# Azure AI Agents s podporou Model Context Protocol (MCP) - Python

Tento notebook demon≈°truje, ako pou≈æ√≠va≈• Azure AI Agents s n√°strojmi Model Context Protocol (MCP) v Pythone. Ukazuje, ako vytvori≈• inteligentn√©ho agenta, ktor√Ω dok√°≈æe vyu≈æ√≠va≈• extern√© MCP servery (ako Microsoft Learn) na roz≈°√≠ren√© funkcie pomocou autentifik√°cie bez kƒæ√∫ƒça.


## In≈°tal√°cia potrebn√Ωch bal√≠kov Pythonu

Najsk√¥r mus√≠me nain≈°talova≈• potrebn√© bal√≠ky Pythonu:
- **azure-ai-projects**: Z√°kladn√© SDK pre Azure AI Projects
- **azure-ai-agents**: SDK pre Azure AI Agents na vytv√°ranie a spr√°vu agentov
- **azure-identity**: Poskytuje bezkƒæ√∫ƒçov√∫ autentifik√°ciu pomocou DefaultAzureCredential
- **mcp**: Implement√°cia Model Context Protocol pre Python


## V√Ωhody autentifik√°cie bez kƒæ√∫ƒçov

Tento notebook demon≈°truje **autentifik√°ciu bez kƒæ√∫ƒçov**, ktor√° prin√°≈°a niekoƒæko v√Ωhod:
- ‚úÖ **≈Ωiadne API kƒæ√∫ƒçe na spr√°vu** - Pou≈æ√≠va autentifik√°ciu zalo≈æen√∫ na identite Azure
- ‚úÖ **Zv√Ω≈°en√° bezpeƒçnos≈•** - ≈Ωiadne tajn√© √∫daje ulo≈æen√© v k√≥de alebo konfiguraƒçn√Ωch s√∫boroch
- ‚úÖ **Automatick√° rot√°cia poveren√≠** - Azure sa star√° o spr√°vu ≈æivotn√©ho cyklu poveren√≠
- ‚úÖ **Riadenie pr√≠stupu na z√°klade rol√≠** - Pou≈æ√≠va Azure RBAC na detailn√© nastavenie opr√°vnen√≠
- ‚úÖ **Podpora viacer√Ωch prostred√≠** - Funguje bez probl√©mov v prostred√≠ v√Ωvoja aj produkcie

`DefaultAzureCredential` automaticky vyber√° najlep≈°√≠ dostupn√Ω zdroj poveren√≠:
1. **Spravovan√° identita** (pri spusten√≠ v Azure)
2. **Poverenia Azure CLI** (poƒças lok√°lneho v√Ωvoja)
3. **Poverenia Visual Studio**
4. **Premenn√© prostredia** (ak s√∫ nakonfigurovan√©)
5. **Autentifik√°cia cez interakt√≠vny prehliadaƒç** (ako z√°lo≈æn√© rie≈°enie)


## Nastavenie autentifik√°cie bez kƒæ√∫ƒçov

**Predpoklady pre autentifik√°ciu bez kƒæ√∫ƒçov:**

### Pre lok√°lny v√Ωvoj:
```bash
# Install Azure CLI and login
az login
# Verify your identity
az account show
```

### Pre prostredia Azure:
- Aktivujte **Syst√©mom priraden√∫ spravovan√∫ identitu** na va≈°om Azure zdroji
- Priraƒète vhodn√© **RBAC roly** spravovanej identite:
  - `Cognitive Services OpenAI User` pre pr√≠stup k Azure OpenAI
  - `AI Developer` pre pr√≠stup k projektom Azure AI

### Premenn√© prostredia (voliteƒæn√©):
```python
# These are automatically detected by DefaultAzureCredential
# AZURE_CLIENT_ID=<your-client-id>
# AZURE_CLIENT_SECRET=<your-client-secret>
# AZURE_TENANT_ID=<your-tenant-id>
```

