AI IDE List
AI IDE List
Back to Developer Workflow Tools
Developer Workflow Tools
Microsoft Agent Framework logo

Microsoft Agent Framework

Microsoft Agent Framework is an open-source .NET and Python framework for building production-oriented AI agents and graph-based multi-agent workflows. It unifies ideas from Semantic Kernel and AutoGen while adding provider-neutral agents, durable orchestration, middleware, observability, MCP, A2A, and human approval controls.

Quick Verdict

Microsoft Agent Framework is a strong fit for Python or .NET teams that need more control than a simple agent loop and want explicit workflows, provider flexibility, observability, and Microsoft cloud integration. Its core APIs are production-oriented, but teams must still design the security, evaluation, hosting, state, and cost controls surrounding each agent application.

Last checked: Jul 10, 2026
Pricing checked: Jul 10, 2026
Editor Base
Standalone
Pricing
Open Source
Platforms
Windows, macOS, Linux, Azure
Models
Microsoft Foundry, Azure OpenAI, OpenAI, Anthropic Claude
Microsoft Agent Framework preview

Pricing Plans

Open-Source Framework

$0

The Python and .NET framework is available under the MIT license.

Model Usage

Variable

Inference is billed separately by the configured cloud model provider or local-model infrastructure.

Hosting and Storage

Variable

Deployment, databases, vector stores, telemetry, and durable workflow infrastructure use the pricing of the selected services.

Microsoft Foundry Hosting

Usage-based

Hosted agents, model endpoints, evaluations, observability, and related Azure resources are charged through the connected Azure services.

Core Features

1Agent Runtime

  • Unified agent abstractions for Python and .NET
  • Streaming, sessions, tools, and structured content
  • Custom middleware around agent and tool execution
  • Pluggable memory and context providers

2Workflow Orchestration

  • Graph-based agent and function workflows
  • Sequential, concurrent, handoff, group chat, and Magentic patterns
  • Checkpointing, pause, resume, and human-in-the-loop gates
  • Typed routing between deterministic and AI-powered steps

3Models and Knowledge

  • Microsoft Foundry and Azure OpenAI connectors
  • OpenAI, Anthropic, Bedrock, Gemini, and Ollama support
  • RAG and vector-store integration abstractions
  • Mem0, Redis, Neo4j, and custom memory options

4Protocols and Interfaces

  • Model Context Protocol tool integration
  • Agent-to-Agent protocol interoperability
  • AG-UI streaming frontend integration
  • OpenAI-compatible and ASP.NET Core hosting options

5Development and Operations

  • OpenTelemetry traces, logs, and metrics
  • DevUI for local workflow inspection
  • Declarative YAML agent definitions
  • Foundry hosted agents and Durable Extension deployment

6Agent Harness

  • Automatic context compaction for long sessions
  • Plan and execute operating modes
  • File memory, task tracking, skills, and background agents
  • Approval controls for sensitive tool execution

Pros

  • Uses consistent concepts across Python and .NET implementations.
  • Combines model-driven agents with explicit graph-based orchestration.
  • Supports multiple commercial providers and local Ollama deployments.
  • Provides stable 1.0 APIs for core production scenarios.
  • Includes middleware, checkpointing, telemetry, and human approval primitives.
  • Supports open protocols including MCP, A2A, and AG-UI.
  • Offers official migration paths from AutoGen and Semantic Kernel.
  • Uses a permissive MIT open-source license.

Cons

  • JavaScript and TypeScript are not first-class framework languages.
  • The framework does not include model inference or production hosting for free.
  • Some newer integrations and security features remain preview or experimental.
  • Building reliable multi-agent graphs introduces significant architectural complexity.
  • Provider capabilities and behavior are not completely uniform.
  • Python and .NET features may reach parity at different times.
  • Developers remain responsible for evaluation, safety controls, and tool authorization.
  • DevUI is a development sample and is not intended as a production interface.

Why Choose Microsoft Agent Framework?

Microsoft Agent Framework is designed for applications that have moved beyond a single prompt followed by a single response. Its value becomes clearer when an agent must maintain state, call several tools, wait for approval, delegate work, recover after interruption, or coordinate deterministic code with model-driven decisions.

The framework is the direct successor to Microsoft's AutoGen and Semantic Kernel agent work. Rather than maintaining separate abstractions for experimental multi-agent collaboration and enterprise application integration, Microsoft has consolidated those ideas into one programming model for Python and .NET.

This positioning matters for existing Microsoft users. A .NET team can work with familiar dependency injection, Microsoft.Extensions.AI abstractions, ASP.NET Core hosting, managed identity, Azure Functions, and OpenTelemetry. Python teams receive parallel agent and workflow concepts without being forced into a C# runtime.

