Blueprint created by a365 setup all has zero owners, I'm unable to configure in Teams Developer Portal #245
Description
Description
After completing the full setup flow for the Copilot Studio sample agent (a365 config init → a365 setup all → a365 deploy app → a365 publish), I was unable to configure the blueprint in the Teams Developer Portal. The portal returned:
Unable to update agent blueprint backend configuration
User '<user-id>' is not the owner of agent blueprint with ID '<blueprint-id>'.
I confirmed the blueprint had zero owners:
az rest --method GET \
--url "https://graph.microsoft.com/beta/applications/<blueprint-object-id>/owners"
# Returns: { "value": [] }
I had Global Administrator on the tenant. Standard approaches to add ownership all failed:
Attempt | Result
az ad app owner add | "Agent Blueprints are not supported on the API version used in this request." (uses Graph v1.0; blueprints require beta)
az rest to Graph beta owners/$ref | "Agent APIs do not support Directory.AccessAsUser.All" (Azure CLI's built-in app always includes this scope)
Graph PowerShell SDK (Connect-MgGraph) | Silently failed to connect
Deleting and recreating blueprint via a365 cleanup blueprint + a365 setup all --skip-infrastructure | Blueprint recreated with zero owners again
I was eventually able to solve it by:
- Activating and assigning the Agent ID Developer (adb2368d-a9be-41b5-8667-d96778e081b0) and Agent ID Administrator (db506228-d27e-4b7d-95e5-295956d6615f) Entra directory roles to my user (these are separate from Global Admin)
- Enabling public client flows on the a365 CLI's client app (az ad app update --id --is-fallback-public-client true)
- Using Python MSAL with the a365 CLI's own client app (from a365.config.json) to acquire a token with AgentIdentityBlueprint.ReadWrite.All scope and calling the Graph beta owners endpoint
- Neither the Agent ID roles nor this ownership step are mentioned anywhere in the sample README or prerequisites. I suspect a365 setup all should be adding the creating user as an owner automatically, and the Agent ID roles should be listed as prerequisites.
Expected behavior
Running a365 setup all should result in the creating user being an owner of the blueprint, allowing them to configure it in the Teams Developer Portal without manual intervention.
SDK Version
a365 CLI v1.1.33-preview
Language/Runtime
Node.js 22.16.0, npm 10.9.2 Sample: nodejs/copilot-studio/sample-agent
OS
Windows 11
How to Reproduce
- Clone the repo: git clone https://github.com/microsoft/Agent365-Samples.git
- cd nodejs/copilot-studio/sample-agent
- npm install
- Create .env from .env.template with Copilot Studio credentials
- a365 config init — configure with tenant, subscription, resource group
- a365 setup all — creates infrastructure, blueprint, and permissions
- a365 deploy app
- a365 publish
- Navigate to https://dev.teams.microsoft.com/tools/agent-blueprint/<BLUEPRINT_APP_ID>/configuration
- Attempt to set Agent Type = Bot Based and Bot ID = <BLUEPRINT_APP_ID>
- Error: User is not the owner of agent blueprint
- Verify with:
az rest --method GET \ --url "https://graph.microsoft.com/beta/applications/<blueprint-object-id>/owners"
Output
Owner list is empty.
Screenshots
No response
Code of Conduct
- I agree to follow the Microsoft Open Source Code of Conduct.