Hi @Mohamed Nassar, thanks for posting your issue here.
It seems like on the first prompt of a new session, the Foundry agent is lazily initializing the connection to your MCP server and fetching the key from Key Vault at the same time the Logic App is receiving the request. The 401 fires because the auth header isn't ready in time. By the second prompt everything is warmed up so it just works.
The fact that it happens consistently on prompt 1 and never on prompt 2 is the tell.
I'd suggest trying the below:
- Switching from key-based auth to Managed Identity if your Logic App and Foundry project are in the same tenant. This eliminates the Key Vault fetch latency entirely since the identity token is already available when the session starts.
- If you need to stay on key-based auth for now, the practical workaround is to send a silent warmup prompt at session initialization from your client code, something like a hidden "ping" or "initialize" message that fires before the user's first real prompt. This forces the credential fetch to happen in the background so the user never sees the 401.
- Also worth checking: make sure your Key Vault has "Allow trusted Microsoft services to bypass this firewall" enabled. Extra network latency during that first key fetch makes the race condition worse and more consistent.
The same pattern causing your KB to fail on the first prompt is the same root cause: lazy initialization of the tool connections at session start.
Please upvote and accept the answer if it helps!
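The warmup workaround suggested in the answer above, sketched as an added example (not part of the original answer and not Azure AI Foundry SDK code). `AuthNotReady`, `FakeLazyAgent` and `WarmSession` are hypothetical names, and the fake agent is a constructed stand-in that answers 401 on its first call; only the warmup is retried, with a bound, so a persistent 401 from a wrong or revoked key still surfaces.

```python
import time

class AuthNotReady(Exception):
    """Raised by the (hypothetical) transport when the backend answers HTTP 401."""

class FakeLazyAgent:
    """Constructed stand-in: the first `cold_calls` requests fail with 401,
    mimicking tool credentials that are not ready at session start."""
    def __init__(self, cold_calls=1):
        self.cold_calls = cold_calls
        self.calls = []

    def send(self, prompt):
        self.calls.append(prompt)
        if len(self.calls) <= self.cold_calls:
            raise AuthNotReady("401 Unauthorized")
        return f"answer to: {prompt}"

class WarmSession:
    """Sends a hidden warmup prompt before the first user prompt.
    Only the warmup is retried; a 401 on a real prompt is not swallowed."""
    def __init__(self, send, max_warmup_attempts=3, backoff_s=0.0):
        self._send = send
        self._max = max_warmup_attempts
        self._backoff = backoff_s
        self.warm = False
        self.warmup_failures = 0  # export this as a metric to track cold starts

    def _warm_up(self):
        for attempt in range(1, self._max + 1):
            try:
                self._send("ping")
                self.warm = True
                return
            except AuthNotReady:
                self.warmup_failures += 1
                time.sleep(self._backoff * attempt)
        # Bounded: repeated 401s point to a real auth problem, not a cold start.
        raise AuthNotReady(f"still 401 after {self._max} warmup attempts")

    def ask(self, prompt):
        if not self.warm:
            self._warm_up()
        return self._send(prompt)
```
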