**Nie s√∫ potrebn√© ≈æiadne API kƒæ√∫ƒçe ani re≈•azce pripojenia!** üîê


In [None]:
! pip install azure-ai-projects -U
! pip install azure-ai-agents==1.1.0b4 -U
! pip install azure-identity -U
! pip install mcp==1.11.0 -U

## Importujte potrebn√© kni≈ænice

Importujte potrebn√© Python moduly:
- **os, time**: ≈†tandardn√© Python kni≈ænice pre premenn√© prostredia a oneskorenia
- **AIProjectClient**: Hlavn√Ω klient pre Azure AI Projects
- **DefaultAzureCredential**: Bezkl√∫ƒçov√° autentifik√°cia pre slu≈æby Azure
- **MCP-related classes**: Na vytv√°ranie a spr√°vu MCP n√°strojov a spracovanie schv√°len√≠


In [None]:
import os, time
from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential
from azure.ai.agents.models import McpTool, RequiredMcpToolCall, SubmitToolApprovalAction, ToolApproval


## Konfigur√°cia nastaven√≠ MCP servera

Nastavte konfigur√°ciu MCP servera pomocou environment√°lnych premenn√Ωch s predvolen√Ωmi hodnotami:
- **MCP_SERVER_URL**: URL adresa MCP servera (predvolene Microsoft Learn API)
- **MCP_SERVER_LABEL**: Oznaƒçenie na identifik√°ciu MCP servera (predvolene "mslearn")

Tento pr√≠stup umo≈æ≈àuje flexibiln√∫ konfigur√°ciu v r√¥znych prostrediach.


In [None]:
mcp_server_url = os.environ.get("MCP_SERVER_URL", "https://learn.microsoft.com/api/mcp")
mcp_server_label = os.environ.get("MCP_SERVER_LABEL", "mslearn")

## Vytvorenie klienta projektu Azure AI (Autentifik√°cia bez kƒæ√∫ƒça)

Inicializujte klienta projektu Azure AI pomocou **autentifik√°cie bez kƒæ√∫ƒça**:
- **endpoint**: URL koncov√©ho bodu projektu Azure AI Foundry
- **credential**: Pou≈æ√≠va `DefaultAzureCredential()` na bezpeƒçn√∫ autentifik√°ciu bez kƒæ√∫ƒça
- **Nie s√∫ potrebn√© API kƒæ√∫ƒçe**: Automaticky vyhƒæad√°va a pou≈æ√≠va najlep≈°ie dostupn√© poverenia

**Proces autentifik√°cie:**
1. Kontroluje Managed Identity (v prostrediach Azure)
2. Ako z√°lo≈æn√© rie≈°enie pou≈æ√≠va poverenia Azure CLI (pre lok√°lny v√Ωvoj)
3. V pr√≠pade potreby vyu≈æ√≠va ƒèal≈°ie dostupn√© zdroje poveren√≠

Tento pr√≠stup eliminuje potrebu spravova≈• API kƒæ√∫ƒçe alebo re≈•azce pripojenia vo va≈°om k√≥de.


In [None]:
project_client = AIProjectClient(
    endpoint="Your Azure AI Foundry Endpoint",
    credential=DefaultAzureCredential(),
)

## Vytvorenie defin√≠cie n√°stroja MCP

Vytvorte n√°stroj MCP, ktor√Ω sa prip√°ja k serveru Microsoft Learn MCP:
- **server_label**: Identifik√°tor pre server MCP
- **server_url**: URL koncov√Ω bod servera MCP
- **allowed_tools**: Voliteƒæn√Ω zoznam na obmedzenie, ktor√© n√°stroje m√¥≈æu by≈• pou≈æit√© (pr√°zdny zoznam umo≈æ≈àuje v≈°etky n√°stroje)

Tento n√°stroj umo≈æn√≠ agentovi pr√≠stup k dokument√°cii a zdrojom Microsoft Learn.


