Foundry Environments and Platform Configuration
The Foundry resource and its projects
Provision the Microsoft Foundry[1] resource before anything else: it is the top-level Azure resource, and its Azure Resource Manager type is Microsoft.CognitiveServices/accounts. Everything a team builds lives in a project, a child scope inside the resource that groups the models, agents, connections[2], and deployments for one piece of work.
Foundry gives you two project types, and the exam rewards knowing which is the default. A Foundry project is the generally available default and the only type that exposes the Foundry API and Foundry Agent Service. A hub-based project is required only when you need Azure Machine Learning compatibility, managed compute, or open-source model hosting and fine-tuning; for everything else the Foundry project is the right choice (resource types[1]). Choosing a hub-based project just to use prompt flow is a trap: prompt flow is on a retirement path, so it is not a reason to pick a hub for new work.
Do not confuse the Foundry container with the classic ML container. The Azure Machine Learning workspace stays the top-level resource for traditional ML assets such as datasets, jobs, and registered models; generative AI projects belong in a Foundry resource, not a workspace.
Connections: shared access to external resources
You rarely want a raw storage key pasted into every agent. A connection solves that: it is a named, project-scoped object that stores the endpoint and credentials for an external resource, so many agents and components reuse one definition instead of each carrying its own secret (add a connection[2]). Typical targets include Azure Storage, Azure AI Search, Application Insights, Azure Key Vault, and Azure Cosmos DB.
Keyless connections
A connection can authenticate to its target with a Microsoft Entra identity (the resource's managed identity, defined under Identity and access below) instead of an API key. An Entra-based connection keeps secrets out of the connection object and lets Azure role-based access control (RBAC) decide who may use it. When a connection does hold a secret, Foundry stores it in a managed Azure Key Vault that Microsoft provisions for the resource; you can instead bring your own Key Vault, with a limit of one Key Vault connection per resource. Adding any connection requires at least the Foundry User role (or Azure Contributor), the same least-privilege role covered in the next section.
Identity and access: managed identities and RBAC
Two mechanisms govern access to a Foundry resource: the identity the resource uses to reach its own dependencies, and the RBAC roles that decide which people can act on it. This section covers both, starting with the identity.
Managed identities: keyless access
A managed identity is a special kind of service principal in Microsoft Entra ID whose credentials Azure creates and rotates automatically, so a Foundry resource can reach its dependencies (Storage, Key Vault, and more) with no stored secret (managed identities[3]). It comes in two forms:
| Identity type | Lifecycle | Sharing |
|---|---|---|
| System-assigned | Created and deleted with the resource (one to one) | Cannot be shared |
| User-assigned | Standalone Azure resource with its own lifecycle | Attach to many resources |
Prefer Microsoft Entra ID token authentication over API keys for production, and you can disable local (key) authentication so every data-plane call is authorized through Entra ID and RBAC rather than a shared key. As the RBAC docs note, a key grants full access with no role restrictions, which is exactly why keys are harder to scope, rotate, and revoke than an Entra identity (RBAC for Foundry[4]).
Least-privilege built-in roles
Assign the narrowest built-in role that lets a person work (RBAC for Foundry[4]):
- Foundry User (formerly Azure AI User): the least-privilege role for developers building and testing in a project. It performs data actions and reads projects, but cannot create projects, deploy models, or publish agents.
- Foundry Project Manager: the elevated build role. It is the minimum role that can publish agents, and it can conditionally assign the Foundry User role to others. The canonical RBAC matrix does not grant it create-project or model-deployment rights, so do not assume it can. Some doc pages disagree on those two powers; key only its consistent powers, agent publishing plus conditional Foundry User assignment.
- Foundry Account Owner and Foundry Owner: full resource management and model deployment. Account Owner can create projects and deploy models but cannot publish agents; Foundry Owner does everything, including publishing agents.
- Foundry Agent Consumer: least privilege for a principal that only calls an agent's endpoint, with no build rights at all.
A practical mapping: give team members Foundry User at project scope, a team lead Foundry Project Manager when they must publish agents, and a manager Foundry Account Owner to provision and deploy models. Reserve Owner and Contributor for genuine administrators.
Network isolation: managed VNet and private endpoints
By default a Foundry resource is reachable over the public internet. Two independent controls lock it down: an outbound managed VNet and an inbound private endpoint.
