Azure AI Foundry custom Sentinel MCP tool with OAuth Identity Passthrough returns redirectUrl: null and fails when Refresh URL is set

Question

Azure AI Foundry custom Sentinel MCP tool with OAuth Identity Passthrough returns redirectUrl: null and fails when Refresh URL is set

Oleksandr Antoniuk 0

I’m trying to follow the Microsoft documentation for adding a custom Sentinel MCP tool to an agent in Azure AI Foundry.

I am using:

Remote MCP server endpoint: https://sentinel.microsoft.com/mcp/custom/<collection-name>

Authentication: OAuth Identity Passthrough

Authorization URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize

Token URL: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token

Scope: <REDACTED on forum>/.default

Problem:

If I populate the Refresh URL field (using the same token endpoint), the connection creation fails.
If I leave Refresh URL blank, the connection is created successfully. But no follow-up wizzard with the redirect url appears
When I inspect the browser network response for the create request in Chrome DevTools, the response contains: "redirectUrl": null

So although the tool connection is created and I get a Project connection ID, no OAuth redirect URL is generated.

What I expected:

Based on the documentation, after clicking Connect, the custom OAuth setup should generate a redirect URL that can be copied into the Entra app registration.

What I’m seeing instead:

Refresh URL populated → creation fails

Refresh URL omitted → creation succeeds, but redirectUrl is null

Question:

Is this a known issue / preview limitation in Azure AI Foundry?

Should the Refresh URL currently be left blank as a workaround?

If so, why is the connection still returning redirectUrl: null?

Is there another required field or permission that would cause the redirect URL not to be generated?

Additional context:

The Entra app has delegated permissions configured.
I can see the saved tool in Foundry and it has a valid Project connection ID.
The redirect URL is not shown in the UI, and the backend response also confirms it is null.

Thank you. Note: PII redacted at supported side.

Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-06T09:28:01.18+00:00
Hey Oleksandr Antoniuk,

it looks like you’re running into a preview-mode issue in custom OAuth for MCP tools in Azure AI Foundry.

you need a valid Refresh URL to get back a redirectUrl, but as soon as you populate it in the “Connect” step, it errors out.

If you leave it blank, you get a successful connection but no redirect URL (it stays null). Here’s what’s going on and how you can work around it.

What might be happening in backend •

If you leave Refresh URL blank: Foundry skips validation, creates the connection, but since the OAuth config wasn’t “complete” it never returns a redirectUrl (hence null). •

If you fill in the Refresh URL exactly the same as the Token URL: Foundry tries to validate that endpoint and fails (likely a validation bug in the preview UX), so the connection creation itself errors out.

Workarounds & suggested steps to isolate the issue

Make sure your user has at least the Azure AI User role on the Foundry project—OAuth identity passthrough won’t work without it. Apply higher role like Azure AI administrator or Account owner to differentiate. Reference - https://dori-uw-1.kuma-moon.com/en-us/entra/identity/managed-identities-azure-resources/overview

As a temporary workaround, you can leave the Refresh URL blank to create the connection, then manually craft the redirectUri using the pattern: https://cas.services.azure-ai.net/app/oauth/redirect?connectionId= and add that URI in your Entra app registration’s Web platform > Redirect URIs.

Alternatively, switch to managed OAuth (the built-in Microsoft Entra app) while we are trying to replicate the issue. https://dori-uw-1.kuma-moon.com/en-us/entra/identity/managed-identities-azure-resources/overview

Follow-up questions •

What exact error message or HTTP status do you see when you populate the Refresh URL.

Can you share a HAR export or screenshot of the failed “Connect” network request via private message

Does your Entra app already include any Redirect URI entries under Web > Redirect URIs?

Could you share the documentation to create custom Sentinel MCP tool. I am referring below document for replication.

Looking forward to hearing from you.

Thank you.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-07T05:03:24.4533333+00:00

Hey Oleksandr Antoniuk,

Hope you found above pointers helpful

Could you reply to above follow up queries.

Thank you.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-08T04:07:30.39+00:00

Hey Oleksandr Antoniuk,

It would have been great if you have provided your inputs on the followed-up queries

Please let us know if you are still looking for assistance.

