Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
You need to be part of the Frontier preview program to get early access to Microsoft Agent 365. Frontier connects you directly with Microsoft’s latest AI innovations. Frontier previews are subject to the existing preview terms of your customer agreements. As these features are still in development, their availability and capabilities may change over time.
The Agent 365 CLI needs a custom client app registration in your Microsoft Entra ID tenant to authenticate and manage Agent Identity Blueprints.
This article breaks down the process into four main steps:
If you have problems, see the Troubleshooting section.
Prerequisites
Before you begin, make sure you have access to Microsoft Entra admin center and, if needed, one of the required admin roles to grant consent.
To register the app
By default, any user in the tenant can register applications in the Microsoft Entra admin center. However, tenant administrators can restrict this capability. If you can't register your app, contact your administrator.
To add permissions and grant consent
You need one of these admin roles for 4. Configure API permissions.
- Application Administrator: Recommended - can manage app registrations and grant consent
- Cloud Application Administrator: Can manage app registrations and grant consent
- Global Administrator: Has all permissions, but not required
Tip
Don't have admin access? You can complete steps 1-3 yourself, then ask your tenant administrator to complete step 4. Provide them your Application (client) ID from step 3 and a link to the Configure API Permissions section.
1. Register application
These instructions summarize the full instructions to create an app registration.
Select App registrations
Select New registration
Enter:
- Name: Enter a meaningful name for your app, such as
my-agent-app. App users see this name, and you can change it at any time. You can have multiple app registrations with the same name. - Supported account types: Accounts in this organizational directory only (Single tenant)
- Redirect URI: Select Public client/native (mobile & desktop) and enter
http://localhost:8400/
- Name: Enter a meaningful name for your app, such as
Select Register
The CLI requires three redirect URIs in total. The CLI automatically adds any that are missing when you run a365 config init or a365 setup requirements:
| URI | Purpose |
|---|---|
http://localhost:8400/ |
Microsoft Authentication Library (MSAL) interactive browser authentication |
http://localhost |
Microsoft Graph PowerShell SDK Connect-MgGraph |
ms-appx-web://Microsoft.AAD.BrokerPlugin/{client-id} |
Using Web Account Manager (WAM) |
See What the CLI auto-configures for details.
2. Set the redirect URI
- Go to Overview and copy the Application (client) ID value.
- Go to Authentication (preview) and select Add Redirect URI.
- Select Mobile and desktop applications and set the value to
ms-appx-web://Microsoft.AAD.BrokerPlugin/{client-id}, where{client-id}is the Application (client ID) value you copied. - Select Configure to add the value.
3. Copy Application (client) ID
From the app's Overview page, copy the Application (client) ID in GUID format. Enter this value when you use the a365 config init command.
Tip
Don't confuse this value with Object ID - you need the Application (client) ID.
4. Configure API permissions
Important
You need administrator privileges for this step. If you're a developer without admin access, send your Application (client) ID from Step 3 to your tenant administrator and have them complete this step.
In your app registration, go to API permissions.
Select Add a permission > Microsoft Graph > Delegated permissions.
Important
You must use Delegated permissions (not Application permissions). The CLI authenticates interactively - you sign in, and it acts on your behalf. To learn more, see Wrong permission type.
Add these six permissions one by one:
Permission Purpose AgentIdentityBlueprint.ReadWrite.AllManage Agent Blueprint configurations AgentIdentityBlueprint.UpdateAuthProperties.AllUpdate Agent Blueprint inheritable permissions Application.ReadWrite.AllCreate and manage applications and Agent Blueprints DelegatedPermissionGrant.ReadWrite.AllGrant permissions for agent blueprints Directory.Read.AllRead directory data for validation User.ReadWrite.AllCreate agent users, set usage location, and assign licenses For each permission:
- In the search box, type the permission name (for example,
AgentIdentityBlueprint.ReadWrite.All). - Check the checkbox next to the permission.
- Select Add permissions.
- Repeat for all six permissions.
- In the search box, type the permission name (for example,
Select Grant admin consent for [Your Tenant].
- Why is this required? Agent Identity Blueprints are tenant-wide resources that multiple users and applications can reference. Without tenant-wide consent, the CLI fails during authentication.
- What if it fails? You need Application Administrator, Cloud Application Administrator, or Global Administrator role. Ask your tenant admin for help.
Verify all permissions show green checkmarks under Status.
Security best practices
Review these guidelines to keep your app registration secure and compliant.
Do:
- Use single-tenant registration.
- Grant only the required delegated permissions.
- Audit permissions regularly.
- Remove the app when no longer needed.
Don't:
- Grant application permissions. Only use delegated.
- Share the client ID publicly.
- Grant other unnecessary permissions.
- Use the app for other purposes.