The framework remains usable outside Azure. An application can connect to several model providers, use Ollama locally, choose its own databases, expose standard protocol endpoints, and run on self-managed infrastructure. Microsoft Foundry is the most integrated deployment path, but it is not a requirement for the core SDK.

A useful design principle from Microsoft's documentation is to avoid an agent when a normal function can solve the problem reliably. Microsoft Agent Framework is strongest when it lets developers decide exactly where probabilistic reasoning belongs and where ordinary code should remain in control.

Core Workflow

A practical implementation normally begins with one agent rather than a complete multi-agent system. The developer selects a model client, defines a narrow instruction set, adds a small number of typed tools, and establishes how conversation state will be stored. This creates a baseline whose behavior, latency, token consumption, and failure modes can be measured.

Tool contracts deserve more attention than agent personas. Each tool should have a precise description, validated parameters, bounded permissions, explicit timeouts, and predictable error results. A model should not receive a generic database or shell interface when a purpose-built operation can expose only the action it needs.

The next step is deciding whether additional behavior belongs inside the same agent or in an explicit workflow. Open-ended delegation can remain model-driven, but regulated or repeatable business processes are generally easier to inspect when represented as a graph. Deterministic executors can validate data, apply policies, or calculate results between agent steps.

Human involvement should be represented as part of the execution design rather than added after deployment. Approval gates are appropriate before financial transactions, account changes, external messages, destructive file operations, or other actions with meaningful consequences. The workflow can pause, preserve its state, and continue after an operator responds.

Observability and evaluation complete the development loop. Traces should show model calls, tool invocations, routing decisions, token use, latency, and errors. A repeatable evaluation set should then test whether changes to models, instructions, tools, or workflow topology improve the intended outcome rather than merely producing more fluent responses.

Agents Versus Explicit Workflows

An individual agent is appropriate when the task is conversational, the available actions are limited, and the model can reasonably decide what to do next. Examples include answering questions over a knowledge source, selecting one of several retrieval tools, or gathering missing information from a user.

A workflow is preferable when the application has required stages, fixed approvals, branching business rules, or obligations that cannot be left to model judgment. A claims process might use an agent to interpret an unstructured description, deterministic code to validate policy data, a second agent to draft a recommendation, and a human gate before any payment is initiated.

Multi-agent orchestration should not be treated as an automatic upgrade from a single agent. Every additional participant introduces more prompts, state transitions, latency, model calls, and possible disagreement. Separate agents are most defensible when they require distinct permissions, context, models, evaluation criteria, or ownership boundaries.

The graph model helps make those boundaries visible. Sequential execution suits review pipelines, concurrent execution suits independent research tasks, handoffs suit routing between specialists, and manager-style orchestration suits problems where the required subtasks are not known in advance. The correct pattern depends on how much routing control should belong to code versus the model.

Use Cases

Enterprise process automation: The framework can coordinate classification, document analysis, policy lookup, approval, and record updates while keeping deterministic business rules outside the language model.

Customer support orchestration: A triage agent can route a conversation to specialized refund, billing, or technical agents. Sensitive account actions can remain blocked until an employee approves the corresponding tool call.

Research and review pipelines: Several agents can investigate independent sources in parallel before a reviewer agent compares findings. Deterministic code can enforce citation structure, deduplicate evidence, and reject incomplete outputs.

Software operations assistants: An agent can collect diagnostic data and propose remediation while tools expose narrowly scoped operational actions. Approval and audit controls can prevent the model from making unrestricted infrastructure changes.

Long-running back-office work: Durable execution is useful when a process must wait for an external event, survive a worker restart, request additional information, or remain paused for hours or days before continuing.

Cross-framework agent networks: A2A support allows an Agent Framework application to discover and communicate with compatible remote agents. This can be useful when different departments or vendors implement agents with different runtimes.

Agentic web applications: AG-UI integration can stream agent activity, workflow state, approval requests, and tool progress to a frontend. This gives users more context than a chat interface that only displays the final answer.

Comparison to Alternatives

LangGraph is a close alternative for developers who want stateful graph orchestration and explicit control over execution paths. It has strong adoption in Python and JavaScript ecosystems. Microsoft Agent Framework is more directly aligned with .NET, Microsoft.Extensions.AI, Microsoft Foundry, and Microsoft's migration path from AutoGen and Semantic Kernel.

CrewAI emphasizes teams of role-oriented agents and task-based collaboration. That model can be approachable for quickly describing a group of specialists. Microsoft Agent Framework is generally more explicit about combining agents with deterministic executors, typed routing, checkpointing, middleware, and enterprise hosting patterns.

