Ixxerja permezz ta’

Agent 365 CLI setup command reference

Important

You need to be part of the Frontier preview program to get early access to Microsoft Agent 365. Frontier connects you directly with Microsoft’s latest AI innovations. Frontier previews are subject to the existing preview terms of your customer agreements. As these features are still in development, their availability and capabilities may change over time.

Set up your Agent 365 environment with granular control over each step. This command manages the initial setup workflow for Agent 365 blueprints.

Minimum role required: Azure Contributor + Agent ID Developer

Note

The role you hold determines how much of the setup completes in a single run. Global Administrator can complete all steps at once. Agent ID Administrator and Agent ID Developer can complete all steps except OAuth2 permission grants (admin consent), which require a separate step by a Global Administrator. To learn more about the handoff workflow, see setup admin.

Syntax

a365 setup [command] [options]

Options

Option Description
-?, -h, --help Show help and usage information. 
# 0. Check prerequisites (optional)
a365 setup requirements

# 1. Create infrastructure (or skip if infrastructure exists)
a365 setup infrastructure

# 2. Create blueprint
a365 setup blueprint

# 3. Configure MCP permissions
a365 setup permissions mcp

# 4. Configure bot permissions
a365 setup permissions bot

# 5. Configure CopilotStudio permissions (if needed)
a365 setup permissions copilotstudio

# 6. Configure custom permissions (if needed)
a365 setup permissions custom

Or run all steps at once:

# Full setup (includes infrastructure)
a365 setup all

# Skip infrastructure if it already exists
a365 setup all --skip-infrastructure

If you're running as Agent ID Administrator or Agent ID Developer (not Global Administrator), a365 setup all completes all steps except OAuth2 permission grants. After it finishes, a Global Administrator must complete the grants:

# Non-admin path: run setup, then hand off to Global Administrator
a365 setup all

# Global Administrator completes OAuth2 grants
a365 setup admin --config-dir "<path-to-config-folder>"

setup requirements

Validate prerequisites for Agent 365 setup. Runs modular requirement checks and provides guidance for any problems it finds.

a365 setup requirements [options]

This command runs the following steps:

  • Checks all prerequisites needed for Agent 365 setup.
  • Reports any problems with detailed resolution guidance.
  • Continues checking all requirements even if some checks fail.
  • Provides a summary of all checks at the end.

requirements options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Shows detailed output for all checks.
--category <category> Runs checks for a specific category only, such as Azure, Authentication, or Configuration.
-?, -h, --help Show help and usage information.

setup infrastructure

Create Azure infrastructure.

Minimum required permissions: Azure Subscription Contributor or Owner

a365 setup infrastructure [options]

infrastructure options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
-?, -h, --help Show help and usage information.

setup blueprint

Create agent blueprint (Entra ID application registration).

Minimum required permissions: Agent ID Developer role

a365 setup blueprint [options]

blueprint options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
--no-endpoint Don't register messaging endpoint (blueprint only).
--endpoint-only Register messaging endpoint only. Requires existing blueprint.
-?, -h, --help Show help and usage information.

setup permissions

Configure OAuth2 permission grants and inheritable permissions.

Minimum required permissions: Global Administrator

a365 setup permissions [command] [options]

Options

Option Description
-?, -h, --help Show help and usage information.

Subcommands

Subcommand Description
mcp Configure MCP server OAuth2 grants and inheritable permissions.
bot Configure Messaging Bot API OAuth2 grants and inheritable permissions.
custom Applies custom API permissions to your agent blueprint that go beyond the standard permissions required for agent operation.
copilotstudio Configures OAuth2 permission grants and inheritable permissions for the agent blueprint to invoke Copilot Studio copilots via the Power Platform API.

setup permissions mcp

Configure MCP server OAuth2 grants and inheritable permissions.

Minimum required permissions: Global Administrator

a365 setup permissions mcp [options]

This command:

  • Reads ToolingManifest.json from the deploymentProjectPath specified in a365.config.json.
  • Grants OAuth2 delegated permission grants for each MCP server scope to the agent blueprint.
  • Configures inheritable permissions so agent instances can access MCP tools.
  • Is idempotent and safe to run multiple times.

