Merge pull request #92 from kylemar/main

merill · web-flow · commit a85548011ce6 · 2025-11-13T21:38:50.000+11:00
Fix issues.
diff --git a/src/MSIdentityTools.psd1 b/src/MSIdentityTools.psd1
@@ -81,6 +81,7 @@ NestedModules = @('.\agentid\Add-MsIdClientSecretToAgentIdentityBlueprint.ps1',
                '.\agentid\EnsureRequiredModules.ps1',
                '.\agentid\Get-MSGraphServicePrincipalId.ps1',
                '.\agentid\Get-SponsorsAndOwners.ps1',
+               '.\agentid\Get-MsIdAgentIdentity.ps1',
                '.\agentid\Get-MsIdAgentIdentityToken.ps1',
                '.\agentid\New-MsIdAgentIdentityBlueprint.ps1',
                '.\agentid\New-MsIdAgentIdentityBlueprintPrincipal.ps1',
@@ -208,6 +209,7 @@ FunctionsToExport = 'Add-MsIdClientSecretToAgentIdentityBlueprint',
                'New-MsIdAgentIdentityBlueprint',
                'New-MsIdAgentIdentityBlueprintPrincipal',
                'New-MsIdAgentIDForAgentIdentityBlueprint',
+               'Get-MsIdAgentIdentity',
                'Get-MsIdAgentIdentityToken',
                'New-MsIdAgentIDUserForAgentId', 'New-MsIdWsTrustRequest',
                'New-MsIdClientSecret', 'New-MsIdSamlRequest',
diff --git a/src/agentid/Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal.ps1 b/src/agentid/Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal.ps1
@@ -29,7 +29,7 @@ function Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal {
         [string]$AgentBlueprintId
     )
 
-    # Use provided ID or fall back to stored ID
+        # Use provided ID or fall back to stored ID
     if (-not $AgentBlueprintId) {
         if (-not $script:CurrentAgentBlueprintId) {
             throw "No Agent Blueprint ID provided and no stored ID available. Please run New-MsIdAgentIdentityBlueprint first or provide the AgentBlueprintId parameter."
@@ -50,15 +50,21 @@ function Add-MsIdPermissionToCreateAgentUsersToAgentIdentityBlueprintPrincipal {
     else {
         Write-Host "Connected to Microsoft Graph as: $($context.Account)" -ForegroundColor Green
     }
-
+    
     try {
         Write-Host "Adding permission to create Agent Users to Agent Identity Blueprint Principal..." -ForegroundColor Green
+        Write-Verbose "Retrieving Blueprint Service Principal ID from tenant..."
+        $blueprintServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$AgentBlueprintId'" -Select "id,appId,displayName"
 
-        # Check if we have the service principal ID from New-MsIdAgentIdentityBlueprintPrincipal
-        if (-not $script:CurrentAgentBlueprintServicePrincipalId) {
-            throw "No Agent Identity Blueprint Service Principal ID available. Please run New-MsIdAgentIdentityBlueprintPrincipal first."
-        }
+        if (-not $blueprintServicePrincipal) {
+            throw "Blueprint Service Principal not found in tenant"
+       }
+
+        # Cache the result
+        $script:CurrentAgentBlueprintServicePrincipalId = $blueprintServicePrincipal.Id
 
+        Write-Verbose "Blueprint Service Principal found - ID: $script:CurrentAgentBlueprintServicePrincipalId, Display Name: $($blueprintServicePrincipal.DisplayName)"
+        
         $servicePrincipalId = $script:CurrentAgentBlueprintServicePrincipalId
         Write-Host "Using stored Agent Identity Blueprint Service Principal ID: $servicePrincipalId" -ForegroundColor Yellow
 
diff --git a/src/agentid/Add-MsIdScopeToAgentIdentityBlueprint.ps1 b/src/agentid/Add-MsIdScopeToAgentIdentityBlueprint.ps1
@@ -54,7 +54,7 @@ function Add-MsIdScopeToAgentIdentityBlueprint {
 
     # Prompt for missing parameters
     if (-not $AdminConsentDescription -or $AdminConsentDescription.Trim() -eq "") {
-        $defaultDescription = "Access AI as the current user"
+        $defaultDescription = "Allow the agent to act on behalf of the signed-in user"
         Write-Host "Default: $defaultDescription" -ForegroundColor Gray
         $userInput = Read-Host "Enter the admin consent description for the scope (press Enter for default)"
         if ($userInput -and $userInput.Trim() -ne "") {
@@ -66,7 +66,7 @@ function Add-MsIdScopeToAgentIdentityBlueprint {
     }
 
     if (-not $AdminConsentDisplayName -or $AdminConsentDisplayName.Trim() -eq "") {
-        $defaultDisplayName = "Access AI as user"
+        $defaultDisplayName = "Access agent on behalf of user"
         Write-Host "Default: $defaultDisplayName" -ForegroundColor Gray
         $userInput = Read-Host "Enter the admin consent display name for the scope (press Enter for default)"
         if ($userInput -and $userInput.Trim() -ne "") {
@@ -78,7 +78,7 @@ function Add-MsIdScopeToAgentIdentityBlueprint {
     }
 
     if (-not $Value -or $Value.Trim() -eq "") {
-        $defaultValue = "access_AI_as_user"
+        $defaultValue = "access_agent_as_user"
         Write-Host "Default: $defaultValue" -ForegroundColor Gray
         $userInput = Read-Host "Enter the scope value (used in token claims, press Enter for default)"
         if ($userInput -and $userInput.Trim() -ne "") {
diff --git a/src/agentid/EnsureRequiredModules.ps1 b/src/agentid/EnsureRequiredModules.ps1
@@ -10,7 +10,6 @@ function EnsureRequiredModules {
     param()
 
