Microsoft Agent Framework

Preventing OWASP ASI03 Identity and Privilege Abuse in a .NET AI agent with Entra Agent ID, RBAC, federated credentials, and per-action authorization.

Preventing Identity and Privilege Abuse in AI Agents

One of the challenges I faced developing an agent for my side project (Biotrackr) was how do I manage identity. Some AI Agents share the same service principals or managed identity with the application, which is used to authenticate API calls, access databases etc. This is an issue, because if the application has contributor access to a database, so does the agent. If the agent gets compromised, then the blast radius extends to the entire application’s permission scope. ...

Preventing OWASP ASI02 Tool Misuse in a .NET AI agent with date range limits, page size caps, read-only tools, egress controls, and managed identity.

Preventing Tool Misuse in AI Agents

In my side project (Biotrackr), I have a chat agent that I use to query my data using natural language. This agent has 12 tools that call APIs to retrieve data that provides context to a LLM. I’m using Claude as my LLM provider, so Claude will decide which tool to call, and with what parameters. Let’s pretend that we are bad actors trying to disrupt my agent. Say we decide to prompt inject the agent, and get it to perform an expensive query to retrieve 100 years of data (I’m not that old thankfully!) in an attempt to return a massive payload, consume thousands of Claude API tokens, and hammer my APIM gateway. ...

Preventing OWASP ASI05 Unexpected Code Execution in a .NET AI agent with input validation, non-root containers, static tool registration, and runtime monitoring.

Preventing Unexpected Code Execution in AI Agents

Can your AI Agent run code? If not, you probably don’t think that unexpected code execution applies to you. However, this goes a lot deeper than eval(). Input validation, container security, static analysis, and runtime monitoring all play a part here. Even an Agent with read-only capabilities and no code interpreter has an execution environment, tool parameters that flow from LLM output, and a CI/CD pipeline that needs to be secure. ...

Building a health data chat agent using Claude as the LLM backend with the Microsoft Agent Framework in .NET 10, featuring function tools, AG-UI streaming, and system prompt design.

Building a Health Data Chat Agent with Claude and the Microsoft Agent Framework

Using the Microsoft Agent Framework, we can build agents that interact with our data via chat capabilities. In my personal project, I decided to create a Chat API that allows me to query my data via a chat interface using an LLM. I wasn’t keen on using OpenAI, or even provisioning Microsoft Foundry to create a deployment so that I could use an LLM that they provide. I decided to just grab an API key for Anthropic so that I could use Claude, and hook it up into my agent so I wouldn’t have to worry about managing any Foundry infrastructure. ...

For models that don't support underlying in-service memory capabilities, the Microsoft Agent Framework allows you to use third party solutions to store agent chat history.

How to Store Chat History Using External Storage in Microsoft Agent Framework

Chat history and memory allow agents to maintain context across conversations and remember user preferences, which enables agents to provide personalized experiences. Using the Microsoft Agent Framework, we can use in-memory chat message stores, persistent databases, and specialized memory services to cater to a variety of different use cases. In this article, I’ll show you a simple example of how we can use an Azure Cosmos DB Vector store to store conversations we have with an agent, and how we can retrieve conversations so that our agents can maintain context. ...