This skill provisions Microsoft Entra's new Agent Identity system, which gives each AI agent instance its own service principal, audit trail, and independently scoped permissions via Microsoft Graph. You create a Blueprint (the agent type), then a BlueprintPrincipal (which isn't auto-created, and the setup will break if you skip it), then individual Agent Identity service principals for each running instance. The two-step fmi_path token exchange lets agents authenticate with distinct identities even when they share Blueprint credentials. This is useful when you need per-agent permission grants, cross-tenant flows, or compliance logging that tracks which agent did what. The skill covers direct Graph API calls since there's no dedicated MCP server yet. Watch out for DefaultAzureCredential: it doesn't work here because Azure CLI tokens get hard-rejected.
npx skills add https://github.com/microsoft/azure-skills --skill entra-agent-id