|
1 | | -When you build an agent in Microsoft Foundry, it runs within the Foundry Agent Service infrastructure. Publishing your agent promotes it from a development asset into a managed Azure resource with a dedicated endpoint, independent identity, and governance capabilities. While this module focuses on Microsoft 365 integration, understanding all available publishing destinations helps you choose the right approach for your scenario. |
| 1 | +When you build an agent in Microsoft Foundry, it runs within the Foundry Agent Service infrastructure. Publishing promotes your agent from a development asset into a managed Azure resource with a dedicated endpoint, independent identity, and governance capabilities. |
2 | 2 |
|
3 | 3 | ## Understanding agent applications |
4 | 4 |
|
5 | | -When you publish an agent, Microsoft Foundry creates an **Agent Application** resource. This resource provides: |
| 5 | +When you publish an agent, Microsoft Foundry creates an **Agent Application** resource with: |
6 | 6 |
|
7 | 7 | - **Dedicated invocation URL**: A stable endpoint that remains consistent as you update agent versions |
8 | 8 | - **Agent identity**: A distinct Microsoft Entra identity separate from your development project |
9 | | -- **Governance capabilities**: Registration in the Entra Agent Registry for discovery and management |
10 | 9 | - **User data isolation**: Inputs and interactions from one user aren't available to other users |
11 | 10 |
|
12 | | -The Agent Application acts as a routing layer that directs traffic to specific agent deployments. When you publish a new agent version, traffic automatically routes to the updated deployment without changing the public endpoint. |
| 11 | +The Agent Application acts as a routing layer. When you publish a new agent version, traffic automatically routes to the updated deployment without changing the public endpoint. |
13 | 12 |
|
14 | | -## Available publishing channels |
| 13 | +## Publishing to Microsoft 365 |
15 | 14 |
|
16 | | -Microsoft Foundry agents can publish to multiple destinations. Each channel serves different use cases and audiences. |
17 | | - |
18 | | -### Microsoft 365 Copilot and Teams |
19 | | - |
20 | | -The primary focus of this module, Microsoft 365 integration enables your agent to appear within Teams and Copilot. Publishing to M365: |
| 15 | +The primary focus of this module is Microsoft 365 integration, which enables your agent to appear within Teams and Copilot. Publishing to M365: |
21 | 16 |
|
22 | 17 | - Creates an Azure Bot Service resource that routes messages between M365 and your agent |
23 | 18 | - Generates a Microsoft 365 publishing package for distribution |
24 | 19 | - Registers a Microsoft Entra ID application for authentication |
25 | 20 | - Makes your agent discoverable in the Teams agent store |
26 | 21 |
|
27 | | -This channel is ideal when your users already work in Microsoft 365 and you want to bring AI capabilities directly into their existing workflow. |
28 | | - |
29 | | -### Web application preview |
30 | | - |
31 | | -The web application preview provides a browser-based interface for demonstrating and testing your agent with stakeholders. This channel: |
32 | | - |
33 | | -- Requires no client installation |
34 | | -- Provides instant sharing via URL |
35 | | -- Works well for demos and user acceptance testing |
36 | | -- Allows non-technical stakeholders to evaluate your agent |
37 | | - |
38 | | -Use the web preview when you need to showcase your agent before committing to a production deployment. |
39 | | - |
40 | | -### Stable API endpoint |
41 | | - |
42 | | -Every published agent exposes a stable REST API endpoint that enables programmatic access. The endpoint uses an OpenAI-compatible protocol, making it familiar to developers. This channel is useful when you want to: |
43 | | - |
44 | | -- Embed your agent in existing applications |
45 | | -- Build custom client experiences |
46 | | -- Integrate with automation workflows |
47 | | -- Create scheduled or batch interactions with your agent |
48 | | - |
49 | | -The stable endpoint URL follows this pattern: |
50 | | - |
51 | | -`https://{accountName}.services.ai.azure.com/api/projects/{projectName}/applications/{applicationName}/protocols/openai` |
52 | | - |
53 | | -### Custom applications |
54 | | - |
55 | | -For deeper integration, you can embed your agent into existing applications using the stable endpoint and SDK integration. This approach provides: |
56 | | - |
57 | | -- Full control over the user interface |
58 | | -- Integration with existing authentication systems |
59 | | -- Custom conversation management |
60 | | -- Branded experiences that match your application |
61 | | - |
62 | | -Custom application integration works well for software vendors who want to add AI capabilities to their products. |
63 | | - |