Important

  • Before running this command, run a365 config display to verify that deploymentProjectPath points to the project folder containing the updated ToolingManifest.json. If the developer adds MCP servers on a different machine, share the updated ToolingManifest.json with the Global Administrator first. Running without the correct ToolingManifest.json doesn't add the new MCP server permissions to the blueprint.
  • Run this command after the developer runs a365 develop add-mcp-servers. Adding MCP servers to the manifest and granting permissions to the blueprint are two separate steps. After this command completes, the MCP server permissions are visible in the agent blueprint.

permissions mcp options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
-?, -h, --help Show help and usage information.

setup permissions bot

Configure Messaging Bot API OAuth2 grants and inheritable permissions.

Minimum required permissions: Global Administrator

Prerequisites: Blueprint and MCP permissions (run a365 setup permissions mcp first)

Next step: Deploy your agent (run a365 deploy if hosting on Azure)

a365 setup permissions bot [options]

permissions bot options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
-?, -h, --help Show help and usage information.

setup permissions custom

Applies custom API permissions to your agent blueprint that go beyond the standard permissions required for agent operation. By using this command, you grant your agent access to additional Microsoft Graph scopes, such as Presence, Files, and Chat, or to custom APIs registered in your organization's Microsoft Entra ID tenant.

Minimum required permissions: Global Administrator

Prerequisites: Run a365 setup blueprint first. Add custom permissions to a365.config.json by using a365 config permissions before running this command.

a365 setup permissions custom [options]

This command:

  • Configures OAuth2 delegated permission grants with admin consent for each configured resource.
  • Sets inheritable permissions so agent users can inherit access from the blueprint.
  • Reconciles Microsoft Entra with the current config by adding new permissions and removing any permissions that you deleted from the config.
  • Is idempotent and safe to run multiple times.

permissions custom options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
-?, -h, --help Show help and usage information.

Configure custom permissions

Use a365 config permissions to add custom permissions to your config before running this command:

# Add Microsoft Graph extended permissions
a365 config permissions `
  --resource-app-id 00000003-0000-0000-c000-000000000000 `
  --scopes Presence.ReadWrite,Files.Read.All,Chat.Read

# Add custom API permissions
a365 config permissions `
  --resource-app-id <your-api-app-id> `
  --scopes CustomScope.Read,CustomScope.Write

# Apply all configured custom permissions
a365 setup permissions custom

During setup, the resource name is auto-resolved from Azure. You don't need to specify it in the config.

Remove custom permissions

To remove custom permissions from both the config and Microsoft Entra:

# Step 1: Remove from config
a365 config permissions --reset

# Step 2: Reconcile Microsoft Entra with updated config
a365 setup permissions custom

Integration with setup all

When your config includes custom permissions, running a365 setup all automatically configures them as part of a single batch permission phase. The full setup order is:

  1. Infrastructure
  2. Blueprint
  3. Permissions batch (MCP, Bot API, Custom blueprint permissions — all configured together)

setup permissions copilotstudio

Configures OAuth2 permission grants and inheritable permissions for the agent blueprint to invoke Copilot Studio copilots via the Power Platform API.

Minimum required permissions: Global Administrator

Prerequisites: Run a365 setup blueprint first.

a365 setup permissions copilotstudio [options]

This command:

  • Ensures the Power Platform API service principal exists in your tenant.
  • Creates an OAuth2 permission grant from the blueprint to the Power Platform API with the CopilotStudio.Copilots.Invoke scope.
  • Sets inheritable permissions so agent instances can invoke Copilot Studio copilots.

permissions copilotstudio options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
-?, -h, --help Show help and usage information.

Use this command when your agent needs to invoke Copilot Studio copilots at runtime or call Power Platform APIs that require CopilotStudio permissions.

setup all

Perform all setup steps to set up your Agent 365 environment

a365 setup all [options]

Runs the complete Agent 365 setup, all steps in sequence.

