Azure AI Foundry Agent Service
also known as Azure AI Agent Service, Microsoft Foundry Agent Service
Type: full-code · Vendor: Microsoft Azure · Language: API (multi-language SDKs: Python, .NET, JavaScript, Java, REST) · License: proprietary · Status: active · Status in practice: mature · First released: 2025-05-19
Fully managed Azure platform for building, deploying, and scaling AI agents that combine a Foundry-catalog model, instructions, and tools, with built-in identity, content safety, tracing, evaluation, and three agent shapes (prompt, workflow, hosted-container).
Description. Foundry Agent Service hosts and scales agents on Azure-managed runtime. An agent is a model from the Foundry catalog plus instructions plus tools; the service handles tool execution, conversation state, Microsoft Entra identity, content filters, virtual-network isolation, tracing into Application Insights, and a build-test-deploy-monitor lifecycle with immutable versioning. Three agent types coexist: prompt agents (configuration-only), workflow agents (declarative YAML or visual designer for sequential / group-chat / human-in-the-loop orchestrations), and hosted agents (your container running Microsoft Agent Framework, LangGraph, Semantic Kernel, or custom code, per-session VM-isolated). The catalog of built-in tools includes Web Search, Code Interpreter, File Search, Azure AI Search, Function calling, OpenAPI tools, Image Generation, Browser Automation, Computer Use, plus MCP and A2A as custom tool surfaces.
Agent loop shape. Managed agent runtime around a Foundry-catalog model. Prompt agents run a single-agent tool-use loop: model reasons over instructions, the service decides whether to call a built-in tool (web search, code interpreter, file search, MCP, OpenAPI, function call), executes, observes, continues. Workflow agents bind that loop into a declarative graph of nodes (agent invocation, if/else, for-each, human-in-the-loop, group chat) defined in YAML or the visual designer. Hosted agents replace the inner loop with user code in a per-session VM-isolated sandbox that calls Foundry models, Toolbox MCP, and the Responses / Invocations / Activity / A2A protocols. Every run is traced, versioned, and gated by content filters and Entra identity.
Primary use cases
- no-code prompt agents in the Foundry portal
- declarative multi-step workflows that orchestrate agents and business logic
- containerized custom-code agents (Agent Framework / LangGraph / Semantic Kernel) on managed VMs
- enterprise tool integration via MCP, OpenAPI, and Azure connectors
- publishing agents to Microsoft 365, Teams, and the Entra Agent Registry
Key concepts
- Prompt / Workflow / Hosted agents (docs) — Three agent shapes: prompt (configuration-only), workflow (declarative orchestration), hosted (your container on managed runtime).
- Foundry tool catalog → tool-use (docs) — Built-in tools (web search, Code Interpreter, File Search, Azure AI Search, Functions) plus custom tools (MCP, OpenAPI, A2A) registered through the portal.
- Workflows → orchestrator-workers (docs) — Visual / YAML orchestration with sequential, group-chat, and human-in-the-loop patterns.
- Hosted agents → agent-resumption (docs) — Per-session VM-isolated containers with persistent $HOME and /files; Responses / Invocations / Activity / A2A protocols.
- Guardrails and content filters → prompt-injection-defense (docs) — Integrated content filters with cross-prompt-injection (XPIA) protection.
- Agent identity and tracing (docs) — Per-agent Microsoft Entra identity, RBAC, Application Insights tracing of every model call and tool invocation.
Patterns this full-code implements —
- ★★Agent Resumption
Hosted agents persist per-session $HOME and /files across idle / resume; sessions live up to 30 days with 15-minute idle timeout and automatic state restore.
- ★★Agentic RAG
File Search vector store and Azure AI Search are first-class built-in tools an agent calls to ground responses in private documents.
- ★★Approval Queue
Workflow agents support explicit human-in-the-loop nodes; MCP tool config exposes a require_approval flag (e.g. 'always').
- ★★Code Execution
Code Interpreter is a built-in tool that runs Python in a Microsoft-managed Hyper-V-isolated sandbox (Azure Container Apps dynamic sessions) for data analysis, math, and chart generation.
- ★★Eval Harness
Documented Evaluate step in the lifecycle; agent evaluators measure quality and safety regressions before publish.
- ★★Input/Output Guardrails
Integrated content filters on input and output; safety controls explicitly listed.
- ★★Model Context Protocol
Remote and local MCP servers are first-class tools; Toolbox exposes a curated bundle as a single MCP-compatible endpoint.
- ★★Multi-Model Routing
Agents bind to a model from the Foundry catalog and can be swapped without changing agent code; many models supported including Azure OpenAI (GPT-4o, GPT-4.1, GPT-5) and Foundry Models sold by Azure…
- ★★Orchestrator-Workers
Workflow agents orchestrate multiple specialist agents; sequential / group-chat / branching are templated patterns.
- ★Prompt Injection Defense
Content filters explicitly mitigate cross-prompt-injection attacks (XPIA); backed by Azure AI Content Safety Prompt Shields which defends both User Prompt and Document (indirect) injection attacks.
- ★★Structured Output
Agent nodes can be configured to return JSON Schema output via the workflow visualizer or API; saved as a typed workflow variable for downstream nodes.
- ★Subagent Isolation
Hosted agents run in per-session VM-isolated sandboxes; sessions are isolated from each other. Code Interpreter sessions are isolated by a Hyper-V boundary in Azure Container Apps dynamic sessions.
- ★★Tool Use
Tools are the headline primitive: built-in (Web Search, Code Interpreter, File Search, Azure AI Search, Functions, OpenAPI) and custom (MCP, A2A, Toolbox).
- ★Computer Use
Computer Use and Browser Automation are listed built-in tools (both currently preview).
- ★★Supervisor
Connected agents (classic) and workflows (new) implement supervisor-style delegation: a main/primary agent routes tasks to purpose-built subagents via natural language, eliminating hand-coded routing…
Neighbourhood
Click any neighbour to follow the lineage. Scroll to zoom, drag to pan.
Alternatives & relatives
Listed as alternative by (2)
References
Provenance
- Last analyzed:
- Last updated:
- Verification status: verified