Skip to main content
Items marked (preview) in this article are currently in public preview. This preview is provided without a service-level agreement, and we don’t recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
When you connect to Work IQ, you may incur costs and data may be sent outside the Azure compliance boundary and processed according to the applicable service terms and data handling policies. It is your responsibility to manage whether your data will flow outside of your organization’s compliance and geographic boundaries and any related implications, and that appropriate permissions, boundaries, and approvals are provisioned.You’re responsible for carefully reviewing and testing applications you build in the context of your specific use cases and making all appropriate decisions and customizations. This includes implementing your own responsible AI mitigations, such as metaprompts, content filters, or other safety systems, and ensuring your applications meet appropriate quality, reliability, security, and trustworthiness standards. See the Foundry Agent Service transparency note.
For information on optimizing tool usage, see best practices.
Work IQ is the intelligence layer that grounds Microsoft 365 Copilot and your agents in real-time, shared context across your organization. It captures signals from emails, meetings, files, chats, and business systems, and applies semantic understanding so agents can reason over work data and take action. All requests run in the context of the signed-in user and honor Microsoft 365 permissions. You connect your Foundry agent to Work IQ through the Agent-to-Agent (A2A) protocol. Your agent delegates natural-language tasks to Work IQ as a peer agent — for example, “Summarize my recent emails about Project Contoso” — and Work IQ handles retrieval, reasoning, and response synthesis against the user’s Microsoft 365 data.

Usage support

Microsoft Foundry supportPython SDKC# SDKJavaScript SDKJava SDKREST APIBasic agent setupStandard agent setup
Work IQ✔️✔️✔️✔️✔️✔️

Prerequisites

Virtual network (VNet) integration is not supported. Your Foundry project must not use a VNet-restricted endpoint.
Before you begin, make sure you have:
  • A Microsoft 365 Copilot license. Users who call Work IQ tools through your agent must also have this license.
  • An active Microsoft Foundry project with a deployed model.
  • Azure RBAC roles:
    • Foundry User role on the Foundry project for the developer identity, the agent’s runtime identity, and any user identity involved in OAuth flows.
    • Foundry Project Manager role on the Foundry project for creating a Foundry connection to the Work IQ endpoint.
  • A Microsoft Entra Global Administrator who can grant admin consent for WorkIQAgent.Ask in your tenant and create or delegate app registrations.
  • Foundry Toolkit: Install Visual Studio Code and Foundry Toolkit for Visual Studio Code.

How it works

  1. Your agent dispatches a tool call — When the agent model identifies a task that requires Microsoft 365 data, it emits a tool call to the work_iq_preview tool.
  2. Foundry routes the request to Work IQ via A2A — Foundry uses the Agent-to-Agent (A2A) protocol to forward the natural-language query to Work IQ as a peer agent. Authentication uses On-Behalf-Of (OBO) so the request runs in the context of the signed-in user.
  3. Work IQ retrieves and reasons over M365 data — Work IQ queries the user’s emails, meetings, files, chats, and other Microsoft 365 signals. It applies semantic understanding to synthesize a response grounded in the user’s actual work context, honoring Microsoft 365 permissions and sensitivity labels throughout.
  4. The result is returned to your agent — Work IQ returns the synthesized response to Foundry via A2A. Your agent incorporates it into its reply to the user.

Connect to Work IQ

Add the Work IQ tool to your agent

Authentication and security

Work IQ uses Microsoft Entra ID delegated authentication. All requests run in the context of the signed-in user. Application-only (app-only) authentication isn’t supported. Microsoft 365 permissions are enforced automatically — Work IQ agents can never access data that the signed-in user isn’t already permitted to see. Only Bring your own Entra app (On-Behalf-Of authentication) is supported for Work IQ connections. This gives your Entra admin explicit control over which applications can retrieve Microsoft 365 data through Work IQ: the admin reviews and grants the WorkIQAgent.Ask permission specifically for your registered app.

