Promote agentUser and directory-deleteditems APIs from beta to v1.0

- Add agentUser resource and 18 API methods to v1.0
- Add RBAC include for agentUser write operations
- Update directory-deleteditems APIs (list, get, restore, delete) to support agentUser
- Remove beta disclaimers, update endpoints to /v1.0/, remove SDK snippets
- Update TOC mappings for both beta and v1.0
- Add changelog entries for DirectoryServices workload
- Update What's New overview for April 2026

Addresses GA promotion of agentUser resource with support for deleted items operations.

Author: tafra00

api-reference/beta/toc/toc.mapping.json

@@ -163,7 +163,7 @@
           ]
         },
         {
-          "name": "Agent user (preview)",
+          "name": "Agent user",
           "resources": [
             "agentUser"
           ]

api-reference/v1.0/api/agentuser-delete-manager.md

@@ -0,0 +1,81 @@
+---
+title: "Remove manager (for agentUser)"
+description: "Remove an agent user's manager."
+author: "yyuank"
+ms.reviewer: "iamut"
+ms.date: 4/27/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-agent-id"
+doc_type: apiPageType
+---
+
+# Remove manager (for agentUser)
+
+Namespace: microsoft.graph
+
+Remove an [agentUser's](../resources/agentuser.md) manager.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
+|Permission type      | Least privileged permission | Higher privileged permissions |
+|:--------------------|:---------------------------|:-----------------------------|
+|Delegated (work or school account) | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. | Not supported.|
+|Application | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.ReadWrite.All |
+
+[!INCLUDE [rbac-agent-user-apis-write](../includes/rbac-for-apis/rbac-agent-user-apis-write.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+DELETE /users/{usersId}/manager/{id}/$ref
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "delete_manager_from_agentuser"
+}
+-->
+``` http
+DELETE https://graph.microsoft.com/v1.0/users/{usersId}/manager/{id}/$ref
+```
+
+### Response
+
+The following example shows the response.
+<!-- {
+  "blockType": "response",
+  "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
+

api-reference/v1.0/api/agentuser-delete-sponsors.md

@@ -0,0 +1,81 @@
+---
+title: "Remove sponsor (for agentUser)"
+description: "Remove a user or group from the sponsors of an agent user."
+author: "yyuank"
+ms.reviewer: "iamut"
+ms.date: 4/27/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-agent-id"
+doc_type: apiPageType
+---
+
+# Remove sponsor (for agentUser)
+
+Namespace: microsoft.graph
+
+Remove an [agentUser's](../resources/agentuser.md) sponsor.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
+|Permission type      | Least privileged permission | Higher privileged permissions |
+|:--------------------|:---------------------------|:-----------------------------|
+|Delegated (work or school account) | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. | Not supported.|
+|Application | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.ReadWrite.All |
+
+[!INCLUDE [rbac-user-sponsors-apis-write](../includes/rbac-for-apis/rbac-user-sponsors-apis-write.md)]
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+DELETE /users/{usersId}/sponsors/{id}/$ref
+```
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "delete_sponsors_from_agentuser"
+}
+-->
+``` http
+DELETE https://graph.microsoft.com/v1.0/users/{usersId}/sponsors/{id}/$ref
+```
+
+### Response
+
+The following example shows the response.
+<!-- {
+  "blockType": "response",
+  "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
+

api-reference/v1.0/api/agentuser-delete.md

@@ -0,0 +1,90 @@
+---
+title: "Delete agentUser"
+description: "Delete an agentUser object."
+author: "yyuank"
+ms.reviewer: "iamut"
+ms.date: 4/27/2026
+ms.localizationpriority: medium
+ms.subservice: "entra-agent-id"
+doc_type: apiPageType
+---
+
+# Delete agentUser
+
+Namespace: microsoft.graph
+
+Delete an [agentUser](../resources/agentuser.md) object.
+
+## Permissions
+
+Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions [only if your app requires it](/graph/permissions-overview#best-practices-for-using-microsoft-graph-permissions). For details about delegated and application permissions, see [Permission types](/graph/permissions-overview#permission-types). To learn more about these permissions, see the [permissions reference](/graph/permissions-reference).
+
+<!-- { "blockType": "ignored"  } // Note: Removing this line will result in the permissions autogeneration tool overwriting the table. -->
+|Permission type      | Least privileged permission | Higher privileged permissions |
+|:--------------------|:---------------------------|:-----------------------------|
+|Delegated (work or school account) | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.DeleteRestore.All, User.ReadWrite.All |
+|Delegated (personal Microsoft account) | Not supported. | Not supported.|
+|Application | AgentIdUser.ReadWrite.IdentityParentedBy | AgentIdUser.ReadWrite.All, User.DeleteRestore.All, User.ReadWrite.All |
+
+> [!IMPORTANT]
+> The calling user must be assigned at least one of the following [Microsoft Entra roles](/entra/identity/role-based-access-control/permissions-reference?toc=%2Fgraph%2Ftoc.json):
+> - User Administrator
+> - Privileged Authentication Administrator
+> - Agent ID Administrator
+> 
+> To delete users with privileged administrator roles in delegated scenarios, the app must be assigned the *Directory.AccessAsUser.All* delegated permission, and the calling user must have a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+>
+> In app-only scenarios, the *User.ReadWrite.All* application permission isn't enough privilege to delete users with privileged administrative roles. The agent must be assigned a higher privileged administrator role as indicated in [Who can perform sensitive actions](../resources/users.md#who-can-perform-sensitive-actions).
+
+## HTTP request
+
+<!-- {
+  "blockType": "ignored"
+}
+-->
+``` http
+DELETE /users/microsoft.graph.agentUser/{userId}
+```
+Note: An agent user can be deleted through the standard users' endpoint as well: DELETE /users/userId. No special odata type needs to be specified in the request. 
+
+## Request headers
+
+|Name|Description|
+|:---|:---|
+|Authorization|Bearer {token}. Required. Learn more about [authentication and authorization](/graph/auth/auth-concepts).|
+
+## Request body
+
+Don't supply a request body for this method.
+
+## Response
+
+If successful, this method returns a `204 No Content` response code.
+
+## Examples
+
+### Request
+
+The following example shows a request.
+<!-- {
+  "blockType": "request",
+  "name": "delete_agentuser"
+}
+-->
+``` http
+DELETE https://graph.microsoft.com/v1.0/users/microsoft.graph.agentUser/ba9a3254-9f18-4209-aeb3-9e42a35b5be4 
+```
+
+### Response
+
+The following example shows the response.
+<!-- {
+  "blockType": "response",
+  "truncated": true
+}
+-->
+``` http
+HTTP/1.1 204 No Content
+```
+
+