README.md

Declarative Agent with an API plugin connected to an OAuth-secured API with validation (Python)

Summary

This sample demonstrates how to build a declarative agent for Microsoft 365 Copilot that answers questions about repairs. The agent uses an API plugin to connect to an API that is secured with Entra ID.

Key aspects of the sample:

• Shows how to configure Microsoft 365 Agents Toolkit to make a declarative agent with an API plugin that is secured with Entra ID with just F5 to run locally.

• Shows how to validate an Entra ID access token in Python using PyJWT rather than rely on an external service. This differs from the Teams Toolkit scaffolding, which doesn't authenticate users locally but instead relies on Azure App Services authentication (EasyAuth) for security in Azure only. Note: the included Bicep still enables Easy Auth as defense-in-depth when deployed to Azure, but the primary validation is done in code.

Here are some advantages of validating the token in your code instead of using Easy Auth:

• Since Easy Auth doesn't work locally, local requests are not authenticated. By handling in code, local requests are authenticated and the packaging source files are the same for all environments.

• If the code is deployed outside of Azure App Services, and if the included Bicep files aren't used, the code will appear to work but will do no token validation at all.

• With the Easy Auth scenario, if something goes wrong there is no way to inspect the OAuth token. In this sample you can set a breakpoint to inspect the token and walk through the validation.

• Easy Auth does not check the scope, or check to see if the token is an app token.

Prerequisites

• Microsoft 365 tenant with Microsoft 365 Copilot
• Visual Studio Code with Microsoft 365 Agents Toolkit v5.10 or greater
• Python version 3.10 or later
• Azure Functions Core Tools v4

Version history

Version	Date	Author	Comments
1.0	May 7, 2026	YugalPradhan31	Initial release (Python port)

Disclaimer

THIS CODE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.

---

Minimal Path to Awesome

• Clone this repository

• Open the cloned copy of this folder with Visual Studio Code

• Install required Python packages:

  pip install -r requirements.txt

• Press F5 to run the application. A browser window should open offering to add your application to Microsoft Teams.

Features

This sample illustrates the following concepts:

• Building a declarative agent for Microsoft 365 Copilot with an API plugin
• Connecting an API plugin to an API secured with OAuth
• Using Python Azure Functions to build an API secured with Entra ID
• Validating Entra ID tokens in code using PyJWT (without Easy Auth)
• Using dev tunnels to test the API plugin locally

Further reading

• Build declarative agents for Microsoft 365 Copilot
• API Plugins for Microsoft 365 Copilot
• PyJWT Documentation
• Azure Functions Python developer guide