Description
When using the Copilot SDK with a BYOK (Bring Your Own Key) Azure AI Foundry provider, the built-in task tool always fails because the sub-agent it spawns cannot authenticate. The parent session authenticates via Azure AI Foundry, but the sub-agent expects GitHub OAuth or Copilot HMAC credentials which don't exist in BYOK mode.
Every task invocation fails immediately with:
{
"message": "Error: No GitHub OAuth token or Copilot HMAC key provided",
"code": "failure"
}
This also means MCP servers configured in the parent session are inaccessible to sub-agents, since they never get past the auth step.
Environment
- Copilot SDK Version: 0.1.26 (.NET)
- .NET Version: 10.0
- OS: Linux (Ubuntu 24.04, containerized)
- Provider: Azure AI Foundry BYOK (
type: "azure")
- Model: gpt-5.2
Steps to Reproduce
- Create a Copilot client with a BYOK Azure AI Foundry provider
- Create a session with MCP servers configured
- Send a prompt that causes the agent to use the
task tool
- The model calls the
task tool to delegate work to a sub-agent
- The sub-agent immediately fails with the auth error above
var client = new CopilotClient(new CopilotClientOptions
{
CliPath = "copilot",
UseStdio = true
});
await client.StartAsync();
var session = await client.CreateSessionAsync(new SessionConfig
{
Model = "gpt-5.2",
Provider = new ProviderConfig
{
Type = "azure",
BaseUrl = "https://my-resource.services.ai.azure.com/openai/deployments/gpt-5.2",
ApiKey = "<key>"
},
McpServers = new Dictionary<string, McpServerConfig>
{
...
}
});
// Agent will try to use `task` tool to delegate to a sub-agent
// Sub-agent fails with "No GitHub OAuth token or Copilot HMAC key provided"
await session.SendAndWaitAsync(new MessageOptions
{
Prompt = "...."
});
Expected Behavior
The task tool should either:
- Propagate the parent session's auth context (BYOK provider config) and MCP server configurations to the sub-agent, OR
- Fail gracefully with an error indicating that
task is not supported in BYOK mode, so the model can fall back to direct tool calls
Actual Behavior
The task tool spawns a sub-agent that immediately fails because it tries to authenticate via GitHub OAuth/HMAC, which is not available in BYOK deployments. The error gives the model no indication that it should retry the same work as a direct tool call instead.
Impact
This effectively breaks any multi-step investigation workflow in BYOK mode:
- The model prefers delegating MCP tool calls via
task (likely trained on patterns where task works)
task always fails in BYOK mode
- The model rarely recovers by calling MCP tools directly
- The session produces empty results despite MCP servers being configured and available
Related Issues
Description
When using the Copilot SDK with a BYOK (Bring Your Own Key) Azure AI Foundry provider, the built-in
tasktool always fails because the sub-agent it spawns cannot authenticate. The parent session authenticates via Azure AI Foundry, but the sub-agent expects GitHub OAuth or Copilot HMAC credentials which don't exist in BYOK mode.Every
taskinvocation fails immediately with:{ "message": "Error: No GitHub OAuth token or Copilot HMAC key provided", "code": "failure" }This also means MCP servers configured in the parent session are inaccessible to sub-agents, since they never get past the auth step.
Environment
type: "azure")Steps to Reproduce
tasktooltasktool to delegate work to a sub-agentExpected Behavior
The
tasktool should either:taskis not supported in BYOK mode, so the model can fall back to direct tool callsActual Behavior
The
tasktool spawns a sub-agent that immediately fails because it tries to authenticate via GitHub OAuth/HMAC, which is not available in BYOK deployments. The error gives the model no indication that it should retry the same work as a direct tool call instead.Impact
This effectively breaks any multi-step investigation workflow in BYOK mode:
task(likely trained on patterns wheretaskworks)taskalways fails in BYOK modeRelated Issues
task)