You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
|**Key-based**<sup>*</sup>| Agent authenticates by passing a shared [function access key](./function-keys-how-to.md) in the request header. This method is the default authentication for HTTP endpoints in Functions. | Use during development or when the MCP server doesn't require Microsoft Entra authentication. | None | Yes |
44
+
|**Key-based** (default)| Agent authenticates by passing a shared [function access key](./function-keys-how-to.md) in the request header. This method is the default authentication for HTTP endpoints in Functions. | Use during development or when the MCP server doesn't require Microsoft Entra authentication. | None | Yes |
45
45
|**Microsoft Entra**| Agent authenticates using either its own identity (*agent identity*) or the shared identity of the Foundry project (*project managed identity*). | Use agent identity for production scenarios, but limit shared identity to development. |[Disable key-based authentication](functions-mcp-tutorial.md?tabs=mcp-extension#disable-key-based-authentication) and [configure built-in server authorization and authentication](functions-mcp-tutorial.md?tabs=mcp-extension#enable-built-in-server-authorization-and-authentication). | Project managed (shared) identity |
46
46
|**OAuth identity passthrough**| Agent prompts users to sign in and authorize access, using the provided token to authenticate. | Use in production when each user must authenticate with their own identity and user context must be persisted. |[Disable key-based authentication](functions-mcp-tutorial.md?tabs=mcp-extension#disable-key-based-authentication) and [configure built-in server authorization and authentication](functions-mcp-tutorial.md?tabs=mcp-extension#enable-built-in-server-authorization-and-authentication). | Yes |
47
47
|**Unauthenticated access**| Agent makes unauthenticated calls. | Use during development or when your MCP server accesses only public information. |[Disable key-based authentication](functions-mcp-tutorial.md?tabs=mcp-extension#disable-key-based-authentication). | Yes |
48
48
49
-
<sup>*</sup>Default for Functions-hosted MCP servers.
50
-
51
49
To learn more about the MCP server authentication options that the Foundry Agent Service supports, see [Set up authentication for MCP tools](/azure/ai-foundry/agents/how-to/mcp-authentication?view=foundry&preserve-view=true).
52
50
53
51
## Get the remote MCP server endpoint
@@ -90,17 +88,19 @@ For more information, see [Work with access keys in Azure Functions](function-ke
90
88
91
89
### [Microsoft Entra](#tab/entra)
92
90
93
-
Both **Agent Identity** and **Project Managed Identity** use Microsoft Entra authentication. Currently, Functions only supports **Project managed identity**, which requires your server to use built-in authentication and authorization.
91
+
Both **Agent Identity** and **Project Managed Identity** use Microsoft Entra authentication. Currently, Functions only supports **Project managed identity**, which requires your server to use [built-in authentication and authorization](../app-service/configure-authentication-provider-aad.md).
94
92
95
-
1. Connect a user-assigned managed identity from your function app to your Foundry project. If you don't have a user-assigned managed identity, [first create one](../app-service/overview-managed-identity.md#add-a-user-assigned-identity).
93
+
1. If your function app doesn't have a user-assigned managed identity, [first create one](../app-service/overview-managed-identity.md#add-a-user-assigned-identity).
94
+
95
+
1. Connect the user-assigned managed identity from your function app to your Foundry project:
96
96
97
97
1. In the [Azure portal](https://portal.azure.com), search for `Foundry`. In Microsoft Foundry, select your Foundry resource from **All resources**.
98
98
99
99
1. In **Resource management** > **Identity** > **User assigned**, select **+ Add**. Select the user-assigned managed identity used by your function app, and then select **Add**.
100
100
101
101
1. Select the newly added identity and copy the **Client ID** value.
102
102
103
-
1.Use the client ID of the identity to make it an allowed client application in your [function app's Entra app registration](functions-mcp-tutorial.md?tabs=mcp-extension#configure-protected-resource-metadata-preview):
103
+
1.Add the user-assigned managed identity as an allowed client application in your [function app's Entra app registration](functions-mcp-tutorial.md?tabs=mcp-extension#configure-protected-resource-metadata-preview):
104
104
105
105
1. Go to your function app resource in the [Azure portal](https://portal.azure.com).
106
106
@@ -110,7 +110,7 @@ Both **Agent Identity** and **Project Managed Identity** use Microsoft Entra aut
110
110
111
111
1. In your provider, set **Client application requirement** to **Allow requests from specific client applications** and select the edit button next to **Allowed client applications**.
112
112
113
-
1. Add the client ID of your managed identity, and select **OK** and then **Save**.
113
+
1. Add the client ID of your user-assigned managed identity, and select **OK** and then **Save**.
114
114
115
115
1. Get the **Application ID URI** from your function app's Entra app registration, which you need to complete the Entra authentication registration in your agent:
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments