An Entra ID AI Agent using PowerShell

Last week inspired by Satya Nadella’s Microsoft Ignite Keynote I looked into the possiblity of creating an AI Agent for Entra ID. More specifically if I could create my own Entra ID AI Agent using PowerShell. The image below is what I had in mind.

Entra ID AI Agent using PowerShell

Sure enough I was pretty quickly able to do just that. This was primarily an extension of previous things I’d done with PowerShell and AI. And like those other projects it was bootstrapped by community libraries by Doug Finke. The latest versions of his AI Tools include the ability to create Autonomous Agents.

In this post I detail how I was able to quickly create an Entra AI Agent for Users and Groups. This could be extended to other Entra ID or Entra entities as well.

Prerequsites

To create an Entra ID AI Agent you will need:

  • Entra ID Tenant
    • Register an Entra ID Application
    • Assign Microsoft Graph permissions to the Entra ID Application
    • Generate a Client Secret for the Entra ID Application
  • Open AI Subscription
    • An Open AI API Key
  • PowerShell

Entra Application Registration

In the Azure Portal on your Entra ID Tenant create a new Application Registration. Configure it as Single Tenant access.

Assign it Application based permissions for the object types you will be using for the AI Agent to manage. In my example I’m starting with Users and Groups.

IMPORTANT: Also in my example I’m only using the AI Agent in discovery / reporting scenarios. So I’ve restricted permissions to Read. If you are looking to perform change operations or to create new objects you will need the appropriate readwrite permissions for the object types.

Finally generate a Client Secret for the Applicaiton Registration.

OpenAI API Key

Create a paid subscription for Open AI and generate an API Key. This will allow Open AI to be used for the AI Agent.

PowerShell

Finally in PowerShell you’re going to need a few supporting PowerShell Modules that can all be installed from the PowerShell Gallery. From an administrative PowerShell Session run:

Install-Module -Name PShell-AI
Install-Module -Name PSAI
Install-Module Microsoft.Graph

The PShell-AI and PSAI modules are from Doug Finke a fellow Microsoft MVP. The Microsoft.Graph module is the Microsoft Graph PowerShell SDK which is a set of modules that enable you to interact with the Microsoft Graph API.

I then generated two credential files using Get-Credential. One has the OpenAI API key in it and the other the Client ID and Client Secret for the Entra Application Registration.

# Enter your OpenAI API Key and export to a local file that is encrypted and secure to the user running the command and the computer it is run on.

# Use any text for the Username (e.g. OpenAIAPIKey) and the API Key as the password.

$cred = Get-Credential 
$cred | Export-Clixml .\openAIcred.xml   

# Create Entra ID Application Registration using app (application) permissions to Microsoft Graph API with Directory.Read.All, User.Read.All and Group.Read.All
# Enter the ClientID of the Application registration and the Client Secret created for the application registration as configured in the Azure Portal.

$entraIDcred = Get-Credential   
$entraIDcred | Export-Clixml .\entraIDAppCred.xml 

After that it is simply a case of importing the dependancy modules and providing the prompt for the AI Agent. Rather the import the entire Microsoft.Graph module I’m just importing hte Authentication, Users and Groups cmdlets. That makes the import quicker and uses less system resources. You will need to add additional cmdlets if you extend this beyond Users and Groups.

Import-Module -Name PShell-AI
Import-Module -Name PSAI
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Groups

The AI Agent Prompt is

“An agent that performs Entra ID/Azure AD queries with PowerShell for User Accounts and Groups using the Microsoft.Graph PowerShell Module. There is no need to install the module, connect to MgGraph or disconnect, just the query to get the result.”

UPDATE line 40 with the TenantID of your Entra ID Tenant where you created your application registration.

The full script with Function is below. The Query-EntraID function is what creates the agent executes the request and runs the response. Entra is an alias for the function. There are a handful of examples for user and group based queries at the bottom.

Summary

Give it a go and extend it futher. If you go ReadWrite mode I strongly suggest not instantly executing the returned response. Modify my Query-EntraID function to just show the returned command and ensure it meets you needs first.