I am working with the following architecture:
1. API layer (public client) secured with Microsoft Entra ID using Authorization Code Flow with PKCE.
2. The API calls a Microsoft Foundry Orchestration agent (multi-agent system).
3. The orchestration agent triggers sub-agents, some of which use custom MCP servers as tools.
4. The MCP servers are also protected using the same Entra ID application as the API layer.
The difficulty is that, in a multi-agent setup, sub-agents are created by the orchestrator, not by the API layer. Therefore the API layer cannot directly issue access tokens for those MCP servers.
What I need to understand
1. What is the recommended way to handle access tokens between these layers when all components are protected by Entra ID?
Is each layer expected to acquire its own token?
Or is a single access token expected to be forwarded downstream?
2. How should a sub-agent obtain a token for the MCP server when:
It is instantiated by the orchestration agent,
The API layer cannot trigger its creation or inject a token,
The MCP server requires an Entra ID access token.
What I have tried:
In a single-agent setup, the API layer can obtain tokens both for the agent and for the MCP server and everything works.
In a multi-agent setup, I cannot determine how a sub-agent—created internally by the orchestrator—should obtain an access token for the MCP server without direct involvement from the API layer.
Question:
How should token acquisition be implemented correctly in this multi-agent architecture, and how can sub-agents securely obtain Entra ID access tokens for the MCP server when they are spawned by the orchestrator?
