Description
I'm setting up Agent-to-Agent (A2A) orchestration in Azure AI Foundry (New) and both of my published Agent Applications have their identity provisioning permanently stuck at "Creating".
Environment
- Region: East US 2
- API Version: 2025-10-01-preview
Problem
When I query the Agent Application resources via ARM API (GET .../applications/{name}?api-version=2025-10-01-preview), the top-level provisioningState shows "Succeeded", but the nested identity states are stuck:
"agentIdentityBlueprint": { "provisioningState": "Creating" },
"defaultInstanceIdentity": { "provisioningState": "Creating" }
The Entra ID service principals do exist and are enabled — the identities were created, but the provisioning state never transitioned to "Succeeded".
Impact
This blocks A2A tool calls. When my orchestrator agent tries to invoke a sub-agent via the a2a_preview tool, I get:
Error code: tool_user_error
Error message: 400 Failed to fetch agent card: Response status code does not indicate success: 401 (PermissionDenied)
I've verified:
- RBAC is correct: Azure AI User role assigned on the Agent Application resources for both the orchestrator's agentic identity and the project managed identity
- Direct endpoint calls work: Calling the Agent Application endpoint with a user bearer token returns 200 OK
- Auth type doesn't matter: Tested with both AgenticIdentityToken and ProjectManagedIdentity connection types — same 401
- Cannot modify or delete the stuck resources: PUT and DELETE operations return SystemError from managementfrontend in eastus2
Additional details
- Two separate Agent Applications are affected, suggesting this is systemic in the region rather than resource-specific
Questions
- Is there a known issue with Agent Application identity provisioning in East US 2?
- Is there a way to re-trigger or unstick the identity provisioning?
- Would creating the Foundry resource in a different region (e.g., Sweden Central) avoid this issue?
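Added example, not part of the original issue and not Microsoft's code: a check that walks a saved ARM GET response and reports nested identity states that are still non-terminal while the outermost provisioningState says "Succeeded", which is the mismatch described above. The sample document is constructed, and placing the identity objects under "properties" is an assumption; the walk itself does not depend on that layout.

```python
import json

# ARM terminal provisioning states; any other value means "still in progress".
TERMINAL_STATES = {"succeeded", "failed", "canceled"}


def provisioning_states(node, path=""):
    """Yield (json_path, state) for every provisioningState at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "provisioningState" and isinstance(value, str):
                yield child, value
            else:
                yield from provisioning_states(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from provisioning_states(item, f"{path}[{i}]")


def stuck_identities(resource):
    """Nested non-terminal states on a resource whose outermost state is Succeeded.

    If the outermost state is missing or not Succeeded, the deployment is still
    running (or failed as a whole), so nested "Creating" is not a mismatch.
    """
    states = list(provisioning_states(resource))
    # The outermost provisioningState is the one with the shallowest path.
    top = min(states, key=lambda s: s[0].count("."), default=None)
    if top is None or top[1].lower() != "succeeded":
        return []
    return [(p, s) for p, s in states
            if (p, s) != top and s.lower() not in TERMINAL_STATES]


# Constructed sample shaped like the response fragment quoted in the issue.
SAMPLE = json.loads("""
{
  "name": "example-agent-app",
  "properties": {
    "provisioningState": "Succeeded",
    "agentIdentityBlueprint": { "provisioningState": "Creating" },
    "defaultInstanceIdentity": { "provisioningState": "Creating" }
  }
}
""")

if __name__ == "__main__":
    for path, state in stuck_identities(SAMPLE):
        print(f"{path}: {state}")
```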