Microsoft Agent Framework
Microsoft Agent Framework is Microsoft's open, multi-language framework for building production-grade AI agents and multi-agent workflows in .NET and Python, positioned as the successor to Semantic Kernel and AutoGen.
Definition
Microsoft Agent Framework is an open framework for building AI agents and multi-agent workflows across .NET and Python. The official Microsoft Learn overview describes it as the next generation of both Semantic Kernel and AutoGen, created by the same teams and combining AutoGen's agent abstractions with Semantic Kernel's enterprise features.
The official GitHub repository describes the project as a framework for teams taking agents from prototype to production. Its stated ecosystem includes Microsoft Foundry, Azure OpenAI, OpenAI, and the GitHub Copilot SDK, with samples and hosting patterns for local and cloud deployment.
Microsoft's Agent Framework 1.0 announcement says the project reached version 1.0 for both .NET and Python, with stable APIs and long-term-support commitments. That makes the framework a current production-oriented Microsoft agent stack, not only a research experiment.
Architecture
The framework organizes agent applications around agents, context providers, model clients, function invocation, middleware, telemetry, and storage. Microsoft Learn's agent-pipeline page describes a request path where middleware and telemetry run around the agent, context providers load history or add tools and instructions, and function middleware handles tool-calling loops.
Middleware is a central governance surface. Microsoft Learn describes middleware as reusable behavior that can intercept, inspect, and modify requests and responses at defined points. That makes it a natural place for logging, security checks, policy enforcement, redaction, and operational controls.
Agent Framework also exposes provider-specific agent types. The documentation names local chat-client agents as well as remote-service agents such as A2A, GitHub Copilot, and Copilot Studio agents. The practical point is that a single framework can wrap very different execution and trust boundaries.
Workflows
Workflows are the framework's explicit orchestration layer. Microsoft Learn distinguishes agents from workflows by saying that a workflow has a predefined sequence of operations, can include AI agents as components, and is designed for business processes involving agents, human interactions, and external systems.
The workflow documentation describes directed graphs of executors and edges, checkpoints for saving and resuming state, and observability spans, logs, and metrics. The orchestration documentation lists built-in multi-agent patterns including sequential, concurrent, handoff, group chat, and Magentic orchestrations.
This is why the framework matters for AI governance. It is not merely a chat wrapper. It gives developers a way to make multi-agent execution paths more explicit, while still leaving policy, data classification, authorization, safety testing, and incident response to the application owner.
Governance and Safety
Microsoft's own overview includes a third-party-systems warning: applications that operate with third-party servers, agents, code, or non-Azure Direct models do so under those third parties' terms, and customers are responsible for reviewing data shared with and received from those systems. That warning is central, not boilerplate.
Agent Framework's safety documentation also cautions about logs and telemetry. It says trace-level logging can include full chat messages and personally identifiable information, and that telemetry configured with sensitive data can include chat messages, function calls, and results. Those settings should not be treated as ordinary debug toggles in production.
The security documentation describes FIDES, an information-flow-control middleware where content carries integrity and confidentiality labels and policies are enforced before sensitive tools run. That is a useful signal about where agent frameworks are heading: from orchestration toward policy-aware execution. It does not remove the need for threat modeling, least privilege, or human review.
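A minimal sketch of the label-and-policy idea described above, added here as an example; it is not FIDES's API or Agent Framework code. The label levels, tool names, policy table, and function names are all hypothetical.

```python
from dataclasses import dataclass
from enum import IntEnum

# Hypothetical two-level labels for illustration; not FIDES identifiers.
class Integrity(IntEnum):
    UNTRUSTED = 0  # web pages, inbound mail, third-party agent output
    TRUSTED = 1    # operator instructions, authenticated user input

class Confidentiality(IntEnum):
    PUBLIC = 0
    PRIVATE = 1

@dataclass(frozen=True)
class Label:
    integrity: Integrity
    confidentiality: Confidentiality

    def join(self, other):
        # Least trusted part wins for integrity; most secret part wins for confidentiality.
        return Label(min(self.integrity, other.integrity),
                     max(self.confidentiality, other.confidentiality))

@dataclass(frozen=True)
class ToolPolicy:
    min_integrity: Integrity              # lowest integrity allowed to drive the call
    max_confidentiality: Confidentiality  # most secret data the tool may receive

class PolicyViolation(Exception):
    pass

# Constructed policy table; tools without an entry are denied.
POLICIES = {
    "send_email": ToolPolicy(Integrity.TRUSTED, Confidentiality.PUBLIC),
    "search_docs": ToolPolicy(Integrity.UNTRUSTED, Confidentiality.PRIVATE),
}

def check_tool_call(tool, context_labels, policies=POLICIES):
    """Raise before the tool runs if the context's joined label violates policy."""
    policy = policies.get(tool)
    if policy is None:
        raise PolicyViolation(f"{tool}: no policy registered")
    label = Label(Integrity.TRUSTED, Confidentiality.PUBLIC)
    for item in context_labels:
        label = label.join(item)
    if label.integrity < policy.min_integrity:
        raise PolicyViolation(f"{tool}: context includes untrusted content")
    if label.confidentiality > policy.max_confidentiality:
        raise PolicyViolation(f"{tool}: context includes private data")
    return label
```

Because labels only ever move toward less trusted and more secret as content is joined, one fetched web page in the context is enough to block the outbound tool, regardless of what the model was asked to do.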
Defense Pattern
- Inventory the runtime. Record framework version, language runtime, agent types, providers, model routes, tools, middleware, workflows, and hosting environment.
- Separate agents and workflows. Treat a workflow graph, checkpoint, or orchestration pattern as deployed policy, not just glue code.
- Gate tool use outside the model. Middleware and called functions should enforce authorization even when the model selects the tool.
- Protect traces. Disable production trace settings that expose full prompts, private documents, function arguments, or returned data unless formally approved.
- Review migrations. Moving from AutoGen or Semantic Kernel should trigger evaluation and change management, not only import changes.
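The "gate tool use outside the model" and "protect traces" items above, combined in one added example; this is framework-agnostic Python, not Agent Framework's middleware API. The grants table, tool registry, audit key, and all function names are constructed assumptions.

```python
import hashlib
import hmac
import json
import logging

audit = logging.getLogger("agent.audit")
AUDIT_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store in practice

# Constructed grants: which principal may invoke which tool.
GRANTS = {"alice": {"read_ticket"}, "ops-bot": {"read_ticket", "close_ticket"}}

class ToolDenied(PermissionError):
    pass

def read_ticket(ticket_id):
    return {"id": ticket_id, "status": "open"}

def close_ticket(ticket_id):
    return {"id": ticket_id, "status": "closed"}

REGISTRY = {"read_ticket": read_ticket, "close_ticket": close_ticket}

def fingerprint(value, key=AUDIT_KEY):
    """Keyed digest: lets records be correlated without storing the content."""
    blob = json.dumps(value, sort_keys=True, default=str).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()[:16]

def audit_record(principal, tool, args, decision, log_content=False):
    record = {"principal": principal, "tool": tool, "decision": decision,
              "arg_names": sorted(args), "args_hmac": fingerprint(args)}
    if log_content:  # raw arguments only when formally approved
        record["args"] = args
    return record

def gated_call(principal, tool, args, registry=REGISTRY, grants=GRANTS):
    """Run a model-selected tool only if the caller's principal is granted it."""
    allowed = tool in registry and tool in grants.get(principal, set())
    audit.info(json.dumps(audit_record(principal, tool, args,
                                       "allow" if allowed else "deny")))
    if not allowed:
        raise ToolDenied(f"{principal} may not call {tool}")
    return registry[tool](**args)
```

The decision depends on the authenticated principal and the grants table, never on the model's output, and the default audit record carries argument names and a keyed digest rather than argument values.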
Source Discipline
Claims about Microsoft Agent Framework should cite current Microsoft Learn pages, the official GitHub repository, and Microsoft devblog release posts. Avoid treating third-party framework comparisons as proof of support, security, or production readiness.
When describing an implementation, name the Agent Framework version, SDK language, provider, agent type, workflow pattern, middleware stack, logging settings, and connected third-party systems. "Built with Agent Framework" is too broad to audit.
Spiralist Reading
Spiralism reads Microsoft Agent Framework as a sign that agents are moving from improvisation into architecture. The agent is no longer only a prompt and a tool list. It is a pipeline, workflow, middleware stack, trace, checkpoint, and policy boundary.
That is progress only if the institution uses the architecture honestly. A framework can make delegation visible, or it can make unsafe delegation look professionally packaged.
Open Questions
- Which Semantic Kernel and AutoGen deployments should migrate, and which should remain stable?
- How should workflow checkpoints be logged without preserving excessive private context?
- Which tool calls should require middleware-based policy checks even after model selection?
- How should organizations compare Microsoft Agent Framework with model-provider-native agent SDKs and independent frameworks?
Related Pages
- Semantic Kernel
- LangChain
- DSPy
- AI Agents
- Tool Use and Function Calling
- Model Context Protocol
- Agent2Agent Protocol
- AI Agent Observability
- AI Agent Sandboxing
- AI Audit Trails
- AI Change Management
- Microsoft AI
Sources
- Microsoft Learn, Microsoft Agent Framework overview, reviewed June 25, 2026.
- GitHub, microsoft/agent-framework, official repository, reviewed June 25, 2026.
- Microsoft Agent Framework Blog, Microsoft Agent Framework Version 1.0, reviewed June 25, 2026.
- Microsoft Learn, Agent Pipeline Architecture, reviewed June 25, 2026.
- Microsoft Learn, Microsoft Agent Framework Workflows, reviewed June 25, 2026.
- Microsoft Learn, Workflow orchestrations in Agent Framework, reviewed June 25, 2026.
- Microsoft Learn, Agent Safety, reviewed June 25, 2026.
- Microsoft Learn, Agent Security with FIDES, reviewed June 25, 2026.
- Microsoft Learn, Semantic Kernel to Microsoft Agent Framework Migration Guide, reviewed June 25, 2026.
- Microsoft Learn, AutoGen to Microsoft Agent Framework Migration Guide, reviewed June 25, 2026.