In [None]:
mcp_tool = McpTool(
    server_label=mcp_server_label,
    server_url=mcp_server_url,
    allowed_tools=[],  # Optional: specify allowed tools
)


## Vytvorenie agenta a vykonanie konverz√°cie (Pr√°ca bez kƒæ√∫ƒçov)

T√°to komplexn√° sekcia demon≈°truje kompletn√Ω **pracovn√Ω postup agenta bez kƒæ√∫ƒçov**:

1. **Vytvorenie AI agenta**: Nastavte agenta s modelom GPT-4.1 nano a n√°strojmi MCP
2. **Vytvorenie vl√°kna**: Zalo≈æte konverzaƒçn√© vl√°kno pre komunik√°ciu
3. **Odoslanie spr√°vy**: Op√Ωtajte sa agenta na rozdiely medzi Azure OpenAI a OpenAI
4. **Schvaƒæovanie n√°strojov**: Automaticky schvaƒæujte volania n√°strojov MCP, keƒè je to potrebn√©
5. **Monitorovanie vykon√°vania**: Sledujte pokrok agenta a rie≈°te potrebn√© akcie
6. **Zobrazenie v√Ωsledkov**: Zobrazte detaily konverz√°cie a pou≈æitia n√°strojov

**Funkcie bez kƒæ√∫ƒçov:**
- ‚úÖ **≈Ωiadne pevne zak√≥dovan√© tajomstv√°** - V≈°etka autentifik√°cia je spravovan√° identitou Azure
- ‚úÖ **Bezpeƒçn√© ako ≈°tandard** - Pou≈æ√≠va kontrolu pr√≠stupu na z√°klade rol√≠
- ‚úÖ **Zjednodu≈°en√© nasadenie** - Nie je potrebn√° spr√°va poveren√≠
- ‚úÖ **Vhodn√© na audit** - V≈°etky pr√≠stupy s√∫ sledovan√© prostredn√≠ctvom identity Azure

Agent bude pou≈æ√≠va≈• n√°stroje MCP na pr√≠stup k zdrojom Microsoft Learn s plnou bezpeƒçnos≈•ou a bez spr√°vy API kƒæ√∫ƒçov.


In [None]:
with project_client:
    agents_client = project_client.agents

    # Create a new agent with keyless authentication
    # NOTE: To reuse existing agent, fetch it with get_agent(agent_id)
    agent = agents_client.create_agent(
        model="Your Azure OpenAI Model Deployment Name",
        name="my-mcp-agent",
        instructions="You are a helpful agent that can use MCP tools to assist users. Use the available MCP tools to answer questions and perform tasks.",
        tools=mcp_tool.definitions,
    )
    print(f"Created agent, ID: {agent.id}")
    print(f"MCP Server: {mcp_tool.server_label} at {mcp_tool.server_url}")

    # Create thread for communication
    thread = agents_client.threads.create()
    print(f"Created thread, ID: {thread.id}")

    # Create message to thread
    message = agents_client.messages.create(
        thread_id=thread.id,
        role="user",
        content="What's difference between Azure OpenAI and OpenAI?",
    )
    print(f"Created message, ID: {message.id}")

    # KEYLESS APPROACH: Handle tool approvals without hardcoded secrets
    
    # Option 1: Completely keyless (recommended for Azure identity-enabled MCP servers)
    # run = agents_client.runs.create(thread_id=thread.id, agent_id=agent.id, tool_resources=mcp_tool.resources)
    
    # Option 2: With minimal headers (if MCP server requires specific headers)
    # For demonstration purposes, using a placeholder header
    mcp_tool.update_headers("SuperSecret", "123456")  # Replace with actual auth if needed
    
