Agent Identity
When you create an agent, Azure automatically provisions identity resources. This page explains what gets created, why, and how connectors use these identities.
For how your agent gets permissions on Azure resources (RBAC roles, permission levels, OBO flow), see Agent Permissions.
What gets created
Two managed identities are created alongside your agent:
| Identity | What it is | What you do with it |
|---|---|---|
| User-assigned managed identity (UAMI) | A standalone identity resource in your resource group | Assign RBAC roles, select it when setting up connectors — this is the identity you manage |
| System-assigned managed identity | An internal identity used by the agent's infrastructure | Nothing — this is managed automatically and used for internal operations only |
The UAMI is the identity you work with. It appears in your resource group, you assign RBAC roles to it, and you select it when setting up connectors.
When you see a managed identity dropdown in the portal (for connectors, repositories, or other integrations), select your agent's UAMI. It's the identity that matches your RBAC role assignments.
Where your agent's UAMI is used
| Operation | Identity | Notes |
|---|---|---|
| Azure resource operations (ARM, CLI, diagnostics) | UAMI | The RBAC roles you assign determine what the agent can access |
| Communication connectors (Outlook, Teams) | UAMI + your OAuth credentials | You sign in via OAuth; the UAMI brokers authentication to the connector resource |
| Data connectors (Azure Data Explorer) | UAMI | Grant the UAMI permissions on the target Kusto cluster |
| Source code connectors (GitHub, Azure DevOps) | UAMI (for ADO managed identity) | ADO connector uses UAMI; GitHub uses OAuth |
| MCP connectors | Varies | You provide endpoint URL + credentials; optionally assign a managed identity for downstream Azure calls |
| Internal infrastructure | UAMI | Used automatically for the agent's internal operations |
| Key Vault | UAMI (preferred) or system-assigned | Falls back to system-assigned if no UAMI is specified |
How connectors use identity
Different connector types use identity differently. The key distinction is whether the connector needs to go through Azure Resource Manager (ARM) to reach the external service.
Communication connectors (Outlook, Teams)
When you set up a communication connector, two things happen:
- You sign in with your account via OAuth — this gives the connector your user credentials
- You select a UAMI from the identity dropdown — this identity is used to authenticate to the connector resource
The connector stores your OAuth token securely in a connector resource. Think of the connector resource as a secure bridge: it holds your credentials so the agent doesn't need direct access to them, and it uses the UAMI to broker the authentication when the agent sends an email or posts a Teams message on your behalf.
Data connectors (Azure Data Explorer / Kusto)
For Kusto connectors, the agent uses the UAMI directly to authenticate to your Azure Data Explorer cluster. No OAuth sign-in needed — just grant the UAMI the required permissions (like Viewer role) on the Kusto cluster.
Source code connectors (GitHub, Azure DevOps)
- Azure DevOps: Uses the UAMI for managed identity authentication. You select the UAMI from the identity dropdown and grant it access to your ADO organization.
- GitHub: Uses OAuth authentication — you sign in with your GitHub account. No managed identity needed for the GitHub connection itself.
Custom MCP connectors
MCP connectors use endpoint-based authentication. You provide the MCP server URL along with credentials (API key, Bearer token, or OAuth). You can optionally assign a managed identity for the MCP server to use when making downstream Azure API calls.
Finding your agent's UAMI
From the agent portal:
- Go to Settings → Azure settings
- The identity name appears in the Managed Identity field
- Click Go to Identity to open it in the Azure portal
From the Azure portal:
- Navigate to your agent's resource group
- Find the
id-*managed identity resource - Copy the Object (principal) ID — this is what you use for RBAC role assignments
From Azure CLI:
# List user-assigned identities on the agent resource
az resource show \
--resource-group <rg-name> \
--name <agent-name> \
--resource-type Microsoft.App/containerApps \
--query identity.userAssignedIdentities
Related
| Resource | Why it matters |
|---|---|
| Agent Permissions → | How to configure RBAC roles and permission levels for your agent |
| Connectors → | All connector types and how to set them up |
| User Roles → | What users can do with the agent |