Includes: Infrastructure, Blueprint, and Permissions.

The steps that complete depend on your role:

Step Global Administrator Agent ID Administrator Agent ID Developer
Prerequisites check Yes Yes Yes
Azure infrastructure Yes Yes Yes
Agent blueprint creation Yes Yes Yes
Inheritable permissions Yes Yes Yes
OAuth2 permission grants (admin consent) Yes Requires GA step Requires GA step

When you run a365 setup all without Global Administrator, the CLI:

  1. Completes all steps it can (infrastructure, blueprint creation, and inheritable permissions).
  2. Generates per-resource admin consent URLs and saves them to a365.generated.config.json.
  3. Displays next steps showing how a Global Administrator can complete the OAuth2 grants using either a365 setup admin or the generated consent URLs.

Tip

If you're a Global Administrator, a365 setup all completes everything in a single run with no handoff needed.

Minimum required permissions:

  • Azure Subscription Contributor or Owner (for infrastructure)
  • Agent ID Developer role (for blueprint creation)
  • Global Administrator (for OAuth2 permission grants — if not available, use setup admin handoff)

setup all options

Option Description
-c, --config <config> Configuration file path. The default is a365.config.json.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
--skip-infrastructure Skip Azure infrastructure creation (use if infrastructure already exists). This option still creates: Blueprint and Permissions.
--skip-requirements Skip requirements validation check. Use with caution: setup might fail if prerequisites aren't met.
-?, -h, --help Show help and usage information.

setup admin

Completes the OAuth2 permission grants (admin consent) that require Global Administrator. Run this command after an Agent ID Administrator or Agent ID Developer runs a365 setup all.

Minimum required permissions: Global Administrator

a365 setup admin [options]

When to use setup admin

Use this command when:

  • After an Agent ID Administrator or Agent ID Developer runs a365 setup all.
  • The setup summary shows that OAuth2 grants are pending and instructs the Global Administrator to run this command.
  • You want to re-run consent grants after changing permissions in the config.

Typical handoff workflow

# Step 1: Agent ID Admin or Developer runs setup
a365 setup all

# The CLI displays next steps, for example:
# "ACTION REQUIRED — Global Administrator must complete OAuth2 grants"
# "Option 1: a365 setup admin --config-dir '<path-to-config-folder>'"
# "Option 2: Share the consent URL displayed above with your Global Administrator"

# Step 2: Agent ID Admin shares config folder with Global Administrator
# (contains a365.config.json and a365.generated.config.json)

# Step 3: Global Administrator completes the grants
a365 setup admin --config-dir "<path-to-config-folder>"

This command:

  • Loads the agent config from the specified directory or the current directory by default.
  • Reads the agent blueprint ID and configured resource permissions from the generated config.
  • Creates AllPrincipals OAuth2 permission grants for all configured resources, including:
    • Microsoft Graph (delegated scopes)
    • Agent 365 Tools (MCP server scopes)
    • Messaging Bot API
    • Observability API
    • Power Platform API
    • Any custom permissions defined in your config
  • Displays a confirmation prompt before making changes. Use --yes to bypass the prompt.

Warning

OAuth2 grants created by this command are tenant-wide (consentType=AllPrincipals). This configuration means all users in the tenant can use the agent's delegated permissions. Review the listed scopes carefully before confirming.

setup admin options

Option Description
-d, --config-dir <dir> Directory containing a365.config.json and a365.generated.config.json. Defaults to current directory.
-v, --verbose Show detailed output.
--dry-run Show what the command would do without executing it.
--skip-requirements Skip requirements validation check. Use with caution.
-y, --yes Skip confirmation prompt and proceed automatically.
-?, -h, --help Show help and usage information.

Instead of running a365 setup admin, the Global Administrator can open the combined consent URL that a365 setup all saves to a365.generated.config.json. This URL covers all required resources in a single browser visit.

# Display the generated config to find the consent URL
a365 config display -g
# Look for: combinedAdminConsentUrl
  • Last updated on