Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
foundry-agent/create/references/foundry-tool-catalog.md
1# Foundry Tool Catalog β Project Connections for Remote Tools2Reference for wiring a **remote tool** (catalog tile or generic MCP server) into a Foundry project as a `RemoteTool` project connection, so a toolbox can attach to it.4> π¦ **Toolbox creation gate:** before creating a toolbox/connection, you MUST read the boundary rules in [create-hosted.md β Toolbox creation boundary](../create-hosted.md#toolbox-creation-boundary) and follow them, then continue with the rest of this file.6Three catalog backends cooperate: the **asset-gallery** index discovers connectors, the Logic Apps **managedApis** GET supplies OAuth metadata, and the Logic Apps **apiOperations** GET supplies the operation list and input schemas. Skip these calls only for fully BYO `generic_mcp` servers β every catalog-MCP or connector-namespace flow needs all three.8> π For the toolbox MCP endpoint, protocol, and testing, see [toolbox-reference.md](toolbox-reference.md).10> π For prompt-agent MCP wiring (without a toolbox), see [tool-mcp.md](tool-mcp.md).11## When to use this reference13Use when the user mentions any of:15- *Build β Tools β Connect a tool* (any subtab β Configured, Catalog, Custom)17- "Tool connection", "Remote MCP", "Catalog tile", "Custom Β· Preview"18- A specific catalog tile (GitHub, Box, Pipedrive, monday.com, Microsoft Learn, β¦)19- `RemoteTool` connection, `gateway_connector`, `catalog_MCP`, `generic_mcp`20- **Connector Namespace** / managed MCP server (powered by the Connector Namespace)21- "Bring my own OAuth App" (BYO `client_id` + `client_secret`) for a catalog connector22- Discovering connector operations (`x-ms-operations` / Logic Apps `apiOperations`) or trigger support (`x-ms-trigger`) via the catalog APIs23Do **not** use for: non-tool connections (Azure OpenAI, AI Search account, Storage), or general toolbox CRUD beyond the attach-and-verify recipe below.25## Inputs to gather upfront27Before generating any PUT body, ask the user in one batched question for:291. **Subscription id**312. **Resource group**323. **Cognitive Services account name** (the Foundry account)334. **Project name** (under the account)345. **Connection name** β lowercase, `[a-z0-9-]`, β€ 24 chars (e.g. `box-1`, `gh-byo`)356. **Tool scenario in plain language** β e.g. "list my files in Box", "create issues on GitHub". Map this onto operations from the connector's `apiOperations` catalog for `gateway_connector`, or onto the catalog MCP server's `tools/list` for `catalog_MCP` / BYO.367. **Toolbox name** to attach into for verification (defaults to `default-tb`)378. **Secrets** (BYO `clientId` / `clientSecret`, `CustomKeys` header value, β¦) β ask the user to **type these directly into the terminal**, never via tooling that echoes them38The caller's AAD `oid` / `tid` (needed only for the consent-link step) are auto-discovered via `az ad signed-in-user show --query id -o tsv` and `az account show --query tenantId -o tsv`. For a service-principal caller, use `az ad sp show --id <appId>` instead. These values can also be read from the `oid` / `tid` claims on the ARM bearer token; the gateway validates the caller principal owns them.40## ARM endpoint (shared by every variant)42```44PUT https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}45/providers/Microsoft.CognitiveServices/accounts/{acct}46/projects/{proj}/connections/{name}?api-version=2025-04-01-preview47```48### Preflight RBAC50Caller needs **Azure AI Developer** or **Cognitive Services Contributor** on the project scope. Run this before the first PUT to surface 403s early:52```pwsh54$oid = az ad signed-in-user show --query id -o tsv55$projId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.CognitiveServices/accounts/$acct/projects/$proj"56az role assignment list --assignee $oid --scope $projId --all `57--query "[?roleDefinitionName=='Azure AI Developer' || roleDefinitionName=='Cognitive Services Contributor'].roleDefinitionName" -o tsv58```59Empty output β caller lacks the required role; expect `403 AuthorizationFailed` on PUT until granted.61### Common request template63```pwsh65$tok = az account get-access-token --resource "https://management.azure.com" --query accessToken -o tsv66$h = @{ Authorization = "Bearer $tok"; "Content-Type" = "application/json" }67$uri = "https://management.azure.com/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.CognitiveServices/accounts/$acct/projects/$proj/connections/${connName}?api-version=2025-04-01-preview"68Invoke-WebRequest -Method PUT -Headers $h -UseBasicParsing -Body $body -Uri $uri69```70### Body invariants72- `properties.target` is **required** for every `authType` (validation rejects empty). The exact value depends on the variant β see each body shape. For `gateway_connector` specifically, the literal string `"https://placeholder"` is the correct value on PUT #1 and is **rewritten by the platform on PUT #2** to the real gateway URL.74- `properties.group` is server-filled (`GenericProtocol` for `RemoteTool`).75- `properties.credentials` is scrubbed to `null` on GET.76- `properties.peRequirement` defaults to `"NotRequired"`.77Allowed `authType` for `category=RemoteTool` (per `api-version=2025-04-01-preview`):79`None, CustomKeys, OAuth2, ProjectManagedIdentity, DeveloperConnection, UserEntraToken, AgentUserImpersonation, AgenticIdentityToken, AgenticUser, UserTokenAndProjectManagedIdentity`. `ApiKey` is **rejected** for `RemoteTool`. The authoritative list is whatever the [Cognitive Services projects API reference](https://learn.microsoft.com/rest/api/aiservices/) returns for the current API version β if you hit `invalid_payload: unsupported authType`, re-check against the schema for the version you're calling.80## Decision tree82| User scenario | `authType` | `metadata.type` | Notes |84|---|---|---|---|85| Catalog tile tagged "Custom Β· Preview" (Box, Pipedrive, GitHub, Salesforce, Outlook, β¦) | `OAuth2` | `gateway_connector` | **Connector-namespace managed MCP.