Microsoft Agent Framework’s latest releases — Python 1.10.0 (June 30) and .NET 1.12.0 (July 2) — change a security default that’s easy to miss in the changelog: agent tools and file access now require approval unless you opt out. Both land as breaking changes.
What changed:
- All
SkillsProvidertools require approval by default (Python). - File-access tools require approval, with a read-only auto-approval tier.
- New pre-tool-use hooks —
on_pre_tool_use(Python),OnPreToolUse+ApprovalRequiredAIFunction(.NET) — let you route approvals through your own policy instead of a human every time. - The GitHub Copilot provider now enforces approval; Foundry hosted-agent toolboxes gained OAuth consent.
Why it matters: for anyone running MAF agents in production, this is the right default. An agent that can call any registered tool or touch the filesystem without a gate is the blast radius for prompt injection — the exact failure mode covered in AI Security: Prompt Injection, Jailbreaks, and Guardrails. Making approval the default instead of an opt-in flag forces you to decide what an agent may actually do.
The catch: it’s a breaking change. Harness and skills code that assumed silent tool execution will start blocking on approval after you upgrade. Audit your SkillsProvider and file providers and wire an approval handler — or lean on the read-only tier — before you bump the version.
Also landing in these releases:
- Durable long-running agents — standalone Durable Task worker hosting for MAF workflows, background agent loops, and a
BackgroundTaskCompletionLoopEvaluatoron .NET. - Two protocol bumps to plan for — Foundry Hosted Agent V2 (Python) and Azure.AI.AgentServer 2.0.0 (.NET), both breaking.
If you’re following the MAF series here, the approval-by-default shift is the one to act on first.

