Adding template to demonstrate Azure AI integration of users, applications and enterprise data, using OAuth 2.0 token intelligence

[gary-archer]

Please fill out this template! There are three different types of contributions, feel free to delete the checklists that are not applicable to your contribution type.

If you are submitting a new azd template to the gallery

Fill this out if you want your template to be added to the awesome-azd gallery!

Your template repository

Place your template repository link here: https://github.com/curityio/azd-ai-autonomous-agent

• [✓] Added an entry to https://github.com/Azure/awesome-azd/blob/main/website/static/templates.json that includes:

  • [✓] Template title - Azure AI integration of customer users with C# applications and enterprise data, using OAuth 2.0 token intelligence.

  • [✓] Description - A secured A2A and MCP flow, where customer users send commands to backend agents and resource servers apply token-based authorization. Includes a container apps deployment where tokens enable agents to complete complex flows, while resource servers and API gateways can apply dynamic access controls.

  • [✓] Architecture Diagram or Application Screenshot - Added to website/static/templates/images/curity-autonomous-ai-agent.png

  • [✓] Link to Author's GitHub or other relevant website - https://curity.io

  • [✓] Author's Name - Curity Team / Gary Archer

  • [✓] Link to template source - Link to the template GitHub repo

  • [✓] Tags - community, a2a, mcp, ai, oauth2

  • [✓] Languages Tags - dotnetCsharp

  • [✓] Azure Services Tags - aca, aifoundry, managedidentity, azuresql, vnets

  • [✓] ID - 4218b822-4eca-451e-8b9b-c89a9be0dec5

    Required tags:

    • [✓] Tag your template as Microsoft-authored ("msft") or Community-authored ("community") - community
    • [✓] Tag the IaC provider ("bicep" or "terraform") - bicep
    • [✓] Add the "new" tag for any newly authored templates - new

Points of Interest

• At Curity we have been discussing this objective with @kristenwomack
• The deployment uses layered provisioning, which is in beta, and which could affect automated checks, so we are more than happy to change content based on reviewer recommendations

[Copilot]

Pull request overview

Adds a new community azd template entry to the Awesome azd gallery for the Curity autonomous AI agent sample, along with an associated preview image asset.

Changes:

• Added a new template card entry to website/static/templates.json for curityio/azd-ai-autonomous-agent
• Added a new preview image asset under website/static/templates/images/

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 3 comments.

File	Description
website/static/templates.json	Registers the new template in the gallery, including tags, services, IaC, and preview image reference
website/static/templates/images/curity-autonomous-ai-agent.jpg	Adds the template’s preview image asset

[hemarina]

@v-xuto Could you test this template please?

[kristenwomack]

I came here to say the same! Thank you @hemarina and @v-xuto.

Notes:

• README hits everything in our standards 🙌
• Please check: infra/hooks/gateway-internal/preprovision.sh lines 28-29, the CONTAINER_REGISTRY_NAME is used before it's set. The external gateway script has these two lines in the correct order. Fix: swap lines 28 and 29.

[gary-archer]

Cool - I fixed that up.
The parent script infra/hooks/preprovision.sh loads environmental values to use in its logic.

[gary-archer]

@microsoft-github-policy-service agree company="Curity"

[v-xuto]

@hemarina, @gary-archer We have finished this template test, and we filed two issues. Please review.

• Entra ID preprovisioning commands fail, leading to prompts for Entra Client ID / secret etc curityio/azd-ai-autonomous-agent#1
• ./src/ConsoleClient/run.sh returns PermissionDenied / 401: principal lacks required data action AIServices/agents/write even after granting Azure AI User per AZURE-AI-SETUP.md curityio/azd-ai-autonomous-agent#2

[gary-archer]

@hemarina, @gary-archer We have finished this template test, and we filed two issues. Please review.

