Connect Azure AI Foundry

Azure AI Foundry's Agent Service reaches the gateway as an MCP tool: point it at https://gateway.ansvar.eu/mcp and each user signs in with their Ansvar account. Foundry does not support MCP Dynamic Client Registration, so — unlike Claude or Copilot Studio, which register themselves — the connection uses a pre-provisioned OAuth client. That is the same model as the Gemini Enterprise path: we provision the client for you and send back the values to paste in.

Step 1 — request an OAuth client

The connection needs a client ID and secret we issue for your tenant. to request a Foundry OAuth client, and tell us which Ansvar plan your users are on. We send back a client ID and client secret for the next steps.

Step 2 — add the MCP tool

In the new Foundry portal, add the MCP tool to your agent. Set the Server URL to https://gateway.ansvar.eu/mcp, give it a server label of your choice, and set Authentication to OAuth Identity Passthrough (custom OAuth).

Step 3 — enter the OAuth values

Fill in the custom OAuth fields with the credentials we sent and the gateway's identity-provider URLs:

Client ID:      <from us>
Client secret:  <from us>
Auth URL:       https://auth.ansvar.eu/realms/ansvar/protocol/openid-connect/auth
Token URL:      https://auth.ansvar.eu/realms/ansvar/protocol/openid-connect/token
Refresh URL:    https://auth.ansvar.eu/realms/ansvar/protocol/openid-connect/token
Scopes:         openid profile email offline_access

The Token URL and Refresh URL are the same endpoint. offline_access is what enables automatic token refresh — without it, sessions stop working when the short-lived access token expires.

Step 4 — send us your redirect URL

After you save the configuration, Foundry generates a Redirect URL. Send it to us and we add it to the client's allowed redirect URIs — the sign-in loop stays broken until that URL is registered on our side.

Step 5 — first use and consent

The first time each user runs the agent, Foundry returns an oauth_consent_request with a one-time consent link. The user follows it, signs in with their Ansvar account, and from then on the agent calls gateway tools with that user's identity, plan tier, and quotas.

Notes and limitations

  • Each user needs their own Ansvar account. Sign-in is per user, and per-user quotas apply.
  • Publishing to Teams or M365 Copilot does not carry user identity today. On that path Foundry sends the project's managed identity instead of the user's token — a Microsoft limitation, with no announced timeline. If you need that path, about a service credential.
  • Foundry's "Microsoft Entra ID" and "Unauthenticated" options do not work with the gateway. Tokens must be issued by Ansvar's identity provider, and unauthenticated requests are rejected. Use OAuth Identity Passthrough with custom OAuth.
  • Foundry defaults MCP tools to require approval on every call (require_approval). Adjust this in the tool configuration per your governance needs.

If something breaks

  • "Invalid tool schema." Make sure you are on the latest Foundry portal, then .
  • "Unauthorized." Re-check the client secret, and confirm the Redirect URL you sent us matches the one Foundry generated.
  • Everything else — the general troubleshooting page covers OAuth loops, tier gates, quota caps, and empty results.