** Powered by the Connector Namespace in your Foundry account; the namespace handles OAuth, token storage, and per-user passthrough. Needs **two** PUTs plus `listConsentLinks` per caller (see [Gateway connector full flow](#gateway-connector-full-flow)). |86| Catalog MCP tile with Microsoft-managed OAuth (no `client_id` needed) | `OAuth2` | `catalog_MCP` | Foundry brokers the OAuth app for you. The Catalog API tile **prepopulates** `target` (server URL); `listConsentLinks` flow same as gateway. |87| Catalog MCP tile with **your own** OAuth App | `OAuth2` | (omit) | Supply your own `client_id` + `client_secret` + raw `authorizationUrl` / `tokenUrl` / `scopes`. Do **not** mix BYO `credentials` with `metadata.type=catalog_MCP`. See [BYO OAuth caveats](#byo-oauth-app-against-a-catalog-mcp-server). |88| Remote MCP, Azure-side identity (project MI calls the server) | `ProjectManagedIdentity` | `catalog_MCP` *(when listed)* or `generic_mcp` | For catalog-listed MCP servers, prefer `catalog_MCP` so `target` is prepopulated. Requires `audience` in `metadata`. See [PMI limitations](#projectmanagedidentity-limitations). |89| Remote MCP, static shared secret / header key | `CustomKeys` | `catalog_MCP` *(when listed)* or `generic_mcp` | Header **name and format** are NOT always `Authorization: Bearer ...`. Read the required header name from the Catalog API entry's `x-ms-connection-parameters` and use that exact name in `credentials.keys`. |90| Remote MCP, user's Entra token forwarded | `UserEntraToken` | `generic_mcp` | Per-user identity passthrough. Not supported when the agent is published to Teams. Pair with `metadata.audience` for the upstream resource URI. |91| Custom OpenAPI / A2A tool (no MCP) | varies | n/a | Use the Custom subtab shapes; outside the MCP toolbox path. See [Custom subtab β OpenAPI / A2A](#custom-subtab--openapi--a2a). |92## Catalog APIs β three backends, three calls94There are **three** read endpoints the portal hits to populate a connection form. Programmatic callers should use the same three.96### 1. Asset-gallery (Foundry's index)98```100POST https://eastus.api.azureml.ms/asset-gallery/v1.0/tools101Headers:102Authorization: Bearer <token for https://management.azure.com>103Content-Type: application/json104Body:105{106"freeTextSearch": "*",107"filters": [108{ "field": "entityContainerId", "operator": "eq", "values": ["connectors-registry-prod-bl"] },109{ "field": "type", "operator": "eq", "values": ["tools"] },110{ "field": "annotations/name", "operator": "contains", "values": ["<name>"] }111],112"pageSize": 20113}114```115- **Catalog lives only in `eastus`.** `westus2.api.azureml.ms` returns `totalCount=0` for the same body. `entityId`s are portable across project regions.117- Use this **only to discover the connector's `entityId`** β pull `objectId` out of the returned `entityId` (e.g. `β¦/objectId/github`). That `objectId` is the `connectorName` you pass to PUTs and the next two catalog calls.118- The response is a **thin index**. `properties.remotes[]`, `xMsSecuritySchemes`, OAuth endpoints, scopes, and operation schemas are **not** included. Direct `GET /asset-gallery/v1.0/tools/{entityId}` returns 404. There is no expand/projection flag that surfaces these fields β fetch them from calls 2 and 3 below.119Two registries are indexed here β distinguished by `entityContainerId`:121| Registry | `entityContainerId` | Contents | Pair with |123|---|---|---|---|124| Public catalog | `connectors-registry-prod-bl` | Catalog connector definitions (GitHub, Box, Salesforce, β¦). | `metadata.type=catalog_MCP` or `gateway_connector` |125| Private MCP entries | `registry-prod-bl` | MCP-server entries used by the portal Connections UI (e.g. `github-mcp-server`). Sometimes carries a canonical MCP URL when the public-catalog row lacks `remotes[]`. | `metadata.type=catalog_MCP` |126Always query both when surfacing "available tools" to a user β the private MCP entries can fill gaps in the public catalog row.128### 2. Logic Apps **managedApis** β OAuth source-of-truth130```132GET https://management.azure.com/subscriptions/{sub}133/providers/Microsoft.Web/locations/{region}/managedApis/{connectorName}134?api-version=2016-06-01135```136`connectorName` is the `objectId` from the asset-gallery `entityId`. Verified response shape for `github` (2026-05-21):138```jsonc140{141"properties": {142"displayName": "GitHub",143"runtimeUrls": ["https://logic-apis-eastus.azure-apim.net/apim/github"],144"connectionParameters": {145"token": {146"type": "oauthSetting",147"oAuthSettings": {148"identityProvider": "GitHub",149"clientId": "faa5f56b825cbc649ae1", // Microsoft's default OAuth-App id150"scopes": ["repo","workflow","read:org","admin:org"],151"redirectMode": "Direct",152"redirectUrl": "https://logic-apis-eastus.consent.azure-apim.net/redirect"153}154}155}156}157}158```159**Raw `authorizationUrl` / `tokenUrl` are NOT in this response.