Set up your Entra app (one-time, per organization)

An Entra admin must complete the following steps before you can create a Work IQ connection in Foundry.

Provision the Work IQ service principal (one-time)

Before you create the app registration, a Global Administrator must provision the Work IQ service principal in your tenant. If this step is skipped, the Work IQ option won’t appear when you search API permissions. Follow Step 1: Create the Work IQ service principal in the Work IQ API quickstart. A 201 Created response from Graph Explorer confirms success. A conflict error means the principal already exists — continue to the next step.

Create the app registration

  1. Go to the Microsoft Entra admin center. In the left navigation, select Entra ID > App registrations.
  2. Select New registration. Give the app a descriptive name and set Supported account types to Accounts in this organizational directory only. Select Register.
  3. Copy the Application (client) ID. You need this value when creating the Foundry connection.
  4. Select API permissions > Add a permission > APIs my organization uses. Search for Work IQ (application ID fdcc1f02-fc51-4226-8753-f668596af7f7), select Delegated permissions, select WorkIQAgent.Ask, then select Add permissions.
Screenshot of the Request API permissions panel in the Microsoft Entra admin center, showing the APIs my organization uses tab with Work IQ entered in the search box.
Screenshot of the Work IQ delegated permissions selection in the Microsoft Entra admin center, showing WorkIQAgent.Ask permission with Admin consent required.
  1. Select Grant admin consent for [your tenant]. Review the confirmation dialog and select Yes.
Granting tenant-wide admin consent requires the Global Administrator role in Microsoft Entra ID. If you don’t have this role, ask your organization’s Global Administrator to complete this step.
  1. Select Certificates & secrets > New client secret. Add a description and expiration. Select Add, then immediately copy the secret Value — it’s only shown once.
  2. Copy your Directory (tenant) ID from the Microsoft Entra ID overview page.

Fill in the Foundry connection values

In Microsoft Foundry, open your project and go to Settings > Connections > New connection > Work IQ. Fill in the following fields:
FieldValue
Client IDApplication (client) ID from step 3
Client secretClient secret value from step 6
Authorization URLhttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize
Token URLhttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Refresh URLhttps://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
Scopesapi://workiq.svc.cloud.microsoft/WorkIQAgent.Ask,offline_access
Replace {tenant-id} with your Directory (tenant) ID from step 7. Select Save to create the connection.
Screenshot of the Edit connection dialog in the Foundry portal, showing fields for Remote MCP Server endpoint, Authentication set to OAuth Identity Passthrough, Client ID, Client secret, Token URL, Auth URL, Refresh URL, and Scopes filled in for Work IQ.
Connection fields can’t be edited after creation. If you enter incorrect values, delete the connection and create a new one.

Add the redirect URI to your app registration

After Foundry creates the connection, it displays an OAuth redirect URL. Add this URL to your app registration:
  1. In the Microsoft Entra admin center, go to Entra ID > App registrations and select your app.
  2. Select Authentication > Add a platform > Web.
  3. Under Redirect URIs, paste the OAuth redirect URL from Foundry.
  4. Select Configure.

Create the connection with the REST API

As an alternative to the Foundry portal, use the Azure Resource Manager API to create the Work IQ connection programmatically. Step 1: Acquire a token 
ARM_TOKEN=$(az account get-access-token \
  --resource https://management.azure.com \
  --query accessToken -o tsv)
Step 2: Create the connection 
SUBSCRIPTION_ID=<your-subscription-id>
RESOURCE_GROUP=<your-resource-group>
ACCOUNT_NAME=<your-foundry-account-name>
PROJECT_NAME=<your-project-name>
CONNECTION_NAME=<name-for-this-connection>
TENANT_ID=<your-tenant-id>
CLIENT_ID=<your-client-id>
CLIENT_SECRET=<your-client-secret>

