Get-EntraBetaAgentIdentityToken
Acquires an access token for an agent identity using client credentials.
Syntax
Default (Default)
Get-EntraBetaAgentIdentityToken
[-BlueprintAppId <String>]
[-AgentIdentityAppId <String>]
[-BlueprintSecret <SecureString>]
[-Scope <String>]
[-Mode <String>]
[-UserToken <String>]
[-UserUpn <String>]
[<CommonParameters>]
Description
The Get-EntraBetaAgentIdentityToken cmdlet acquires an access token for an agent identity using client credentials. To create a new agent identity for this session, use Invoke-EntraBetaAgentIdInteractive. The token is returned as a string.
Examples
Example 1: Get token using stored session values
Connect-Entra -Scopes 'Application.ReadWrite.All'
# Create agent identity using interactive cmdlet
Invoke-EntraBetaAgentIdInteractive
# Get token using stored values from the session
$token = Get-EntraBetaAgentIdentityToken
This example retrieves an access token using the blueprint and agent identity created in the current session.
Example 2: Get token with specific parameters
Connect-Entra -Scopes 'Application.ReadWrite.All'
$secret = ConvertTo-SecureString "your-secret-here" -AsPlainText -Force
$token = Get-EntraBetaAgentIdentityToken -BlueprintAppId "12345..." -AgentIdentityAppId "87654..." -BlueprintSecret $secret -Scope "https://graph.microsoft.com/.default"
This example retrieves an access token by providing all required parameters explicitly.
Example 3: Get token for OBO (On-Behalf-Of) flow
Connect-Entra -Scopes 'Application.ReadWrite.All'
$userToken = "user-access-token"
$token = Get-EntraBetaAgentIdentityToken -BlueprintAppId "12345..." -AgentIdentityAppId "87654..." -Scope "https://graph.microsoft.com/.default" -Mode OBO -UserToken $userToken
This example retrieves an access token using the On-Behalf-Of (OBO) flow, where the agent acts on behalf of a user.
Example 4: Get token for AutonomousUser mode
Connect-Entra -Scopes 'Application.ReadWrite.All'
$token = Get-EntraBetaAgentIdentityToken -BlueprintAppId "12345..." -AgentIdentityAppId "87654..." -Scope "https://graph.microsoft.com/.default" -Mode AutonomousUser -UserUpn "user@contoso.com"
This example retrieves an access token in AutonomousUser mode, specifying a user UPN.
Parameters
-AgentIdentityAppId
The agent identity application ID. If not provided, the agent identity created in this session is used.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-BlueprintAppId
The blueprint application ID. If not provided, the blueprint created in this session is used.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-BlueprintSecret
The blueprint client secret. If not provided, the secret created in this session is used.
Parameter properties
| Type: | System.Security.SecureString |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Mode
Authentication mode: AutonomousApp (default), OBO, or AutonomousUser.
Parameter properties
| Type: | System.String |
| Default value: | AutonomousApp |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-Scope
The scope to acquire a token for (e.g., User.Read). If not provided, the default scope is used (https://graph.microsoft.com/.default).
Parameter properties
| Type: | System.String |
| Default value: | https://graph.microsoft.com/.default |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-UserToken
User token for OBO mode (required when Mode is OBO).
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
-UserUpn
User UPN for AutonomousUser mode (required when Mode is AutonomousUser).
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | False |
| Value from pipeline by property name: | False |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
None
Outputs
System.String
Returns the access token as a string.
Notes
This cmdlet supports three authentication modes:
- AutonomousApp: App-only authentication (default)
- OBO: On-Behalf-Of flow where the agent acts on behalf of a user
- AutonomousUser: User-specific authentication