
Secure OpenAPI endpoints for Foundry Agent Service

This article shows you how to secure your App Service OpenAPI endpoints when they're called by Foundry Agent Service. When you add your App Service app as an OpenAPI tool in Microsoft Foundry, you can configure it to call your APIs anonymously without authentication, which is easier for development and testing. However, for production environments, you should use Microsoft Entra authentication with managed identity. This guide walks you through configuring managed identity authentication to enable secure, token-based communication between Microsoft Foundry and your app.

Prerequisites

Find your Microsoft Foundry project's managed identity IDs

You need both the object ID and the application ID of your Microsoft Foundry project's managed identity to configure App Service authentication. A system-assigned managed identity is automatically created for your Microsoft Foundry project when you create it. This identity is what Foundry Agent Service uses to authenticate with your app.

  1. In the Foundry portal, navigate to your project and select Overview.

  2. In the Project details section on the right, select the link next to Resource group to open the resource group in the Azure portal.

  3. In the resource group, find and select your Microsoft Foundry project resource.

  4. In the project resource's left menu, select Resource Management > Identity.

  5. Under System assigned, copy the value of Object (principal) ID for later.

  6. In the Azure portal, search for and select Microsoft Entra ID.

  7. In the search box, search for the object ID you copied and select it in the search results.

  8. On the Overview page, copy the value of Application ID.

    Note

    The Object ID is the same as the one shown for the system-assigned managed identity. You need both the application ID and the object ID to configure App Service authentication.

Configure Microsoft Entra authentication for your app

  1. In the Azure portal, navigate to your App Service app.

  2. On your app's left menu, select Settings > Authentication, and then select Add identity provider.

  3. On the Add an identity provider page, select Microsoft as the Identity provider to create a new app registration.

  4. Under Additional checks, for Client application requirement, select Allow requests from specific client applications.

  5. Select the pencil widget and add the application ID that you copied in Find your Microsoft Foundry project's managed identity IDs.

  6. For Identity requirement, select Allow requests from specific identities.

  7. Select the pencil widget and add the object ID that you copied in Find your Microsoft Foundry project's managed identity IDs.

  8. For Tenant requirement, accept the default value. If you change it, be sure to select the tenant in which your Microsoft Foundry project (and therefore its managed identity) was created.

  9. For Unauthenticated requests, select HTTP 401 Unauthorized: recommended for APIs.

  10. Select Add to create the identity provider.

    Screenshot showing the configuration of a new Microsoft authentication provider in the App Service.

Update the app registration Application ID URI

After enabling authentication, you need to update the app registration's Application ID URI to match your App Service app's URL.

  1. After the Microsoft provider configuration completes, select it in the Identity provider column to open the app registration page.

  2. In the left menu, select Manage > Expose an API.

  3. Next to Application ID URI, select Edit.

  4. Change the value to your App Service app's URL in the following format: https://<suffix>.azurewebsites.net.

    You can find the app's hostname on the Overview page in Default domain.

  5. Select Save.

Warning

If you delete your App Service app, you must also delete the app registration and clean up any authentication resources that reference the Application ID URI. Failing to do so creates a security vulnerability: if someone else creates an app with the same URL, they could potentially gain unauthorized access to resources that trust the orphaned app registration. Always remove app registrations and their associated permissions when decommissioning an app.

Configure the OpenAPI tool in Microsoft Foundry

Note

This section assumes you already completed one of the tutorials in the Prerequisites section, where you added your app as an OpenAPI tool in Microsoft Foundry using anonymous authentication. You now update the tool to use managed identity authentication.

  1. Back in the Foundry portal, select your agent.

  2. Find the OpenAPI tool and select it to edit.

  3. In the Define the schema for this tool page:

    1. Paste your OpenAPI schema. For more information, see How to use OpenAPI with Foundry Agent Service.

    2. For Authentication method, select Managed Identity.

    3. For Audience, enter your App Service app's URL. This URL must match the Application ID URI that you configured earlier.

    Tip

    Foundry Agent Service uses the project's system-assigned managed identity to authenticate with your app. Because you added that identity's application (client) ID as an allowed client application and its object ID as an allowed identity in your app's authentication provider configuration, the agent service is authorized to call your app's APIs.

  4. Review and save the tool.
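The provider settings you configured earlier (allowed client applications, allowed identities, tenant requirement) and the Audience you entered in the tool work together as checks on the claims of each incoming token. The following added example (not Microsoft's or App Service's code) writes those checks out over the decoded claims; it assumes the token's signature and expiry were already verified, uses the standard Entra claim names aud, tid, appid/azp and oid, and every ID in it is a constructed placeholder.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthPolicy:
    """The App Service authentication settings from the steps above."""
    audience: str                   # Application ID URI, i.e. the app's URL
    allowed_client_apps: frozenset  # "Allow requests from specific client applications"
    allowed_identities: frozenset   # "Allow requests from specific identities"
    tenant_id: str                  # "Tenant requirement"


def check_token_claims(claims: dict, policy: AuthPolicy) -> tuple[bool, str]:
    """Apply the audience, tenant, client-application and identity checks to
    the decoded claims of an already signature-verified Entra access token.
    Returns (accepted, reason)."""
    if claims.get("aud") != policy.audience:
        return False, "audience does not match the Application ID URI"
    if claims.get("tid") != policy.tenant_id:
        return False, "token issued for another tenant"
    # v1.0 tokens name the calling app in "appid", v2.0 tokens in "azp".
    caller_app = claims.get("azp") or claims.get("appid")
    if caller_app not in policy.allowed_client_apps:
        return False, "client application not in the allowed list"
    if claims.get("oid") not in policy.allowed_identities:
        return False, "identity not in the allowed list"
    return True, "ok"


# Constructed placeholder values standing in for the IDs copied in the portal.
APP_URL = "https://<suffix>.azurewebsites.net"
FOUNDRY_APP_ID = "00000000-0000-0000-0000-00000000aaaa"     # Application ID
FOUNDRY_OBJECT_ID = "00000000-0000-0000-0000-00000000bbbb"  # Object (principal) ID
TENANT_ID = "00000000-0000-0000-0000-00000000cccc"

POLICY = AuthPolicy(
    audience=APP_URL,
    allowed_client_apps=frozenset({FOUNDRY_APP_ID}),
    allowed_identities=frozenset({FOUNDRY_OBJECT_ID}),
    tenant_id=TENANT_ID,
)

# Constructed claims: what the Foundry project's managed identity presents
# when the tool's Audience is set to the app URL.
FOUNDRY_CLAIMS = {"aud": APP_URL, "tid": TENANT_ID,
                  "appid": FOUNDRY_APP_ID, "oid": FOUNDRY_OBJECT_ID}
# Valid token from the same tenant but a different identity (constructed).
OTHER_IDENTITY_CLAIMS = dict(FOUNDRY_CLAIMS, appid="00000000-0000-0000-0000-00000000dddd",
                             oid="00000000-0000-0000-0000-00000000eeee")
# Token requested for the wrong Audience (constructed).
WRONG_AUDIENCE_CLAIMS = dict(FOUNDRY_CLAIMS, aud="api://some-other-app")
```

The second and third sample claim sets show why a mistyped object ID, or an Audience in the tool that differs from the Application ID URI, results in rejected calls even though the token itself is valid.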

Test the agent

  1. In the Foundry portal, select your agent and select Try in playground.

  2. Chat with the agent to test your OpenAPI endpoints. For example:

    • Show me all the tasks.
    • Create a task called "Buy groceries."
    • Update that task to "Buy groceries and cook dinner."

If the authentication is configured correctly, the agent successfully calls your app's APIs through the OpenAPI tool.