Azure Foundry Agent Fails to Use MCP Server

Mohamed Nassar 0 Reputation points
2026-06-22T14:22:38.6+00:00

I am experiencing an intermittent authentication issue when using an Azure AI Foundry Agent configured with an MCP server hosted through Azure Logic Apps.

The agent is configured to connect to the MCP server through the Tools section using key-based authentication. When I start a new session and send the first prompt, the agent consistently returns the following error:

Authentication failed when connecting to the MCP server:

Response status code does not indicate success: 401 (Unauthorized).

Response body:

You do not have permission to view this directory or page.

Verify your authentication headers.

However, if I immediately send a second prompt in the same session, the MCP tool connects successfully and executes without any issues.

Additional Observations

  • The issue occurs consistently on the first interaction of a new session.
  • Subsequent prompts within the same session work correctly.
  • The MCP server is hosted via Azure Logic Apps and accessed through Azure AI Foundry tools.
  • Authentication is configured using key-based authentication.
  • I observe the same behavior when using a Knowledge Base in Azure AI Foundry:
  • The first prompt in a new session fails with a similar authentication error.
    • The second prompt succeeds without any changes to the configuration.
Microsoft Foundry
Microsoft Foundry

A unified Azure platform for creating and managing AI models, agents, and applications with built‑in enterprise security, monitoring, and governance

0 comments No comments

2 answers

Sort by: Most helpful
  1. Jubin Soni 0 Reputation points
    2026-06-27T23:14:08.1133333+00:00

    Hi @Mohamed Nassar , thanks for posting your issue here.

    It seems like on the first prompt of a new session, the Foundry agent is lazily initializing the connection to your MCP server and fetching the key from Key Vault at the same time the Logic App is receiving the request. The 401 fires because the auth header isn't ready in time. By the second prompt everything is warmed up so it just works.

    The fact that it happens consistently on prompt 1 and never on prompt 2 is the tell.

    I'd suggest trying below:

    • Switching from key-based auth to Managed Identity if your Logic App and Foundry project are in the same tenant. This eliminates the Key Vault fetch latency entirely since the identity token is already available when the session starts.
    • If you need to stay on key-based auth for now, the practical workaround is to send a silent warmup prompt at session initialization from your client code, something like a hidden "ping" or "initialize" message that fires before the user's first real prompt. This forces the credential fetch to happen in the background so the user never sees the 401.
    • Also worth checking: make sure your Key Vault has "Allow trusted Microsoft services to bypass this firewall" enabled. Extra network latency during that first key fetch makes the race condition worse and more consistent.

    The same pattern causing your KB to fail on first prompt is the same root cause, lazy initialization of the tool connections at session start.

    Please upvote and accept the answer if it helps!

    Was this answer helpful?

    0 comments No comments

  2. Jose Benjamin Solis Nolasco 9,451 Reputation points Volunteer Moderator
    2026-06-22T15:30:26.8966667+00:00

    Welcome to Microsoft Q&A

    Hello @Mohamed Nassar I hope you are doing well,

    Check please the following things:

    1. Switch to Managed Identity (Recommended): If your Logic App and Azure AI Foundry project are in the same Azure tenant, switch the tool's authentication method from Key-Based to Managed Identity. This avoids the Key Vault lazy-loading latency entirely.
    2. Implement a Warm-up Ping: If you must remain on key-based authentication, design your client application to send a silent initialization prompt (like a hidden "hello") when a new session is created. This forces the credential fetch to occur in the background, ensuring the user's first actual prompt has the cached key ready.
    3. Check Key Vault Network Access: Ensure that the Azure Key Vault storing your API key has the "Allow trusted Microsoft services to bypass this firewall" option enabled. Network latency during the initial fetch exacerbates this 401 race condition.

    Could you please check the official Microsoft documentation and let me know if the issue still persists?

    References

    Authenticate and authorize access to Azure AI Foundry

    Integrate MCP servers with Azure AI Foundry

    If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily.

    Was this answer helpful?

    0 comments No comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.