How to create a remote agent exposed via A2A in Foundry?

[buzahid]

In the Foundry portal, I created and published an agent MyAgent:

I created another agent a2a-test to try and connect to this agent using the custom Agent2agent tool, however I'm seeing an error ErrorFailed to fetch agent card: Response status code does not indicate success: 401 (PermissionDenied).

What is the correct way to use the A2A protocol with agents created in Foundry?

[leestott]

Hi @buzahid

Why you are seeing the 401 (PermissionDenied)

Agents created and published in the Foundry portal (like MyAgent) are not exposed as public A2A servers. The “Activity Protocol endpoint” and “Responses API endpoint” shown in the Foundry UI are internal, authenticated endpoints intended for Microsoft 365 Copilot and Foundry‑managed runtimes. They do not expose a public A2A agent card endpoint.

When your a2a-test agent tries to use the Agent2Agent (A2A) tool to fetch the agent card for a Foundry‑hosted agent, the request fails with 401 (PermissionDenied) because:

• The endpoint is not a public A2A endpoint
• It requires Foundry/M365‑scoped authentication
• Anonymous or external A2A card resolution is not supported for Foundry‑hosted agents

This behavior is expected with the current Foundry architecture.

What is supported today

1. Foundry agent calling an external A2A agent (supported)

The A2A tool in Foundry is designed for this pattern:

• A Foundry agent acts as the A2A client
• The remote agent is hosted externally (for example, Azure Container Apps, Functions, VM, or another service)
• The remote agent implements the A2A protocol and exposes a public agent card endpoint
• That external agent is registered in Foundry as an A2A connection
• Authentication is configured (shared identity or delegated identity)

Official docs:
https://learn.microsoft.com/azure/ai-foundry/agents/how-to/tools/agent-to-agent
https://learn.microsoft.com/azure/ai-foundry/agents/concepts/agent-to-agent-authentication

2. Foundry agent to Foundry agent composition (do NOT use A2A)

If both agents live inside Foundry, the correct approach is:

• Connected Agents
• Multi‑Agent Workflows

These are native Foundry composition mechanisms. A2A is not used for Foundry‑to‑Foundry agent calls.

Reference:
https://techcommunity.microsoft.com/blog/azure-ai-foundry-blog/building-a-digital-workforce-with-multi-agents-in-azure-ai-foundry-agent-service/4414671

What is NOT supported

• Using A2A to call a Foundry‑hosted agent from another Foundry‑hosted agent
• Treating a Foundry‑published agent as a public A2A server
• Fetching an A2A agent card from the Foundry “Activity Protocol endpoint”

Key Considerations

• Foundry agents are A2A consumers, not A2A servers
• A2A is for Foundry → external agents
• Foundry → Foundry agent orchestration should use Connected Agents or Workflows
• A 401 PermissionDenied when fetching an agent card from a Foundry agent endpoint is expected

Hope this clarifies your question.

[hhoeksel]

Hi Lee,

Does this also apply to the agents in the new foundry? As far as I am aware the connected agents feature was removed.

I am currently trying (and strugling!) doing the same thing and was also looking at the agent 2 agent connector.

Best regards, Hans