
Is delegated authentication via OAuth2 OBO (on-behalf-of) supported for Foundry Agents?

Hazelle F 0 Reputation points
2026-02-27T14:04:19.1033333+00:00
  1. Is delegated authentication via OAuth2 OBO (on-behalf-of) supported for Foundry Agents?
  2. What is the correct resource/scope and Entra API permission(s) that must be added and consented for the backend app registration to call Foundry Agents on behalf of the user?

I'm trying to use this library, but I need delegated authentication, as the Fabric agent (which is connected to a planner agent) doesn't support SPN: https://learn.microsoft.com/en-us/python/api/overview/azure/ai-projects-readme?view=azure-python

Azure OpenAI Service

An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.


1 answer

Q&A Assist
2026-02-27T14:04:36.8666667+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

1. Delegated authentication via OAuth2 On-Behalf-Of (OBO) is supported for Foundry agents through the Agent ID platform. Agents can operate in an attended (delegated access or on-behalf-of) mode where the agent acts on behalf of a signed-in user using delegated permissions that the user grants. This is implemented using standard OAuth 2.0 OBO flows with agent-specific impersonation.

Agent identity blueprints and agent identities support the jwt-bearer grant type specifically for OBO scenarios, and the platform supports background operations with user context via refresh_token grants. OBO flows using the /authorize endpoint and public client flows are not supported; all agents operate as confidential clients and redirect URIs are not used.

2. For calling Foundry agents on behalf of a user from a backend application, the correct pattern is:
• Use an agent identity blueprint and agent identities in Microsoft Entra ID.
• Configure the agent application to use the supported grant types:
  • jwt-bearer for OBO token exchange.
  • client_credentials for app-only operations where needed.
  • refresh_token for background user-delegated operations.
• Assign delegated permissions to the agent identity blueprint and, if required, enable delegated permission inheritance (InheritDelegatedPermissions) so agent identities can inherit those permissions when impersonation is used.

The documentation in the provided context describes the supported grant types and OBO protocol behavior for agents but does not specify a concrete resource URI/scope string or a specific Entra API permission name for the Foundry Agents backend. Those values must be taken from the actual resource/API definition for the Foundry/Agents endpoint in the tenant (for example, the exposed API scopes of the Foundry/Agents resource) and then granted as delegated permissions to the backend app registration, with user consent as required.

For Fabric data agents specifically, only user identity authentication is supported; Service Principal Name (SPN) authentication is not supported. Integration with Fabric data agents uses Identity Passthrough (On-Behalf-Of) authorization, where the agent uses the end user’s identity to query Fabric data and generate responses, ensuring access control based on the user’s permissions.
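As an added illustration of the jwt-bearer OBO exchange the answer above describes (example code written for this page, not from the Azure SDK or Microsoft's documentation): the backend checks that the user token it received was actually issued to it and is still valid, then assembles the Entra ID token request with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` and `requested_token_use=on_behalf_of`. The tenant ID, client ID and the Foundry/Agents scope string are constructed placeholders; as the answer notes, the real scope must be read from the resource's app registration in your tenant.

```python
import base64
import json
import time
from typing import Optional

# Constructed, hypothetical values. The real scope exposed by the Foundry/Agents
# resource is not given on this page and must come from your tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
BACKEND_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
FOUNDRY_AGENT_SCOPE = "api://<foundry-agents-resource-id>/.default"  # placeholder


def _decode_jwt_payload(token: str) -> dict:
    """Base64url-decode the JWT payload WITHOUT verifying the signature.
    Signature, issuer and audience are verified by the middleware that
    authenticated the user; this only sanity-checks claims before forwarding."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def assertion_is_usable(user_token: str, expected_aud: str,
                        now: Optional[float] = None) -> bool:
    """Only forward a token that targets this backend and has not expired,
    so a stale or misrouted token is never sent to the token endpoint."""
    claims = _decode_jwt_payload(user_token)
    now = time.time() if now is None else now
    return claims.get("aud") == expected_aud and claims.get("exp", 0) > now


def build_obo_request(user_token: str, client_secret: str,
                      scope: str = FOUNDRY_AGENT_SCOPE):
    """Return (token_endpoint, form_body) for the Entra ID OBO exchange: the
    jwt-bearer grant, requested_token_use=on_behalf_of, the incoming user token
    as the assertion, and the downstream delegated scope being requested."""
    if not assertion_is_usable(user_token, BACKEND_CLIENT_ID):
        raise PermissionError("user assertion expired or not issued for this backend")
    endpoint = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "requested_token_use": "on_behalf_of",
        "client_id": BACKEND_CLIENT_ID,
        "client_secret": client_secret,   # or client_assertion for cert auth
        "assertion": user_token,
        "scope": scope,
    }
    return endpoint, form


def make_sample_user_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"
```

The form body is what a POST to the returned endpoint would carry; the response's `access_token` is the delegated token presented to the Foundry/Agents API.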
