Tool Execution<Support custom tool executors / tool execution interception> #6848
-
MotivationI'm evaluating Microsoft Agent Framework for an enterprise agent platform. One requirement is that the framework should allow the LLM to decide which tool to call, but not execute the tool automatically. Instead, I would like the build custom workflow to intercept the tool call, perform custom logic, execute the tool externally, and then return the result back to the agent. This is needed for scenarios such as:
Desired execution flowThe important part is that the framework should emit the tool call without executing it. Current behaviorFrom the documentation, it appears that:
However, I couldn't find an extension point that allows replacing the default tool executor or intercepting every tool invocation before execution. Another option would be exposing tool calls as events, allowing the host application to execute them and submit the result back to the agent. QuestionIs there already a supported way to implement this? If not, is a custom tool execution pipeline or tool executor planned for a future release? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments
-
|
This is the extension point I would want for the same class of enterprise platform use case. Approval-before-execution is useful, but it is not quite the same as host-owned execution. The distinction I would make in the API is:
For RBAC, tenant policy, secret handling, or remote execution, the important property is that the framework does not collapse "LLM selected a tool" and "tool side effect happened" into one internal step. Those need to be separate states with an operation id between them. A useful minimum contract would be something like a Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @kardwalker, Yes, for Python workflows the supported pattern for this is declaration-only tools plus the workflow
When the model selects that tool, the workflow pauses and emits a Sketch: from agent_framework import Agent, Content, FunctionTool, WorkflowBuilder
lookup_customer = FunctionTool(
name="lookup_customer",
func=None,
description="Lookup customer information through the host-controlled service.",
input_model={
"type": "object",
"properties": {
"customer_id": {"type": "string"},
},
"required": ["customer_id"],
},
)
agent = Agent(
client=client,
instructions="Use lookup_customer when customer data is needed.",
tools=[lookup_customer],
)
workflow = WorkflowBuilder(start_executor=agent).build()
result = await workflow.run("Find customer C123")
requests = result.get_request_info_events()
responses = {}
for event in requests:
call = event.data
args = call.parse_arguments()
external_result = await execute_tool_externally(
name=call.name,
arguments=args,
call_id=call.call_id,
)
responses[event.request_id] = Content.from_function_result(
call_id=call.call_id,
result=external_result,
)
result = await workflow.run(responses=responses)There is a sample of this exact shape in samples/03-workflows/human-in-the-loop/agents_with_declaration_only_tools.py. |
Beta Was this translation helpful? Give feedback.
-
|
Tool Execution with support for custom tool executors and tool execution interception offers greater flexibility for adapting workflows to different needs. It allows users to customize how tools run while maintaining better control over execution. I’ve found this especially useful when exploring utilities like jjsploit, as a configurable execution system can improve organization, consistency, and the overall user experience. |
Beta Was this translation helpful? Give feedback.
-
|
Tool execution interception and support for custom tool executors make workflows more flexible and easier to customize. For users exploring automation, a Roblox script executor iOS solution with reliable execution, smooth compatibility, and consistent updates can improve the overall experience. When implemented thoughtfully, these features help create a more streamlined and user-friendly environment. |
Beta Was this translation helpful? Give feedback.
Hi @kardwalker,
Yes, for Python workflows the supported pattern for this is declaration-only tools plus the workflow
request_info/responseshandshake.approval_mode="always_require"is a different feature: it pauses for approval, but once approved the framework executes the registered local tool. For host-owned execution, define the tool as aFunctionToolwithfunc=Noneand an input schema. The schema is still advertised to the model, but there is no implementation for the framework to execute.When the model selects that tool, the workflow pauses and emits a
request_infoevent containing thefunction_call. The host can inspect the tool name, arguments, andcall_id, run RBAC/policy/appr…