# Azure AI Agents s podporou Model Context Protocol (MCP) - Python

Tento notebook ukazuje, jak pou≈æ√≠vat Azure AI Agents s n√°stroji Model Context Protocol (MCP) v Pythonu. Demonstruje, jak vytvo≈ôit inteligentn√≠ho agenta, kter√Ω m≈Ø≈æe vyu≈æ√≠vat extern√≠ MCP servery (nap≈ô√≠klad Microsoft Learn) pro roz≈°√≠≈ôen√© schopnosti pomoc√≠ autentizace bez kl√≠ƒçe.


## Instalace pot≈ôebn√Ωch bal√≠ƒçk≈Ø Pythonu

Nejprve je nutn√© nainstalovat pot≈ôebn√© bal√≠ƒçky Pythonu:
- **azure-ai-projects**: Z√°kladn√≠ SDK pro Azure AI Projects
- **azure-ai-agents**: SDK pro Azure AI Agents pro vytv√°≈ôen√≠ a spr√°vu agent≈Ø
- **azure-identity**: Poskytuje bezkl√≠ƒçovou autentizaci pomoc√≠ DefaultAzureCredential
- **mcp**: Implementace Model Context Protocol pro Python


## V√Ωhody autentizace bez kl√≠ƒç≈Ø

Tento notebook demonstruje **autentizaci bez kl√≠ƒç≈Ø**, kter√° p≈ôin√°≈°√≠ nƒõkolik v√Ωhod:
- ‚úÖ **≈Ω√°dn√© API kl√≠ƒçe k spravov√°n√≠** - Vyu≈æ√≠v√° autentizaci zalo≈æenou na identitƒõ Azure
- ‚úÖ **Zv√Ω≈°en√° bezpeƒçnost** - ≈Ω√°dn√° tajemstv√≠ ulo≈æen√° v k√≥du nebo konfiguraƒçn√≠ch souborech
- ‚úÖ **Automatick√° rotace p≈ôihla≈°ovac√≠ch √∫daj≈Ø** - Azure se star√° o spr√°vu ≈æivotn√≠ho cyklu p≈ôihla≈°ovac√≠ch √∫daj≈Ø
- ‚úÖ **≈ò√≠zen√≠ p≈ô√≠stupu na z√°kladƒõ rol√≠** - Pou≈æ√≠v√° Azure RBAC pro detailn√≠ nastaven√≠ opr√°vnƒõn√≠
- ‚úÖ **Podpora v√≠ce prost≈ôed√≠** - Funguje bez probl√©m≈Ø jak v prost≈ôed√≠ v√Ωvoje, tak v produkci

`DefaultAzureCredential` automaticky vyb√≠r√° nejlep≈°√≠ dostupn√Ω zdroj p≈ôihla≈°ovac√≠ch √∫daj≈Ø:
1. **Spravovan√° identita** (p≈ôi bƒõhu v Azure)
2. P≈ôihla≈°ovac√≠ √∫daje z **Azure CLI** (bƒõhem lok√°ln√≠ho v√Ωvoje)
3. P≈ôihla≈°ovac√≠ √∫daje z **Visual Studio**
4. **Promƒõnn√© prost≈ôed√≠** (pokud jsou nastaveny)
5. Autentizace p≈ôes **interaktivn√≠ prohl√≠≈æeƒç** (jako z√°lo≈æn√≠ mo≈ænost)


## Nastaven√≠ autentizace bez kl√≠ƒç≈Ø

**P≈ôedpoklady pro autentizaci bez kl√≠ƒç≈Ø:**

### Pro lok√°ln√≠ v√Ωvoj:
```bash
# Install Azure CLI and login
az login
# Verify your identity
az account show
```

### Pro prost≈ôed√≠ Azure:
- Aktivujte **System-assigned Managed Identity** na va≈°em Azure zdroji
- P≈ôi≈ôaƒète odpov√≠daj√≠c√≠ **RBAC role** k t√©to identitƒõ:
  - `Cognitive Services OpenAI User` pro p≈ô√≠stup k Azure OpenAI
  - `AI Developer` pro p≈ô√≠stup k projekt≈Øm Azure AI