64 | | -### Azure Bot Service channels |
65 | | - |
66 | | -Through Azure Bot Service, your agent can connect to additional messaging platforms beyond Microsoft 365: |
67 | | - |
68 | | -| Channel | Description | |
69 | | -|---------|-------------| |
70 | | -| **Slack** | Reach users in Slack workspaces | |
71 | | -| **Telegram** | Connect through the Telegram messaging platform | |
72 | | -| **Twilio** | Enable SMS-based interactions | |
73 | | -| **Facebook** | Integrate with Facebook Messenger | |
74 | | -| **Line** | Connect to the Line messaging platform | |
75 | | -| **GroupMe** | Enable group chat interactions | |
76 | | -| **Direct Line Speech** | Support voice-based interactions | |
77 | | -| **Email** | Enable email-based conversations | |
78 | | - |
79 | | -These channels require additional configuration through the Azure Bot Service after publishing your agent. Each channel has specific connection requirements and may need platform-specific credentials or app registrations. |
80 | | - |
81 | | -## How publishing works |
82 | | - |
83 | | -The publishing process transforms your development agent into a production-ready service. Understanding this process helps you troubleshoot issues and plan deployments effectively. |
84 | | - |
85 | | -When you publish from the Foundry portal: |
86 | | - |
87 | | -1. **Agent Application creation**: The system creates an Agent Application resource with a dedicated URL |
88 | | -2. **Identity provisioning**: A distinct agent identity is created, separate from your project identity |
89 | | -3. **Deployment creation**: A deployment is created that references your specific agent version |
90 | | -4. **Channel configuration**: For M365 publishing, Azure Bot Service and Entra ID app registration are created automatically |
91 | | - |
92 | | -After initial publishing, you can update your agent and publish new versions. The stable endpoint remains consistent, so downstream consumers don't need to change their integrations. |
93 | | - |
94 | | -## Publishing approaches for Microsoft 365 |
95 | | - |
96 | | -This module focuses on Microsoft 365 integration, which offers two main approaches for publishing Foundry agents. |
97 | | - |
98 | 22 | ### Direct publishing from Foundry portal |
99 | 23 |
|
100 | | -The most straightforward approach is publishing directly from the Foundry portal. This option handles all the infrastructure setup automatically and requires minimal configuration. The publishing wizard: |
| 24 | +The most straightforward approach is publishing directly from the Foundry portal. The publishing wizard: |
101 | 25 |
|
102 | 26 | 1. Creates an Azure Bot Service resource in your subscription |
103 | 27 | 2. Registers a Microsoft Entra ID application |
104 | 28 | 3. Generates a Microsoft 365 publishing package |
105 | 29 | 4. Prepares your agent for distribution |
106 | 30 |
|
107 | | -This approach is ideal when you want to deploy quickly, test your agent in Teams or Copilot, or keep your agent logic entirely within Foundry. |
| 31 | +This approach is ideal when you want to deploy quickly or keep your agent logic entirely within Foundry. |
108 | 32 |
|
109 | 33 | ### Microsoft 365 Agents Toolkit |
110 | 34 |
|
111 | | -For complex scenarios, you can use the Microsoft 365 Agents Toolkit to create a proxy application that connects to your Foundry agent. This approach provides more control but requires additional development effort. |
112 | | - |
113 | | -The Agents Toolkit is covered in more detail later in this module as an optional advanced topic. Consider this approach when you need custom single sign-on (SSO), advanced middleware logic, multi-environment deployment pipelines, or detailed debugging capabilities. |
| 35 | +For complex scenarios, you can use the Microsoft 365 Agents Toolkit to create a proxy application that connects to your Foundry agent. Consider this approach when you need custom single sign-on (SSO), advanced middleware logic, or multi-environment deployment pipelines. The Agents Toolkit is covered later in this module as an optional advanced topic. |
114 | 36 |
|
115 | | -### Comparing the approaches |
116 | | - |
117 | | -| Feature | Direct publishing | Agents Toolkit | |
118 | | -|---------|-------------------|----------------| |
119 | | -| Setup complexity | Low | Higher | |
120 | | -| Bot Service provisioning | Automatic | Manual or automated | |
121 | | -| Best for | Rapid deployment, testing | Custom logic, managed infrastructure | |
122 | | -| Code required | None | Proxy application code | |
123 | | - |
124 | | -For most scenarios, direct publishing provides everything you need. |
125 | | - |
126 | | -## Publish scopes for Microsoft 365 |
| 37 | +### Publish scopes |
127 | 38 |
|
128 | 39 | When publishing to Microsoft 365, you choose between two distribution scopes: |
129 | 40 |
|
130 | | -### Shared scope |