** Logic Apps abstracts them via the `identityProvider` string and resolves them inside the gateway. For BYO you must map `identityProvider β endpoints` yourself. Known mappings:161| `identityProvider` | `authorizationUrl` | `tokenUrl` |163|---|---|---|164| `GitHub` | `https://github.com/login/oauth/authorize` | `https://github.com/login/oauth/access_token` |165| `Google` | `https://accounts.google.com/o/oauth2/v2/auth` | `https://oauth2.googleapis.com/token` |166| `Box` | `https://account.box.com/api/oauth2/authorize` | `https://api.box.com/oauth2/token` |167| `AzureActiveDirectory` / `aad3rdPartySNI` | `https://login.microsoftonline.com/common/oauth2/v2.0/authorize` | `https://login.microsoftonline.com/common/oauth2/v2.0/token` |168For `identityProvider` values not in this table (`dynamicscrmonlinecertificate`, `salesforce`, `dropbox`, `oauth2generic`, β¦), look the provider's well-known OAuth endpoints up in its developer docs β the catalog API does not surface them.170Use the `scopes` array from this response as the default scopes list. The catalog `clientId` is Microsoft's default OAuth App; replace it with your own only when going BYO.172Derive `authType` from `connectionParameters`:174- Any parameter with `type: oauthSetting` β `authType = OAuth2`.176- Else any parameter with `type: securestring` β `authType = CustomKeys`.177- Else β `authType = None` (anonymous) or `ProjectManagedIdentity` if the connector explicitly supports MI.178### 3. Logic Apps **apiOperations** β operation catalog (`gateway_connector` only)180For `gateway_connector` you need the list of operations the connector exposes plus each operation's parameter schema, because that's what gets serialized into `metadata.mcpserverConfigProperties` on PUT #2. Asset-gallery does not carry this.182```184GET https://management.azure.com/subscriptions/{sub}185/providers/Microsoft.Web/locations/{region}/managedApis/{connectorName}186/apiOperations?api-version=2016-06-01187```188Returns `value[]` of operations with `name`, `properties.summary` (display name), `properties.description`, `properties.annotation.family`, and `properties.visibility` (`important` / `advanced` / `internal`). Verified 2026-05-21: Box returns 14 operations including `ListRootFolder`, `ListFolder`, `GetFileMetadata`, `GetFileContent`, `DeleteFile`, `CreateFile`, plus several `On*` triggers (not agent-callable).190To get parameter schemas, fetch a single operation with `$expand=properties/inputsDefinition`:192```194GET .../managedApis/{connectorName}/apiOperations/{operationName}195?api-version=2016-06-01&$expand=properties/inputsDefinition196```197`properties.inputsDefinition` is a JSON-Schema-shaped object with `type:"object"`, `properties:{...}`, and `required:[...]`. Map each entry to one `agentParameters` entry:199| `inputsDefinition.properties[name]` field | β `agentParameters[].schema` field |201|---|---|202| `type` | `type` |203| `description` | `description` |204| `title` | `x-ms-summary` |205| `default` | `default` (omit if absent) |206If `inputsDefinition.properties` is empty / missing, the operation takes no arguments and `agentParameters` is `[]` (e.g. Box `ListRootFolder`).208Skip any operation whose `properties.isWebhook` or `isNotification` is `true` β these are Logic Apps triggers, not agent-callable actions.210**Picking ops from a plain-language scenario.** Match the user's words against `properties.summary` and `properties.description`, then prefer the simplest variant (fewest required parameters) and the one whose `annotation.family` aligns with the user intent. For Box "list my files", `ListRootFolder` (zero params) wins over `ListFolder` (requires `id`); if the user asks to list a specific folder, register both.212## Gateway connector full flow214For Catalog tiles tagged `Custom Β· Preview` (Box, Pipedrive, GitHub, Salesforce, Outlook, iManage Work, PDF4me, Qdrant, Medallia, Fulcrum, monday.com, SuperMCP, IA-Connect JML, iMIS, Huddo Boards, The Events Calendar, PUG Gamified Engagement, Nitro Sign Enterprise Verified, Soft1, Elfsquad Product Configurator, MintNFT, β¦).216### Step 1 β Discover218Query the asset-gallery (call #1) for the connector. Extract:220- `objectId` from `entityId` β `connectorName`222- Full `entityId` β `metadata.toolEntityId`223Then call managedApis (call #2) and apiOperations (call #3) for OAuth and operation metadata.225### Step 2 β PUT #1 (create connection)227Verbatim PUT body (captured from the portal's Box wizard, 2026-05-21):229```json231{232"properties": {233"authType": "OAuth2",234"category": "RemoteTool",235"target": "https://placeholder",236"credentials": {},237"connectorName": "box",238"metadata": {239"type": "gateway_connector",240"toolEntityId": "azureml://location/eastus/apiCenter/connectors-registry-prod-bl/type/tools/objectId/box/version/1",241"connectionproperties": "{\"connectorName\":\"box\"}"242}243}244}245```246Spelling traps (case-sensitive):248- `toolEntityId` β NOT `entityId`.250- `connectionproperties` β **lowercase**, value is a **stringified JSON object**, not a nested object. `"{\"connectorName\":\"box\"}"` is correct; `{"connectorName":"box"}` is rejected.251- `connectorName` appears at top-level under `properties` **and** inside `metadata` and inside `connectionproperties`.252`target = "https://placeholder"` is the **persisted value on PUT #1**, not a stub. There is no follow-up call that rewrites it before PUT #2. Runtime dispatch keys off `metadata.toolEntityId` + `metadata.connectionproperties.connectorName` + OAuth consent state. PUT #2 (register-actions) rewrites `target` to the real gateway URL `https://app-XX.