     $requiredModules = @(
-        'Microsoft.Graph.Authentication',
         'Microsoft.Graph.Applications',
         'Microsoft.Graph.Identity.SignIns',
         'Microsoft.Graph.Users',
diff --git a/src/agentid/Get-MsIdAgentIdentity.ps1 b/src/agentid/Get-MsIdAgentIdentity.ps1
@@ -0,0 +1,57 @@
+<#
+.SYNOPSIS
+Gets an Agent Identity by its ID
+
+.DESCRIPTION
+Retrieves an Agent Identity from Microsoft Graph using the provided Agent ID.
+Returns the agent identity object if found, or throws an error if not found.
+
+.PARAMETER AgentId
+The ID of the Agent Identity to retrieve.
+
+.EXAMPLE
+Get-MsIdAgentIdentity -AgentId "27a3cf14-5bdc-4814-bb13-8f1740ca9a4f"
+
+.EXAMPLE
+try {
+    $agent = Get-MsIdAgentIdentity -AgentId "27a3cf14-5bdc-4814-bb13-8f1740ca9a4f"
+    Write-Host "Agent found: $($agent.displayName)"
+} catch {
+    Write-Host "Agent not found or error occurred: $_"
+}
+#>
+function Get-MsIdAgentIdentity {
+    [CmdletBinding()]
+    param (
+        [Parameter(Mandatory = $true)]
+        [string]$AgentId
+    )
+
+    # Ensure we're connected to Microsoft Graph
+    $context = Get-MgContext
+    if (-not $context) {
+        Write-Error "Not connected to Microsoft Graph. Please run Connect-MgGraph first."
+        return
+    }
+
+    try {
+        Write-Verbose "Retrieving Agent Identity: $AgentId"
+        
+        # Call the Graph API to get the agent identity
+        $uri = "https://graph.microsoft.com/beta/servicePrincipals/microsoft.graph.agentIdentity/$AgentId"
+        $result = Invoke-MgRestMethod -Method GET -Uri $uri
+        
+        Write-Verbose "Successfully retrieved Agent Identity"
+        return $result
+    }
+    catch {
+        # Check if it's a 404 (not found) error
+        if ($_.Exception.Message -like "*404*" -or $_.Exception.Message -like "*NotFound*") {
+            Write-Error "Agent Identity with ID '$AgentId' not found."
+        }
+        else {
+            Write-Error "Failed to retrieve Agent Identity: $_"
+        }
+        throw
+    }
+}
diff --git a/src/agentid/Invoke-MsIdAgentIdInteractive.ps1 b/src/agentid/Invoke-MsIdAgentIdInteractive.ps1
@@ -17,12 +17,6 @@
 function Invoke-MsIdAgentIdInteractive {
     [CmdletBinding()]
     param()
-    # Example usage of the MSIdentityTools Agent Identity module
-    # Comprehensive demonstration of all Agent Identity Blueprint management functions
-    # Following the recommended workflow order
-
-    # Import the module
-    #Import-Module MSIdentityTools -Force -Verbose
 
     # ===================================================================
     # PHASE 1: Create Agent Identity Blueprint
@@ -38,16 +32,15 @@ function Invoke-MsIdAgentIdInteractive {
     Write-Host "Agent Identity Blueprints and Agent Users" -ForegroundColor Yellow
 
     # Ensure required modules are available and connect as admin
-    Connect-MsIdEntraAsUser -Scopes @('AgentIdentityBlueprint.Create', 'AgentIdentityBlueprintPrincipal.Create', 'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All', 'User.ReadWrite.All')
-
+    Connect-MsIdEntraAsUser -Scopes @('AgentIdentityBlueprint.Create', 'AgentIdentityBlueprintPrincipal.Create', 'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All', 'User.ReadWrite.All') | Out-Null
 
     $bluePrintDisplayName = Read-Host "Enter a display name for the Agent Identity Blueprint (or press Enter for default)"
     if (-not $bluePrintDisplayName -or $bluePrintDisplayName.Trim() -eq "") {
         $bluePrintDisplayName = "Agent Identity Blueprint Example $blueprintNumber"
         Write-Host "Using default display name: $bluePrintDisplayName" -ForegroundColor Gray
     }
 
