docs(architect): weekly KB update — 52 files refreshed (2026-04)

Key content changes:
- MLOps: MLflow 3 scorers expanded (RetrievalRelevance, Fluency, multi-turn judges)
- MLflow 3 A/B eval: mirror_traffic GA confirmed, new scorer catalog
- CI/CD: OIDC auth replaces deprecated --sdk-auth (Azure ML GitHub Actions)
- Agent framework A2A: updated SDK patterns (A2ACardResolver, BearerAuth)
- AG-UI backend tool rendering: accurate TOOL_CALL_* event shapes
- Computer Use agents: US region requirement, credentials patterns
- Purview governance: bulk term edit, expire/delete workflows
- CAF AI Secure: 3-phase structure confirmed current
- Copilot Studio: Claude Sonnet 4.5/4.6 GA, new orchestration controls
- M365 manifest: v1.26 GA (April 2026), copilotAgents node
- Power Platform: agent flow capacity enforcement corrected
- Azure Monitor: Simple Log Alerts GA, AMBA for policy-based alerting
- Security Copilot: SCU capacity model (400 SCU/1000 users)
- EU Data Boundary: all EU + EFTA countries confirmed
- gateway-multi-backend: added 4th topology, subscription-level quota note

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

plugins/ms-ai-architect/skills/ms-ai-engineering/references/agent-orchestration/agent-365-governance-and-deployment.md

@@ -45,7 +45,7 @@ Administratorer har 11 lifecycle management actions tilgjengelig i Admin Center:
 | **Delete** | Permanent sletting (inkludert SharePoint Embedded containers) | Irreversibel cleanup (24t propagation) |
 | **Approve Updates** | Godkjenn nye versjoner før deployment | Change management |
 | **Manage Ownerless Agents** | Handling på agenter uten eier | Compliance og sikkerhet |
-| **Reassign** | Tildel ny eier til ownerless/active agents | Kontinuitet |
+| **Reassign** | Tildel ny eier til ownerless/active agents. Kun støttet for Agent Builder-agenter. Ny eier får full edit/delete-tilgang og tilgang til opplastede filer; forrige eier mister ALL tilgang inkl. lesetilgang. *(Verified MCP 2026-04)* | Kontinuitet |
 | **Export Inventory** | Last ned full agent-liste (Excel) | Audit og rapportering |
 
 **Verified (Microsoft Learn, 2026-02)**
@@ -198,7 +198,7 @@ For agenter bygget i Agent Builder med embedded files (knowledge sources):
 | Feil | Konsekvens | Løsning |
 |------|------------|---------|
 | Sletter SharePoint Embedded containers manuelt | Agent-functionality breaks | Aldri slett containers i SharePoint admin center |
-| Blokkerer Microsoft-pinned agents (Researcher/Analyst) | Blokkerer for HELE tenant (kan ikke scope) | Bruk extensibility settings istedenfor Block |
+| Blokkerer Researcher/Analyst feil | Edit users-panelet er deaktivert for disse agentene; de kan kun blokkeres for hele tenant. Scope til enkeltbrukere er ikke mulig. *(Verified MCP 2026-04)* | Bruk Block-action i Admin Center for hele tenant; Work-access styres separat via admin-innstillinger |
 | Glemmer å approve agent updates | Brukere får ikke nye features/bugfixes | Sett opp notification for pending approvals |
 | Ingen policy template ved aktivering | Agents opererer uten governance controls | Alltid bruk minimum Default Template |
 
@@ -354,7 +354,7 @@ New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $params
 ## Kilder og verifisering
 
 ### Microsoft Learn (Verified, 2026-02)
-- [Agent Registry i Microsoft 365 Admin Center](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/agent-registry) – **Confidence: Verified (2026-04)** — Oppdatert: Risks column (M365 E7), ownerless agent management, Researcher with Computer Use admin configuration, sensitivity labels for embedded files, GraphAPI for Agent Registry (preview)
+- [Agent Registry i Microsoft 365 Admin Center](https://learn.microsoft.com/en-us/microsoft-365/admin/manage/agent-registry) – **Confidence: Verified (2026-04)** — Oppdatert: Risks column (M365 E7), ownerless agent management, Researcher with Computer Use admin configuration, sensitivity labels for embedded files, GraphAPI for Agent Registry (preview), Reassign kun for Agent Builder-agenter, Application/Delegated permissions-tab i agent details
 - [Microsoft 365 Copilot Agents Deployment Blueprint](https://learn.microsoft.com/en-us/copilot/microsoft-365/agent-essentials/m365-agents-blueprint) – **Confidence: Verified**
 - [Copilot Control System Management Controls](https://learn.microsoft.com/en-us/copilot/microsoft-365/copilot-control-system/management-controls) – **Confidence: Verified**
 - [Microsoft Entra Agent ID and Agent Identity Platform](https://learn.microsoft.com/en-us/microsoft-agent-365/admin/capabilities-entra) – **Confidence: Verified**
@@ -367,5 +367,5 @@ New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $params
 - **Kostnadsoptimalisering** – Baseline (generelle prinsipper, ikke produkt-spesifikke priser fra Microsoft Learn)
 - **Modenhetsnivå-anbefalinger** – Baseline (syntetisert fra Microsoft Maturity Framework-prinsipper)
 
