
Azure AI Foundry custom MCP OAuth Identity Passthrough - 500 InternalServerError (account-rp) before any request reaches MCP server - Brazil South

Felipe Gualberto 0 Reputation points
2026-05-05T09:56:25.77+00:00

When clicking Connect on a custom MCP tool configured with OAuth Identity Passthrough, Azure AI Foundry returns a 500 error after ~10 seconds. The error originates from componentName: "account-rp" in Brazil South, before Foundry makes any outbound request to the MCP or OAuth server.

Error response body from POST https://ai.azure.com/nextgen/api/query?createOrUpdateConnectionResolver:

{
    "error": {
        "code": "ServiceError",
        "message": "InternalServerError"
    },
    "correlation": {
        "operation": "3fa794e836e54c5884cd081cb94ea351",
        "request": "e0de6d5ce07e5d6b"
    },
    "environment": "brazilsouth",
    "location": "brazilsouth",
    "componentName": "account-rp",
    "statusCode": 500
}

Proof the server is not the problem:

  • Added request-logging middleware that fires on every incoming HTTP request
  • Postman OAuth flow: logs appear, full flow completes successfully
  • Foundry Connect: zero log entries - confirming Foundry never contacts the server

Server endpoints verified working:

  • /.well-known/oauth-authorization-server - 200, valid RFC 8414 JSON
  • /.well-known/openid-configuration - 200, valid OIDC JSON
  • OPTIONS /oauth/token with Origin: https://ai.azure.com - 204 with CORS headers
  • POST /oauth/token - responds correctly (tested with Postman, Claude Desktop)
  • /mcp - responds correctly when authenticated

I've read there are some issues regarding OAuth Identity Passthrough in Foundry's Agents custom MCP tools and I'd like to know if there is a fix.

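The server-side verifications the question lists (RFC 8414 authorization-server metadata, OIDC discovery, and the CORS preflight on /oauth/token) as a script a practitioner can run before blaming the platform. This is an added example, not code from the poster or from Microsoft; the host mcp.example.test and the sample documents are constructed, and probe_server assumes the poster's route layout (/.well-known/... and /oauth/token under one origin).

```python
"""Checks for the discovery documents and CORS preflight an MCP server exposes
for an OAuth identity-passthrough client (added example; mcp.example.test and
the sample documents below are constructed stand-ins)."""
import json
import urllib.request
from urllib.parse import urlparse

# RFC 8414 section 2: members that MUST be present in authorization server metadata.
REQUIRED_AS_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "response_types_supported")
# OpenID Connect Discovery 1.0 section 3 adds these required members.
REQUIRED_OIDC_METADATA = REQUIRED_AS_METADATA + (
    "jwks_uri", "subject_types_supported", "id_token_signing_alg_values_supported")


def check_metadata(doc, expected_issuer, required=REQUIRED_AS_METADATA):
    """Return a list of problems in a discovery document; an empty list means it passed."""
    problems = []
    for key in required:
        if key not in doc:
            problems.append(f"missing required member '{key}'")
    issuer = doc.get("issuer")
    if issuer is not None:
        if issuer.rstrip("/") != expected_issuer.rstrip("/"):
            problems.append(f"issuer '{issuer}' does not match the server origin '{expected_issuer}'")
        if "?" in issuer or "#" in issuer:
            problems.append("issuer must not carry a query or fragment component")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} must be an https URL")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported must include 'code' (authorization code flow)")
    return problems


def check_cors_preflight(status, headers, origin):
    """Validate an OPTIONS /oauth/token response for a browser client running at `origin`."""
    problems = []
    if status not in (200, 204):
        problems.append(f"preflight returned HTTP {status}, expected 200 or 204")
    h = {k.lower(): v for k, v in headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin not in (origin, "*"):
        problems.append(f"Access-Control-Allow-Origin is {allow_origin!r}, expected {origin!r}")
    methods = [m.strip().upper() for m in h.get("access-control-allow-methods", "").split(",")]
    if "POST" not in methods:
        problems.append("Access-Control-Allow-Methods must include POST")
    allowed = [x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")]
    if "content-type" not in allowed and "*" not in allowed:
        problems.append("Access-Control-Allow-Headers must include Content-Type")
    return problems


def fetch_json(url, timeout=10):
    """Live helper: GET a discovery document and parse it (not used by the offline run)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def probe_server(base_url, origin="https://ai.azure.com"):
    """Live helper: run all three checks against a real server at base_url (assumed route layout)."""
    findings = {
        "oauth-authorization-server": check_metadata(
            fetch_json(f"{base_url}/.well-known/oauth-authorization-server"), base_url),
        "openid-configuration": check_metadata(
            fetch_json(f"{base_url}/.well-known/openid-configuration"), base_url, REQUIRED_OIDC_METADATA),
    }
    req = urllib.request.Request(f"{base_url}/oauth/token", method="OPTIONS", headers={
        "Origin": origin, "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        findings["preflight"] = check_cors_preflight(resp.status, dict(resp.headers), origin)
    return findings


# Constructed sample inputs standing in for a healthy server.
SAMPLE_ORIGIN = "https://mcp.example.test"
SAMPLE_AS_METADATA = {
    "issuer": SAMPLE_ORIGIN,
    "authorization_endpoint": f"{SAMPLE_ORIGIN}/oauth/authorize",
    "token_endpoint": f"{SAMPLE_ORIGIN}/oauth/token",
    "response_types_supported": ["code"],
}
SAMPLE_PREFLIGHT_HEADERS = {
    "Access-Control-Allow-Origin": "https://ai.azure.com",
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
}


def run_offline_checks():
    """Evaluate the constructed samples; every list is empty when the server would pass."""
    return {
        "oauth-authorization-server": check_metadata(SAMPLE_AS_METADATA, SAMPLE_ORIGIN),
        "preflight": check_cors_preflight(204, SAMPLE_PREFLIGHT_HEADERS, "https://ai.azure.com"),
    }


if __name__ == "__main__":
    for name, problems in run_offline_checks().items():
        print(name, "OK" if not problems else problems)
```

Running probe_server against a real deployment reproduces the poster's evidence in one place: when all three lists come back empty and the server's request log still shows nothing during a Foundry Connect attempt, the failure is upstream of the server, which is exactly the situation the correlation IDs in the error body are meant to let support trace.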

2 answers

  1. Felipe Gualberto 0 Reputation points
    2026-05-05T11:11:03.25+00:00

    I've recreated my resource in East US 2 and it worked.

    Brazil South region for Foundry is broken.

    Do not use Foundry in Brazil South region!

    Microsoft, please document or fix this! I've lost almost 2 days of work trying to figure it out!


  2. Q&A Assist
    2026-05-05T09:56:45.0366667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The behavior matches a platform-side failure in the OAuth identity passthrough flow, not an issue with the MCP or OAuth server, especially since:

    • No requests ever reach the MCP or OAuth endpoints.
    • The error is returned directly from account-rp in Brazil South.

    From the available guidance, the only actionable checks on the customer side for OAuth identity passthrough are:

    1. Re‑validate OAuth identity passthrough configuration
      • Confirm the authorization URL, token URL, and scopes in the Foundry MCP tool configuration exactly match the OAuth provider settings.
      • Confirm client ID and client secret are correct and not expired.
      • Scope mismatches or incorrect endpoint URLs are a common cause of OAuth identity passthrough failures.
      • For Microsoft Entra-based OAuth, ensure the URLs follow the documented pattern:
        • Token URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
        • Auth URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
        • Refresh URL: https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token
        • Scopes format: ea9ffc3e-8a23-4a7d-836d-234d7c7565c1/{permission} (for the documented Microsoft MCP servers) or the provider’s required scopes.
    2. Re‑check redirect URL configuration
      • After configuring OAuth identity passthrough in Foundry, a redirect URL is provided.
      • Ensure this redirect URL is added to the OAuth app / Microsoft Entra app registration exactly as given.
      • Misconfigured redirect URLs are a documented cause of OAuth sign‑in failures when using custom OAuth identity passthrough.
    3. Validate that the tool is eligible for the configured routing
      • If an AI gateway or other mediation is involved, confirm the tool is an MCP tool and does not use managed OAuth, as tools with managed OAuth are not eligible for gateway routing.
      • If the tool was created before attaching an AI gateway, recreate the tool after the gateway is connected.
    4. Region/platform issue indication
      • Given that:
        • The OAuth and MCP endpoints work from other clients.
        • No traffic reaches the server when using Foundry.
        • The error is a 500 from account-rp in brazilsouth.
      • This strongly indicates a platform-side issue in the Brazil South environment rather than a misconfiguration of the MCP or OAuth server.
      • Similar issues (for example, transient internal errors or licensing/propagation problems) have been resolved only after backend fixes or propagation delays, without configuration changes on the customer side.

    If all configuration checks above are correct and the problem persists only in Brazil South, the next step is to open an Azure support ticket with the correlation IDs from the error (operation and request), specifying:

    • Region: Brazil South
    • Component: account-rp
    • Operation: createOrUpdateConnectionResolver for a custom MCP tool with OAuth identity passthrough

    This allows the product group to investigate and, if necessary, apply a backend fix similar to other reported platform issues.

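Steps 1 and 2 of the answer above (endpoint URLs matching the provider, Entra v2.0 URL layout, and the redirect URL registered exactly as issued) as a script that cross-checks a tool configuration against the provider's discovery document and app registration. This is an added example, not part of the answer and not Microsoft's code; Foundry's real configuration schema is not shown on the page, so the dict keys (authorization_url, token_url, refresh_url, scopes, client_id, client_secret, redirect_url), the tenant id, client id, secret and redirect URL values are assumed placeholders.

```python
"""Cross-check a custom MCP tool's OAuth identity-passthrough settings against
the OAuth provider (added example; configuration keys and sample values are
assumed, not Foundry's actual schema)."""
import re

# Entra ID v2.0 endpoint layout as quoted in the answer; group(1) is the tenant id.
ENTRA_AUTH = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/authorize$")
ENTRA_TOKEN = re.compile(r"^https://login\.microsoftonline\.com/([^/]+)/oauth2/v2\.0/token$")


def check_passthrough_config(config, discovery=None, registered_redirects=()):
    """Return configuration problems; an empty list means the settings are consistent."""
    problems = []
    auth = config.get("authorization_url", "")
    token = config.get("token_url", "")
    refresh = config.get("refresh_url", "")

    # Layout checks apply only when the provider is Entra ID.
    if "login.microsoftonline.com" in token or "login.microsoftonline.com" in auth:
        am, tm = ENTRA_AUTH.match(auth), ENTRA_TOKEN.match(token)
        if not am:
            problems.append("authorization_url does not follow the Entra v2.0 authorize pattern")
        if not tm:
            problems.append("token_url does not follow the Entra v2.0 token pattern")
        if am and tm and am.group(1) != tm.group(1):
            problems.append("authorization_url and token_url point at different tenants")
        if refresh and refresh != token:
            problems.append("refresh_url should equal token_url for Entra v2.0")

    # The provider's discovery document is the source of truth for endpoint URLs.
    if discovery is not None:
        for key, value in (("authorization_url", auth), ("token_url", token)):
            expected = discovery.get(key.replace("_url", "_endpoint"))
            if value != expected:
                problems.append(f"{key} {value!r} differs from discovery {expected!r}")

    if not config.get("scopes"):
        problems.append("no scopes configured")
    if not config.get("client_id") or not config.get("client_secret"):
        problems.append("client_id and client_secret must both be set")

    # The redirect URL handed out by the tool configuration must be registered exactly as given.
    redirect = config.get("redirect_url", "")
    if redirect not in registered_redirects:
        problems.append(f"redirect_url {redirect!r} is not registered on the OAuth app")
    return problems


# Constructed placeholders; none of these are real tenant, app or redirect values.
TENANT = "00000000-0000-0000-0000-000000000000"
OTHER_TENANT = "11111111-1111-1111-1111-111111111111"
GOOD_CONFIG = {
    "authorization_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "refresh_url": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "scopes": ["openid", "offline_access"],
    "client_id": "<client-id-placeholder>",
    "client_secret": "<client-secret-placeholder>",
    "redirect_url": "https://redirect.example.test/callback",
}
ENTRA_DISCOVERY = {  # the two members of the provider's metadata this check consumes
    "authorization_endpoint": GOOD_CONFIG["authorization_url"],
    "token_endpoint": GOOD_CONFIG["token_url"],
}
REGISTERED_REDIRECTS = (GOOD_CONFIG["redirect_url"],)


def run_sample():
    """Return (problems for a consistent config, problems for a drifted config)."""
    good = check_passthrough_config(GOOD_CONFIG, ENTRA_DISCOVERY, REGISTERED_REDIRECTS)
    # Drift: token URL copied from another tenant, refresh URL left behind, redirect never registered.
    drifted = dict(GOOD_CONFIG,
                   token_url=f"https://login.microsoftonline.com/{OTHER_TENANT}/oauth2/v2.0/token")
    bad = check_passthrough_config(drifted, ENTRA_DISCOVERY, ())
    return good, bad


if __name__ == "__main__":
    good, bad = run_sample()
    print("consistent config:", good or "OK")
    print("drifted config:", *bad, sep="\n  ")
```

Four findings come back for the drifted configuration (tenant mismatch, refresh URL differing from token URL, token URL differing from discovery, unregistered redirect). If a configuration passes all of these and the Connect action still fails with a 500 from account-rp before any traffic reaches the server, the checks have been exhausted on the customer side and the remaining step is the support ticket with the correlation IDs.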