<region>.logic.azure.com/api/connectorGateways/{envId}/mcpServerConfigs/{connectionName}/mcp`.254### Step 3 β Per-caller consent256For every distinct end-user (or service principal), call `listConsentLinks`:258```260POST .../connections/{name}/listConsentLinks?api-version=2025-04-01-preview261```262Verbatim portal body:264```json266{267"parameters": [{268"objectId": "<caller AAD oid>",269"parameterName": "token",270"redirectUrl": "https://ai.azure.com/nextgen/authConsentPopup",271"tenantId": "<caller AAD tid>"272}]273}274```275Notes:277- The portal sends `redirectUrl=https://int.ai.azure.com/...` from the INT environment; for production (`ai.azure.com`) use `https://ai.azure.com/nextgen/authConsentPopup`. The redirect URL only gates which Foundry origin the OAuth popup closes back into β it does not affect what tokens are minted.279- Returns a per-user OAuth authorization URL (e.g. a `box.com/api/oauth2/authorize?...` link). User navigates β consents β gateway stores the token.280- Cross-tenant calls return `InvalidConsentLinkParameter` (`objectId` + `tenantId` must match the caller principal).281#### Consent link expiry (~1 hour)283Each `listConsentLinks` response mints a short-lived signed token (β 1 hour TTL based on `ExpirationTime` in the base64 payload). A `500` from the consent host when clicking the link is most often caused by an **expired or stale link**, not a server outage. Fix: call `listConsentLinks` again to get a fresh link and use it immediately. Do not reuse a link from a previous step or previous session.285#### Portal popup lifecycle (pending-true happy path)287The portal pre-opens a blank popup (`about:blank`) before calling `listConsentLinks`, then drives the flow as follows once the consent URL is in hand. Code-first callers should replicate this:2891. Register listeners on `window.postMessage` **and** `BroadcastChannel('connector-oauth-callback')` to receive completion signals.2912. Navigate the popup to the consent URL.2923. Poll `popup.closed` every 1 second to detect finish / dismiss.2934. When the popup closes, wait **500 ms** grace for any in-flight postMessage / BroadcastChannel messages.2945. If a `{ pending: true }` signal arrives (consent completed server-side but no authorization code returned to the opener):295- Issue a **PUT** to the connection (same body as the original create PUT) to prompt the backend to finalise auth state.296- If `overallStatus` is `Connected` in the response, done β .297- Otherwise **poll `GET .../connections/{name}`** every 2 seconds, up to **15 attempts**, until `overallStatus` flips to `Connected`.2986. If **no signal** before popup close, treat as user-cancelled and surface an error.2997. **Cleanup:** remove listeners, clear polling, force-close the popup if still open.300The `{ pending: true }` path is the normal happy-path because the provider closes the popup by redirecting to `ai.azure.com/nextgen/authConsentPopup`, which has no JavaScript opener to post back to. **Don't assume consent is done just because the popup closed.** The "blank Foundry page" seen after authorising in a detached tab is this same redirect arriving without an opener β the gateway token is still stored; retry PUT #2 to confirm.302#### Consent-host hosts304Links served from `logic-apis-df.consent.azure-apim.net` are the **dogfood / INT** consent host (DF = dogfood). Production region traffic goes through `logic-apis-{region}.consent.azure-apim.net` (e.g. `logic-apis-eastus.consent.azure-apim.net`). Either host can return DF links depending on which Logic Apps environment the connector is deployed in; the caller cannot force the host.306#### Dogfood OAuth-app runtime allowlist trap308Some connectors (Spotify `spotifyip` confirmed) are backed by a **dogfood-env Microsoft OAuth app** registered in provider "development mode" with a hard-coded test-user allowlist. Consent + `Connected` status work fine code-first for any caller, but `tools/call` at runtime returns:310```json312{ "error": { "code": 403, "source": "...logic-df.azure-apihub.net",313"innerError": "Check settings on https://developer.spotify.com/dashboard, the user may not be registered." } }314```315Detect by inspecting the consent URL's first 302: if the `redirect_uri` is `https://global-test.consent.azure-apim.net/redirect` (rather than `global.consent...`), the connector is on the dogfood OAuth app. **The connection will still go Connected and `tools/list` will work**; only the actual API invocation fails. Not fixable client-side; requires Microsoft to promote the app or add the caller's email to the provider-side allowlist.317```pwsh319$consentUrl = ($r.Content | ConvertFrom-Json).value[0].link320try { Invoke-WebRequest -Uri $consentUrl -MaximumRedirection 0 -ErrorAction Stop | Out-Null }321catch { $loc = $_.Exception.Response.Headers.Location.ToString() }322if ($loc -match 'global-test\.consent\.azure-apim\.net') {323Write-Warning "Connector uses dogfood OAuth app; tools/call may 403 with 'user may not be registered' even after Connected."324}325```326### Step 4 β PUT #2 (register actions)328After OAuth, the portal issues a **second PUT** against the **same connection name** to register which connector operations the agent can invoke. **Without this PUT the runtime has no actions to dispatch even though `overallStatus` shows `Authenticated`.