-**Total MCP calls:** 3 (microsoft_docs_search x3, microsoft_docs_fetch x2, microsoft_code_sample_search x1)
+**Total MCP calls:** 4 (microsoft_docs_search x3, microsoft_docs_fetch x3, microsoft_code_sample_search x1)
 **Unique URLs:** 7 Microsoft Learn-artikler

plugins/ms-ai-architect/skills/ms-ai-engineering/references/agent-orchestration/agent-to-agent-a2a-protocol.md

@@ -172,11 +172,20 @@ A2A skiller mellom **meldinger** (messages) for rask, synkron kommunikasjon, og
 
 ```python
 import asyncio
+import httpx
+from a2a.client import A2ACardResolver
 from agent_framework.a2a import A2AAgent
 
 async def main():
+    a2a_host = "https://agents.nav.no/saksbehandler/a2a"
+
+    # Discover remote agent capabilities via AgentCard
+    async with httpx.AsyncClient(timeout=60.0) as http_client:
+        resolver = A2ACardResolver(httpx_client=http_client, base_url=a2a_host)
+        agent_card = await resolver.get_agent_card()  # Verified MCP 2026-04
+
     # Koble til ekstern A2A-agent
-    async with A2AAgent(name="saksbehandler", url="https://agents.nav.no/saksbehandler/a2a") as agent:
+    async with A2AAgent(name=agent_card.name, agent_card=agent_card, url=a2a_host) as agent:
 
         # Synkron streaming
         async with agent.run("Hva er min dagpengesats?", stream=True) as stream:
@@ -586,6 +595,25 @@ Hver etat eier og drifter sin egen agent. Felles inngangsagent orkestrerer via A
 
 ## Installasjon og SDK-er
 
+```python
+# Autentisert A2A-kall (AuthInterceptor-mønster) — Verified MCP 2026-04
+from a2a.client.auth.interceptor import AuthInterceptor
+
+class BearerAuth(AuthInterceptor):
+    def __init__(self, token: str):
+        self.token = token
+    async def intercept(self, request):
+        request.headers["Authorization"] = f"Bearer {self.token}"
+        return request
+
+async with A2AAgent(
+    name="secure-agent",
+    url="https://secure-a2a-agent.example.com",
+    auth_interceptor=BearerAuth("your-token"),
+) as agent:
+    response = await agent.run("Hello!")
+```
+
 ```bash
 # Python — Agent Framework
 pip install agent-framework-a2a --pre
@@ -603,13 +631,15 @@ pip install microsoft-teams-a2a
 **.NET (Semantic Kernel):**
 
 ```csharp
+// Agent card tilgjengelig på: GET /a2a/my-agent/v1/card
+// Message endpoint:          POST /a2a/my-agent/v1/message:stream
 app.MapA2A(agent, "/a2a/my-agent", agentCard: new()
 {
     Name = "Min Agent",
     Description = "Hjelpsom assistent for norsk offentlig sektor",
     Version = "1.0",
     Capabilities = new() { Streaming = true }
-});
+});  // Verified MCP 2026-04
 ```
 
 ---
@@ -638,9 +668,9 @@ app.MapA2A(agent, "/a2a/my-agent", agentCard: new()
    - https://learn.microsoft.com/azure/api-management/agent-to-agent-api
    - Confidence: **Verified** (APIM preview-støtte, februar 2026)
 
