Linked Agent Identities Not Visible in Portal

[ivanja81]

Description

A365 CLI Version: v1.1.94-preview
Environment: Microsoft 365 developer tenant (single-tenant)

---

Issue 1: Linked Agent Identities Not Visible in Portal

What I See in Entra ID

Blueprint	Portal Shows	Actual Count (Graph Beta)
Blueprint A (created by Azure ML / AI Foundry)	1 linked (visible, clickable)	1
Blueprint B (created by A365 CLI)	"-" (dash, no identities)	3 (confirmed via Graph)
Blueprint C (created by A365 CLI)	2 linked (count shown, but list empty)	2

The Agent ID portal at Microsoft 365 Admin Center > Agents > Registry does not display the linked agent identities for blueprints created by the A365 CLI, even though the ServiceIdentity SPs exist and have valid agentIdentityBlueprintId linkage.

Evidence

All three agent identities linked to Blueprint B are confirmed via Graph Beta:

GET https://graph.microsoft.com/beta/servicePrincipals/{sp-id}

Identity1 → agentIdentityBlueprintId: <blueprint-b-app-id>
Identity2 → agentIdentityBlueprintId: <blueprint-b-app-id>
Identity3 → agentIdentityBlueprintId: <blueprint-b-app-id>

All three have @odata.type: #microsoft.graph.agentIdentity and servicePrincipalType: ServiceIdentity.

Root Cause Hypothesis: signInAudience Difference

The only meaningful difference between the working blueprint (A) and the non-working one (B) is:

Property	Blueprint A (works — Azure ML)	Blueprint B (broken — A365 CLI)
signInAudience	AzureADMyOrg	AzureADMultipleOrgs
createdByAppId	Azure Machine Learning App ID	A365 CLI App ID

Questions

1. Does the Agent ID portal filter linked identities by signInAudience? If so, this is a bug — AzureADMultipleOrgs blueprints should still show their linked identities.

2. Why does a365 setup blueprint create the app registration with signInAudience: AzureADMultipleOrgs? The Azure ML / AI Foundry path uses AzureADMyOrg. Should the CLI match this behavior?

Questions

3. Is there a rendering/pagination bug in the Agent ID portal list view? The count API returns 2 but the list API returns empty. These seem to be hitting different code paths. (see image)

---

Expected behavior

The Agent ID portal should display all linked agent identities regardless of the blueprint's signInAudience setting

• Tenant admins should be able to modify blueprint properties (e.g., signInAudience) via Graph API or CLI
• The portal's count and list views should be consistent

SDK Version

A365 CLI Version: v1.1.94-preview

Language/Runtime

Python

OS

Windows 11

How to Reproduce

Reproduction Steps

1. Create a blueprint using a365 setup blueprint (CLI creates it with signInAudience: AzureADMultipleOrgs)
2. Create one or more agent identities linked to that blueprint using a365 setup instance
3. Navigate to Microsoft 365 Admin Center > Agents > Registry
4. Observe: the linked identities either show as "-" (zero) or show a count but the list view is empty
5. Verify via Graph Beta that the identities exist with correct agentIdentityBlueprintId

Output

No response

Screenshots

Code of Conduct

• I agree to follow the Microsoft Open Source Code of Conduct.

[github-actions]

[AUTO-TRIAGE] Team Assistant Triage

This issue has been automatically analyzed and triaged.

AI Decision Reasoning: Type: Classified as 'bug' because the user reports unexpected behavior where linked agent identities are not visible in the portal despite being confirmed via Graph Beta.
Priority: Elevated to P1 due to security concern: The issue describes a potential security concern related to the visibility and filtering of linked agent identities in the portal, which could lead to unauthorized access or misconfiguration due to inconsistent behavior or filtering by signInAudience. This could expose sensitive service principal data or cause improper handling of identity linkage.
Copilot: Security issues require human review and should not be auto-fixed
Assignment: Security issue assigned to security lead. The issue describes a potential security concern related to the visibility and filtering of linked agent identities in the portal, which could lead to unauthorized access or misconfiguration due to inconsistent behavior or filtering by signInAudience. This could expose sensitive service principal data or cause improper handling of identity linkage.
Labels: Applied labels bug, P1, security based on issue type and priority

Labels and assignee have been applied based on this analysis.

[github-actions]

[AUTO-TRIAGE] Results

Classification: bug
Priority: P1
Confidence: 95.0%

Recommended Assignee: @sellakumaran

Analysis:
type rationale: Classified as 'bug' because the user reports unexpected behavior where linked agent identities are not visible in the portal despite being confirmed via Graph Beta.

priority rationale: Elevated to P1 due to security concern: The issue describes a potential security concern related to the visibility and filtering of linked agent identities in the portal, which could lead to unauthorized access or misconfiguration due to inconsistent behavior or filtering by signInAudience. This could expose sensitive service principal data or cause improper handling of identity linkage.

copilot rationale: Security issues require human review and should not be auto-fixed

assignment rationale: Security issue assigned to security lead. The issue describes a potential security concern related to the visibility and filtering of linked agent identities in the portal, which could lead to unauthorized access or misconfiguration due to inconsistent behavior or filtering by signInAudience. This could expose sensitive service principal data or cause improper handling of identity linkage.

labels rationale: Applied labels bug, P1, security based on issue type and priority

[SUGGESTION] Suggested Approach

1. Investigate the signInAudience property handling in the A365 CLI codebase. Specifically, check the logic in the src/Microsoft.Agents.A365.DevTools.Cli directory for how ServiceIdentity objects are created and linked to blueprints. Ensure that the signInAudience value is correctly set to AzureADMyOrg for single-tenant environments.
2. Add debugging logs to the CLI commands responsible for creating and linking agent identities (likely in src/Microsoft.Agents.A365.DevTools.Cli/Commands). Include logs for signInAudience, agentIdentityBlueprintId, and createdByAppId properties to verify their values during execution.
3. Test the Graph API integration in the CLI by creating a unit test in src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Integration. Validate that the linked agent identities created by the CLI are correctly returned with the expected signInAudience and agentIdentityBlueprintId properties.
4. Check the portal filtering logic by comparing the Graph API responses for blueprints created by Azure ML and the A365 CLI. If the portal does filter by signInAudience, update the CLI logic to default to AzureADMyOrg for single-tenant environments or provide a configuration option for users to set the signInAudience explicitly.
5. Update the documentation in docs/agent-identity.md to clarify how the signInAudience property impacts visibility in the Microsoft 365 Admin Center. Include troubleshooting steps for users encountering similar issues and examples of correct CLI usage.

---

Generated by TeamAssistant Auto-Triage powered by GitHub Models

[github-actions]

SLA Escalation Alert

This P2 issue has exceeded its SLA threshold.

Metric	Value
Priority	P2
SLA Threshold	72 hours
Time Since Update	82.8 hours
Current Assignees	@sellakumaran

Action: This issue is already assigned to a Tech Lead but remains unresolved.

Escalating to Engineering Manager @ajmfehr for visibility.

Tech Leads: @sellakumaran

---

Generated by AutoTriage SLA Escalation