**330The body is identical to PUT #1 plus an additional `metadata.mcpserverConfigProperties` field (stringified JSON). Verbatim example for Box connection `box-5`:332```jsonc334{335"properties": {336"authType": "OAuth2",337"category": "RemoteTool",338"target": "https://placeholder",339"credentials": {},340"connectorName": "box",341"metadata": {342"type": "gateway_connector",343"toolEntityId": "azureml://location/eastus/apiCenter/connectors-registry-prod-bl/type/tools/objectId/box/version/1",344"connectionproperties": "{\"connectorName\":\"box\"}",345"mcpserverConfigProperties": "{\"description\":\"\",\"state\":\"Enabled\",\"connectors\":[{\"name\":\"box\",\"connectionName\":\"box-5\",\"displayName\":\"box\",\"description\":\"\",\"operations\":[{\"name\":\"GetFileMetadata\",\"displayName\":\"Get file metadata using id\",\"description\":\"\",\"userParameters\":[],\"agentParameters\":[{\"name\":\"id\",\"schema\":{\"type\":\"string\",\"description\":\"The unique identifier of the file in Box.\",\"x-ms-summary\":\"File Id\"}}]}]}]}"346}347}348}349```350Decoded `mcpserverConfigProperties` schema:352```jsonc354{355"description": "",356"state": "Enabled",357"connectors": [358{359"name": "<connectorName>", // same as properties.connectorName360"connectionName": "<this connection name>",361"displayName": "<connectorName>",362"description": "",363"operations": [364{365"name": "<OperationId>", // operation id from apiOperations366"displayName": "<friendly>",367"description": "",368"userParameters": [], // bound at connection time (rare for CustomΒ·Preview)369"agentParameters": [ // parameters the agent fills at call time370{371"name": "<paramName>",372"schema": {373"type": "string|number|boolean",374"description": "...",375"x-ms-summary": "...",376"default": "..." // optional377}378}379]380}381]382}383]384}385```386Each operation in `operations[]` corresponds 1:1 to one `apiOperations` entry; `agentParameters[].schema` is translated from `inputsDefinition.properties` per the mapping in [Catalog APIs Β§3](#3-logic-apps-apioperations--operation-catalog-gateway_connector-only).388The portal lets the user multi-select via checkboxes in the wizard's "Configure actions" page; the selection is serialized into this string. When the selection changes later, the portal **replaces `mcpserverConfigProperties` wholesale** β no merge. Your code must do the same: any time the agent-callable op list changes, re-run PUT #2 with the full new list.390### Step 5 β `overallStatus` flip semantics392Two independent conditions must BOTH be true for `overallStatus` to flip `Unauthenticated` β `Connected`:3941. **PUT #2 issued with non-empty `metadata.mcpserverConfigProperties`** (rewrites `target` to the real gateway URL; target rewrite is visible immediately on PUT #2 regardless of consent state).3962. **OAuth consent completed** (user followed the `listConsentLinks` URL and clicked Authorize). Gateway then stores the token.397Order-independent observations:399- PUT #2 before consent β `target` rewrites, status stays `Unauthenticated`.401- Consent before PUT #2 β status stays `Unauthenticated` until PUT #2 fires; PUT #2 then flips to `Connected` in the same response.402## Body shape β `OAuth2` + `catalog_MCP` (Microsoft-managed OAuth)404Use when the catalog entry is an MCP server and you accept Microsoft's managed OAuth App + consent flow (no BYO secret):406```json408{409"properties": {410"authType": "OAuth2",411"category": "RemoteTool",412"target": "https://api.githubcopilot.com/mcp",413"credentials": {},414"metadata": {415"type": "catalog_MCP",416"toolEntityId": "azureml://location/eastus/apiCenter/connectors-registry-prod-bl/type/tools/objectId/github/version/1"417},418"peRequirement": "NotRequired"419}420}421```422For MCP URL discovery when `connectors-registry-prod-bl` lacks `remotes[]`, look up the peer entry in `registry-prod-bl` (e.g. `github-mcp-server`) β its asset-gallery row sometimes carries the canonical MCP URL. Consent uses the same `listConsentLinks` flow as gateway_connector.424## BYO OAuth App against a catalog MCP server426When the user has their own OAuth App (e.g. GitHub `https://github.com/organizations/<org>/settings/applications/<app-id>`) and wants the connection to mint tokens via *their* app instead of Microsoft's managed one. Verified shape, 2026-05-21:428```json430{431"properties": {432"authType": "OAuth2",433"category": "RemoteTool",434"target": "<MCP server URL>",435"credentials": { "clientId": "<your client id>", "clientSecret": "<your client secret>" },436"authorizationUrl": "https://github.com/login/oauth/authorize",437"tokenUrl": "https://github.com/login/oauth/access_token",438"scopes": ["repo","workflow","read:org","admin:org"],439"peRequirement": "NotRequired"440}441}442```443### Filling the OAuth fields from the catalog APIs4451. **Find the connector `entityId`** β asset-gallery POST with `annotations/name contains <name>`. Pull `objectId` out of the returned `entityId`.4472. **Look up OAuth metadata** β `GET .../managedApis/<objectId>?api-version=2016-06-01`. From `properties.connectionParameters.token.oAuthSettings`:448- `identityProvider` β look up `authorizationUrl` / `tokenUrl` in the mapping table in [Catalog APIs Β§2](#2-logic-apps-managedapis--oauth-source-of-truth).449- `scopes` β use as the default scopes array (override only if the user explicitly needs different scopes).4503. **Supply your own `clientId` / `clientSecret`** in `credentials`. Do not reuse the catalog `clientId` from step 2 β that's Microsoft's managed OAuth App and you cannot mint with it.4514. **PUT** the body above.452### Hard rules verified by probe (2026-05-21)454- **`scopes` MUST be a JSON array.