| 41 | +| Scope | Description | Best for | |
| 42 | +|-------|-------------|----------| |
| 43 | +| **Shared** | Available immediately without admin approval. Appears under **Your agents** in Teams. | Personal testing, small team pilots | |
| 44 | +| **Organization** | Available to everyone in your tenant under **Built by your org**. Requires admin approval. | Production deployments | |
131 | 45 |
|
132 | | -Shared scope makes your agent available immediately without administrative approval. The agent appears under **Your agents** in the Teams agent store. Use this scope for personal testing, sharing with a small team via direct link, or pilot programs before broader rollout. |
| 46 | +## Other publishing channels |
133 | 47 |
|
134 | | -### Organization scope |
| 48 | +While this module focuses on M365, Foundry agents can also publish to: |
135 | 49 |
|
136 | | -Organization scope makes your agent available to everyone in your Microsoft 365 tenant under **Built by your org** in the agent store. This scope requires administrative approval in the Microsoft 365 admin center and compliance with your organization's app policies. Use this scope for production deployments intended for broad organizational use. |
| 50 | +- **Web application preview**: Browser-based interface for demos and stakeholder testing |
| 51 | +- **Stable API endpoint**: REST API for embedding in custom applications |
| 52 | +- **Azure Bot Service channels**: Slack, Telegram, Twilio (SMS), Facebook, and others |
| 53 | + |
| 54 | +These options are useful when you need to reach users outside Microsoft 365 or embed your agent in custom applications. |
137 | 55 |
|
138 | 56 | ## Agent identity and permissions |
139 | 57 |
|
140 | | -When you publish an agent, the system creates a distinct agent identity separate from your development project identity. This distinction is important because: |
| 58 | +When you publish an agent, the system creates a distinct agent identity. This matters because: |
141 | 59 |
|
142 | 60 | - The agent authenticates to Azure resources using its own identity |
143 | | -- Role-based access control (RBAC) permissions must be assigned to the published agent identity |
144 | | -- Tools that access Azure resources need permissions reconfigured after publishing |
145 | | - |
146 | | -If your agent uses tools that connect to Azure services like Azure AI Search or Azure Cosmos DB, grant the published agent's identity appropriate permissions. Development-time permissions on your project identity don't transfer automatically. |
| 61 | +- Development-time permissions on your project identity don't transfer automatically |
| 62 | +- Tools that access Azure services need permissions reconfigured after publishing |
147 | 63 |
|
148 | | -## Choosing the right channel |
149 | | - |
150 | | -Consider these factors when selecting a publishing channel: |
151 | | - |
152 | | -| If you need... | Consider... | |
153 | | -|----------------|-------------| |
154 | | -| Integration with existing Teams/Copilot workflow | Microsoft 365 Copilot and Teams | |
155 | | -| Quick demos for stakeholders | Web application preview | |
156 | | -| Embedding in custom applications | Stable API endpoint | |
157 | | -| Reaching users on third-party platforms | Azure Bot Service channels | |
158 | | -| Full branding control | Custom application integration | |
159 | | - |
160 | | -For enterprise scenarios where users already work in Microsoft 365, Teams and Copilot integration typically provides the best user experience. The remaining units in this module focus on this primary scenario while acknowledging that the same agent can be published to other channels as needed. |
| 64 | +If your agent uses tools that connect to services like Azure AI Search, grant the published agent's identity appropriate permissions. |
161 | 65 |
|
162 | 66 | ## Prerequisites for publishing |
163 | 67 |
|
164 | | -Before publishing an agent, ensure you have: |
| 68 | +Before publishing an agent to M365, ensure you have: |
165 | 69 |
|
166 | | -- **Azure AI Project Manager** role on your Foundry project (to publish agents) |
167 | | -- **Azure AI User** role on the agent application scope (to invoke published agents) |
| 70 | +- **Azure AI Project Manager** role on your Foundry project |
| 71 | +- **Azure AI User** role on the agent application scope |
168 | 72 | - An Azure subscription where you can create Azure Bot Service resources |
169 | 73 | - Permissions to register applications in Microsoft Entra ID |
170 | | -- The **Microsoft.BotService** resource provider registered in your subscription |
171 | | - |
172 | | -For Microsoft 365 publishing specifically, your tenant also needs to allow custom apps and bots for users to access your published agent. |
| 74 | +- A Microsoft 365 tenant that allows custom apps and bots |
0 commit comments