
Azure AI Foundry — Agent Application identity provisioning stuck at "Creating" in East US 2, blocks A2A orchestration with 401

EV Admin 10 Reputation points
2026-02-28T11:01:24.7266667+00:00

I'm setting up Agent-to-Agent (A2A) orchestration in Azure AI Foundry (New) and both of my published Agent Applications have their identity provisioning permanently stuck at "Creating".

Environment

  • Region: East US 2
  • API Version: 2025-10-01-preview

Problem

When I query the Agent Application resources via ARM API (GET .../applications/{name}?api-version=2025-10-01-preview), the top-level provisioningState shows "Succeeded", but the nested identity states are stuck:


"agentIdentityBlueprint": { "provisioningState": "Creating" },

"defaultInstanceIdentity": { "provisioningState": "Creating" }

The Entra ID service principals do exist and are enabled — the identities were created, but the provisioning state never transitioned to "Succeeded".

Impact

This blocks A2A tool calls. When my orchestrator agent tries to invoke a sub-agent via the a2a_preview tool, I get:


Error code: tool_user_error

Error message: 400 Failed to fetch agent card: Response status code does not indicate success: 401 (PermissionDenied)

I've verified:

  • RBAC is correct: Azure AI User role assigned on the Agent Application resources for both the orchestrator's agentic identity and the project managed identity
  • Direct endpoint calls work: Calling the Agent Application endpoint with a user bearer token returns 200 OK
  • Auth type doesn't matter: Tested with both AgenticIdentityToken and ProjectManagedIdentity connection types — same 401
  • Cannot modify or delete the stuck resources: PUT and DELETE operations return SystemError from managementfrontend in eastus2

Additional details

  • Two separate Agent Applications are affected, suggesting this is systemic in the region rather than resource-specific

Questions

  1. Is there a known issue with Agent Application identity provisioning in East US 2?
  2. Is there a way to re-trigger or unstick the identity provisioning?
  3. Would creating the Foundry resource in a different region (e.g., Sweden Central) avoid this issue?
Foundry Tools

Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform


2 answers

  1. Karnam Venkata Rajeswari 565 Reputation points Microsoft External Staff Moderator
    2026-03-23T14:35:24.7033333+00:00

    Hello EV Admin,

    Welcome to Microsoft Q&A, and thank you for reaching out.

    The observed behaviour is consistent with a scenario where the Agent Application completes provisioning at the control‑plane level while the associated agent identities continue to finalize in the background. In such cases, the top‑level provisioning state may show as successful even though the dependent identity components have not yet fully transitioned.

    Agent identity provisioning is an asynchronous process. Agent identities and their related blueprints are automatically created and managed through Entra ID, with a lifecycle that is independent of the parent Agent Application resource. Until this identity lifecycle completes, dependent scenarios—such as Agent‑to‑Agent orchestration—may encounter temporary authorization issues, including 401 responses. Management operations on the Agent Application can also remain restricted during this transition period, even when the service principals already exist and are enabled.

    Agent identities are fully platform‑managed and cannot be manually forced into a new provisioning state through update or patch operations. If identity provisioning remains incomplete for an extended period, the following practical steps may help move forward:

    Please check whether the following troubleshooting steps help:

    1. Please allow additional time for background identity reconciliation to complete.
    2. Validate that the required RBAC assignments are present at both the Agent Application scope and the project scope.
    3. Confirm that the Agent Application identities exist and are enabled in Entra ID.
    4. Then recreate the affected Agent Application to allow identity provisioning to restart cleanly.
    5. Kindly avoid repeated update or delete attempts while the identity state is still transitioning.

    If the behaviour continues after these steps, deploying the same configuration in another supported region can help determine whether the behavior is region‑specific. Azure AI Foundry Agent Service availability, supported features, and preview capabilities can vary by region, and infrastructure readiness may differ.

    When using Agent Service features, all dependent resources must reside in the same region. Creating a new Foundry resource and Agent Applications in an alternate supported region may allow identity provisioning to complete successfully and unblock Agent‑to‑Agent orchestration.

     

    References:

    Manage agent identities with Microsoft Entra ID - Microsoft Foundry | Microsoft Learn

    Quotas and limits for Microsoft Foundry Agent Service - Microsoft Foundry | Microsoft Learn

     

    Thank you!
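The check discussed above, where the top-level provisioningState reads "Succeeded" while nested identity states do not, written as an added example that is not part of the original thread or of any Microsoft tooling. It takes the already-fetched JSON body of the GET call and makes no network request; the "properties" wrapper and the resource name in the sample are assumptions, which is why the walker searches at any depth.

```python
import json

# Constructed sample: the two identity objects mirror the snippet in the
# question; the "properties" wrapper and the name are assumptions.
SAMPLE_RESPONSE = json.loads("""
{
  "name": "example-agent-app",
  "properties": {
    "provisioningState": "Succeeded",
    "agentIdentityBlueprint": { "provisioningState": "Creating" },
    "defaultInstanceIdentity": { "provisioningState": "Creating" }
  }
}
""")


def provisioning_states(node, path=""):
    """Yield (json_path, state) for every provisioningState at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "provisioningState" and isinstance(value, str):
                yield child, value
            else:
                yield from provisioning_states(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from provisioning_states(item, f"{path}[{i}]")


def identity_readiness(resource):
    """Return (ready, pending). ready is True only when every state found
    is 'Succeeded'; pending maps each other path to its reported state."""
    states = dict(provisioning_states(resource))
    pending = {p: s for p, s in states.items() if s.lower() != "succeeded"}
    # A body with no state at all is treated as not ready.
    return (bool(states) and not pending), pending


if __name__ == "__main__":
    ready, pending = identity_readiness(SAMPLE_RESPONSE)
    print("all provisioning states Succeeded:", ready)
    for path, state in pending.items():
        print(f"  {path} = {state}")
```

Running the same function against each Agent Application before connecting it as an A2A tool gives a record of which nested identity is still pending, which is useful evidence for a support case.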


  2. kagiyama yutaka 1,320 Reputation points
    2026-02-28T11:07:13.8566667+00:00

    I think you’re hitting the eastus2 stamp drift… once the agent id freezes in “Creating” it won’t self‑heal, so just dup it into a clean region (swedencentral’s fine) and let support unstick the old backend for you.

