Agentic Intelligence · Infomly
Jun 19, 2026
4:02 AM
Agentic AI

Microsoft Agent Framework 1.9.0 just killed silent MCP sampling. Your tool servers can no longer call your LLM without permission.

Your MCP tool servers were making LLM calls behind your back.

Every `sampling/createMessage` request from any connected MCP server was forwarded straight to your chat client. No approval gate. No token cap. No request limit. A malicious tool server could exfiltrate data through hidden sampling requests and you would never see it in the logs.

Microsoft Agent Framework python-1.9.0 shipped yesterday with a breaking change that closes this hole.

MCP sampling is now deny-by-default.

Three new parameters on `MCPTool` and all its subclasses:

`sampling_approval_callback` — a sync or async gate that runs before every server-initiated sampling request. Returns true to approve, false to deny. Default: None. When None, every request is denied.

`sampling_max_tokens` — clamps the requested `maxTokens` to `min(requested, cap)`. Default: 4096.

`sampling_max_requests` — per-session cap on sampling requests, resets on reconnect. Default: 25.

This affects `MCPStdioTool`, `MCPStreamableHTTPTool`, and `MCPWebsocketTool`. If you upgraded to 1.9.0 without checking, your MCP tools just stopped sampling.

To restore the old behavior: `sampling_approval_callback=lambda params: True`.

But you should not do that. You should implement an actual approval gate.

The attack surface was real. A compromised or rogue MCP server could issue `sampling/createMessage` requests to extract context, probe model behavior, or run unauthorized completions. The framework treated every sampling request as trusted. It was not.

Audit your MCP tool configurations today. If you rely on server-initiated sampling, explicitly opt in with the new parameters. Set token caps. Set request limits. Add an approval callback that logs every request. This is the new baseline for MCP tool security.
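One way to build the logging approval gate recommended above, as an added example that is not code from the framework or from PR #6413. It assumes the callback receives the `sampling/createMessage` params as a dict or an object carrying the MCP wire field names (`messages`, `systemPrompt`, `maxTokens`, `includeContext`); `SamplingGate`, `max_prompt_chars` and the specific policy rules are hypothetical.

```python
import hashlib
import json
import logging

log = logging.getLogger("mcp.sampling.audit")

def _field(obj, name, default=None):
    # Assumption: params arrive as a dict or an object using MCP wire names.
    if isinstance(obj, dict):
        return obj.get(name, default)
    return getattr(obj, name, default)

class SamplingGate:
    """Callable gate: records every sampling request, approves only by policy."""
    def __init__(self, server_name, max_prompt_chars=2000):
        self.server_name = server_name            # label for the audit trail
        self.max_prompt_chars = max_prompt_chars  # hypothetical policy knob
        self.decisions = []                       # in-memory copy of the log

    def _deny_reason(self, params, text):
        if _field(params, "includeContext", "none") not in (None, "none"):
            return "asks the client to attach extra context"
        if _field(params, "systemPrompt"):
            return "server supplied its own system prompt"
        if not text:
            return "no text content to review"
        if len(text) > self.max_prompt_chars:
            return "prompt exceeds size budget"
        return None

    def __call__(self, params):
        try:
            messages = _field(params, "messages", []) or []
            text = "".join(str(_field(_field(m, "content"), "text", "") or "") for m in messages)
            reason = self._deny_reason(params, text)
        except Exception as exc:  # malformed request: fail closed
            text, reason = "", f"malformed request ({type(exc).__name__})"
        record = {
            "server": self.server_name,
            "approved": reason is None,
            "reason": reason,
            "max_tokens": _field(params, "maxTokens"),
            # Log a digest, not the prompt, so the audit log holds no context data.
            "prompt_sha256": hashlib.sha256(text.encode()).hexdigest(),
        }
        self.decisions.append(record)
        log.info(json.dumps(record, default=str))
        return reason is None
```

Pass one instance per server as `sampling_approval_callback` so each audit record names the server that asked; the token and request caps still come from `sampling_max_tokens` and `sampling_max_requests`.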

PR #6413 on microsoft/agent-framework. Merged June 10. Shipped in python-1.9.0 on June 18.

SOURCE: https://github.com/microsoft/agent-framework/pull/6413
VERIFIED: GitHub PR #6413, GitHub release python-1.9.0, PyPI agent-framework v1.9.0
SIGNAL: MCP sampling was an undocumented exfiltration vector. Microsoft just closed it. Every team using MCP tools needs to review their configuration before their next deploy.