• README missing guidance for azd up required parameters/secrets (entraClientId, entraClientSecret, licenseKey, etc.) curityio/azd-ai-autonomous-agent#1
• ./src/ConsoleClient/run.sh returns PermissionDenied / 401: principal lacks required data action AIServices/agents/write even after granting Azure AI User per AZURE-AI-SETUP.md curityio/azd-ai-autonomous-agent#2

Thanks @v-xuto, I believe I have provided resolutions in the issues you raised, so I wonder if you can retry when you get some time? I will then close the issues if you don't disagree.

[kristenwomack]

@hemarina, @gary-archer We have finished this template test, and we filed two issues. Please review.

• README missing guidance for azd up required parameters/secrets (entraClientId, entraClientSecret, licenseKey, etc.) curityio/azd-ai-autonomous-agent#1
• ./src/ConsoleClient/run.sh returns PermissionDenied / 401: principal lacks required data action AIServices/agents/write even after granting Azure AI User per AZURE-AI-SETUP.md curityio/azd-ai-autonomous-agent#2

Thanks @v-xuto, I believe I have provided resolutions in the issues you raised, so I wonder if you can retry when you get some time? I will then close the issues if you don't disagree.

@v-xuto will you re-test and sign off once you confirm?

[v-xuto]

@gary-archer Issue#2 has been verified as fixed. Issue#1 still has a minor problem; We’ve added comments—please review. In addition, during retesting we found a new issue; please review it as well.

• New issue: Portfolio MCP Server ./test.sh fails: “valid access token” test returns 401 and teardown throws HttpListener ObjectDisposedException curityio/azd-ai-autonomous-agent#3

[v-xuto]

@v-xuto will you re-test and sign off once you confirm?

Yes, we will retest. If everything looks good, we will add the relevant comments.

[gary-archer]

Great - thanks for all of your efforts, which have resulted in some nice improvements. This GitHub repo provides a quite complex end-to-end Azure deployment. You have the local flow working, and hopefully we are not far from getting the deployed flow working.

There are 3 open issues and I have updated them all. The first two of these have straightforward resolutions and hopefully we can close them quickly:

• Integration test failure
• azd pipeline config prompts
• Entra ID app registration creation failure

The third issue seems to be more complex. Perhaps your Microsoft environment may differ to mine when it comes to Entra ID. So I'll need you to check a few things about your environment to enable us to resolve that issue. Hopefully my suggestions lead us to a resolution. When you get some time, could you please check them and report back.

Regards.

[kristenwomack]

Great - thanks for all of your efforts, which have resulted in some nice improvements. This GitHub repo provides a quite complex end-to-end Azure deployment, but hopefully we are not far from getting it fully working.

There are 3 open issues and I have updated them all. The first two of these have straightforward resolutions and hopefully we can close them quickly:

• Integration test failure
• azd pipeline config prompts
• Entra ID app registration creation failure

The third issue seems to be more complex. Perhaps your Microsoft environment may differ to mine when it comes to Entra ID. So I'll need you to check a few things about your environment to enable us to resolve that issue. Hopefully my suggestions lead us to a resolution. When you get some time, could you please check them and report back.

Regards.

Noted, I have pinged the team on this.

cc @puicchan @weikanglim @rajeshkamal5050

[kristenwomack]

hey @v-xuto, will you share an update on your latest testing?

[gary-archer]

An update from me:

@weikanglim provided some insights in this issue and suggested that we use the following test flow to avoid prompts:

• First run a local Azure deployment
• Then run azd pipeline config to create a GitHub workflow

To avoid secrets on disk, I updated the local deployment to save secrets to an Azure key vault. This enables azd pipeline config to copy all secrets to the GitHub workflow, so removes all prompts for parameters. Therefore the deployment has a clean UX now.

ENTRA ID ISSUE

In previous testing, though, you experienced this unexplained Entra ID issue, which seems to prevent you from completing the deployment. I wondered if @x-vuto could troubleshoot this, starting by double checking that you have an Entra ID tenant. I would be happy to jump on a call of that helps, @kristenwomack.