[Teams Chatbot] Reduce hosted agent log noise and use AAD-only Cosmos auth#16230
Merged
Merged
Conversation
Container startup logs were flooded with benign, non-actionable messages and Cosmos DB still supported key-based auth. This cleans both up. Log noise (agents/chat_agent): - init.py: raise A365 exporter logger to CRITICAL to drop repeated insufficient_scope 403 errors (severity 3) emitted until the agent identity is granted Agent365.Observability.OtelWrite. - init.py: raise microsoft.opentelemetry._distro logger to ERROR to drop the benign "No module named 'agents'" warning (openai-agents SDK is not installed / not used). - Dockerfile: set OTEL_EXPERIMENTAL_RESOURCE_DETECTORS=otel so the Azure VM resource detector no longer probes IMDS (169.254.169.254), which always fails with Connection refused in a Foundry hosted container. Cosmos DB auth (utils/azure_cosmosdb.py): - Remove key-based auth path (_get_cosmos_credential + Key Vault lookup); authenticate exclusively via get_credential() (AAD / managed identity). Note: the A365 exporter suppression is a workaround. The root cause is a missing Agent365.Observability.OtelWrite app-role assignment on the agent identities, which requires a directory admin to grant.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR reduces operational log noise in the Teams chatbot hosted container and simplifies Cosmos DB authentication by removing the Key Vault key-based fallback in favor of AAD/managed identity only.
Changes:
- Suppresses specific high-volume OpenTelemetry/A365-related loggers by setting per-logger severity thresholds.
- Removes Cosmos DB key-based auth retrieval (Key Vault
AZURE-COSMOSDB-KEY) and usesget_credential()exclusively. - Sets
OTEL_EXPERIMENTAL_RESOURCE_DETECTORS=otelin the chat agent container to avoid IMDS probing in hosted environments.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| tools/sdk-ai-bots/azure-sdk-qa-bot-agent/utils/azure_cosmosdb.py | Removes Key Vault key retrieval path; Cosmos client now uses AAD credential only. |
| tools/sdk-ai-bots/azure-sdk-qa-bot-agent/agents/chat_agent/init.py | Refactors noisy logger suppression to per-logger configurable levels; adds A365-related suppressions. |
| tools/sdk-ai-bots/azure-sdk-qa-bot-agent/agents/chat_agent/Dockerfile | Sets OTEL resource detector env var to prevent IMDS/VM detector startup noise/latency. |
lirenhe
approved these changes
Jul 2, 2026
Member
Author
|
/check-enforcer override |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolve the issues found by SRE agent
microsoft.opentelemetry.a365.core.exporters.agent365_exporter, original log is below. It's caused by agent lacks Agent 365 observability permissions(doc), Currently we do not need export telemetry to Microsoft Agent 365, and the permission requires Global Administrator or Application Administrator role in Microsoft Entra ID, so we could suppress this error now.Changes
Log noise reduction (
agents/chat_agent/)init.py— convert the noisy-logger suppression loop to(logger_name, level)tuples and add two entries:microsoft.opentelemetry.a365.core.exporters.agent365_exporter→CRITICAL: drops the repeatedinsufficient_scope403 errors (severity 3) emitted until the agent identity is grantedAgent365.Observability.OtelWrite.microsoft.opentelemetry._distro→ERROR: drops the benignNo module named 'agents'warning (theopenai-agentsSDK is not installed / not used by this agent).Dockerfile— setENV OTEL_EXPERIMENTAL_RESOURCE_DETECTORS=otelso the Azure VM resource detector no longer probes IMDS (169.254.169.254), which always fails withConnection refusedin a Foundry hosted container (not a VM). Removes the failed HTTP call and its startup latency.Cosmos DB auth (
utils/azure_cosmosdb.py)_get_cosmos_credential()+ Key VaultAZURE-COSMOSDB-KEYlookup) and the now-unusedget_secretimport.get_credential()(AAD / managed identity).