-6. **Agent Framework — A2A Integration (Python)**
+6. **Agent Framework — A2A Integration (Python og C#)**
    - https://learn.microsoft.com/agent-framework/integrations/a2a
-   - Confidence: **Verified** (offisiell SDK-dokumentasjon, februar 2026)
+   - Confidence: **Verified (MCP 2026-04)** — A2ACardResolver-pattern (Python), A2AAgent med agent_card-parameter, AuthInterceptor for sikret kall, MapA2A /v1/card og /v1/message:stream endepunkt-paths (.NET), NuGet-pakker Microsoft.Agents.AI.Hosting.A2A og .AspNetCore
 
 7. **Semantic Kernel Agent Orchestration**
    - https://learn.microsoft.com/semantic-kernel/frameworks/agent/agent-orchestration/

plugins/ms-ai-architect/skills/ms-ai-engineering/references/agent-orchestration/computer-using-agents-cua.md

@@ -107,6 +107,8 @@ if "pending_safety_checks" in response:
 
 Copilot Studio tilbyr CUA som et lavkode **Computer Use Tool** — ingen koding nødvendig.
 
+**Krav (preview):** Tilgjengelig kun for miljøer der regionen er satt til **United States**. Generativ orkestrering (generative orchestrator) må aktiveres på agenten. *(Verified MCP 2026-04)*
+
 ### Oppsett
 
 1. Gå til **Tools** i agenten → **Add tool** → **New tool** → **Computer use**
@@ -125,9 +127,9 @@ Copilot Studio tilbyr CUA som et lavkode **Computer Use Tool** — ingen koding
 |---------------|-------------|
 | **Maker-provided credentials** | Agenten bruker makerens innloggingsinfo (for autonome agenter) |
 | **End user credentials** | Brukeren logger inn selv (for konversasjonelle agenter) |
-| **Intern Power Platform-lagring** | Kryptert intern lagring — ingen forhåndskonfigurasjon nødvendig |
-| **Azure Key Vault** | Passord lagres i Key Vault — anbefalt for produksjonsmiljøer |
-| **Access control** | Begrens hvilke nettsider/applikasjoner CUA kan operere på |
+| **Intern Power Platform-lagring** | Kryptert intern lagring — ingen forhåndskonfigurasjon nødvendig. Oppgi URL/app-navn + brukernavn + passord; wildcard (*) støttes for subdomener (f.eks. *.contoso.com). *(Verified MCP 2026-04)* |
+| **Azure Key Vault** | Passord lagres i Key Vault — anbefalt for produksjonsmiljøer. Krever PowerPlatform resource provider registrert i Azure-abonnementet. *(Verified MCP 2026-04)* |
+| **Access control** | Begrens hvilke nettsider/applikasjoner CUA kan operere på. Wildcards støttes (*.contoso.com). Desktop apps angis ved produkt-/prosessnavn (f.eks. "Microsoft Edge" eller "msedge"). *(Verified MCP 2026-04)* |
 
 ### Lisensiering (Copilot Studio, preview)
 
@@ -485,7 +487,7 @@ Kostnader basert på:
 
 2. **Automate web and desktop apps with computer use — Copilot Studio**
    - https://learn.microsoft.com/microsoft-copilot-studio/computer-use
-   - Confidence: **Verified** (offisiell Copilot Studio preview-dokumentasjon, oppdatert 2026-04: støttede modeller, credentials, access control-semantikk)
+   - Confidence: **Verified** (offisiell Copilot Studio preview-dokumentasjon, oppdatert 2026-04: støttede modeller, credentials intern/Key Vault-detaljer, access control wildcard/desktop, US-only region-krav, generativ orkestrering påkrevd)
 
 3. **Configure where computer use runs**
    - https://learn.microsoft.com/microsoft-copilot-studio/configure-where-computer-use-runs

plugins/ms-ai-architect/skills/ms-ai-engineering/references/agent-orchestration/tool-use-and-function-calling-patterns.md

@@ -209,32 +209,55 @@ var result = await mainAgent.RunAsync("Hvordan er været i Oslo?");
 
 AG-UI backend tool rendering stoetter HITL via to mekanismer:
 
