Merge pull request #28338 from lieric-msft/lieric/managerapplications

Lieric/managerapplications

Author: Danipocket

api-reference/beta/api/agentidentityblueprint-get.md

@@ -107,6 +107,7 @@ Content-Type: application/json
     "disabledByMicrosoftStatus": null,
     "displayName": "My Agent Blueprint",
     "groupMembershipClaims": null,
+    "managerApplications": ["77504268-3426-435e-99c0-9bc8656bc20e"],
     "publisherDomain": "contoso.onmicrosoft.com",
     "signInAudience": "AzureADMyOrg",
     "tags": [],

api-reference/beta/api/agentidentityblueprint-update.md

@@ -50,6 +50,10 @@ PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint
 
 In the request body, supply the values for relevant fields that should be updated. Existing properties that aren't included in the request body maintains their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't changed.
 
+| Property | Type | Description |
+|:---------|:-----|:------------|
+| displayName | String | The display name for the agent identity blueprint. |
+| managerApplications | Guid collection | A collection of application IDs for applications designated as managers of this agent identity blueprint. Manager applications can create agent blueprint principals, agent identities, and agent users for their managed blueprints without requiring high-privileged permissions such as `AgentIdentityBlueprintPrincipal.ReadWrite.All`. Currently, only Microsoft first-party application IDs can be set as values. Maximum of 10 values. Not nullable. |
 
 ## Response
 
@@ -59,7 +63,9 @@ For information about errors returned by agent identity APIs, see [Agent identit
 
 ## Examples
 
-### Request
+### Example 1: Update the displayName of an agent identity blueprint
+
+#### Request
 
 The following example shows a request.
 # [HTTP](#tab/http)
@@ -84,7 +90,7 @@ Content-Type: application/json
 ---
 
