Description
Describe the bug
When I try to call an AI agent created in Azure AI Foundry (Sweden Central) using DefaultAzureCredential (Microsoft Entra ID) in both the Notebook and the Playground, the request fails with a 403 Forbidden error:
POST https://obotoken.vienna-swedencentral.svc/obotoken/v1.0/saveusertoken/v2
403 Forbidden
Error Code: UserError/ForbiddenError
AADSTS53003: Access has been blocked by Conditional Access policies. The access policy does not allow token issuance.
I have not changed any Conditional Access policies, and I can successfully create and call agents via API key—but not via DefaultAzureCredential.
To Reproduce
Go to Azure AI Foundry portal in the Sweden Central region.
Create a new AI agent.
In a notebook (or the Playground), configure environment variables for DefaultAzureCredential.
Run the example code that calls obotoken/v1.0/saveusertoken/v2.
Observe the 403 error in the response.
Expected behavior
The token should be issued successfully and the agent call should complete without a 403 error.
Screenshots
If applicable, attach a screenshot of the error from the Notebook or Playground here.
Desktop (please complete the following information):
OS: Mac Air M3
Browser: Microsoft Edge
Azure region: Sweden Central
Smartphone (please complete the following information):
N/A
Additional context
I can create API clients and make requests using API keys without issue.
The agent itself is created successfully in the Foundry portal, so my environment variables appear correct.
The error suggests a Conditional Access policy is blocking token issuance, but I have not configured any custom policies, and my admin has not made changes.
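One way to find out which policy produced the AADSTS53003 block described in this report is to inspect the Entra ID sign-in log entry for the failed request. The following is an added example, not part of the original issue or of the project's code; it filters records shaped like Microsoft Graph `signIn` objects (as returned by `GET /auditLogs/signIns`), and every user, resource and policy name in it is constructed.

```python
# Constructed sample records in the shape of Microsoft Graph signIn objects.
# All users, resources and policy names below are made up for illustration.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "dev@example.test", "resourceDisplayName": "Example Resource A",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "failure"},
         {"displayName": "Require MFA for admins", "result": "notApplied"}]},
    {"userPrincipalName": "dev@example.test", "resourceDisplayName": "Example Resource B",
     "status": {"errorCode": 0}, "conditionalAccessStatus": "success",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Require compliant device", "result": "success"}]},
    {"userPrincipalName": "ops@example.test", "resourceDisplayName": "Example Resource A",
     "status": {"errorCode": 53003}, "conditionalAccessStatus": "failure",
     "appliedConditionalAccessPolicies": [
         {"displayName": "Block legacy locations", "result": "failure"},
         {"displayName": "Pilot: token protection", "result": "reportOnlyFailure"}]},
]


def blocking_policies(signins, error_code=53003):
    """Return one finding per sign-in that failed with error_code.

    'blocked_by' lists policies whose result was 'failure' (enforced block);
    'report_only' lists policies that would have failed but are not enforced.
    """
    findings = []
    for record in signins:
        if record.get("status", {}).get("errorCode") != error_code:
            continue
        # The policy list can be missing or null, so fall back to an empty list.
        applied = record.get("appliedConditionalAccessPolicies") or []
        findings.append({
            "user": record.get("userPrincipalName"),
            "resource": record.get("resourceDisplayName"),
            "blocked_by": [p.get("displayName") for p in applied
                           if p.get("result") == "failure"],
            "report_only": [p.get("displayName") for p in applied
                            if p.get("result") == "reportOnlyFailure"],
        })
    return findings


if __name__ == "__main__":
    for finding in blocking_policies(SAMPLE_SIGNINS):
        print(finding)
```

The `resource` field in each finding shows which downstream resource the token was requested for, which helps when a policy scoped to "all cloud apps" blocks a service the user never targeted directly.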