The OpenAI Agents SDK provides a focused way to build agents, tools, handoffs, guardrails, and traces around OpenAI services. It can be simpler when the application is intentionally centered on the OpenAI platform. Microsoft Agent Framework provides a broader provider abstraction and a first-class .NET implementation alongside Python.

Google Agent Development Kit is a natural candidate for applications centered on Gemini and Google Cloud. The decision resembles a broader platform choice: which identity system, model catalog, observability stack, deployment environment, and managed agent services the organization already uses.

PydanticAI appeals to Python teams that value typed outputs, dependency injection, validation, and a comparatively compact programming model. Microsoft Agent Framework covers a larger orchestration and hosting surface, but that additional scope also increases the number of concepts a team must understand.

AutoGen and Semantic Kernel remain important comparison targets because many existing Microsoft agent applications use them. For new Microsoft projects, Agent Framework is the forward-looking choice. Migration is not necessarily a mechanical package replacement, however; existing conversation patterns and plugin architectures should be reconsidered against the newer unified agent and workflow model.

Best Configuration

Use stable packages for the application's core path and isolate preview integrations behind internal interfaces. The framework's 1.0 APIs have a compatibility commitment, but newer harness, security, UI, hosting, and research packages may evolve more quickly.

Install only the provider packages the application needs once the initial prototype is working. The Python meta-package is convenient for exploration, but a smaller dependency set reduces image size, transitive vulnerabilities, startup work, and accidental configuration of unused services.

Keep provider selection behind an application-owned factory or configuration layer. A common agent interface reduces migration work, but providers still differ in tool calling, structured output, hosted tools, context limits, authentication, and error semantics. Provider-specific behavior should not leak throughout the business logic.

Give tools narrow capabilities and make mutating operations idempotent. An agent may retry after a timeout or workflow recovery, so a repeated tool call should not accidentally create duplicate payments, messages, tickets, or infrastructure resources.

Use approval-required wrappers for consequential actions. Approval data should include the proposed operation, relevant parameters, expected effect, requesting agent, and workflow context so the reviewer can make an informed decision rather than approving an opaque function name.

Choose memory by purpose. Short conversational history, long-term user facts, workflow state, retrieval documents, and agent-generated working notes are different data classes. Storing all of them in one vector index makes retention, access control, deletion, and relevance tuning harder.

Export OpenTelemetry data to an existing observability backend, but keep sensitive prompt and response capture disabled unless there is a justified debugging need. When content logging is enabled, apply redaction, access controls, retention limits, and environment separation.

Use DevUI locally to inspect message flow and workflow execution. Build a separate authenticated interface for production because DevUI is a development sample rather than a hardened end-user application.

For long-running processes, persist checkpoints outside the worker process. Azure Functions and the Durable Extension provide a managed path, while bring-your-own-compute deployments can connect durable workers to an external scheduler. In either case, recovery behavior should be tested through deliberate restarts and duplicate-delivery scenarios.

Migration from AutoGen

AutoGen applications often encode coordination through conversations between several agents. During migration, identify which exchanges represent genuine autonomous collaboration and which are actually fixed process stages that should become workflow edges.

Map provider-specific agent classes to the newer common agent abstraction, then move cross-cutting behavior into middleware where appropriate. Logging, validation, rate limiting, security checks, retry policy, and content filtering should not need to be repeated in every prompt.

Existing group chats should be evaluated against the available orchestration patterns. A sequential review process, for example, is easier to test as an explicit sequence than as an open group conversation that happens to produce the same order most of the time.

Preserve behavioral tests before changing the implementation. Capture representative inputs, expected tool calls, routing outcomes, approval points, and failure cases. Comparing these traces is more useful than checking whether the migrated application produces text with similar wording.

Migration from Semantic Kernel

Semantic Kernel users should expect changes to package names, message types, agent construction, invocation methods, options, and tool registration. Microsoft Agent Framework relies on common Microsoft.Extensions.AI content abstractions and uses a consolidated agent model across supported chat clients.

Kernel plugins can often become direct function tools. This can reduce framework-specific attributes and boilerplate, but it is also an opportunity to narrow overly broad plugins and separate read operations from actions that modify external systems.

Applications that used different Semantic Kernel agent classes for different providers can move toward one common agent abstraction. Provider-specific configuration still exists at the client layer, but higher-level application code can depend on the shared interface.

Hosted conversation semantics need special attention. Not every provider supports the same server-side history or deletion behavior, so session lifecycle and retention should be designed explicitly rather than assumed from one previous backend.

