
Foundry Hosted Agents (Azure)

Deploy to Microsoft Foundry Hosted Agents on Azure AI Foundry Agent Service.

Foundry Hosted Agents are Fabric Harness's primary Azure target. The build target emits a Dockerfile, an azd project file, Bicep infra, and Foundry agent metadata.

Status: scaffold + preview metadata. This target emits deployable scaffolding ready for azd up. Live Hosted Agent create/update/invoke is pending Azure MCP Foundry discovery or an official stable Hosted Agent deployment schema.

Build

fh build --target foundry-hosted-agent

Output:

.fabricharness/build/foundry-hosted-agent/
  Dockerfile
  azure.yaml
  foundry-agent.yaml
  infra/main.bicep
  dist/server.mjs
  manifest.json

You can also build the worker variant:

fh build --target foundry-hosted-agent --runtime temporal-worker
fh build --target foundry-hosted-agent --runtime node

Deploy

cd .fabricharness/build/foundry-hosted-agent
azd up

azd provisions the Foundry project, identity, and networking, then deploys the container image.

Why Foundry

| Foundry capability | Why it matters for Fabric agents |
| --- | --- |
| Per-session hypervisor sandbox | Maps 1:1 onto Fabric's SandboxEnv semantics. |
| Disk persistence across scale-to-zero | Backs sandbox.snapshot() / restore(). |
| Per-agent Entra Agent ID + on-behalf-of (OBO) auth | Fits Fabric's two-identity actor schema. |
| Foundry-native Azure OpenAI access | Models, identity, and observability in one runtime. |
| Toolbox, Memory (preview) | Optional Fabric integrations, behind feature flags. |

Architecture decision

  • Fabric runs inside the Foundry session substrate. Foundry provides the per-session sandbox; Fabric provides the harness loop, governance, and (optionally) Temporal durability.
  • Temporal workers run outside Foundry. Use the temporal-worker runtime variant when you need durable, replayable agent sessions; the worker calls Foundry-hosted activities for sandbox effects.
  • Entra Agent ID + OBO identities are recorded in the session entry's actor field so audit trails answer "which agent acted, on whose behalf, who approved?".
  • Foundry preview integrations (Toolbox, Memory, Activity Protocol) live in @fabric-harness/azure only — no Foundry SDK types leak into @fabric-harness/sdk.

Identity model

actor?: {
  agentId?: string;        // Entra Agent ID
  onBehalfOf?: string;     // upstream user identity
};

Approval requests record both identities for compliance.
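
One way to check that recorded approval requests can answer "which agent acted, on whose behalf, who approved?" is sketched below. This is an added example, not Fabric Harness code: only the `actor` shape comes from this page, while `SessionEntry`, `kind`, `approvedBy`, and the sample entries are assumptions made for illustration.

```typescript
// Added example. Only `actor`, `agentId` and `onBehalfOf` come from the page;
// every other name here is hypothetical.
type Actor = {
  agentId?: string;    // Entra Agent ID
  onBehalfOf?: string; // upstream user identity
};

// Hypothetical session-entry shape used for this sketch.
type SessionEntry = {
  id: string;
  kind: "tool_call" | "approval_request";
  actor?: Actor;
  approvedBy?: string; // assumed field answering "who approved?"
};

type Finding = { entryId: string; problem: string };

// Both fields are optional in the schema, so absent and whitespace-only values are treated alike.
const isBlank = (v: string | undefined): boolean => v === undefined || v.trim() === "";

// Flag approval requests that cannot answer all three audit questions.
function auditApprovals(entries: SessionEntry[]): Finding[] {
  const findings: Finding[] = [];
  for (const e of entries) {
    if (e.kind !== "approval_request") continue;
    if (isBlank(e.actor?.agentId)) findings.push({ entryId: e.id, problem: "missing actor.agentId" });
    if (isBlank(e.actor?.onBehalfOf)) findings.push({ entryId: e.id, problem: "missing actor.onBehalfOf" });
    if (isBlank(e.approvedBy)) findings.push({ entryId: e.id, problem: "missing approver" });
  }
  return findings;
}

// Render the audit answer for an entry, or null when either identity is absent.
function auditLine(e: SessionEntry): string | null {
  if (isBlank(e.actor?.agentId) || isBlank(e.actor?.onBehalfOf)) return null;
  const approver = isBlank(e.approvedBy) ? "nobody yet" : e.approvedBy;
  return `agent ${e.actor?.agentId} acted on behalf of ${e.actor?.onBehalfOf}; approved by ${approver}`;
}

// Constructed sample entries (not real identities).
const sampleEntries: SessionEntry[] = [
  { id: "e1", kind: "approval_request", actor: { agentId: "agent-0001", onBehalfOf: "alice@example.com" }, approvedBy: "bob@example.com" },
  { id: "e2", kind: "approval_request", actor: { agentId: "agent-0001" }, approvedBy: "bob@example.com" },
  { id: "e3", kind: "approval_request", actor: { agentId: "  ", onBehalfOf: "carol@example.com" } },
  { id: "e4", kind: "tool_call" },
];

console.log(auditApprovals(sampleEntries));
```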