### Promƒõnn√© prost≈ôed√≠ (voliteln√©):
```python
# These are automatically detected by DefaultAzureCredential
# AZURE_CLIENT_ID=<your-client-id>
# AZURE_CLIENT_SECRET=<your-client-secret>
# AZURE_TENANT_ID=<your-tenant-id>
```

**≈Ω√°dn√© API kl√≠ƒçe ani p≈ôipojovac√≠ ≈ôetƒõzce nejsou pot≈ôeba!** üîê


In [None]:
! pip install azure-ai-projects -U
! pip install azure-ai-agents==1.1.0b4 -U
! pip install azure-identity -U
! pip install mcp==1.11.0 -U

## Importujte pot≈ôebn√© knihovny

Importujte nezbytn√© Python moduly:
- **os, time**: Standardn√≠ Python knihovny pro promƒõnn√© prost≈ôed√≠ a zpo≈ædƒõn√≠
- **AIProjectClient**: Hlavn√≠ klient pro Azure AI Projects
- **DefaultAzureCredential**: Bezkl√≠ƒçov√° autentizace pro Azure slu≈æby
- **T≈ô√≠dy souvisej√≠c√≠ s MCP**: Pro vytv√°≈ôen√≠ a spr√°vu MCP n√°stroj≈Ø a zpracov√°n√≠ schv√°len√≠


In [None]:
import os, time
from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential
from azure.ai.agents.models import McpTool, RequiredMcpToolCall, SubmitToolApprovalAction, ToolApproval


## Nastaven√≠ konfigurace MCP serveru

Nastavte konfiguraci MCP serveru pomoc√≠ promƒõnn√Ωch prost≈ôed√≠ s v√Ωchoz√≠mi hodnotami:
- **MCP_SERVER_URL**: URL adresa MCP serveru (v√Ωchoz√≠ je Microsoft Learn API)
- **MCP_SERVER_LABEL**: Oznaƒçen√≠ pro identifikaci MCP serveru (v√Ωchoz√≠ je "mslearn")

Tento p≈ô√≠stup umo≈æ≈àuje flexibiln√≠ konfiguraci nap≈ô√≠ƒç r≈Øzn√Ωmi prost≈ôed√≠mi.


In [None]:
mcp_server_url = os.environ.get("MCP_SERVER_URL", "https://learn.microsoft.com/api/mcp")
mcp_server_label = os.environ.get("MCP_SERVER_LABEL", "mslearn")

## Vytvo≈ôen√≠ klienta Azure AI Project (Autentizace bez kl√≠ƒçe)

Inicializujte klienta Azure AI Project pomoc√≠ **autentizace bez kl√≠ƒçe**:
- **endpoint**: URL koncov√©ho bodu projektu Azure AI Foundry
- **credential**: Pou≈æ√≠v√° `DefaultAzureCredential()` pro bezpeƒçnou autentizaci bez kl√≠ƒçe
- **≈Ω√°dn√© API kl√≠ƒçe nejsou pot≈ôeba**: Automaticky vyhled√° a pou≈æije nejlep≈°√≠ dostupn√© p≈ôihla≈°ovac√≠ √∫daje

**Proces autentizace:**
1. Kontroluje Managed Identity (v prost≈ôed√≠ Azure)
2. P≈ôech√°z√≠ na p≈ôihla≈°ovac√≠ √∫daje Azure CLI (pro lok√°ln√≠ v√Ωvoj)
3. Pou≈æ√≠v√° dal≈°√≠ dostupn√© zdroje p≈ôihla≈°ovac√≠ch √∫daj≈Ø podle pot≈ôeby

Tento p≈ô√≠stup eliminuje pot≈ôebu spravovat API kl√≠ƒçe nebo p≈ôipojovac√≠ ≈ôetƒõzce ve va≈°em k√≥du.


In [None]:
project_client = AIProjectClient(
    endpoint="Your Azure AI Foundry Endpoint",
    credential=DefaultAzureCredential(),
)

## Vytvo≈ôen√≠ definice n√°stroje MCP

Vytvo≈ôte n√°stroj MCP, kter√Ω se p≈ôipojuje k serveru Microsoft Learn MCP:
- **server_label**: Identifik√°tor pro server MCP
- **server_url**: URL endpoint serveru MCP
- **allowed_tools**: Voliteln√Ω seznam pro omezen√≠, kter√© n√°stroje mohou b√Ωt pou≈æity (pr√°zdn√Ω seznam umo≈æ≈àuje v≈°echny n√°stroje)

Tento n√°stroj umo≈æn√≠ agentovi p≈ô√≠stup k dokumentaci a zdroj≈Øm Microsoft Learn.


