Microsoft Agent Framework: Open Source SDK and Runtime for Enterprise Agent AI

Microsoft’s new open-source Microsoft Agent Framework, announced on October 1, 2025, aims to become the unified foundation for building, orchestrating, and deploying agentic AI applications across enterprise environments, bringing together ideas from Semantic Kernel and AutoGen while adding runtime features for observability, durability, and governance.

Background​

The rise of agentic AI — systems that reason, execute tasks, call external tools, and coordinate with other agents — has accelerated over the past two years. Developers and enterprises moved quickly from single-turn LLM-powered assistants to multi-step workflows that must manage state, call secure APIs, and maintain audit trails. Two earlier Microsoft projects, Semantic Kernel (focused on enterprise-ready integrations and plugins) and AutoGen (focused on experimental multi-agent orchestration patterns), served as building blocks for many agentic solutions. The Microsoft Agent Framework merges those efforts into a single, opinionated SDK and runtime with first-class support for both .NET and Python.
Microsoft positions the Agent Framework as an open-source SDK and cloud-agnostic runtime that supports:

• Graph-based multi-agent workflows and declarative agent manifests
• Model Context Protocol (MCP) for tool and context integration
• Agent2Agent (A2A) message exchange for cross-agent collaboration
• An OpenAPI-first connector design that lets agents call any API that exposes an OpenAPI spec
• Native hooks for Azure AI Foundry deployment, with built-in observability and compliance controls

These capabilities are documented in Microsoft’s official product pages and repositories and are reflected in early independent reporting and technical coverage. The framework is available on GitHub under an MIT license and is currently published as a public preview, with migration guides for existing Semantic Kernel and AutoGen users.

---

What the Microsoft Agent Framework actually is​

A combined SDK + runtime​

The Agent Framework is both a development kit (language SDKs, templates, and samples) and a runtime that executes agents in production. The SDK provides abstractions for:

• Agents — logical units that process inputs, call tools, and produce outputs;
• Tools — external capabilities (APIs, databases, MCP servers) that agents can invoke;
• Workflows — graph-based orchestrations that sequence agents, tools, and conditional logic;
• Manifests — declarative JSON/YAML definitions of agents and workflows that can be version-controlled.

The runtime implements execution semantics, state persistence, observability hooks, and the messaging glue that lets multiple agents interact deterministically.

Multi-language support​

From day one the product ships with official SDKs for .NET and Python, reflecting Microsoft’s intent to serve both traditional enterprise developers and data/ML engineers. Language-specific repositories and packages are available on GitHub and package feeds, enabling developers to consume the SDK via NuGet (.NET) and PyPI or source.

Cloud-agnostic ambition​

Although Microsoft integrates the Agent Framework tightly with Azure AI Foundry (for managed deployment, governance, and observability), the runtime is described as cloud-agnostic. That means:

• Connectors and tools are designed around OpenAPI and open protocols (MCP, A2A).
• Declarative agent manifests and OpenAPI-first design enable portability between hosting environments.
  In practice, portability will depend on connector availability, managed service features, and the surrounding compliance stack used by each vendor.

Standards-first approach​

Two open efforts are central to the framework’s interoperability claim:

• Model Context Protocol (MCP) — an open specification that standardizes how context and tools are exposed to models, enabling agents to access data stores, retrieval APIs, and function-style tools in a consistent fashion.
• Agent2Agent (A2A) — an open messaging pattern/specification for structured agent-to-agent interactions: exchanging goals, delegating work, sharing state, and returning results. A2A aims to provide a stable format for cross-runtime, cross-vendor agent collaboration.

Microsoft’s design embraces these protocols as first-class citizens to make it easier to interoperate with non-Microsoft agents and third-party MCP servers.

---

Key features and capabilities​

Graph-based orchestration and workflows​

A major selling point is graph-oriented workflows that let you visually and declaratively define sequences and dependencies between agents and tools. Typical use-cases include:

• Multi-step business processes (e.g., invoice triage → validation → approval)
• Multi-agent debate or review patterns (e.g., planner + checker + summarizer)
• Data pipelines that combine retrieval augmentation with reasoning

Graph workflows support conditional branching, parallel execution, and durable checkpoints so long-running processes survive restarts or scale-outs.

OpenAPI-first connectors​

Agents can call external services by referencing an OpenAPI specification. That lets developers:

• Auto-generate request/response bindings
• Validate inputs and outputs against the API schema
• Keep agent tooling model-agnostic (any API that publishes an OpenAPI spec becomes callable)

This reduces bespoke integration code and promotes integration hygiene for enterprise APIs.

MCP tool integration​

MCP tools enable an agent to call services that provide memory, retrieval, or structured context. The framework includes utilities to convert MCP servers into first-class tools an agent can call during a run. MCP support expands the kinds of persistent context and tool access available to agents without forcing bespoke adapters for every system.

