I'm building a Foundry-hosted agent (Python, agent-framework + agent-framework-foundry-hosting, Responses protocol) that needs to call a Microsoft Fabric Data Agent API on behalf of the end user.
The Fabric Data Agent API requires user identity authentication as service principal / managed identity tokens are explicitly rejected with HTTP 401 per Microsoft's documentation:
"Use user identity authentication. Service principal authentication isn't supported for the Fabric data agent."
The hosted container has a working managed identity (token acquisition from the MSI endpoint succeeds), but every call to the Fabric endpoint returns 401.
The natural solution is OAuth On-Behalf-Of (OBO): exchange the calling user's Bearer token for a Fabric-scoped token inside the container. But that requires the user's token to reach the container.
After inspecting both the platform behaviour and the SDK source:
- The Foundry proxy terminates Authorization before it reaches the container. The POST /responses request arrives at the container with no Authorization, X-MS-Client-Principal, or X-MS-TOKEN-AAD-* headers. Confirmed both empirically (header inspection middleware on a live deployment) and in the _endpoint_handler.py source.
- ResponseContext.client_headers only captures x-client-*-prefixed headers.
Is there a supported or planned mechanism in the Foundry hosted agent platform to forward the calling user's identity to the container (either as a header, a token injected into the request context, or a platform-managed OBO flow)?
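The two checks the post describes (a header-inspection middleware that records which identity-bearing headers reach the container, and an OBO exchange that can only proceed if the caller's token is present) as an added example; this is not code from the original post or from the Foundry SDK. The header names in the constant lists, the sample scope, and the constructed ASGI requests are assumptions for illustration; the OBO form fields are the documented Microsoft Entra ID parameter names.

```python
"""Added example: observe whether any identity-bearing header reaches an ASGI
container, and only then assemble an OAuth On-Behalf-Of (OBO) token request.
Header names and the sample scope are assumptions/placeholders, not values
taken from the Foundry platform or SDK."""
import asyncio
from typing import Dict, List, Optional, Tuple

# Headers a reverse proxy might use to forward the caller's identity
# (assumed names; the post reports that none of these arrive).
EXACT_IDENTITY_HEADERS = ("authorization", "x-ms-client-principal")
PREFIXED_IDENTITY_HEADERS = ("x-ms-token-aad-",)

# Placeholder resource scope; the real Fabric scope is not stated in the post.
PLACEHOLDER_SCOPE = "api://placeholder-fabric-resource/.default"


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Return the Bearer token from a header map (any casing), else None."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def identity_header_report(headers: Dict[str, str]) -> Dict[str, object]:
    """Record which identity headers were present. Header values are never
    stored, only presence and token length, so the report is safe to log."""
    lowered = {k.lower(): v for k, v in headers.items()}
    present: Dict[str, bool] = {n: (n in lowered) for n in EXACT_IDENTITY_HEADERS}
    for name in lowered:
        if name.startswith(PREFIXED_IDENTITY_HEADERS):
            present[name] = True
    token = extract_bearer(lowered)
    return {
        "present": present,
        "bearer_length": len(token) if token else 0,
        "obo_possible": token is not None,
    }


def build_obo_form(user_assertion: str, client_id: str, client_secret: str,
                   scope: str = PLACEHOLDER_SCOPE) -> Dict[str, str]:
    """Form body for the Entra ID On-Behalf-Of token request. Refuses to
    build one without a user assertion, which is the failure mode in the post."""
    if not user_assertion:
        raise ValueError("OBO needs the caller's token; none reached the container")
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": user_assertion,
        "scope": scope,
    }


class IdentityHeaderMiddleware:
    """ASGI middleware that appends one redacted identity report per request."""

    def __init__(self, app, sink: List[Dict[str, object]]):
        self.app = app
        self.sink = sink

    async def __call__(self, scope, receive, send):
        if scope.get("type") == "http":
            headers = {k.decode("latin-1"): v.decode("latin-1")
                       for k, v in scope.get("headers", [])}
            self.sink.append(identity_header_report(headers))
        await self.app(scope, receive, send)


async def _noop_app(scope, receive, send):
    """Minimal downstream ASGI app, constructed for the example."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b""})


def inspect_request(raw_headers: List[Tuple[bytes, bytes]]) -> Dict[str, object]:
    """Run one constructed POST /responses through the middleware; return its report."""
    sink: List[Dict[str, object]] = []
    app = IdentityHeaderMiddleware(_noop_app, sink)
    scope = {"type": "http", "method": "POST", "path": "/responses", "headers": raw_headers}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        pass

    asyncio.run(app(scope, receive, send))
    return sink[0]


if __name__ == "__main__":
    # Constructed sample matching what the post reports: no identity headers.
    print(inspect_request([(b"content-type", b"application/json")]))
    # Constructed sample of what an OBO exchange would need to see.
    print(inspect_request([(b"authorization", b"Bearer constructed-sample-token")]))
```

The report deliberately records only presence and length: a middleware that logs raw Authorization values turns a debugging aid into a token leak. Mounting `IdentityHeaderMiddleware` in front of the real handler answers the same question the post answers empirically (does any caller identity survive the proxy?), and `build_obo_form` makes the dependency explicit by refusing to run without the user assertion.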