feat(agent-framework): Add Purview policy enforcement and pin compatible package versions #274
Open
Rishabh4275 wants to merge 3 commits into microsoft:main from
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds optional Microsoft Purview policy enforcement to the Python Agent Framework sample while pinning SDK package versions to a known-compatible set to prevent upstream import/rename breakages.
Changes:
- Pin `agent-framework-*` and `microsoft_agents_a365_*` dependencies to specific compatible versions and document why.
- Add opt-in Purview policy middleware initialization with multiple auth modes.
- Attach a resolved AAD user GUID to each message via `ChatMessage.additional_properties` for Purview evaluation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| python/agent-framework/sample-agent/pyproject.toml | Pins Agent Framework + A365 SDK versions and adds rationale/comments for the constraints. |
| python/agent-framework/sample-agent/agent.py | Adds Purview middleware setup and passes a validated user GUID in message metadata. |
| python/agent-framework/sample-agent/.env.template | Documents and templates Purview configuration and supported auth modes. |
Summary
Adds optional Microsoft Purview policy enforcement to the Agent Framework samples (Python and .NET) and migrates both samples to the latest Agent Framework SDKs.
.NET (`dotnet/agent-framework/sample-agent/`)

SDK & runtime upgrades
- `net8.0` → `net10.0`.
- `Microsoft.Agents.AI` upgraded `1.0.0-preview.251113.1` → `1.3.0` (stable).
- `Azure.Identity` upgraded `1.17.0` → `1.21.0`.
- `Microsoft.Agents.AI.Purview` `1.3.*-*`.

Migration to the 1.3.0 agent API (`Agent/MyAgent.cs`)
- `ChatClientAgent(ChatClientAgentOptions)` constructor to the new `(chatClient, instructions, name, description, tools)` constructor.
- `AgentThread` → `AgentSession` (`GetNewThread` / `DeserializeThread` → `CreateSessionAsync` / `DeserializeSessionAsync` / `SerializeSessionAsync`). The thread-management helper is now `GetConversationSessionAsync`.
- `ChatMessageStoreFactory` + `MessageCountingChatReducer(10)` setup — chat history is now managed by the new `AgentSession` API.

Purview integration
- `PurviewUserIdStampingClient.cs` — a `DelegatingChatClient` that stamps every `ChatRole.User` message with `AdditionalProperties["userId"]` before it reaches the Purview middleware. Required because `ClientSecretCredential` is an app-level token from which Purview cannot infer the user.
- `Program.cs` — `WithPurview()` is added to the `IChatClient` pipeline using `ClientSecretCredential`. Opt-in: only enabled when `Purview:ClientAppId`, `AppName`, `TenantId`, and `ClientSecret` are all set; gracefully skipped otherwise.
- `appsettings.json` / `appsettings.Playground.json` — added a `Purview` section (`ClientAppId`, `AppName`, `TenantId`, `ClientSecret`, `UserId`).

Streaming + thread-history fixes for Purview-blocked turns (`Agent/MyAgent.cs`)
- `ChatRole.Assistant`. Purview emits its block message as a `System`/`Tool` chunk; the previous filter silently swallowed it. All non-empty text chunks are now forwarded.
- `"No response was produced for that request..."`) when the SDK streams nothing at all, instead of letting `EndStreamAsync` throw a bare exception to the user.

Python (`python/agent-framework/sample-agent/`)

Chat client switch (`agent.py`, `AGENT-CODE-WALKTHROUGH.md`)
- `agent_framework.azure.AzureOpenAIChatClient` → `agent_framework.openai.OpenAIChatClient` configured for Azure (`azure_endpoint`, `api_version`).
- `AzureOpenAIChatClient` -> `/openai/deployments/...` API surface mismatch with the latest Azure OpenAI v1 endpoint, which only accepts `api-version=preview` on `/openai/v1/responses`.
- `ChatAgent` → `Agent` (the renamed top-level class in current `agent-framework`).
- `AzureCliCredential` auth, selected by presence of `AZURE_OPENAI_API_KEY`.

Purview integration (`agent.py`)
- `_build_purview_middleware()` wires `PurviewPolicyMiddleware` into the `Agent` at creation time.
- `PURVIEW_CLIENT_APP_ID` is set; logs `"ℹ️ Purview not configured"` and continues without it otherwise.
- `process_user_message` now wraps the user input in a `Message` with `additional_properties={"user_id": ...}`. The user id is resolved from the activity's `aad_object_id` if it's a valid UUID, falling back to `PURVIEW_DEFAULT_USER_ID` (covers Agents Playground, which sends synthetic non-GUID user ids).
- `_valid_guid()` helper validates user-id strings before they're sent to Purview.

`DISABLE_MCP` escape hatch (`agent.py`, `.env.template`)
- `setup_mcp_servers()` now honors `DISABLE_MCP=true` and skips MCP tool registration entirely. Useful for local Agents Playground runs where the cloud MCP servers reject requests because the playground has no real M365 tenant context.

Dependencies (`pyproject.toml`)
- `agent-framework` (top-level package, required for the renamed `Agent` class).
- `agent-framework-purview` (Purview middleware).

Configuration template (`.env.template`)
- `Purview Policy Enforcement` section documenting all `PURVIEW_*` env vars and the three auth modes.
- `DISABLE_MCP` toggle with a comment explaining when to use it.

How to test

Python
- `pip install -e .` (or `uv pip install --prerelease=allow -e .`) in `python/agent-framework/sample-agent/`.
- `PURVIEW_CLIENT_APP_ID` empty → agent boots and logs `"ℹ️ Purview not configured"`.
- `PURVIEW_CLIENT_APP_ID`, `PURVIEW_CLIENT_SECRET`, `PURVIEW_TENANT_ID` → agent logs `"✅ Purview policy middleware enabled"` and Purview is consulted on every turn.
- `DISABLE_MCP=true` to skip MCP registration.

.NET
- `dotnet build dotnet/agent-framework/sample-agent/AgentFrameworkSampleAgent.csproj` (requires .NET 10 SDK).
- `ASPNETCORE_ENVIRONMENT=Playground` and fill in `appsettings.Playground.json`.
- `dotnet run --project dotnet/agent-framework/sample-agent/AgentFrameworkSampleAgent.csproj`.
- `"---"` → agent runs without the middleware.
- `"Prompt blocked by policies"` to the user, and a normal follow-up message proceeds without being poisoned by the blocked turn.
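
The user-id handling that the review overview and the Python section describe (take the activity's `aad_object_id` when it is a valid GUID, otherwise fall back to `PURVIEW_DEFAULT_USER_ID`), as an added example that is not code from this pull request. The function names, the strict canonical-form check, the returned source label, the choice to send no `user_id` when nothing resolves, and the sample ids are assumptions made for illustration.

```python
import re

# Canonical 8-4-4-4-12 hex form only. uuid.UUID() on its own also accepts
# braces, a "urn:uuid:" prefix and un-hyphenated hex, so a bare
# try/uuid.UUID(value) check lets non-canonical strings through.
_CANONICAL_GUID = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)


def valid_guid(value):
    """Return True only for a string in canonical GUID form."""
    return isinstance(value, str) and bool(_CANONICAL_GUID.fullmatch(value))


def resolve_purview_user_id(aad_object_id, env):
    """Pick the user id to stamp on a message and report where it came from.

    Returns (user_id, source); source is "activity", "default" or "none".
    """
    if valid_guid(aad_object_id):
        return aad_object_id.lower(), "activity"
    fallback = env.get("PURVIEW_DEFAULT_USER_ID", "").strip()
    if valid_guid(fallback):
        # Every turn that lands here is evaluated as one shared identity,
        # so the source is returned for the caller to log.
        return fallback.lower(), "default"
    return None, "none"


def build_additional_properties(aad_object_id, env):
    """Build the per-message metadata dict; empty when no id resolves
    (assumption: the caller decides whether to proceed without one)."""
    user_id, source = resolve_purview_user_id(aad_object_id, env)
    return ({"user_id": user_id} if user_id else {}), source


# Constructed sample inputs, not taken from the pull request.
SAMPLE_ENV = {"PURVIEW_DEFAULT_USER_ID": "11111111-2222-3333-4444-555555555555"}
SAMPLE_IDS = [
    "A1B2C3D4-0000-4000-8000-1234567890AB",    # real-looking AAD object id
    "playground-user",                         # synthetic non-GUID id
    "{a1b2c3d4-0000-4000-8000-1234567890ab}",  # braces: uuid.UUID accepts it
    None,                                      # activity carried no id
]

if __name__ == "__main__":
    for sample in SAMPLE_IDS:
        print(repr(sample), "->", build_additional_properties(sample, SAMPLE_ENV))
```

Logging the returned source on each turn shows how much traffic is being evaluated under the shared default identity rather than the caller's own.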