Graph" }
+        "00000002-0000-0000-c000-000000000000" { "Azure Active Directory Graph" }
+        default { "Custom Resource ($ResourceAppId)" }
+    }
+
+    # Prompt for scopes if not provided
+    if (-not $Scopes -or $Scopes.Count -eq 0) {
+        Write-Host "Enter permission scopes to make inheritable for $resourceName." -ForegroundColor Yellow
+        if ($ResourceAppId -eq "00000003-0000-0000-c000-000000000000") {
+            Write-Host "Common Microsoft Graph scopes: User.Read, Mail.Read, Calendars.Read, Files.Read, etc." -ForegroundColor Gray
+        }
+        Write-Host "Enter multiple scopes separated by commas." -ForegroundColor Gray
+
+        do {
+            $scopeInput = Read-Host "Enter permission scopes (comma-separated)"
+            if ($scopeInput -and $scopeInput.Trim() -ne "") {
+                $Scopes = $scopeInput.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" }
+            }
+        } while (-not $Scopes -or $Scopes.Count -eq 0)
+    }
+
+    # Check if we have a stored Agent Blueprint ID
+    if (-not $script:CurrentAgentBlueprintId) {
+        Write-Error "No Agent Blueprint ID available. Please create a blueprint first using New-MsIdAgentIdentityBlueprint."
+        return
+    }
+
+    # Ensure we're connected to Microsoft Graph
+    $context = Get-MgContext
+    if (-not $context) {
+        Write-Error "Not connected to Microsoft Graph. Please run Connect-MgGraph first."
+        return
+    }
+
+    try {
+        Write-Host "Adding inheritable permissions to Agent Identity Blueprint..." -ForegroundColor Yellow
+        Write-Host "Agent Blueprint ID: $($script:CurrentAgentBlueprintId)" -ForegroundColor Gray
+        Write-Host "Resource App ID: $ResourceAppId ($resourceName)" -ForegroundColor Cyan
+        Write-Host "Scopes to make inheritable:" -ForegroundColor Cyan
+        foreach ($scope in $Scopes) {
+            Write-Host "  - $scope" -ForegroundColor White
+        }
+
+        # Build the request body
+        $Body = [PSCustomObject]@{
+            resourceAppId = $ResourceAppId
+            inheritableScopes = [PSCustomObject]@{
+                "@odata.type" = "microsoft.graph.enumeratedScopes"
+                scopes = $Scopes
+            }
+        }
+
+        $JsonBody = $Body | ConvertTo-Json -Depth 5
+        Write-Debug "Request Body: $JsonBody"
+
+        # Use Invoke-MgRestMethod to make the API call with the stored Agent Blueprint ID
+        $apiUrl = "https://graph.microsoft.com/beta/applications/microsoft.graph.agentIdentityBlueprint/$($script:CurrentAgentBlueprintId)/inheritablePermissions"
+        Write-Debug "API URL: $apiUrl"
+        $result = Invoke-MgRestMethod -Method POST -Uri $apiUrl -Body $JsonBody -ContentType "application/json"
+
+        Write-Host "Successfully added inheritable permissions to Agent Identity Blueprints" -ForegroundColor Green
+        Write-Host "Permissions are now available for inheritance by agent blueprints" -ForegroundColor Green
+
+        # Store the scopes for use in other functions
+        $script:LastConfiguredInheritableScopes = $Scopes
+
+        # Create a result object with permission information
+        $permissionResult = [PSCustomObject]@{
+            AgentBlueprintId = $script:CurrentAgentBlueprintId
+            ResourceAppId = $ResourceAppId
+            ResourceAppName = $resourceName
+            InheritableScopes = $Scopes
+            ScopeCount = $Scopes.Count
+            ConfiguredAt = Get-Date
+            ApiResponse = $result
+        }
+
+        return $permissionResult
+    }
+    catch {
+        Write-Error "Failed to add inheritable permissions: $_"
+        if ($_.Exception.Response) {
+            Write-Host "Response Status: $($_.Exception.Response.StatusCode)" -ForegroundColor Red
+            if ($_.Exception.Response.Content) {
+                Write-Host "Response Content: $($_.Exception.Response.Content)" -ForegroundColor Red
+            }
+        }
+        throw
+    }
+}