Share via

I am facing issue while trying to connect function app with agent using openapi

Surya Chauhan 0 Reputation points
2026-03-07T12:15:37.09+00:00

The schema I have used is
{

"openapi": "3.0.1",

"info": {

"title": "HelloMedicalAgent",

"version": "1.0.0"

},

"servers": [

{

"url": "https://xxxx.canadacentral-01.azurewebsites.net"

}

],

"paths": {

"/api/analyze_symptoms": {

"post": {

"operationId": "analyzeSymptoms",

"summary": "Analyze symptoms",

"requestBody": {

"required": true,

"content": {

"application/json": {

"schema": {

"type": "object",

"properties": {

"name": {

"type": "string"

              }

            },

"required": [

"name"

            ]

          }

        }

      }

    },

"responses": {

"200": {

"description": "Success",

"content": {

"application/json": {

"schema": {

"type": "object",

"properties": {

"message": {

"type": "string"

                }

              }

            }

          }

        }

      }

    }

  }

}

}

}

I am using managed identity as authentication and my function app code is

import azure.functions as func

import logging

import json

app = func.FunctionApp(http_auth_level=func.AuthLevel.ANONYMOUS)

@app.route(route="analyze_symptoms", methods=["POST"])

def agentfunc(req: func.HttpRequest) -> func.HttpResponse:

logging.info("Processing request")

try:

body = req.get_json()

name = body.get("name", "Guest")

except ValueError:

name = "Guest"

response = {

"message": f"Hello {name}, your sympxtoms were received"

}

return func.HttpResponse(

json.dumps(response),

status_code=200,

mimetype="application/json"

)

When I add to my agent as tool I am getting below error

{

id: "call_6yKcWS5m8HDKvS5R4zrEzzbI"

type: "openapi"

function: {

name: "HelloTool_analyzeSymptoms"

arguments: "{"name":"John"}"

output: "content_type='system_error' name='ValueError' text="Encountered exception: <class 'ValueError'>.""

}

}

Azure OpenAI Service
Azure OpenAI Service

An Azure service that provides access to OpenAI’s GPT-3 models with enterprise capabilities.

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Karnam Venkata Rajeswari 565 Reputation points Microsoft External Staff Moderator
    2026-03-20T11:48:32.7266667+00:00

    Hello Surya Chauhan,

    Welcome to Microsoft Q&A .Thank you for reaching out.

    The integration is correctly configured. The failure is caused by an unsupported token audience value in the agent’s managed identity configuration, preventing authentication from reaching the function app.

    The expected flow is that the

    1. Agent acquires a Managed Identity access token
    2. Token is sent to the Function App
    3. Function App validates the token via Entra ID
    4. Function code executes and returns a response

    However, the Agent tool call fails with a system_error / ValueError, while the Function App shows zero invocations.

    From the provided information and screenshots , we can see that the Invocation count = 0 .This confirms the Function code is never executed. The failure occurs before the request reaches the function app runtime at the authentication layer.

    The identified root cause is that the Agent’s Managed Identity is requesting an access token using an unsupported audience value for Azure Function App authentication.While the function app allows multiple token audiences, Azure AI Agent + Managed Identity authentication reliably works only when the audience is set to the Application ID URI of the Function App’s Entra ID app registration

     format: api://<client-id>

    Using the Function App URL

    https://<app>.azurewebsites.net

    as the audience causes the token validation to fail silently.

    Please check if the following resolution steps help:

    1. Update Agent OpenAPI Tool Configuration

    • Authentication method: Managed Identity
    • Audience:
    api://<Function App Application (client) ID>

    2. Verify Function App Authentication

    • Authentication enabled (Entra ID)
    • Allowed token audiences include:
    api://<client-id>

    3.Please do not rely on IAM (RBAC) for inbound calls

    • RBAC controls resource management only
    • HTTP access is governed by Entra ID authentication

    4. As a validation check after updating the audience , see if

    • Function invocation count increases
    • Agent receives a successful response
    • No code changes required in the Function App

    References:

    Secure OpenAPI tool calls from Foundry Agent Service - Azure App Service | Microsoft Learn

    Connect OpenAPI tools to Microsoft Foundry agents - Microsoft Foundry | Microsoft Learn

    Thank you!

    0 comments
  2. Marcin Policht 83,190 Reputation points MVP Volunteer Moderator
    2026-03-07T13:50:11.37+00:00

    The error you're encountering, ValueError, suggests that the function may not be properly handling the input from the agent. Specifically, it seems that the function is having trouble parsing the input or the structure of the request body.

    Your OpenAPI specification indicates that the name field is required in the request body, but the function might not be handling the case where name is missing or malformed properly.

    Try modifying your function to handle missing or invalid inputs more gracefully. Below is an updated version of the function:

    import azure.functions as func
import logging
import json

app = func.FunctionApp(http_auth_level=func.AuthLevel.ANONYMOUS)

@app.route(route="analyze_symptoms", methods=["POST"])
def agentfunc(req: func.HttpRequest) -> func.HttpResponse:
    logging.info("Processing request")

    try:
        body = req.get_json()
        name = body.get("name", None)

        if not name:
            return func.HttpResponse(
                json.dumps({"message": "Name is required"}),
                status_code=400,
                mimetype="application/json"
            )
    except ValueError:
        return func.HttpResponse(
            json.dumps({"message": "Invalid JSON format"}),
            status_code=400,
            mimetype="application/json"
        )

    response = {
        "message": f"Hello {name}, your symptoms were received"
    }
    return func.HttpResponse(
        json.dumps(response),
        status_code=200,
        mimetype="application/json"
    )

    This version includes better error handling. It will now return a 400 status code with an appropriate message if the name is missing or if the request body is not valid JSON.

    Ensure that the agent is passing a valid JSON object with the name field, like this:

    {
  "name": "John"
}

    You can test the function independently using tools like Postman or cURL. For example, using cURL:

    curl -X POST https://xxxx.canadacentral-01.azurewebsites.net/api/analyze_symptoms \
-H "Content-Type: application/json" \
-d '{"name": "John"}'

    This should return a response like:

    {
  "message": "Hello John, your symptoms were received"
}

    Once this is working correctly, you can retry integrating it with your agent.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.