Share via

Azure AI Foundry — Agent Application identity provisioning stuck at "Creating" in East US 2, blocks A2A orchestration with 401

EV Admin 10 Reputation points
2026-02-28T11:01:24.7266667+00:00

I'm setting up Agent-to-Agent (A2A) orchestration in Azure AI Foundry (New) and both of my published Agent Applications have their identity provisioning permanently stuck at "Creating".

Environment

  • Region: East US 2
  • API Version: 2025-10-01-preview

Problem

When I query the Agent Application resources via ARM API (GET .../applications/{name}?api-version=2025-10-01-preview), the top-level provisioningState shows "Succeeded", but the nested identity states are stuck:


"agentIdentityBlueprint": { "provisioningState": "Creating" },

"defaultInstanceIdentity": { "provisioningState": "Creating" }

The Entra ID service principals do exist and are enabled — the identities were created, but the provisioning state never transitioned to "Succeeded".

Impact

This blocks A2A tool calls. When my orchestrator agent tries to invoke a sub-agent via the a2a_preview tool, I get:


Error code: tool_user_error

Error message: 400 Failed to fetch agent card: Response status code does not indicate success: 401 (PermissionDenied)

I've verified:

  • RBAC is correct: Azure AI User role assigned on the Agent Application resources for both the orchestrator's agentic identity and the project managed identity
  • Direct endpoint calls work: Calling the Agent Application endpoint with a user bearer token returns 200 OK
  • Auth type doesn't matter: Tested with both AgenticIdentityToken and ProjectManagedIdentity connection types — same 401
  • Cannot modify or delete the stuck resources: PUT and DELETE operations return SystemError from managementfrontend in eastus2

Additional details

  • Two separate Agent Applications are affected, suggesting this is systemic in the region rather than resource-specific

Questions

  1. Is there a known issue with Agent Application identity provisioning in East US 2?
  2. Is there a way to re-trigger or unstick the identity provisioning?
  3. Would creating the Foundry resource in a different region (e.g., Sweden Central) avoid this issue?
Foundry Tools
Foundry Tools

Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. kagiyama yutaka 1,165 Reputation points
    2026-02-28T11:07:13.8566667+00:00

    I think u’re hitting the eastus2 stamp drift… once the agent id freezes in “Creating” it won’t self‑heal, so just dup it into a clean region (swedencentral’s fine) and let support unstick the old backend for u.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.