Thank you.
Yutaka_K_JP 1,645 Reputation points

2026-03-08T05:01:56.5166667+00:00

Hello Oleksandr, I think the redirectUrl:null hits when the proj env can’t do a clean round‑trip to your auth URL — even a tiny proxy/TLS wiggle kills the OAuth hop; curl it from inside the proj and it’ll show u the truth, and once it works just pre‑add the redirect URI in Entra or the next wall will be the audience mismatch throwing 401s at u.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-09T08:51:14.77+00:00

Hey Oleksandr Antoniuk,

Could you confirm the presence of any proxy/TLS hop/firewall caused drops

Thank you.
Oleksandr Antoniuk 0 Reputation points

2026-03-09T10:23:38.8633333+00:00
Hi @Manas Mohanty I do not use a proxy, and I don't believe any TLS drop has happened. At the moment I am trying to verify all the other deteils but facing a new issue. The agents that I have had in work (not published yet) were with some defined models. Now the model appears blank, and when I try to choose any model, I face a 20000ms timeout reached message.

The new agent creation also doesn't work... The button "Create" never becomes active.

The foundry page in the Azure portal also seems unresponsive. I have checked that the same happens on different tenants/subscriptions, and other teammembers share the same experience. While this is happening, I would not be able to provide more details.

I was using the following instruction https://dori-uw-1.kuma-moon.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry#add-a-custom-tool-collection and was never able to finish step 2.

The "redirectUrl:null" happens only when the refresh token is unspecified, otherwise I was getting:

ErrorService temporarily unavailable. Please try again later. I am getting in console foundry-chunk-app-insights-C_NVFUF6.js:7 POST https://ai.azure.com/nextgen/api/query?createOrUpdateConnectionResolver 500 (Internal Server Error)

Thank you,

Oleksandr
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-10T10:40:36.2966667+00:00

Yes Oleksandr Antoniuk

Thank you for sharing the replication document.

Regarding slowness of existing foundry resource.

I had the same observation for all resources in existing resource group.

Foundry and other Azure resources were usable only new RG

It might be a service side limitation if it does not work at all.

But if it worked earlier and not working now, using a new foundry resource and creatin

Have reached you private message for replicating the issue properly.

Thank you for your inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-17T04:28:07.0633333+00:00

Hey Oleksandr Antoniuk,

Thank you for sharing the context for replicating the issue.

Doing few more trial before reviewing with product group internal.

Thank you for your time and inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-19T11:19:50.8533333+00:00

Hey Oleksandr Antoniuk,

I have shared all HAR traces, screenshots, resource ids collected as preview report to product team internally

Shall update here once we hear from them.

Thank you for your inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-04-01T05:27:53.5733333+00:00

Hey Oleksandr Antoniuk,

I have gone with engineering ticket with all above details post review.

Shall update here once we get an update on engineering ticket.

Thank you for your inputs.

1 answer

Your answer

Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-07T05:03:24.4533333+00:00

Hey Oleksandr Antoniuk,

Hope you found above pointers helpful

Could you reply to above follow up queries.

Thank you.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-08T04:07:30.39+00:00

Hey Oleksandr Antoniuk,

It would have been great if you have provided your inputs on the followed-up queries

Please let us know if you are still looking for assistance.

Thank you.
Yutaka_K_JP 1,645 Reputation points

2026-03-08T05:01:56.5166667+00:00

Hello Oleksandr, I think the redirectUrl:null hits when the proj env can’t do a clean round‑trip to your auth URL — even a tiny proxy/TLS wiggle kills the OAuth hop; curl it from inside the proj and it’ll show u the truth, and once it works just pre‑add the redirect URI in Entra or the next wall will be the audience mismatch throwing 401s at u.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-09T08:51:14.77+00:00

Hey Oleksandr Antoniuk,

Could you confirm the presence of any proxy/TLS hop/firewall caused drops

Thank you.
Oleksandr Antoniuk 0 Reputation points

2026-03-09T10:23:38.8633333+00:00

Hi @Manas Mohanty I do not use a proxy, and I don't believe any TLS drop has happened. At the moment I am trying to verify all the other deteils but facing a new issue. The agents that I have had in work (not published yet) were with some defined models. Now the model appears blank, and when I try to choose any model, I face a 20000ms timeout reached message.