What the CLI auto-configures
When you run a365 config init or a365 setup requirements, the CLI validates your app registration and might need to make changes. Before applying any changes, the CLI shows you a summary and asks for confirmation:
WARNING: The CLI needs to make the following changes to your app registration (<app-id>):
- Add redirect URI(s): http://localhost
- Enable 'Allow public client flows' (isFallbackPublicClient = true)
Do you want to proceed? (y/N):
To skip the confirmation prompt (for example, in a CI environment), use the --yes flag:
a365 config init --yes
The following table describes each change the CLI might make:
| Change | Reason |
|---|---|
Add redirect URI http://localhost |
Microsoft Graph PowerShell SDK requires this URI for browser authentication. Without it, OAuth2 grant operations fall back to a token that lacks the required delegated permissions and fail with 403. |
Add redirect URI http://localhost:8400/ |
MSAL requires this URI for interactive browser authentication. |
Add redirect URI ms-appx-web://Microsoft.AAD.BrokerPlugin/{id} |
Required for Web Account Manager (WAM), a Windows OS authentication broker. Learn more about Acquiring Device Bound Tokens. |
| Enable "Allow public client flows" | Required for device code authentication fallback on macOS, Linux, Windows Subsystem for Linux (WSL), headless environments, and as a Conditional Access Policy fallback on Windows. |
| Add missing permissions to app registration | Keeps the app registration in sync with newly required permissions after a CLI update. |
| Extend admin consent grant | Extends the existing OAuth2 permission grant to include any newly provisioned permissions. Requires DelegatedPermissionGrant.ReadWrite.All to be already consented. |
If you decline the prompt, the CLI doesn't modify your app registration. If changes are required for the CLI to function, you can configure them manually in Microsoft Entra admin center or re-run with --yes.
Next steps
After registering your custom client app, use it with the Agent 365 CLI in the Agent 365 development lifecycle:
Troubleshooting
This section describes how to troubleshoot errors with custom client app registration.
Tip
Agent 365 Troubleshooting Guide contains high-level troubleshooting recommendations, best practices, and links to troubleshooting content for each part of the Agent 365 development lifecycle.
CLI validation fails during configuration
Symptom: Running a365 config init command or a365 setup fails with validation errors about your custom client app.
Solution: Use this checklist to verify your app registration is correct:
# Run configuration to see validation messages
a365 config init
Expected result: CLI displays Custom client app validation successful.
If you don't get the expected result, verify each of the following checks:
| Check | How to Verify | Fix |
|---|---|---|
| ✅ Used correct ID | You copied Application (client) ID (not Object ID) | Go to app Overview in Microsoft Entra admin center |
| ✅ Delegated permissions | Permissions show Type: Delegated in API permissions | See Wrong permission type |
| ✅ All permissions added | See all permissions listed below | Follow Step 4 again |
| ✅ Admin consent granted | All show green checkmark under Status | See Admin consent granted incorrectly |
Required Delegated permissions:
Application.ReadWrite.AllAgentIdentityBlueprint.ReadWrite.AllAgentIdentityBlueprint.UpdateAuthProperties.AllDirectory.Read.AllDelegatedPermissionGrant.ReadWrite.AllUser.ReadWrite.All
Admin consent granted incorrectly
Symptom: Validation fails even though you added permissions.
Root cause: You didn't grant admin consent, or you granted it incorrectly.
Solution: In your app registration in Microsoft Entra admin center, go to API permissions and select Grant admin consent for [Your Tenant]. Verify all permissions show green checkmarks under Status.
Wrong permission type
Symptom: CLI fails with authentication errors or permission denied errors.
Root cause: You added Application permissions instead of Delegated permissions.
This table describes the different types of permissions.
| Permission Type | When to Use | How Agent 365 CLI Uses It |
|---|---|---|
| Delegated ("Scope") | User signs in interactively | Agent 365 CLI uses this - You sign in, CLI acts on your behalf |
| Application ("Role") | Service runs without user | Don't use - For background services/daemons only |
Why Delegated?
- You sign in interactively (browser authentication)
- CLI performs actions as you (audit trails show your identity)
- More secure - limited by your actual permissions
- Ensures accountability and compliance
Solution:
- Go to Microsoft Entra admin center > App registrations > Your app > API permissions
- Remove any application permissions. These permissions appear as Application in the Type column.
- Add the same permissions as Delegated permissions.
- Grant admin consent again.
App not found during validation
Symptom: CLI reports Application not found or Invalid client ID errors.
Solution:
Verify you copied the Application (client) ID in GUID format, not the Object ID:
- Go to Microsoft Entra admin center > App registrations > Your app > Overview
- Copy the value under Application (client) ID
- Format should be:
xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Verify the app exists in your tenant:
# Sign in to the correct tenant az login # List your app registrations az ad app list --display-name "<The display name of your app>"