In [None]:
mcp_tool = McpTool(
    server_label=mcp_server_label,
    server_url=mcp_server_url,
    allowed_tools=[],  # Optional: specify allowed tools
)


## Vytvo≈ôen√≠ agenta a veden√≠ konverzace (bez kl√≠ƒç≈Ø)

Tato komplexn√≠ sekce ukazuje kompletn√≠ **workflow agenta bez kl√≠ƒç≈Ø**:

1. **Vytvo≈ôen√≠ AI agenta**: Nastavte agenta s modelem GPT-4.1 nano a n√°stroji MCP
2. **Vytvo≈ôen√≠ vl√°kna**: Zalo≈æte konverzaƒçn√≠ vl√°kno pro komunikaci
3. **Odesl√°n√≠ zpr√°vy**: Zeptejte se agenta na rozd√≠ly mezi Azure OpenAI a OpenAI
4. **Schvalov√°n√≠ n√°stroj≈Ø**: Automaticky schvalujte vol√°n√≠ n√°stroj≈Ø MCP, pokud je to pot≈ôeba
5. **Sledov√°n√≠ pr≈Øbƒõhu**: Sledujte pokrok agenta a ≈ôe≈°te p≈ô√≠padn√© po≈æadovan√© akce
6. **Zobrazen√≠ v√Ωsledk≈Ø**: Zobrazte detaily konverzace a pou≈æit√≠ n√°stroj≈Ø

**Funkce bez kl√≠ƒç≈Ø:**
- ‚úÖ **≈Ω√°dn√° pevnƒõ zak√≥dovan√° tajemstv√≠** - Ve≈°ker√© ovƒõ≈ôov√°n√≠ je zaji≈°tƒõno identitou Azure
- ‚úÖ **Bezpeƒçn√© jako standard** - Pou≈æ√≠v√° ≈ô√≠zen√≠ p≈ô√≠stupu na z√°kladƒõ rol√≠
- ‚úÖ **Zjednodu≈°en√© nasazen√≠** - Nen√≠ nutn√° spr√°va p≈ôihla≈°ovac√≠ch √∫daj≈Ø
- ‚úÖ **P≈ô√°telsk√© k auditu** - Ve≈°ker√Ω p≈ô√≠stup je sledov√°n prost≈ôednictv√≠m identity Azure

Agent bude pou≈æ√≠vat n√°stroje MCP k p≈ô√≠stupu k Microsoft Learn zdroj≈Øm s plnou bezpeƒçnost√≠ a bez spr√°vy API kl√≠ƒç≈Ø.


In [None]:
with project_client:
    agents_client = project_client.agents

    # Create a new agent with keyless authentication
    # NOTE: To reuse existing agent, fetch it with get_agent(agent_id)
    agent = agents_client.create_agent(
        model="Your Azure OpenAI Model Deployment Name",
        name="my-mcp-agent",
        instructions="You are a helpful agent that can use MCP tools to assist users. Use the available MCP tools to answer questions and perform tasks.",
        tools=mcp_tool.definitions,
    )
    print(f"Created agent, ID: {agent.id}")
    print(f"MCP Server: {mcp_tool.server_label} at {mcp_tool.server_url}")

    # Create thread for communication
    thread = agents_client.threads.create()
    print(f"Created thread, ID: {thread.id}")

    # Create message to thread
    message = agents_client.messages.create(
        thread_id=thread.id,
        role="user",
        content="What's difference between Azure OpenAI and OpenAI?",
    )
    print(f"Created message, ID: {message.id}")

    # KEYLESS APPROACH: Handle tool approvals without hardcoded secrets
    
    # Option 1: Completely keyless (recommended for Azure identity-enabled MCP servers)
    # run = agents_client.runs.create(thread_id=thread.id, agent_id=agent.id, tool_resources=mcp_tool.resources)
    
    # Option 2: With minimal headers (if MCP server requires specific headers)
    # For demonstration purposes, using a placeholder header
    mcp_tool.update_headers("SuperSecret", "123456")  # Replace with actual auth if needed
    