-**C# - ApprovalRequiredAIFunction:**
+**C# - AIFunctionFactory med serializerOptions (Verified MCP 2026-04):**
 ```csharp
-// Tool som krever human approval
-var approvalTool = ApprovalRequiredAIFunction.Create(DeleteRecord);
-
-// Workflow emitter RequestInfoEvent med ToolApprovalRequestContent
-await foreach (var evt in workflow.WatchStreamAsync()) {
-    if (evt is RequestInfoEvent req && req.Data is ToolApprovalRequestContent tc) {
-        bool approved = await AskUserApproval(tc.ToolName);
-        await handle.SendResponseAsync(req.Request.CreateResponse(approved));
-    }
+// Definer tool med Description-attributter
+[Description("Search for restaurants in a location.")]
+static RestaurantSearchResponse SearchRestaurants(
+    [Description("The restaurant search request")] RestaurantSearchRequest request)
+{
+    // implementasjon
 }
+
+// Registrer tool - NB: serializerOptions PÅKREVD for komplekse typer
+var jsonOptions = app.Services.GetRequiredService<IOptions<JsonOptions>>().Value;
+AITool[] tools = [
+    AIFunctionFactory.Create(SearchRestaurants, serializerOptions: jsonOptions.SerializerOptions)
+];
+
+// FunctionCallContent og FunctionResultContent streames til klient
+// FunctionCallContent: .Name, .Arguments (key-value pairs)
+// FunctionResultContent: .CallId, .Result eller .Exception
 ```
 
-**Python - @tool med approval_mode:**
+**Python - @tool decorator (Verified MCP 2026-04):**
 ```python
-@tool(approval_mode="always_require")
-def delete_record(record_id: str) -> str:
-    # Sletter en post - krever alltid menneskelig godkjenning
-    return db.delete(record_id)
+from typing import Annotated
+from pydantic import Field
+from agent_framework import tool
 
-# Workflow pauser og emitter function_approval_request event
-# Klient-loop maa haandtere og respondere
+@tool
+def get_weather(
+    location: Annotated[str, Field(description="The city")],
+) -> str:
+    """Get the current weather for a location."""
+    return f"The weather in {location} is 22 degrees C."
+
+# Klasse-baserte tools for gruppering
+class WeatherTools:
+    @tool
+    def get_current_weather(self, location: Annotated[str, Field(description="City")]) -> str:
+        """Get current weather."""
+        return f"Current weather in {location}: Sunny"
 ```
 
-**Backend tool events streames til klient i sanntid:** TOOL_CALL_START, TOOL_CALL_ARGS, TOOL_CALL_END, TOOL_CALL_RESULT.
+**Backend tool events streames til klient i sanntid (Verified MCP 2026-04):**
+```json
+{"type": "TOOL_CALL_START", "toolCallId": "call_abc123", "toolCallName": "get_weather"}
+{"type": "TOOL_CALL_ARGS",  "toolCallId": "call_abc123", "delta": "{"location": "Oslo"}"}
+{"type": "TOOL_CALL_END",   "toolCallId": "call_abc123"}
+{"type": "TOOL_CALL_RESULT","toolCallId": "call_abc123", "content": "The weather in Oslo is 22C."}
+```
 
 ---
 
@@ -428,7 +451,7 @@ def update_citizen_record(ssn: str, field: str, value: str) -> str:
 1. [Azure OpenAI Function Calling](https://learn.microsoft.com/en-us/azure/ai-foundry/openai/how-to/function-calling) — **Verified 2026-02**
 2. [Semantic Kernel Agent Functions](https://learn.microsoft.com/en-us/semantic-kernel/frameworks/agent/agent-functions) — **Verified 2026-02**
 3. [Agent Framework - Agent as Function Tool](https://learn.microsoft.com/en-us/agent-framework/tutorials/agents/agent-as-function-tool) — **Verified 2026-02**
-4. [AG-UI Backend Tool Rendering](https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/backend-tool-rendering) — **Verified 2026-04** (backend tool streaming, ApprovalRequiredAIFunction C#, @tool(approval_mode) Python, TOOL_CALL_* events)
+4. [AG-UI Backend Tool Rendering](https://learn.microsoft.com/en-us/agent-framework/integrations/ag-ui/backend-tool-rendering) — **Verified (MCP 2026-04)** — AIFunctionFactory.Create() med serializerOptions for komplekse typer (C#), @tool decorator med Annotated/Field (Python), TOOL_CALL_START/ARGS/END/RESULT events, FunctionCallContent/.Arguments og FunctionResultContent/.Result (C#), klasse-baserte tools-moenster (Python)
 5. [Azure OpenAI Assistants Function Calling](https://learn.microsoft.com/en-us/azure/ai-foundry/openai/how-to/assistant-functions) — **Verified 2026-02**
 6. [Structured Outputs](https://learn.microsoft.com/en-us/azure/ai-foundry/openai/how-to/structured-outputs) — **Verified 2026-02**