** A space-separated string returns `400 "Error when parsing request; unable to deserialize request body"`.456- **DO NOT send `useCustomConnector`.** It is ignored on input; server fills `false`.457- **DO NOT send `metadata.{type=catalog_MCP, toolEntityId, ...}`** for BYO. Those fields anchor the connection to the catalog's managed OAuth App and conflict with your supplied `credentials`.458- **DO NOT call `listConsentLinks`** for BYO β the gateway handles consent via the standard authorization_code flow using the server-filled `redirectUrl`. Calling `listConsentLinks` against a fresh BYO connection returns `404 AIGatewayConnectionNotFound`.459### Server-filled response fields461- `credentials` β `null` (scrubbed).463- `connectorName` β `<gatewayId>-<connectionName>` (your input ignored).464- `redirectUrl` β `https://global.consent.azure-apim.net/redirect/<32-hex>` β **the OAuth callback URL the provider (e.g. GitHub OAuth App) must allow-list**. Generated per-connection on first PUT. Two-pass flow:4651. PUT with placeholder client_secret.4662. Read `properties.redirectUrl` from the response.4673. Register it as the "Authorization callback URL" on the OAuth App.4684. PUT again with the real client_secret.469### Caveat: `api.githubcopilot.com/mcp` rejects BYO OAuth-App tokens471The GitHub Copilot MCP server requires GitHub-App-minted Copilot tokens (the `microsoft-foundry-agent-service` GitHub App). A token from a user OAuth App will be rejected at runtime even if the connection PUT is 200. For real BYO testing point `target` at a self-hosted GitHub MCP server, or use an OpenAPI tool against `api.github.com` instead.473## `ProjectManagedIdentity` Remote MCP475For MCP servers that accept Azure-side identity (the project's system MI calls the MCP server's bearer endpoint):477```json479{480"properties": {481"authType": "ProjectManagedIdentity",482"category": "RemoteTool",483"target": "<MCP server URL with required query string>",484"metadata": { "type": "generic_mcp", "audience": "<upstream resource URI>" }485}486}487```488For catalog-listed MCP servers, prefer `metadata.type = catalog_MCP` with `toolEntityId` so `target` is prepopulated. `audience` is **required for MI auth** β it tells Foundry which resource URI to request a token for. Read the required `audience` from the connector's catalog entry or its documentation (typical values: an app ID URI like `api://contoso-mcp`, or an Azure service resource ID like `https://cognitiveservices.azure.com`). If you omit `audience`, the MCP server rejects the call with 401.490### `ProjectManagedIdentity` limitations492Verified end-to-end against Azure Language `/language/mcp`, 2026-05-21:4941. **Forwarder drops the query string.** The connection `target`'s `?api-version=...` is **not** preserved on the upstream call. If the upstream MCP requires a query parameter, PMI fails with 401/404 even when RBAC is correct.4962. **Forwarder mints the wrong audience.** The MI token Foundry sends does not have `aud=https://cognitiveservices.azure.com` or `https://ai.azure.com`. Setting `properties.audience` on the connection is accepted but **does not** change what is minted.4973. Endpoints not on the trust list reject the forwarded MI token with `-32007 PERMISSION_DENIED "Cannot pass Microsoft token to untrusted MCP endpoint"` (e.g. `api.githubcopilot.com/mcp`). This is the expected security gate.498## `CustomKeys` Remote MCP500Static header(s) injected on every upstream call. Minimum body:502```json504{505"properties": {506"authType": "CustomKeys",507"category": "RemoteTool",508"target": "<MCP server URL>",509"credentials": { "keys": { "Ocp-Apim-Subscription-Key": "<value>" } },510"metadata": { "type": "generic_mcp" }511}512}513```514Verified PUT 200 / GET 200 / DELETE 200 round-trip. The header name is **arbitrary** β it is forwarded as-is to the MCP server. Different connectors require different header shapes:516- GitHub PAT: `Authorization: Bearer <pat>` or `Authorization: token <pat>` β catalog dictates.518- API-key services: `x-api-key: <key>` or `Ocp-Apim-Subscription-Key: <key>`.519- Multi-header schemes: e.g. `X-Account-Id: <id>` + `X-Account-Secret: <secret>`.520Always read the canonical header set from the connector's `connectionParameters` (each `securestring` parameter names the header it maps to) before writing the `keys` block. **Do not default to `Authorization: Bearer`** β it's wrong for many connectors.522For catalog-listed servers, swap `metadata.type` to `catalog_MCP` and add `toolEntityId`.524## `UserEntraToken` Remote MCP526For MCP servers that consume the *caller's* Entra token directly. Body includes `metadata.audience` so the platform mints the correct token for the upstream:528```json530{531"properties": {532"authType": "UserEntraToken",533"category": "RemoteTool",534"target": "<MCP server URL>",535"metadata": { "type": "generic_mcp", "audience": "<upstream resource URI>" }536}537}538```539Not available when the agent is published to Teams (Teams agents use the project MI).541## Custom subtab β OpenAPI / A2A543Not catalog-driven β the user provides the spec themselves. Each Save in this subtab maps to a single PUT against the same connections endpoint:545| Tile | `authType` options | `target` | Notes |547|---|---|---|---|548| OpenAPI | `None`, `CustomKeys`, `ApiKey`, `OAuth2` | OpenAPI spec URL or upstream API base | Agent gets `tools[].openapi.auth.security_scheme.connection_id`. |549| A2A (Preview) | `None` / `CustomKeys` / `UserEntraToken` / `AAD` (mapped from UI) | A2A endpoint | `metadata.agentCardPath` default `/.well-known/agent-card.json`; agent gets `tools=[A2APreviewTool(project_connection_id=...)]