Skip to main content

Microsoft Agent Framework Makes Tool and File Access Approval-by-Default

Nitin Kumar Singh
Author
Nitin Kumar Singh
I build enterprise AI solutions and cloud-native systems. I write about architecture patterns, AI agents, Azure, and modern development practices — with full source code.
Microsoft Agent Framework Makes Tool and File Access Approval-by-Default

Microsoft Agent Framework’s latest releases — Python 1.10.0 (June 30) and .NET 1.12.0 (July 2) — change a security default that’s easy to miss in the changelog: agent tools and file access now require approval unless you opt out. Both land as breaking changes.

What changed:

  • All SkillsProvider tools require approval by default (Python).
  • File-access tools require approval, with a read-only auto-approval tier.
  • New pre-tool-use hooks — on_pre_tool_use (Python), OnPreToolUse + ApprovalRequiredAIFunction (.NET) — let you route approvals through your own policy instead of a human every time.
  • The GitHub Copilot provider now enforces approval; Foundry hosted-agent toolboxes gained OAuth consent.

Why it matters: for anyone running MAF agents in production, this is the right default. An agent that can call any registered tool or touch the filesystem without a gate is the blast radius for prompt injection — the exact failure mode covered in AI Security: Prompt Injection, Jailbreaks, and Guardrails. Making approval the default instead of an opt-in flag forces you to decide what an agent may actually do.

The catch: it’s a breaking change. Harness and skills code that assumed silent tool execution will start blocking on approval after you upgrade. Audit your SkillsProvider and file providers and wire an approval handler — or lean on the read-only tier — before you bump the version.

Also landing in these releases:

  • Durable long-running agents — standalone Durable Task worker hosting for MAF workflows, background agent loops, and a BackgroundTaskCompletionLoopEvaluator on .NET.
  • Two protocol bumps to plan for — Foundry Hosted Agent V2 (Python) and Azure.AI.AgentServer 2.0.0 (.NET), both breaking.

If you’re following the MAF series here, the approval-by-default shift is the one to act on first.