    # Set approval mode - uncomment next line to disable approval requirement completely
    # mcp_tool.set_approval_mode("never")  # Fully automated, no approval needed
    
    run = agents_client.runs.create(thread_id=thread.id, agent_id=agent.id, tool_resources=mcp_tool.resources)
    print(f"Created run, ID: {run.id}")

    while run.status in ["queued", "in_progress", "requires_action"]:
        time.sleep(1)
        run = agents_client.runs.get(thread_id=thread.id, run_id=run.id)

        if run.status == "requires_action" and isinstance(run.required_action, SubmitToolApprovalAction):
            tool_calls = run.required_action.submit_tool_approval.tool_calls
            if not tool_calls:
                print("No tool calls provided - cancelling run")
                agents_client.runs.cancel(thread_id=thread.id, run_id=run.id)
                break

            tool_approvals = []
            for tool_call in tool_calls:
                if isinstance(tool_call, RequiredMcpToolCall):
                    try:
                        print(f"Approving tool call: {tool_call}")
                        
                        # KEYLESS APPROVAL OPTIONS:
                        
                        # Option 1: No headers (fully keyless)
                        # tool_approvals.append(
                        #     ToolApproval(
                        #         tool_call_id=tool_call.id,
                        #         approve=True,
                        #         headers={}  # No headers needed for keyless
                        #     )
                        # )
                        
                        # Option 2: With headers (if MCP server requires them)
                        tool_approvals.append(
                            ToolApproval(
                                tool_call_id=tool_call.id,
                                approve=True,
                                headers=mcp_tool.headers,  # Uses configured headers if needed
                            )
                        )
                    except Exception as e:
                        print(f"Error approving tool_call {tool_call.id}: {e}")

            print(f"tool_approvals: {tool_approvals}")
            if tool_approvals:
                agents_client.runs.submit_tool_outputs(
                    thread_id=thread.id, run_id=run.id, tool_approvals=tool_approvals
                )

        print(f"Current run status: {run.status}")

    print(f"Run completed with status: {run.status}")
    if run.status == "failed":
        print(f"Run failed: {run.last_error}")

    # Display run steps and tool calls
    run_steps = agents_client.run_steps.list(thread_id=thread.id, run_id=run.id)

    # Loop through each step
    for step in run_steps:
        print(f"Step {step['id']} status: {step['status']}")

        # Check if there are tool calls in the step details
        step_details = step.get("step_details", {})
        tool_calls = step_details.get("tool_calls", [])

        if tool_calls:
            print("  MCP Tool calls:")
            for call in tool_calls:
                print(f"    Tool Call ID: {call.get('id')}")
                print(f"    Type: {call.get('type')}")

        print()  # add an extra newline between steps

    # Fetch and log all messages
    messages = agents_client.messages.list(thread_id=thread.id)
    print("\nConversation:")
    print("-" * 50)
    for msg in messages:
        if msg.text_messages:
            last_text = msg.text_messages[-1]
            print(f"{msg.role.upper()}: {last_text.text.value}")
            print("-" * 50)

    # Example of dynamic tool management (keyless)
    print(f"\nDemonstrating keyless dynamic tool management:")
    print(f"Current allowed tools: {mcp_tool.allowed_tools}")
    print("‚úÖ All operations completed using keyless authentication!")


---

**Prohl√°≈°en√≠**:  
Tento dokument byl p≈ôelo≈æen pomoc√≠ slu≈æby pro automatick√Ω p≈ôeklad [Co-op Translator](https://github.com/Azure/co-op-translator). Aƒçkoli se sna≈æ√≠me o p≈ôesnost, mƒõjte pros√≠m na pamƒõti, ≈æe automatick√© p≈ôeklady mohou obsahovat chyby nebo nep≈ôesnosti. P≈Øvodn√≠ dokument v jeho p≈Øvodn√≠m jazyce by mƒõl b√Ωt pova≈æov√°n za autoritativn√≠ zdroj. Pro d≈Øle≈æit√© informace doporuƒçujeme profesion√°ln√≠ lidsk√Ω p≈ôeklad. Neodpov√≠d√°me za ≈æ√°dn√° nedorozumƒõn√≠ nebo nespr√°vn√© interpretace vypl√Ωvaj√≠c√≠ z pou≈æit√≠ tohoto p≈ôekladu.