`; runtime emits `a2a_preview_call` / `a2a_preview_call_output` events. |550| MCP | covered above | β | This tile is just a router to the catalog / BYO flows. |551## Toolbox attach β `gateway_connector` tool naming553Attach the same as `generic_mcp` β the tool block uses `type:"mcp"` and `project_connection_id` set to the **full ARM resource id** of the connection (NOT just the name):555```jsonc557{558"tools": [{559"type": "mcp",560"server_label": "box5",561"project_connection_id":562"/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.CognitiveServices/accounts/{acct}/projects/{proj}/connections/{connName}"563}]564}565```566`tools/list` returns one MCP tool per registered operation. Tool names follow the verified pattern (probed 2026-05-22 against Box):568```570<server_label>___<connectorName>_<OperationName>571```572Note `___` (**three** underscores) between `server_label` and the rest, then a **single** `_` between `connectorName` and operation name. Example for Box attached with `server_label="box5"`:574| `mcpserverConfigProperties` op | `tools/list` `name` | `description` |576|---|---|---|577| `ListRootFolder` | `box5___box_ListRootFolder` | `box - List files and folders in root folder` |578| `GetFileMetadata` | `box5___box_GetFileMetadata` | `box - Get file metadata using id` |579The MCP tool's `inputSchema` is exactly the JSON schema derived from `apiOperations/{op}?$expand=properties/inputsDefinition` (the `agentParameters[].schema` values, re-keyed by parameter name). For an operation with no agent parameters, `inputSchema` is `{"type":"object"}`.581Worked `tools/call` for "list my files in Box" β verified end-to-end:583```jsonc585POST {dp}/toolboxes/{tb}/mcp?api-version=v1586{587"jsonrpc": "2.0", "id": 2, "method": "tools/call",588"params": { "name": "box5___box_ListRootFolder", "arguments": {} }589}590β 200591{592"jsonrpc": "2.0", "id": 2,593"result": {594"content": [{ "type": "text", "text": "[]" }],595"isError": false596}597}598```599(`text` carries a JSON-stringified array of Box file/folder objects; empty `[]` means the root folder is empty.)601### `outlook` connector β verified end-to-end (2026-05-22)603Uses `identityProvider: oauth2generic` (MSA / consumers tenant). `connectorName = "outlook"`, `toolEntityId` objectId = `outlook`. `tools/call` response wraps in `{ "value": [...] }` (not a bare array like Box):605```jsonc607POST {dp}/toolboxes/{tb}/mcp?api-version=v1608{609"jsonrpc": "2.0", "id": 2, "method": "tools/call",610"params": { "name": "outlook-1___outlook_GetEmailsV2",611"arguments": { "folderPath": "Inbox", "top": 3 } }612}613β 200614{615"jsonrpc": "2.0", "id": 2,616"result": {617"content": [{ "type": "text",618"text": "{\n \"value\": [\n { \"Subject\": \"...\", \"From\": \"...\", ... }\n ]\n}" }],619"isError": false620}621}622```623Operations registered for the test: `GetEmailsV2` (read emails with `folderPath` / `top` / `fetchOnlyUnread` agent parameters) and `SendEmailV2` (send with `emailMessage` object param containing required `To`, `Subject`, `Body`). `SendEmailV2`'s top-level schema is `object` β pass it as a single nested `agentParameters` entry; the gateway flattens into the Logic Apps `emailMessage` envelope internally. The follow-up PUT after popup close (pending-true path) immediately returned `overallStatus: Connected` without needing the GET poll loop β outlook's MSA consent round-trips are fast.625## Minimum attach + verify recipe627Verifying a fresh connection is the only toolbox operation in scope of this reference. Toolboxes are upserted implicitly by `POST /versions`; no separate container create is needed.629The `$dp` value below is the project's data-plane endpoint, in the same `{project_endpoint}` form used elsewhere in these references β `https://<account>.services.ai.azure.com/api/projects/<project>`. The host segment varies by Foundry account/region; read it from a non-`FOUNDRY_`-prefixed env var (see [toolbox-reference.md Β§ Agent env contract](toolbox-reference.md#agent-env-contract)) rather than hardcoding. The bearer-token resource is `https://ai.azure.com`, NOT ARM.631```pwsh633# 0. Constants.634$dp = $env:PROJECT_ENDPOINT # https://<account>.services.ai.azure.com/api/projects/<project>635$tb = "default-tb"636$lbl = "box5" # becomes the "<label>___" prefix on tool names637$connId = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<acct>/projects/<proj>/connections/<connName>"638$tok = az account get-access-token --resource "https://ai.azure.com" --query accessToken -o tsv639$hdr = @{ Authorization = "Bearer $tok"640"Content-Type" = "application/json"641"Foundry-Features" = "Toolboxes=V1Preview" # REQUIRED642Accept = "application/json, text/event-stream" }643# 1. Create a toolbox version with the connection attached.645$body = @{ tools = @(@{646type = "mcp"647server_label = $lbl648project_connection_id = $connId649}) } | ConvertTo-Json -Depth 6 -Compress650$v = Invoke-WebRequest -Method POST -Headers $hdr -UseBasicParsing -Body $body `651-Uri "$dp/toolboxes/$tb/versions?api-version=v1"652$ver = ($v.Content | ConvertFrom-Json).version653# 2. Promote the new version to default. default_version MUST be a JSON STRING, not a number.655# Use ${tb} to terminate the variable name unambiguously before the literal '?'