Sample clients for the Work IQ API — Microsoft's AI-native interface to Microsoft 365 work intelligence.
| Sample | Language | Protocol | Description |
|---|---|---|---|
| dotnet/a2a/ | C# | A2A (Agent-to-Agent) | Interactive agent session using the open A2A protocol over JSON-RPC |
| dotnet/rest/ | C# | REST | Interactive chat using the Copilot Chat API with sync and streaming modes |
| rust/a2a/ | Rust | A2A (Agent-to-Agent) | Interactive agent session with device code auth, token caching, and SSE streaming |
| Sample | Protocol | Description |
|---|---|---|
| swift/a2a/ | A2A (Agent-to-Agent) | SwiftUI iOS/iPadOS chat app using A2A v0.3 with streaming responses |
| Sample | Protocol | Description |
|---|---|---|
| rust/a2a/ | A2A (Agent-to-Agent) | Interactive agent session with device code auth, token caching, and SSE streaming |
Current state: Work IQ is accessed through the Microsoft Graph API at
graph.microsoft.com. All samples use Graph endpoints and Graph authentication today.What's coming: A dedicated Work IQ gateway (
workiq.svc.cloud.microsoft) with its own app registration, scopes (WorkIQAgent.Ask), and endpoint. When available, these samples will be updated with the new endpoint and auth model. Your integration code will change minimally — different token audience and endpoint URL, same protocols.
The Chat API is only available to users with a Microsoft 365 Copilot add-on license. Users without the license will get access denied errors. See licensing docs.
Register an app in Azure portal > Microsoft Entra ID > App registrations:
- Supported account types: Accounts in any organizational directory (multi-tenant)
- Redirect URI:
http://localhost(type: Web) for browser-based auth, or leave empty for WAM - API permissions: Add the following delegated Microsoft Graph permissions:
| Permission | Description |
|---|---|
Sites.Read.All |
Read SharePoint sites |
Mail.Read |
Read user mail |
People.Read.All |
Read people data |
OnlineMeetingTranscript.Read.All |
Read meeting transcripts |
Chat.Read |
Read Teams chats |
ChannelMessage.Read.All |
Read Teams channel messages |
ExternalItem.Read.All |
Read external connector items |
All seven are required. Missing any one will result in auth errors. See permissions docs.
After adding permissions, click Grant admin consent for [your tenant].
- dotnet/ samples: .NET 8.0 SDK or later
- rust/ samples: Rust toolchain (stable)
Uses the Windows broker for silent SSO. No browser popup for returning users.
cd dotnet/a2a
dotnet run -- --graph --token WAM --appid <your-app-client-id>cd rust/a2a
cargo run -- --appid <your-app-client-id>
# Follow the on-screen instructions to authenticate in a browserAcquire a token externally (e.g., via Graph Explorer, az account get-access-token, or your own MSAL code) and pass it directly:
# .NET
cd dotnet/a2a
dotnet run -- --graph --token eyJ0eXAiOiJKV1Qi...
# Rust
cd rust/a2a
cargo run -- --token eyJ0eXAiOiJKV1Qi...The token must have:
- Audience:
https://graph.microsoft.com - Scopes: all 7 delegated permissions listed above
| Issue | Cause | Fix |
|---|---|---|
AADSTS65001: consent required |
Admin hasn't consented to the required permissions | Grant admin consent in Azure portal: Entra ID > App registrations > your app > API permissions > Grant admin consent |
403 Forbidden |
Missing Copilot license or missing permissions | Verify the user has a Copilot license and all 7 permissions are consented |
| Empty or degraded responses | License just assigned, index not ready | Wait 15-30 minutes after license assignment for propagation |
401 Unauthorized |
Token audience mismatch | Ensure token audience is https://graph.microsoft.com |