-    # Get current user as sponsor
+    # Get current user to suggest as sponsor
     try {
         $currentUserUpn = (Get-MgContext).Account
         # Get user's OID directly using their UPN
@@ -152,7 +145,7 @@ function Invoke-MsIdAgentIdInteractive {
         Write-Host "Configuring inheritable permissions..." -ForegroundColor Yellow
 
         # Step 4: Configure inheritable permissions (what permissions agent users will get)
-        $inheritablePerms = Add-MsIdInheritablePermissionsToAgentIdentityBlueprint -Scopes @("user.read", "mail.read", "calendars.read")
+        $inheritablePerms = Add-MsIdInheritablePermissionsToAgentIdentityBlueprint
         Write-Host "Configured inheritable permissions: $($inheritablePerms.InheritableScopes -join ', ')" -ForegroundColor Cyan
     }
     else {
@@ -176,19 +169,6 @@ function Invoke-MsIdAgentIdInteractive {
     # Store the result for later use
     $hasAgentIDUsers = ($userResponse -eq "y" -or $userResponse -eq "yes")
 
-    if ($hasAgentIDUsers) {
-        Write-Host "Configuring redirect URIs for Agent ID users..." -ForegroundColor Yellow
-
-        # Step 5: Add redirect URIs for OAuth2 flows
-        $redirectUri = Add-MsIdRedirectURIToAgentIdentityBlueprint
-        Write-Host "Added redirect URI: $($redirectUri.RedirectUri)" -ForegroundColor Cyan
-    }
-    else {
-        Write-Host "Skipping Agent ID user configuration (no redirect URIs needed)." -ForegroundColor Gray
-        $redirectUri = $null
-    }
-    Write-Host ""
-
     # ===================================================================
     # PHASE 6: Create and Configure Service Principal
     # ===================================================================
@@ -248,8 +228,16 @@ function Invoke-MsIdAgentIdInteractive {
         Write-Host "--- Creating Agent Identity #$agentCounter ---" -ForegroundColor Yellow
 
         # Step 9: Create Agent Identity from the blueprint
+
+        if ($useSponsor) {
+            Write-Host "Using current user as sponsor for Agent Identity." -ForegroundColor Gray
         $agentIdentity = New-MsIdAgentIDForAgentIdentityBlueprint -DisplayName "Agent Identity Example $agentCounter" `
-            -SponsorUserIds @("7c2f8f10-cba8-4a8d-9449-db4b76d1ef80")
+            -SponsorUserIds $SponsorUserIds
+        }
+        else {
+            Write-Host "No sponsor specified for Agent Identity." -ForegroundColor Gray
+        $agentIdentity = New-MsIdAgentIDForAgentIdentityBlueprint -DisplayName "Agent Identity Example $agentCounter"
+        }
         Write-Host "Created Agent Identity ID: $($agentIdentity.id)" -ForegroundColor Green
         $allAgentIdentities += $agentIdentity
 
@@ -265,6 +253,33 @@ function Invoke-MsIdAgentIdInteractive {
             $agentIDNeedsUser = ($userResponse -eq "y" -or $userResponse -eq "yes")
 
             if ($agentIDNeedsUser) {
+                Start-Sleep -Seconds 10 # Wait to for replication
+
+                # Verify Agent Identity was created successfully by retrieving it
+                Write-Host "Verifying Agent Identity creation..." -ForegroundColor Yellow
+                $retryCount = 0
+                $maxRetries = 5
+                $verificationSuccess = $false
+
+                while ($retryCount -lt $maxRetries -and -not $verificationSuccess) {
+                    try {
+                        $verifiedAgent = Get-MsIdAgentIdentity -AgentId $agentIdentity.id
+                        Write-Host "Agent Identity verified successfully" -ForegroundColor Green
+                        $verificationSuccess = $true
+                    }
+                    catch {
+                        $retryCount++
+                        if ($retryCount -lt $maxRetries) {
+                            Write-Host "Verification attempt $retryCount failed. Waiting 10 seconds before retry..." -ForegroundColor Yellow
+                            Start-Sleep -Seconds 10
+                        }
+                        else {
+                            Write-Error "Failed to verify Agent Identity after $maxRetries attempts: $_"
+                            throw
+                        }
+                    }
+                }
+
                 Write-Host "Creating Agent Users as requested..." -ForegroundColor Yellow
                 # Get current tenant's domain for UPN
                 $tenantDomain = (Get-MgOrganization).VerifiedDomains | Where-Object { $_.IsDefault -eq $true } | Select-Object -First 1 -ExpandProperty Name
diff --git a/website/docs/commands/docusaurus.sidebar.js b/website/docs/commands/docusaurus.sidebar.js
@@ -32,6 +32,7 @@ module.exports = [
     'commands/Get-MsIdAdfsSampleApp',
     'commands/Get-MsIdAdfsWsFedToken',
     'commands/Get-MsIdAdfsWsTrustToken',
+    'commands/Get-MsIdAgentIdentity',
     'commands/Get-MsIdApplicationIdByAppId',
     'commands/Get-MsIdAuthorityUri',
     'commands/Get-MsIdAzureIpRange',