 
-### Response
+#### Response
 
 The following example shows the response.
 <!-- {
@@ -94,3 +100,144 @@ The following example shows the response.
 HTTP/1.1 204 No Content
 ```
 
+### Example 2: Update managerApplications on an agent identity blueprint
+
+The `managerApplications` property is fully writable by both first-party (1P) and third-party (3P) callers on agent identity blueprints.
+
+#### Request
+
+The following example shows a request.
+
+<!-- {
+  "blockType": "request",
+  "name": "update_agentidentityblueprint_managerapplications"
+}-->
+```http
+PATCH https://graph.microsoft.com/beta/applications/graph.agentIdentityBlueprint/e5006f10-6462-4816-97ad-7f5a53204d11
+Content-Type: application/json
+
+{
+  "managerApplications": [
+    "77504268-3426-435e-99c0-9bc8656bc20e"
+  ]
+}
+```
+
+#### Response
+
+The following example shows the response.
+
+<!-- {
+  "blockType": "response"
+} -->
+```http
+HTTP/1.1 204 No Content
+```
+
+### Example 3: Attempt to add a non-first-party application as a manager
+
+Only Microsoft first-party application IDs can currently be set as values in the `managerApplications` collection.
+
+#### Request
+
+The following example shows a request attempting to add a non-first-party application.
+
+<!-- {
+  "blockType": "request",
+  "name": "update_agentidentityblueprint_managerapplications_non_first_party_error"
+}-->
+```http
+PATCH https://graph.microsoft.com/beta/applications/graph.agentIdentityBlueprint/e5006f10-6462-4816-97ad-7f5a53204d11
+Content-Type: application/json
+
+{
+  "managerApplications": [
+    "b43716e4-8cd1-4e88-b4ef-94611f4c6c46"
+  ]
+}
+```
+
+#### Response
+
+The following example shows the error response.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.error"
+} -->
+```http
+HTTP/1.1 400 Bad Request
+Content-type: application/json
+
+{
+  "error": {
+    "code": "BadRequest",
+    "message": "Application b43716e4-8cd1-4e88-b4ef-94611f4c6c46 is not a Microsoft first-party application. Managers must be Microsoft first-party applications.",
+    "innerError": {
+      "date": "2026-01-09T18:19:01",
+      "request-id": "b67ef789-eb9c-4639-8847-4425f27c3c13",
+      "client-request-id": "7b3c375e-a647-4e57-9452-6a8539b2256f"
+    }
+  }
+}
+```
+
+### Example 4: Attempt to exceed the limit of 10 manager applications
+
+Applications are limited to a maximum of 10 manager applications.
+
+#### Request
+
+The following example shows a request attempting to set 11 manager applications.
+
+<!-- {
+  "blockType": "request",
+  "name": "update_agentidentityblueprint_managerapplications_exceed_limit_error"
+}-->
+```http
+PATCH https://graph.microsoft.com/beta/applications/graph.agentIdentityBlueprint/e5006f10-6462-4816-97ad-7f5a53204d11
+Content-Type: application/json
+
+{
+  "managerApplications": [
+    "030bd5f7-db55-4925-959e-5cd332851a0d",
+    "1bcc0f3a-18c2-44cb-851a-26e344c2b1bd",
+    "6ed7705a-21de-4de9-9e98-95d1a2b5caa5",
+    "1925068d-8f9f-4fe8-8d4f-af7d70dce238",
+    "383b3cea-2ad2-4ca9-8c86-7f66e507ee77",
+    "00f03cc4-3d1f-4b44-8bfa-fca7b181cbb9",
+    "9d089274-e6dc-4640-bae2-0c88b4dc89a3",
+    "8ea5293f-5d07-45dd-8333-64edfd907423",
+    "2a0c3ca6-102f-4f22-a19e-4e5d1d99337d",
+    "d40473a1-1d8c-4db9-bc87-1296c90e516b",
+    "d902c7bd-7fe6-486a-86e8-00da01936fba"
+  ]
+}
+```
+
+#### Response
+
+The following example shows the error response.
+
+<!-- {
+  "blockType": "response",
+  "truncated": true,
+  "@odata.type": "microsoft.graph.error"
+} -->
+```http
+HTTP/1.1 400 Bad Request
+Content-type: application/json
+
+{
+  "error": {
+    "code": "BadRequest",
+    "message": "The number of ManagerApplications exceeds the limit. A blueprint can have only 10 ManagerApplications values.",
+    "innerError": {
+      "date": "2026-01-09T18:19:01",
+      "request-id": "b67ef789-eb9c-4639-8847-4425f27c3c13",
+      "client-request-id": "7b3c375e-a647-4e57-9452-6a8539b2256f"
+    }
+  }
+}
+```

api-reference/beta/resources/agentidentityblueprint.md

@@ -82,6 +82,7 @@ This resource is an open type that allows additional properties beyond those doc
 |identifierUris|String collection| Also known as App ID URI, this value is set when an agent identity blueprint is used as a resource app. The identifierUris acts as the prefix for the scopes you reference in your API's code, and it must be globally unique across Microsoft Entra ID. Not nullable. Inherited from [application](../resources/application.md).|
 |info|[informationalUrl](../resources/informationalurl.md)|Basic profile information of the agent identity blueprint, such as it's marketing, support, terms of service, and privacy statement URLs. The terms of service and privacy statement are surfaced to users through the user consent experience. Inherited from [application](../resources/application.md).|
 |keyCredentials|[keyCredential](../resources/keycredential.md) collection|The collection of key credentials associated with the agent identity blueprint. Not nullable. Inherited from [application](../resources/application.md).|
+|managerApplications|Guid collection|A collection of application IDs for applications designated as managers of this agent identity blueprint. Manager applications can create agent blueprint principals, agent identities, and agent users for their managed blueprints — without requiring high-privileged permissions such as `AgentIdentityBlueprintPrincipal.ReadWrite.All`. Currently, only Microsoft first-party application IDs can be set as values. Maximum of 10 values. Not nullable. Returned by default.|
 |optionalClaims|[optionalClaims](../resources/optionalclaims.md)|Application developers can configure optional claims in their Microsoft Entra agent identity blueprints to specify the claims that are sent to their application by the Microsoft security token service. Inherited from [application](../resources/application.md).|
