It's not possible to link a MCP to an Agetn if the MCP requires authentication

[DennesTorres]

• Package Name: azure.ai.project
• Package Version: 1.0.0 and 1.1.0b3
• Operating System: Window
• Python Version: 3.9

Describe the bug
When creating an agent with a MCP server which requires authentication, the update_headers method seems to be ignored. After creating the agent, when trying to use it in Foundry playground it returns a permission denied.

Error message when using the agent:

Error
tool_server_error: MCP Connector error. Http status: 424, error details: Error retrieving tool list from MCP server: 'products'. Http status code: 401 (Unauthorized) RunId: run_wQg5RYVQv3DHya2gqUASIhJx

To Reproduce
Steps to reproduce the behavior:

1. create an MCP which requires authentication. In my tests, I used an azure function (https://devblogs.microsoft.com/dotnet/build-mcp-remote-servers-with-azure-functions/)
2. Create an agent linked to the MCP using the code below
3. Access the agent in the playground an try a question

import os, time
from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential
from azure.identity import InteractiveBrowserCredential
from azure.ai.agents.models import (
AsyncToolSet,
ListSortOrder,
McpTool,
RequiredMcpToolCall,
RunStepActivityDetails,
SubmitToolApprovalAction,
ToolApproval,
)

Get MCP server configuration from environment variables

mcp_server_url = "https://datasamplemcp.azurewebsites.net/runtime/webhooks/mcp/sse"
mcp_server_label = "products"

credential = InteractiveBrowserCredential()

project_client = AIProjectClient(
endpoint="https://myfoundyowrc.services.ai.azure.com/api/projects/mytokagentsowrc", # Replace with your endpoint
credential=credential)

Initialize agent MCP tool

mcp_tool = McpTool(
server_label=mcp_server_label,
server_url=mcp_server_url
)

mcp_tool.allow_tool("list_categories")
mcp_tool.allow_tool("list_products")
mcp_tool.allow_tool("list_productbycategory")

mcp_tool.update_headers("x-functions-key", "Sp1RjYId1RRc8SqHZxeNQg2b6ypIUqR3Mf60W3GPa73bAzFuYdd-TQ==")

mcp_tool.set_approval_mode("never")

agent = project_client.agents.create_agent(
model="callable objegpt-4o",
name="my-mcp-agent",
headers={"x-ms-enable-preview": "true"},
instructions="You are an agent capable to use the MCP tools attached to answer questions about products and product categories. You are capable to analyse the data returned in order to answer the questions correctly",
tools=mcp_tool.definitions,
tool_resources=mcp_tool.resources
)

Expected behavior
A) The agent should keep the authentication and not create an error.
B) In future passthrough scenarios, the agent should be the one requiring the authentication and passing it forward.

What should not happen is the client have the need to pass authentication information about the tools. The tools should be encapsulated, the client should know what they do but not their structure to the level to control the authentication of each one. This is not a client task

Screenshots

Additional context
Add any other context about the problem here.

[github-actions]

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dargilco @glharper @howieleung @jhakulin @nick863 @trangevi.

[xiangyan99]

@DennesTorres Thanks for reaching out.

Just a friendly reminder that you may accidentally expose your key. Please rotate it.