Add missing Security Reader role to agent ID authorization doc#1938

Open
zh54321 wants to merge 1 commit into MicrosoftDocs:main from zh54321:docs/agent-id-add-security-reader-role
Conversation

zh54321 commented Mar 31, 2026

This PR adds the missing Security Reader role to the list of allowed roles for agent identities in docs/agent-id/identity-professional/authorization-agent-id.md.

Validation

I validated that the Security Reader role can be assigned to an agent identity.

Role assignment in the portal: [screenshot]

POC

POC script:

# $tokens holds a token response acquired earlier (not shown in the PR); only the access token is used below
$token                 = $tokens.access_token
$agentIdentityObjectId = "3ec25321-2ef8-437b-9e10-3ed95cb25693"
# Well-known template ID of the Security Reader directory role
$securityReaderRoleId  = "5d6b6bb7-de71-4623-b4af-96380a352509"

$headers = @{ Authorization = "Bearer $token" }

# Step 1: Prove the object is an Agent Identity
Write-Host "[*] Step 1: Verify object is an Agent Identity" -ForegroundColor Cyan
$r = Invoke-RestMethod -Method GET `
    -Uri "https://graph.microsoft.com/beta/servicePrincipals/$agentIdentityObjectId/microsoft.graph.agentIdentity" `
    -Headers $headers
Write-Host "[+] Confirmed Agent Identity: $($r.displayName) ($($r.id))" -ForegroundColor Green

# Step 2: Assign Security Reader at tenant scope
Write-Host "[*] Step 2: Assign Security Reader" -ForegroundColor Cyan
$body = @{
    "@odata.type"      = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId   = $securityReaderRoleId
    principalId        = $agentIdentityObjectId
    directoryScopeId   = "/"
} | ConvertTo-Json

$assignment = Invoke-RestMethod -Method POST `
    -Uri "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments" `
    -Headers ($headers + @{ "Content-Type" = "application/json" }) `
    -Body $body
Write-Host "[+] SUCCESS - Assignment ID: $($assignment.id)" -ForegroundColor Green

[*] Step 1: Verify object is an Agent Identity
[+] Confirmed Agent Identity: My_AI_Roles_85 (3ec25321-2ef8-437b-9e10-3ed95cb25693)
[*] Step 2: Assign Security Reader
[+] SUCCESS - Assignment ID: t2trXXHeI0a0r5Y4CjUlCSFTwj74LntDnhA-2VyyVpM-1
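As an added example (not the PR author's code), the audit counterpart of the POC above: enumerate every Security Reader assignment in the tenant and test each principal with the same agentIdentity cast the POC uses, so an administrator can see which agent identities hold the role. It assumes $token is a Graph access token with permission to read directory role assignments and that the roleAssignments $filter on roleDefinitionId is available to the caller (both assumptions); the role ID and endpoints are the ones from the POC.

```powershell
# Added example: list agent identities that hold Security Reader.
# Assumes $token is a Graph token able to read directory role assignments.
$securityReaderRoleId = "5d6b6bb7-de71-4623-b4af-96380a352509"
$headers = @{ Authorization = "Bearer $token" }

# Page through all assignments of the role; Graph returns @odata.nextLink
# while more pages remain. The roleDefinitionId $filter is assumed available.
$uri = "https://graph.microsoft.com/beta/roleManagement/directory/roleAssignments" +
       "?`$filter=roleDefinitionId eq '$securityReaderRoleId'"
$assignments = @()
while ($uri) {
    $page = Invoke-RestMethod -Method GET -Uri $uri -Headers $headers
    $assignments += $page.value
    $uri = $page.'@odata.nextLink'
}

$findings = foreach ($a in $assignments) {
    # Same cast as the POC: HTTP 200 means the principal is an agent identity,
    # HTTP 404 means it is some other principal type and is skipped.
    try {
        $agent = Invoke-RestMethod -Method GET `
            -Uri "https://graph.microsoft.com/beta/servicePrincipals/$($a.principalId)/microsoft.graph.agentIdentity" `
            -Headers $headers
        [pscustomobject]@{
            AgentDisplayName = $agent.displayName
            PrincipalId      = $a.principalId
            Scope            = $a.directoryScopeId   # "/" is tenant-wide
            AssignmentId     = $a.id
        }
    } catch {
        # Re-throw anything other than "not an agent identity"
        if ($_.Exception.Response.StatusCode.value__ -ne 404) { throw }
    }
}

if ($findings) {
    Write-Host "[!] Agent identities holding Security Reader:" -ForegroundColor Yellow
    $findings | Format-Table -AutoSize
} else {
    Write-Host "[+] No agent identity holds Security Reader" -ForegroundColor Green
}
```

Assignments whose Scope is "/" grant read access to security data tenant-wide, which is the case the PR's POC created.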

@prmerger-automator (Contributor)

@zh54321 : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

@learn-build-service-prod (Contributor)

Learn Build status updates of commit 6a34dc6:

✅ Validation status: passed

File: docs/agent-id/identity-professional/authorization-agent-id.md
Status: ✅ Succeeded

For more details, please refer to the build report.

ttorble (Contributor) commented Mar 31, 2026

@rolyon

Can you review the proposed changes?

IMPORTANT: When the changes are ready for publication, adding a #sign-off comment is the best way to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

Copilot AI (Contributor) left a comment

Pull request overview

Updates the Microsoft Entra Agent ID authorization documentation to include the Security Reader role in the set of Microsoft Entra roles that can be assigned to agent identities.

Changes:

  • Add Security Reader to the “Microsoft Entra roles allowed for agents” list.