curl --request PUT \
  --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.CognitiveServices/accounts/$ACCOUNT_NAME/projects/$PROJECT_NAME/connections/$CONNECTION_NAME?api-version=2025-04-01-preview" \
  --header "Authorization: Bearer $ARM_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "tags": null,
    "location": null,
    "name": "'"$CONNECTION_NAME"'",
    "type": "Microsoft.MachineLearningServices/workspaces/connections",
    "properties": {
      "authType": "OAuth2",
      "group": "ServicesAndApps",
      "category": "RemoteA2A",
      "expiryTime": null,
      "target": "https://workiq.svc.cloud.microsoft/a2a/",
      "isSharedToAll": true,
      "sharedUserList": [],
      "TokenUrl": "https://login.microsoftonline.com/'"$TENANT_ID"'/oauth2/v2.0/token",
      "AuthorizationUrl": "https://login.microsoftonline.com/'"$TENANT_ID"'/oauth2/v2.0/authorize",
      "RefreshUrl": "https://login.microsoftonline.com/'"$TENANT_ID"'/oauth2/v2.0/token",
      "Scopes": [
        "api://workiq.svc.cloud.microsoft/WorkIQAgent.Ask",
        "offline_access"
      ],
      "Credentials": {
        "ClientId": "'"$CLIENT_ID"'",
        "ClientSecret": "'"$CLIENT_SECRET"'"
      },
      "metadata": {
        "ApiType": "Azure"
      }
    }
  }'
A successful response returns HTTP 200 or 201. The response body includes a properties.oauthRedirectUrl field — use that value as the redirect URI in your Entra app registration (see Add the redirect URI to your app registration).

Data governance and compliance

Work IQ operates entirely within the Microsoft 365 trust boundary. The following commitments apply when you route agent requests through Work IQ.

Data residency

Work IQ retrieves data from your organization’s Microsoft 365 tenant. Data doesn’t leave your tenant or cross regional boundaries during retrieval. The data’s location follows your Microsoft 365 tenant data residency configuration, not your Foundry project region. For details, see Microsoft 365 Copilot privacy and data handling policies.

Privacy and data handling

All Work IQ requests are governed by the Microsoft 365 Copilot privacy and data handling policies. Key commitments:
  • Work IQ doesn’t use customer content to train or improve underlying AI models.

Access control and permissions

Work IQ enforces Microsoft 365 permissions automatically on every request. Agents can only access data that the signed-in user is already authorized to see — no elevation of privilege is possible:
  • Role-based access control, sensitivity labels, and information barriers defined in Microsoft 365 are respected.

Compliance certifications

Work IQ inherits Microsoft 365’s compliance certifications. For details, see Microsoft 365 Copilot privacy and data handling policies.

Admin management

As an Entra admin, you control which applications in your tenant can access Work IQ data on behalf of users. The following sections describe the key controls available to you. Admin consent for WorkIQAgent.Ask is required before any user in your organization can authenticate through the app. You can manage consent at any time:
  • Grant consent: In the Microsoft Entra admin center, go to Entra ID > App registrations > select the app > API permissions. Select Grant admin consent for [your tenant].
  • Revoke consent: On the same API permissions page, select the WorkIQAgent.Ask permission and select Revoke admin consent. Existing tokens remain valid until they expire; no new tokens can be issued after revocation.

Troubleshooting

SymptomLikely causeResolution
403 ForbiddenUser missing Microsoft 365 Copilot licenseAssign the license and wait 15–30 minutes for provisioning.
401 UnauthorizedToken audience mismatchEnsure the token is issued for api://workiq.svc.cloud.microsoft, not for a different resource.
403 Forbidden with Required scopes = [...]Admin consent for WorkIQAgent.Ask not grantedAn admin must grant consent for the app registration.
Agent gets no response or empty resultWork IQ index hasn’t built yet after license assignmentWait 15–30 minutes and retry.
Principal does not have access to API/OperationAgent identity missing Foundry User role at project scopeAssign Foundry User at both account scope and project scope.

Related content