A2A messaging for agent collaboration​

A2A support lets agents communicate in a standardized way: negotiating goals, sharing intermediate artifacts, and invoking actions. This is crucial for building ecosystems of specialized agents (for example, a legal agent, a data-extraction agent, and a compliance-checking agent) that must collaborate without a central orchestrator implementing every interaction.

Observability, durability, and compliance​

The runtime exposes:

• Logging and distributed tracing via OpenTelemetry
• Integration with Azure Monitor, Application Insights, and similar telemetry backends
• Durable checkpoints and persistent conversation state to support long-running workflows
• Authentication and governance integration (Microsoft Entra, access control)
  These capabilities are aimed squarely at enterprise needs: auditing, retention policies, and the ability to replay or inspect agent decisions for compliance or debugging.

Local-first development, cloud-first deployment​

Developers can iterate locally with the SDK and emulators, then deploy to Azure AI Foundry for production-grade hosting with built-in SLA, observability, and compliance. The workflow from local development (fast feedback) to managed deployment is part of Microsoft’s narrative around the product.

---

How it compares to Semantic Kernel and AutoGen​

Semantic Kernel emphasized enterprise-ready integrations, plugin-style architectures, and stable APIs, while AutoGen explored emergent multi-agent patterns in research and prototypes. The Agent Framework intends to:

• Keep the enterprise-grade primitives and governance expectations from Semantic Kernel
• Ingest the experimental orchestration patterns and multi-agent choreography from AutoGen
• Provide a clear migration path for users of both projects, with guides and mapping patterns to ease transition

Microsoft has said that Semantic Kernel and AutoGen will enter maintenance mode while the Agent Framework becomes the primary avenue for new feature investment. That migration path is reflected in published migration guides and release notes.

---

Enterprise implications: promise and practical gains​

Productivity and automation​

The framework lowers the engineering friction to:

• Build assistants that partially automate repetitive tasks while preserving audit trails
• Create multi-agent orchestration for complex workflows that previously required bespoke coordination code
• Reuse OpenAPI connectors and MCP tools across agents, reducing duplicate integration effort

For enterprises that already rely on Microsoft stacks (.NET, Azure, Microsoft 365), that friction reduction is meaningful: agents can plug into Microsoft Graph, SharePoint, and Teams with less custom plumbing.

Governance and observability​

Out-of-the-box observability and Entra integration make it easier to apply corporate compliance policies to agentic workloads. Persistent checkpointing and audit logs address a core enterprise requirement: showing the “how” and “why” behind automated decisions.

Ecosystem and interoperability​

A standards-first approach (MCP + A2A + OpenAPI) lowers vendor lock-in risk in theory by enabling agents to interoperate and call standardized tools. In practice, achieving cross-vendor, cross-cloud agent systems will require broad adoption of these protocols across the ecosystem.

---

Risks, gaps, and open questions​

Data exfiltration and tool trust boundaries​

Allowing agents to call arbitrary MCP servers or third-party tools introduces real risk. Agents may inadvertently send sensitive content (prompts, documents, API keys) to external MCP servers unless strict controls are in place. Microsoft’s own documentation warns developers to review data flows when integrating non-Microsoft MCP servers and to log and audit shared data. This is an area where organizational policies, architecture design, and runtime enforcement must align.

Security: prompt injection, token leakage, and supply-chain concerns​

Any agent that composes and executes external calls is vulnerable to:

• Prompt injection attacks that manipulate downstream tool calls
• Credential leakage when headers or temporary tokens are mishandled by tool adapters
• Supply-chain issues when reusable connectors or community-contributed agent manifests contain malicious code or misconfigurations

Robust runtime safeguards (sanitization, least-privilege credentials, and strong vetting of public manifests) are essential.

Governance vs. agility trade-offs​

Enterprises that demand strict data residency, auditable workflows, and minimal third-party exposure may find the openness of the framework both a benefit and a liability. While Azure AI Foundry provides a managed, governed hosting option, the framework’s cloud-agnostic promises and OpenAPI-first design mean developers can run agents outside Azure — but doing so could complicate compliance. This creates a tension: agility and hybrid deployment versus centralized governance and strict controls.

Interoperability is not automatic​

Support for MCP and A2A is a major step toward interoperability, but it does not guarantee cross-vendor plug-and-play. Differences in protocol versions, required authentication schemes, or feature gaps in MCP servers will require integration work. The existence of open protocols reduces friction but does not eliminate integration cost.

Cost and operational complexity​

Persistent, multi-agent workflows with retrieval augmentation, long-term memory, and frequent model invocations can be expensive. Enterprises must model CPU/VM costs, inference costs (if using hosted models), storage, telemetry ingestion, and operational staff time for monitoring and incident response.

