On .NET Live - Demystifying Microsoft Agent Framework Middleware

TL;DR

• 1

  There are six middleware slots, not just three: Microsoft Agent Framework has shared-function, response, and function-calling middleware at both the chat client layer and the agent layer, and Daniel says picking the right layer matters as much as writing the guardrail itself.

• 2

  Chat client and agent middleware see different worlds: Chat client middleware is lower level and agent-agnostic, while agent middleware has access to session history and agent identity, which makes it the better place for persistent sanitization and per-agent policy.

• 3

  Shared-function, response, and function-calling each do a different job: Daniel's mental model is prepare, handle, invoke. Shared-function can inspect input only, response middleware can also alter or short-circuit output, and function-calling middleware intercepts tool execution with full message context.

• 4

  Middleware is what stops real production failures: In the 'Robbie' robot demo, guardrails remove email addresses before they hit the model, clamp unsafe backward movement from 10 meters to 5, and throw when token use crosses a low 2,000-token budget.

• 5

  Ordering middleware is not optional: Daniel recommends running shared-function first, response second, and function-calling last, because the wrong order can trigger middleware more often than expected, especially at the HTTP and tool-call level.

• 6

  Agent Framework improves on Semantic Kernel with more testability and built-in runtime features: Daniel highlights interface-first design, lighter plumbing, workflow checkpoints, resumable sessions, and built-in AI context and chat history providers as concrete upgrades.