 |passwordCredentials|[passwordCredential](../resources/passwordcredential.md) collection|The collection of password credentials associated with the agent identity blueprint. Not nullable. Inherited from [application](../resources/application.md).<br/><br/>You can also add passwords after creating the agent identity blueprint by calling the [Add password](../api/agentidentityblueprint-addpassword.md) API.|
 |publisherDomain|String|The verified publisher domain for the agent identity blueprint. Read-only. Inherited from [application](../resources/application.md).|
@@ -160,6 +161,7 @@ The following JSON representation shows the resource type. Only a subset of all
       "@odata.type": "microsoft.graph.keyCredential"
     }
   ],
+  "managerApplications": ["Guid"],
   "passwordCredentials": [
     {
       "@odata.type": "microsoft.graph.passwordCredential"

api-reference/beta/resources/application.md

@@ -89,6 +89,7 @@ This resource supports:
 | isFallbackPublicClient | Boolean | Specifies the fallback application type as public client, such as an installed application running on a mobile device. The default value is `false`, which means the fallback application type is confidential client such as a web app. There are certain scenarios where Microsoft Entra ID can't determine the client application type. For example, the [ROPC](https://tools.ietf.org/html/rfc6749#section-4.3) flow where the application is configured without specifying a redirect URI. In those cases Microsoft Entra ID interprets the application type based on the value of this property.|
 | keyCredentials | [keyCredential](keycredential.md) collection | The collection of key credentials associated with the application. Not nullable. Supports `$filter` (`eq`, `not`, `ge`, `le`).|
 | logo | Stream | The main logo for the application. Not nullable. |
+| managerApplications | Guid collection | A collection of application IDs for applications designated as managers of this application. Manager applications can create service principals for the applications they manage. Currently, only Microsoft first-party application IDs can be set as values. Maximum of 10 values. Not nullable. Read-only for third-party (3P) callers; writes by 3P callers are rejected with a `400 Bad Request` error. Returned only on `$select`. |
 | nativeAuthenticationApisEnabled | nativeAuthenticationApisEnabled | Specifies whether the Native Authentication APIs are enabled for the application. The possible values are: `none`and `all`. Default is `none`. For more information, see [Native Authentication](/entra/external-id/customers/concept-native-authentication). |
 | notes | String | Notes relevant for the management of the application. |
 | oauth2RequiredPostResponse | Boolean | Specifies whether, as part of OAuth 2.0 token requests, Microsoft Entra ID allows POST requests, as opposed to GET requests. The default is `false`, which specifies that only GET requests are allowed. |
@@ -184,6 +185,7 @@ The following JSON representation shows the resource type.
   "isFallbackPublicClient": false,
   "keyCredentials": [{"@odata.type": "microsoft.graph.keyCredential"}],
   "logo": "Stream",
+  "managerApplications": ["Guid"],
   "nativeAuthenticationApisEnabled": "String",
   "notes": "String",
   "oauth2RequiredPostResponse": false,

changelog/Microsoft.DirectoryServices.json

@@ -1,5 +1,31 @@
 {
   "changelog": [
+    {
+      "ChangeList": [
+        {
+          "Id": "745059d3-8cd1-4100-a646-c3508fa939d9",
+          "ApiChange": "Property",
+          "ChangedApiName": "managerApplications",
+          "ChangeType": "Addition",
+          "Description": "Added the **managerApplications** property to the [agentIdentityBlueprint](https://learn.microsoft.com/en-us/graph/api/resources/agentIdentityBlueprint?view=graph-rest-beta) resource.",
+          "Target": "agentIdentityBlueprint"
+        },
+        {
+          "Id": "745059d3-8cd1-4100-a646-c3508fa939d9",
+          "ApiChange": "Property",
+          "ChangedApiName": "managerApplications",
+          "ChangeType": "Addition",
+          "Description": "Added the **managerApplications** property to the [application](https://learn.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-beta) resource.",
+          "Target": "application"
+        }
+      ],
+      "Id": "745059d3-8cd1-4100-a646-c3508fa939d9",
+      "Cloud": "Prod",
+      "Version": "beta",
+      "CreatedDateTime": "2026-03-16T16:11:03.4585233Z",
+      "WorkloadArea": "Identity and access",
+      "SubArea": "Directory management"
+    },
     {
       "ChangeList": [
         {

concepts/whats-new-overview.md

@@ -199,6 +199,10 @@ Added support for protection policy offboarding status and timestamp tracking in
 
 Use the new cloud licensing APIs to manage tenant, user, and group licensing data for Microsoft 365 services. These APIs provide programmatic access to allotments, assignments, assignment errors, subscription lifecycles, and waiting members. For more information, see [Use the cloud licensing API in Microsoft Graph (preview)](/graph/api/resources/cloud-licensing-api-overview?view=graph-rest-beta&preserve-view=true).
 
+### Identity and access | Directory management
+
+Added the **managerApplications** property to the [application](/graph/api/resources/application?view=graph-rest-beta&preserve-view=true) and [agentIdentityBlueprint](/graph/api/resources/agentidentityblueprint?view=graph-rest-beta&preserve-view=true) resources to specify applications designated as managers of an application. On the base **application** resource, this property is read-only for third-party (3P) callers. On the **agentIdentityBlueprint** resource, manager applications can create agent blueprint principals, agent identities, and agent users for their managed agent blueprints without requiring high-privileged permissions such as `AgentIdentityBlueprintPrincipal.ReadWrite.All`.
+
 ### Files
 
 Added [driveItem: archive](/graph/api/driveitem-archive?view=graph-rest-beta&preserve-view=true) and [driveItem: unarchive](/graph/api/driveitem-unarchive?view=graph-rest-beta&preserve-view=true) to enable organizations to archive and unarchive [driveItem](/graph/api/resources/driveitem?view=graph-rest-beta&preserve-view=true) objects.