Нотатка
Доступ до цієї сторінки потребує авторизації. Можна спробувати ввійти або змінити каталоги.
Доступ до цієї сторінки потребує авторизації. Можна спробувати змінити каталоги.
Agent 365 CLI
Provides options to query Microsoft Entra ID for agent information including scopes, permissions, and consent status. You can check the configuration and consent status for both agent blueprints and agent instances.
Minimum role required: Directory Reader
Syntax
a365 query-entra [command] [options]
Options
| Option | Description |
|---|---|
-?, -h, --help |
Show help and usage information |
query-entra blueprint-scopes
List the delegated and application permissions declared by the agent blueprint application.
a365 query-entra blueprint-scopes [options]
This command retrieves and displays the delegated scopes and app role assignments granted on the blueprint service principal in Microsoft Entra ID. This result matches what you see on the API permissions blade in the Entra admin center for the blueprint application.
blueprint-scopes options
| Option | Description |
|---|---|
-n, --agent-name <name> |
Agent base name. When you provide this option, you don't need a config file. |
--tenant-id <tenantId> |
Azure AD tenant ID. Overrides autodetection. Use with --agent-name. |
-?, -h, --help |
Show help and usage information. |
query-entra inheritance
Verify that the blueprint's inheritable permissions are configured correctly and that agent identities will actually inherit them.
a365 query-entra inheritance [options]
This command checks two things for each resource configured on the blueprint:
- The blueprint's
inheritablePermissionsentry useskind=allAllowedfor both scopes and roles (the required configuration). - The blueprint service principal has actual permission grants for that resource (without grants, there's nothing to inherit even if the config is correct).
For each resource, the command reports:
Scopes: OK—kind=allAllowedis set and delegated permissions are granted on the blueprint SP.Scopes: WARN— kind=allAllowed` is set but no delegated permissions are granted, or the entry uses a legacy enumerated form.Roles: OK—kind=allAllowedis set and app role assignments are granted on the blueprint SP.Roles: WARN—same conditions as Scopes WARN, for app roles.Effective inheritance: OK—both sides areallAllowedand at least one grant exists. Agent identities created from this blueprint will inherit permissions for this resource.Effective inheritance: NONE—configuration is correct but no grants exist on the blueprint SP. Runa365 setup permissionsas Global Administrator to add grants.Effective inheritance: BROKEN—the entry doesn't useallAllowedon one or both sides. Runa365 setup permissionsto reconcile.
The command exits with code 1 if any resource has a status other than Effective inheritance: OK. Use this command to confirm that a blueprint is ready before creating agent identities, or to diagnose why agent identities aren't receiving expected permissions.
inheritance options
| Option | Description |
|---|---|
-n, --agent-name <name> |
Agent base name. When you provide this option, you don't need a config file. |
--tenant-id <tenantId> |
Azure AD tenant ID. Overrides autodetection. Use with --agent-name. |
-?, -h, --help |
Show help and usage information. |
Tip
If Effective inheritance: NONE appears for one or more resources, the most common cause is a missing wids optional claim on the client app. Run a365 setup requirements to detect and repair it automatically.
query-entra instance-scopes
List configured scopes and consent status for the agent instance.
a365 query-entra instance-scopes [options]
This command retrieves and displays the configured scopes and their consent status for the agent instance application in Microsoft Entra ID.
instance-scopes options
| Option | Description |
|---|---|
-n, --agent-name <name> |
Agent base name. When you provide this option, you don't need a config file. |
--tenant-id <tenantId> |
Azure AD tenant ID. Overrides autodetection. Use with --agent-name. |
-v, --verbose |
Enable verbose logging. |
-?, -h, --help |
Show help and usage information. |
Note
Reading tenant-wide OAuth2 permission grants requires the admin-only DelegatedPermissionGrant.Read.All scope. If you sign in without that scope, the command directs you to Microsoft Entra admin center to verify consent status rather than reporting "admin consent has not been granted".