Migrate one vertical workflow at a time. Running the old and new implementations against the same evaluation set makes it easier to identify differences caused by prompts, provider versions, history handling, tool schemas, or the framework itself.

Production Architecture

Treat the agent layer as one component of the application rather than the entire application. Authentication, authorization, billing, record ownership, policy decisions, and irreversible state changes should remain in ordinary services with explicit interfaces.

Agent instructions are not an authorization boundary. A prompt telling an agent not to access certain records is weaker than a tool that never returns those records. Permissions should be enforced when data is retrieved and again when an action is executed.

Separate external content from trusted instructions. Web pages, retrieved documents, emails, MCP responses, and remote-agent messages may contain prompt injection or misleading directives. Sensitive tools should not be driven directly by untrusted content without validation or approval.

Create an evaluation suite before switching models. Provider flexibility has limited value when a team cannot determine whether a replacement model preserves routing accuracy, tool selection, structured output, safety behavior, latency, and cost.

Budgeting should be based on complete workflow traces rather than the price of one model call. Multi-agent applications may invoke several models, repeat calls after tool execution, retrieve documents, write memory, emit telemetry, and remain active across many turns.

Deployment should also include concurrency limits, timeouts, cancellation, circuit breakers, rate limiting, dead-letter handling, and an operator path for abandoned workflows. Agent-specific abstractions do not replace conventional distributed-system engineering.

Operational Tradeoffs

Provider neutrality reduces architectural coupling but does not make models interchangeable. A workflow tested with one provider may behave differently after switching because of tool-call formatting, reasoning style, context handling, safety filters, or support for hosted capabilities.

The shared Python and .NET design is valuable for mixed-language organizations, although the two implementations do not always receive every integration simultaneously. Teams should verify language-specific documentation before committing to an interface or deployment feature.

Durable and multi-agent execution improves resilience but expands the state model. Developers must decide which messages, tool results, checkpoints, files, approvals, and memories can be replayed, deleted, or retained after a deployment changes.

Local Ollama support can improve control over data flow and experimentation costs, but local inference is not automatically equivalent to enterprise privacy or performance. The organization still needs to secure the host, select an appropriate model, manage updates, monitor output quality, and provision enough compute.

The framework provides useful controls, but it does not certify the resulting agent as safe, accurate, or compliant. Those properties depend on the chosen models, data, instructions, tool permissions, evaluations, interfaces, deployment architecture, and operational policies.

Best For

  • Python and .NET teams building production AI-agent applications
  • Applications that combine deterministic business logic with model reasoning
  • Multi-agent systems requiring explicit routing and human approval
  • Long-running workflows that must pause, checkpoint, and resume
  • Organizations standardizing on Microsoft Foundry or Azure infrastructure
  • Teams that need to switch between cloud model providers without redesigning the entire agent layer
  • Developers migrating from AutoGen or the Semantic Kernel agent framework
  • Applications exposing agents through MCP, A2A, AG-UI, or OpenAI-compatible interfaces

Not Ideal For

  • Frontend teams requiring a TypeScript-native agent framework
  • Simple applications that only need one or two direct model API calls
  • Users seeking a complete no-code agent builder
  • Teams that do not want to operate model, storage, telemetry, and hosting infrastructure
  • Projects expecting identical behavior from every supported model provider
  • Applications without the resources to test agent accuracy, security, and failure behavior

Privacy Notes

Microsoft Agent Framework is a software framework rather than a hosted model service. Data handling depends on the configured model endpoints, MCP servers, A2A agents, memory stores, telemetry exporters, tools, and deployment environment. Local Ollama usage can keep inference within user-controlled infrastructure, while cloud providers may process prompts and tool results under their own terms. Microsoft advises developers to review third-party retention, geographic boundaries, permissions, and compliance implications. Sensitive prompt and response content should be redacted or disabled in telemetry, and production applications should implement their own authorization, content safety, evaluation, and responsible-AI controls.

Alternatives

LangGraphCrewAIOpenAI Agents SDKGoogle Agent Development KitPydanticAILlamaIndex

Update History

  • Jul 10, 2026: Verified current 1.x positioning, model providers, deployment choices, integrations, migration guidance, and open-source licensing.
  • Jun 3, 2026: Microsoft announced Agent Harness capabilities, Foundry Hosted Agents integration, CodeAct work, skills improvements, and expanded production tooling at Build 2026.
  • Apr 2, 2026: Microsoft Agent Framework reached version 1.0 for Python and .NET with stable core APIs and a long-term support commitment.
  • Oct 1, 2025: Microsoft introduced the framework in preview as the unified successor to its AutoGen and Semantic Kernel agent technologies.

Related Tools

More listings in a similar part of the directory.

Browse Developer Workflow Tools