Unverifiable vendor claims and marketing items​

Microsoft and partners have made customer- and performance-related claims in marketing materials. Some early adopter case studies (for example, quoted partner usage) are illustrative but may not generalize. Any specific performance, cost, or accuracy claims should be validated through proof-of-concept work within the customer’s environment. Where vendor materials make broad promises (e.g., “seamless cross-cloud interoperability”), treat them as directional goals rather than guarantees until proven in heterogeneous deployments.

---

Practical adoption playbook for IT teams​

To adopt the Agent Framework responsibly and effectively, organizations should follow a staged plan:

• Sandbox and experimentation
• Start with a limited-scope PoC that exercises the most important agent patterns (one agent + one external tool).
• Use local emulation and unit tests to validate safety rules (sanitization, token handling).
• Security and governance baseline
• Define a strict data-flow map: what leaves the tenant, what is persisted, and who can access logs.
• Use least-privilege credentials, short-lived tokens, and an enforced policy for MCP servers.
• Establish vetting for any public manifests or community-contributed connectors.
• Observability and diagnostics
• Instrument agents with distributed tracing and log correlation identifiers.
• Create dashboards and set alerts for unusual call volumes, high-latency tool calls, or failed authorizations.
• Cost modeling and limits
• Estimate model invocation costs (per call pricing), storage and telemetry ingestion costs, and capacity needs.
• Implement runtime quotas and circuit breakers to prevent runaway costs.
• Compliance and retention
• Map agent data retention to legal and regulatory requirements.
• Ensure audit logs are tamper-evident and accessible to compliance teams.
• Migration strategy
• If migrating from Semantic Kernel or AutoGen, follow the available migration guides and run integration tests for critical workflows.
• Maintain a compatibility layer for concurrent operation while migrating.
• Scale with patterns and templates
• Build internal templates for common agent patterns (onboarding assistant, invoice processor) so teams reuse vetted, secure manifests.

---

Developer experience and tooling​

Microsoft provides:

• Language SDKs and quick-start templates for .NET and Python
• Declarative manifest formats in YAML/JSON
• Visual workflow tools and VS Code integration for authoring graphs and manifests
• GitHub-hosted samples and migration guides

This combination targets both professional developers and citizen developers who need higher-level abstractions (manifests, visual workflows). The emphasis on OpenAPI and MCP means developers can often avoid writing custom adapter code for standard REST APIs and memory stores.

---

Ecosystem and standards outlook​

The Agent Framework’s embrace of MCP and A2A feeds a broader industry trend toward standardized agent plumbing. If MCP and A2A achieve cross-vendor adoption, we could see:

• Reusable agent marketplaces where agents and tools interoperate across platforms
• Easier portability for organizations that want to move workloads between cloud providers
• A richer third-party ecosystem of MCP servers and agent tooling

However, the speed and quality of adoption by other major cloud and AI vendors will determine whether those benefits materialize. Standards are necessary but not sufficient: widespread, consistent implementations, reference clients, and conformance tests matter.

---

What this means for Microsoft’s platform strategy​

Microsoft is doubling down on an “open standards + managed platform” playbook:

• Open-source the SDK and adopt open protocols (reduces developer friction and raises trust)
• Provide a managed runtime and compliance controls in Azure AI Foundry (addresses enterprise risk)
• Create migration paths from existing Microsoft agent projects (lowers friction for current users)

This approach attempts to balance developer freedom with enterprise-grade controls. For customers already invested in Microsoft ecosystems — Microsoft 365, Azure, and Entra — the friction to adopt will be lower. For organizations that prioritize heterogeneous stacks, the open protocols and OpenAPI-first design give an entry point, but careful integration engineering will still be required.

---

Conclusion​

The Microsoft Agent Framework is a significant, pragmatic step in the evolution of agentic AI for enterprises. It unifies earlier research and open-source efforts under a single SDK and runtime that emphasizes observability, durability, and governance while adopting open protocols (MCP and A2A) and an OpenAPI-first design. The framework simplifies many engineering tasks around multi-agent orchestration and offers a clear path from local experimentation to managed deployment in Azure AI Foundry.
At the same time, the technology surface presents real operational challenges: data governance, tool trust boundaries, security risks (prompt injection and token leakage), and cost management. Enterprises should treat the framework as a powerful new capability that requires disciplined adoption: start small, instrument thoroughly, enforce strict data controls, and validate interoperability claims in proof-of-concept deployments.
For developers and teams evaluating the Agent Framework, the pragmatic advice is to test core patterns in a controlled environment, harden integrations with MCP servers and OpenAPI connectors, and plan for staged migration from Semantic Kernel and AutoGen. The promise is compelling — a standards-forward, enterprise-grade agent platform — but the path to safe, reliable production use remains a deliberate engineering and governance effort.

---

Source: InfoWorld Microsoft unveils framework for building agentic AI apps