The new agent creation also doesn't work... The button "Create" never becomes active.

The foundry page in the Azure portal also seems unresponsive. I have checked that the same happens on different tenants/subscriptions, and other teammembers share the same experience. While this is happening, I would not be able to provide more details.

I was using the following instruction https://dori-uw-1.kuma-moon.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry#add-a-custom-tool-collection and was never able to finish step 2.

The "redirectUrl:null" happens only when the refresh token is unspecified, otherwise I was getting:

ErrorService temporarily unavailable. Please try again later. I am getting in console foundry-chunk-app-insights-C_NVFUF6.js:7 POST https://ai.azure.com/nextgen/api/query?createOrUpdateConnectionResolver 500 (Internal Server Error)

Thank you,

Oleksandr
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-10T10:40:36.2966667+00:00

Yes Oleksandr Antoniuk

Thank you for sharing the replication document.

Regarding slowness of existing foundry resource.

I had the same observation for all resources in existing resource group.

Foundry and other Azure resources were usable only new RG

It might be a service side limitation if it does not work at all.

But if it worked earlier and not working now, using a new foundry resource and creatin

Have reached you private message for replicating the issue properly.

Thank you for your inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-17T04:28:07.0633333+00:00

Hey Oleksandr Antoniuk,

Thank you for sharing the context for replicating the issue.

Doing few more trial before reviewing with product group internal.

Thank you for your time and inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-19T11:19:50.8533333+00:00

Hey Oleksandr Antoniuk,

I have shared all HAR traces, screenshots, resource ids collected as preview report to product team internally

Shall update here once we hear from them.

Thank you for your inputs.
Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-04-01T05:27:53.5733333+00:00

Hey Oleksandr Antoniuk,

I have gone with engineering ticket with all above details post review.

Shall update here once we get an update on engineering ticket.

Thank you for your inputs.

Answer 1

Hi Oleksandr Antoniuk

Thank you for confirming that it worked (custom sentinel MCP server) in another region.

We have requested the product group engineer for possible backend deletion for resource in Germany west Central region.

We can also delete the Studio project then Foundry hub if the projects were in test phases.

Attached CLI command to delete them via identifier id

az resource delete \
  --ids /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.CognitiveServices/accounts/<FOUNDRY_RESOURCE_NAME>

Attached CLI commands to delete the stuck connections.

Please copy the tool connection id from "Tools" tab as show in screenshot

User's image

Confirm the presence of tool connection from Cloud CLI

az login --identity
az rest \
  --method GET \
  --url "https://management.azure.com/subscriptions/<subid>/resourceGroups/AprilRG/providers/Microsoft.CognitiveServices/accounts/<foundryacctname>/projects/<projectname>/connections/MicrosoftLearnMCPserver?api-version=2025-04-01-preview"

Delete the presence of tool connection from Cloud CLI

az login --identity
az rest \
  --method DELETE \
  --url 
"https://management.azure.com/subscriptions/<subid>/resourceGroups/AprilRG/providers/Microsoft.CognitiveServices/accounts/<foundryacctname>/projects/<projectname>/connections/MicrosoftLearnMCPserver?api-version=2025-04-01-preview"

Reference used - https://dori-uw-1.kuma-moon.com/en-us/cli/azure/resource?view=azure-cli-latest#az-resource-delete

Please let me know if the issue persists at your side even with above remedial to delete stuck connection from Germany west central.

Thank you for your inputs.

Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-04-09T06:25:37.57+00:00

Hi Oleksandr Antoniuk

Thank you for collaborating during course of investigation.

Could you accept the answer if it helped.

Thank you.

Share via

Azure AI Foundry custom Sentinel MCP tool with OAuth Identity Passthrough returns redirectUrl: null and fails when Refresh URL is set

1 answer

Your answer