cleanup blueprint orphans agent instances (identity SP + agentic user)

[pratapladhani]

Description

a365 cleanup blueprint deletes the blueprint Entra ID application and messaging endpoint, but does not check for or clean up any agent instances (agent identity service principal + agentic user) that were created from that blueprint.

This leaves orphaned resources in Entra ID that cannot be cleaned up by a365 cleanup instance (see related issue).

Steps to Reproduce

1. a365 setup all — creates blueprint + deploys infrastructure
2. a365 publish — publishes blueprint to MOS catalog
3. Admin activates blueprint, user creates instance → agent identity SP + agentic user created
4. a365 cleanup blueprint — deletes blueprint app, federated credentials, and messaging endpoint
5. Agent identity SP and agentic user remain in Entra ID with no parent blueprint

Expected Behavior

cleanup blueprint should either:

• Option A: Detect active instances and warn/refuse to delete until instances are cleaned up first
• Option B: Cascade cleanup — delete instances (identity SP + agentic user) before deleting the blueprint
• Option C: At minimum, warn the user that orphaned instances will remain

Actual Behavior

Blueprint is deleted silently. The agent identity SP (servicePrincipalType: ServiceIdentity) and agentic user remain in Entra ID. These orphaned resources:

• Still appear in GET /beta/servicePrincipals/microsoft.graph.agentIdentity
• Still appear in GET /beta/agentUsers
• Cannot be cleaned up via a365 cleanup instance (separate bug — AgenticAppId/AgenticUserId are never populated)
• Must be manually deleted via Graph API or Entra portal

Code Reference

CleanupCommand.cs CreateBlueprintCleanupCommand handler deletes:

1. Federated credentials
2. Blueprint application (via agentBlueprintService.DeleteAgentBlueprintAsync)
3. Messaging endpoint

But does not query for or delete:

• Agent identity SP (would need GET /beta/servicePrincipals filtered by blueprint parent)
• Agentic user (linked via identityParentId to the identity SP)

Impact

Users who run cleanup blueprint are left with orphaned Entra ID resources they cannot easily discover or remove. This is especially problematic in demo tenants where multiple blueprint create/delete cycles occur.

Suggested Fix

Before deleting the blueprint, query for instances:

GET /beta/servicePrincipals/microsoft.graph.agentIdentity

Filter results where the parent matches the blueprint being deleted. For each instance, delete the agentic user first (via DELETE /beta/agentUsers/{id} or az ad user delete), then the identity SP.

[github-actions]

[AUTO-TRIAGE] Team Assistant Triage

This issue has been automatically analyzed and triaged.

AI Decision Reasoning: Type: Classified as 'bug' because the issue describes unexpected behavior where orphaned resources are left behind after running the cleanup blueprint command, which is not the intended functionality.
Priority: Elevated to P1 due to security concern: The issue describes a situation where orphaned resources (agent identity service principals and agentic users) remain in Entra ID after a blueprint cleanup, which could lead to unauthorized access or misuse of these resources if they are not properly managed or deleted. This poses a potential security risk due to the exposure of residual resources that are no longer tied to a parent blueprint.
Copilot: Security issues require human review and should not be auto-fixed
Assignment: Security issue assigned to security lead. The issue describes a situation where orphaned resources (agent identity service principals and agentic users) remain in Entra ID after a blueprint cleanup, which could lead to unauthorized access or misuse of these resources if they are not properly managed or deleted. This poses a potential security risk due to the exposure of residual resources that are no longer tied to a parent blueprint.
Labels: Applied labels bug, P1, security based on issue type and priority

Labels and assignee have been applied based on this analysis.

[github-actions]

[AUTO-TRIAGE] Results

Classification: bug
Priority: P1
Confidence: 95.0%

Recommended Assignee: @pontemonti

Analysis:
type rationale: Classified as 'bug' because the issue describes unexpected behavior where orphaned resources are left behind after running the cleanup blueprint command, which is not the intended functionality.

priority rationale: Elevated to P1 due to security concern: The issue describes a situation where orphaned resources (agent identity service principals and agentic users) remain in Entra ID after a blueprint cleanup, which could lead to unauthorized access or misuse of these resources if they are not properly managed or deleted. This poses a potential security risk due to the exposure of residual resources that are no longer tied to a parent blueprint.

copilot rationale: Security issues require human review and should not be auto-fixed

assignment rationale: Security issue assigned to security lead. The issue describes a situation where orphaned resources (agent identity service principals and agentic users) remain in Entra ID after a blueprint cleanup, which could lead to unauthorized access or misuse of these resources if they are not properly managed or deleted. This poses a potential security risk due to the exposure of residual resources that are no longer tied to a parent blueprint.

labels rationale: Applied labels bug, P1, security based on issue type and priority

[SUGGESTION] Suggested Approach

1. Update CleanupCommand.cs in the CreateBlueprintCleanupCommand handler to query for agent instances (identity service principal and agentic user) associated with the blueprint before deleting the blueprint. Use the Graph API endpoints (GET /beta/servicePrincipals and GET /beta/agentUsers) to identify these resources and ensure they are cleaned up.
2. Implement a cascade cleanup mechanism in the agentBlueprintService.DeleteAgentBlueprintAsync method to delete agent instances (identity SP and agentic user) before removing the blueprint. This can be achieved by adding a new method in AgentBlueprintService.cs to handle instance cleanup and invoking it during blueprint deletion.
3. Add a validation step in CleanupCommand.cs to detect active instances tied to the blueprint and either warn the user or refuse deletion unless instances are cleaned up first. This can be done by checking the response from the Graph API queries and providing appropriate feedback to the user.
4. Enhance the test coverage in src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands by adding unit tests for the CreateBlueprintCleanupCommand handler to verify that orphaned agent instances are either cleaned up or flagged correctly during the blueprint cleanup process.
5. Update the documentation in docs to include a detailed explanation of the a365 cleanup blueprint command behavior, particularly regarding orphaned resources. Provide examples of how users can manually clean up agent instances using the Graph API or Entra portal if needed.

---

Generated by TeamAssistant Auto-Triage powered by GitHub Models

[github-actions]

SLA Escalation Alert

This P1 issue has exceeded its SLA threshold.

Metric	Value
Priority	P1
SLA Threshold	48 hours
Time Since Update	55.4 hours
Current Assignees	@pontemonti

Action: This issue is already assigned to a Tech Lead but remains unresolved.

Escalating to Engineering Manager @tmlsousa for visibility.

Tech Leads: @sellakumaran, @pontemonti

---

Generated by AutoTriage SLA Escalation

[github-actions]

SLA Escalation Alert

This P1 issue has exceeded its SLA threshold.

Metric	Value
Priority	P1
SLA Threshold	48 hours
Time Since Update	63.0 hours
Current Assignees	@gwharris7

Action: Adding Tech Lead @sellakumaran as assignee for immediate attention.

cc: @ajmfehr

---

Generated by AutoTriage SLA Escalation