    # Set approval mode - uncomment next line to disable approval requirement completely
    # mcp_tool.set_approval_mode("never")  # Fully automated, no approval needed
    
    run = agents_client.runs.create(thread_id=thread.id, agent_id=agent.id, tool_resources=mcp_tool.resources)
    print(f"Created run, ID: {run.id}")

    while run.status in ["queued", "in_progress", "requires_action"]:
        time.sleep(1)
        run = agents_client.runs.get(thread_id=thread.id, run_id=run.id)

        if run.status == "requires_action" and isinstance(run.required_action, SubmitToolApprovalAction):
            tool_calls = run.required_action.submit_tool_approval.tool_calls
            if not tool_calls:
                print("No tool calls provided - cancelling run")
                agents_client.runs.cancel(thread_id=thread.id, run_id=run.id)
                break

            tool_approvals = []
            for tool_call in tool_calls:
                if isinstance(tool_call, RequiredMcpToolCall):
                    try:
                        print(f"Approving tool call: {tool_call}")
                        
                        # KEYLESS APPROVAL OPTIONS:
                        
                        # Option 1: No headers (fully keyless)
                        # tool_approvals.append(
                        #     ToolApproval(
                        #         tool_call_id=tool_call.id,
                        #         approve=True,
                        #         headers={}  # No headers needed for keyless
                        #     )
                        # )
                        
                        # Option 2: With headers (if MCP server requires them)
                        tool_approvals.append(
                            ToolApproval(
                                tool_call_id=tool_call.id,
                                approve=True,
                                headers=mcp_tool.headers,  # Uses configured headers if needed
                            )
                        )
                    except Exception as e:
                        print(f"Error approving tool_call {tool_call.id}: {e}")

            print(f"tool_approvals: {tool_approvals}")
            if tool_approvals:
                agents_client.runs.submit_tool_outputs(
                    thread_id=thread.id, run_id=run.id, tool_approvals=tool_approvals
                )

        print(f"Current run status: {run.status}")

    print(f"Run completed with status: {run.status}")
    if run.status == "failed":
        print(f"Run failed: {run.last_error}")

    # Display run steps and tool calls
    run_steps = agents_client.run_steps.list(thread_id=thread.id, run_id=run.id)

    # Loop through each step
    for step in run_steps:
        print(f"Step {step['id']} status: {step['status']}")

        # Check if there are tool calls in the step details
        step_details = step.get("step_details", {})
        tool_calls = step_details.get("tool_calls", [])

        if tool_calls:
            print("  MCP Tool calls:")
            for call in tool_calls:
                print(f"    Tool Call ID: {call.get('id')}")
                print(f"    Type: {call.get('type')}")

        print()  # add an extra newline between steps

    # Fetch and log all messages
    messages = agents_client.messages.list(thread_id=thread.id)
    print("\nConversation:")
    print("-" * 50)
    for msg in messages:
        if msg.text_messages:
            last_text = msg.text_messages[-1]
            print(f"{msg.role.upper()}: {last_text.text.value}")
            print("-" * 50)

    # Example of dynamic tool management (keyless)
    print(f"\nDemonstrating keyless dynamic tool management:")
    print(f"Current allowed tools: {mcp_tool.allowed_tools}")
    print("‚úÖ All operations completed using keyless authentication!")


---

**Upozornenie**:  
Tento dokument bol prelo≈æen√Ω pomocou slu≈æby AI prekladu [Co-op Translator](https://github.com/Azure/co-op-translator). Aj keƒè sa sna≈æ√≠me o presnos≈•, pros√≠m, berte na vedomie, ≈æe automatizovan√© preklady m√¥≈æu obsahova≈• chyby alebo nepresnosti. P√¥vodn√Ω dokument v jeho p√¥vodnom jazyku by mal by≈• pova≈æovan√Ω za autoritat√≠vny zdroj. Pre kritick√© inform√°cie sa odpor√∫ƒça profesion√°lny ƒæudsk√Ω preklad. Nie sme zodpovedn√≠ za ak√©koƒævek nedorozumenia alebo nespr√°vne interpret√°cie vypl√Ωvaj√∫ce z pou≈æitia tohto prekladu.
