ASP.NET Community Standup: Simplifying Entra ID authentication with AI

A delayed start, then straight into AI-authenticated everything

Daniel Roth opened with a quick apology for setup hiccups, then framed the real theme: using AI to take the pain out of Entra ID authentication — and, more intriguingly, giving AI agents identities of their own. Kyle Marsh immediately made the distinction feel concrete: if a human reads hundreds of docs in a minute, that’s suspicious; if an agent does it, you wonder why it’s so slow.

Jean-Marc’s live demo: taking an Aspire starter app from zero auth to real auth

Jean-Marc Prieur started with a plain Aspire app: Blazor front end, Web API back end, weather page working, no authentication anywhere. He used GitHub Copilot CLI with two Entra “skills” — really Markdown recipe files — to tell the agent to add Entra ID auth and provision the app in a test tenant.

What the AI actually changed under the hood

The cool part wasn’t just that files changed — it was that the right files changed in the right order. Copilot detected the app shape, added Microsoft.Identity.Web, updated program.cs for auth/authorization, inserted config into appsettings.json, wired the Blazor app to acquire tokens automatically, and generated the app registrations in Entra using Microsoft Graph.

Two app registrations, one sane developer experience

Daniel paused the demo to explain the usual headache: one app registration for the web app, another for the API, plus redirect URLs, scopes, client IDs, and permissions between them. Jean-Marc pointed out that doing this manually used to take him roughly a day when he was new to the space; here, the skill handled the whole choreography, then filled in the actual tenant and client IDs after provisioning.

The payoff: sign-in appears, traces tell the whole story

After rerunning the app, the weather page triggered a sign-in flow instead of calling the API anonymously. Once signed in, the Aspire traces showed the exact sequence: token request to login.microsoftonline.com, API call with bearer token, then the API retrieving OpenID configuration metadata to validate the token before serving data. Daniel’s reaction was basically the point of Aspire in one sentence: auth gets much less intimidating when you can see it.

Where the skills live, and why they’re more portable than the demo suggests

Jean-Marc said the Entra skills currently live in the Microsoft.Identity.Web repo under a skills section, alongside a blog post walkthrough. Even though he used Copilot CLI because he likes working in the terminal, both he and Daniel stressed that the skills are just standard recipe-style artifacts and should work across agents and IDEs, including VS Code.

Kyle’s bigger shift: Entra Agent ID and the “blueprint” model

Kyle then switched from human auth to agent auth, and this is where the architecture got interesting. Since “everything is an agent now,” Microsoft introduced an agent identity blueprint: a specialized application object in Entra that can hold credentials, define inheritable permissions, and require a human sponsor — the person you call when the agent misbehaves.

Building agent identities, then controlling them like real enterprise assets

Kyle showed a local .NET app calling Microsoft Graph to create a blueprint, assign certificate credentials, expose agent scopes, and mark Microsoft Graph permissions as inheritable — including mail read/send and profile access. He then created an individual agent ID from that blueprint, had a user named Megan consent, and demonstrated the agent reading Megan’s profile and email on her behalf. The enterprise angle was the punchline: once agents “raise their hand” with Agent ID, admins can inspect sign-in logs, audit behavior, and even disable a specific agent or an entire blueprint if it goes rogue.

Two warning labels for existing Entra developers

The final stretch was practical and slightly cautionary. Kyle highlighted Entra’s eventual consistency model — with at least nine replicas, a successful write can be followed by a failed read unless you retry — and said developers using app-only permissions need proper resiliency. He also flagged stricter conditional access enforcement under Microsoft’s Secure Future Initiative: if your app over-requests scopes or doesn’t propagate claims challenges and MFA requirements correctly, things can start breaking fast.