.656Invoke-WebRequest -Method PATCH -Headers $hdr -UseBasicParsing `657-Body (@{ default_version = "$ver" } | ConvertTo-Json) `658-Uri "$dp/toolboxes/${tb}?api-version=v1" | Out-Null659# 3. tools/list β expect one entry per registered op, named "<server_label>___<connectorName>_<OpName>".661$req = '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'662Invoke-WebRequest -Method POST -Headers $hdr -UseBasicParsing -Body $req `663-Uri "$dp/toolboxes/$tb/mcp?api-version=v1"664# 4. tools/call β the prefixed name and arguments per inputSchema.666$call = @{ jsonrpc="2.0"; id=2; method="tools/call"; params=@{667name="$lbl`___box_ListRootFolder"; arguments=@{} } } | ConvertTo-Json -Depth 5 -Compress668Invoke-WebRequest -Method POST -Headers $hdr -UseBasicParsing -Body $call `669-Uri "$dp/toolboxes/$tb/mcp?api-version=v1"670```671The `Foundry-Features: Toolboxes=V1Preview` header is mandatory β without it the dataplane returns 404. The response body for `/mcp` is plain JSON (no SSE `data:` framing) despite the `text/event-stream` Accept.673## Required RBAC summary675| Operation | Role |677|---|---|678| PUT any connection above | **Azure AI Developer** on the project (or **Cognitive Services Contributor** on the account) |679| Drive OAuth consent (`gateway_connector`, `catalog_MCP` managed-OAuth) | The end-user themselves, signed in to the subscription's tenant |680| `ProjectManagedIdentity` against a Cognitive Services upstream | Project MI needs the upstream's data-plane role (e.g. `Cognitive Services Language Owner` for `/language/mcp`) |681## Pitfalls / common mistakes683- **Do not forget PUT #2 for `gateway_connector`** ([Step 4](#step-4--put-2-register-actions)). The first PUT + OAuth flips status to `Authenticated` but the runtime has no actions to dispatch until you PUT again with `metadata.mcpserverConfigProperties`.685- **Do not invent a "real" target URL** for the `gateway_connector` flow on PUT #1. `"https://placeholder"` is correct on PUT #1; PUT #2 rewrites it.686- **Do not mix BYO `credentials` with `metadata.type=catalog_MCP`** in the BYO body. They conflict; the server accepts the PUT but the runtime uses the catalog's managed app and ignores your secret β or fails with consent confusion.687- **Do not send `scopes` as a space-separated string** anywhere. Always an array.688- **Do not call `listConsentLinks` for BYO OAuth.** Use only for `gateway_connector` and managed-OAuth `catalog_MCP`.689- **Do not assume the asset-gallery search response contains OAuth metadata** β it does not. Always pair it with the Logic Apps `managedApis` GET (or hardcode the identityProvider mapping) to get `scopes` and to derive `authorizationUrl` / `tokenUrl`.690- **Use exact field spelling** for `gateway_connector`: `toolEntityId` (NOT `entityId`), `connectionproperties` (lowercase, stringified JSON).691- **Sign in to the subscription's tenant** before calling `listConsentLinks` β it validates the caller principal owns the supplied `objectId` + `tenantId`.692- **Toolbox PATCH `default_version` must be a JSON STRING**, not a number. Sending `{"default_version": 1}` returns `400 invalid_payload "requires an element of type 'String', but the target element has type 'Number'"`. Use `{"default_version": "1"}`.693- **`metadata.audience` is required for `ProjectManagedIdentity`.** Without it the MCP server returns 401.694- **Header names for `CustomKeys` come from the catalog**, not from a default `Authorization: Bearer` template.695- **`ApiKey` is rejected** for `category=RemoteTool`. Use `CustomKeys` for static secrets.696- **OAuth consent is per-user, per-connection, per-project.** Each new caller hits `CONSENT_REQUIRED` (code `-32007`) once and must open the URL the toolbox returns.697- **`api.githubcopilot.com/mcp` rejects user OAuth-App tokens.** Use a self-hosted MCP or fall back to OpenAPI.698- **PMI forwarder drops `target` query strings and mints a fixed audience.** Setting `properties.audience` is accepted but does not change what is sent.699- **Network-secured Foundry** projects cannot use private-endpoint-only MCP servers β only public endpoints reachable from the Foundry data plane and the Connector Namespace.700## References702- [Tool Catalog](https://learn.microsoft.com/azure/foundry/agents/concepts/tool-catalog)704- [Toolbox (preview)](https://learn.microsoft.com/azure/foundry/agents/how-to/tools/toolbox)705- [Private tools catalog](https://learn.microsoft.com/azure/foundry/agents/concepts/tool-catalog#private-tools-catalog)706- [Cognitive Services projects REST API](https://learn.microsoft.com/rest/api/aiservices/)707- [tool-mcp.md](tool-mcp.md) β prompt-agent MCP wiring (no toolbox)708- [toolbox-reference.md](toolbox-reference.md) β MCP endpoint, auth, testing, troubleshooting709- [agent-tools.md](agent-tools.md) β the agent-tools index710- [use-toolbox-in-hosted-agent.md](use-toolbox-in-hosted-agent.md) β wiring a toolbox into a hosted agent711