Outbound: managed VNet isolation modes
A managed virtual network (VNet) has two isolation modes (configure a managed network[5]):
- Allow internet outbound: agents may reach public endpoints.
- Allow only approved outbound: outbound traffic is limited to approved private endpoints, service tags, and fully qualified domain name (FQDN) rules.
Only Allow only approved outbound turns on automatic data-exfiltration protection; Allow internet outbound does not. When you add an outbound FQDN rule in the approved-outbound mode, Foundry automatically provisions an Azure Firewall to enforce it (Standard SKU by default, or Basic), and Azure Firewall charges then appear on your bill. Note the documented caveat: once you add outbound rules, Microsoft cannot guarantee protection against exfiltration to those specific destinations.
Inbound: private endpoint plus disabling public access
For inbound isolation, create a private endpoint (Azure Private Link) so the resource gets a private IP inside your VNet, then set public network access to Disabled (configure network isolation[6]). A private endpoint alone is not enough: while public network access stays enabled, the public path is still reachable. Do not confuse a private endpoint with a service endpoint: a service endpoint keeps the resource's public IP and only extends your subnet's identity to it, whereas a private endpoint projects the resource into your subnet as a private IP (private endpoint overview[7]). Private endpoints to connected resources such as Storage, Search, and Cosmos DB are not auto-created; add them separately.
Deploy the environment as code with Bicep
Portal click-ops is not repeatable, and a Foundry configuration built by hand cannot be reviewed or promoted across environments. Define the resource, its projects, and model deployments as Bicep templates instead, and deploy them with the Azure CLI (deploy a Foundry resource by using Bicep[8]). A Bicep template for a Foundry environment declares the Microsoft.CognitiveServices/accounts resource and its Microsoft.CognitiveServices/accounts/projects children, so one coordinated deployment recreates identical dev, test, and prod environments.
Deploy a Foundry resource and project with the Azure CLI
# Create the resource group, then deploy the Bicep template into it
az group create --name exampleRG --location eastus
az deployment group create \
--resource-group exampleRG \
--template-file main.bicep \
--parameters aiFoundryName=myai aiProjectName=myai-proj
# ...
az group create provisions the resource group; az deployment group create applies main.bicep into it, passing the resource and project names as parameters. A successful run reports "provisioningState": "Succeeded".
Two facts worth remembering. First, a managed-network Foundry resource has no portal creation experience, so it must be deployed with Bicep or Terraform, or through az rest and the Azure CLI. Second, if you already built a resource in the portal, you can export its configuration to a Bicep file (Automation > Export template) as a starting point rather than authoring one from scratch.
Exam-pattern recognition
Most questions on this objective test one of a handful of distinctions. Read the stem for the signal, then pick the answer that matches.
- Container: 'build agents' or 'generative AI' points to a Foundry resource and project, not an Azure Machine Learning workspace. The workspace is only for classic ML assets.
- Project type: a Foundry project is the default; reach for a hub-based project only for Azure ML compatibility, managed compute, or open-source model hosting and fine-tuning. 'To use prompt flow' is not a valid reason.
- Credentials: prefer a shared connection using Microsoft Entra (managed identity) authentication over an API key hard-coded into each agent. Keys grant unscoped access and are harder to rotate and revoke.
- Roles: Foundry User is least privilege for build-and-test; Foundry Project Manager is the minimum role that can publish agents but cannot create projects or deploy models; Foundry Account Owner deploys models but cannot publish agents. Do not answer Owner or Contributor when a Foundry role fits.
- Outbound network: 'prevent data exfiltration' means Allow only approved outbound, never Allow internet outbound. Adding an FQDN rule provisions an Azure Firewall.
- Inbound network: a private endpoint plus public network access set to Disabled. A private endpoint alone, or a service endpoint, leaves the public path open.
- Deployment: 'repeatable across dev, test, and prod' means Bicep with
az deployment group create, not portal click-ops; a managed-network resource has no portal creation UI.
Foundry built-in role capabilities
| Capability | Foundry User | Foundry Project Manager | Foundry Account Owner | Foundry Owner |
|---|---|---|---|---|
| Build and test in a project (data actions) | Yes | Yes | No | Yes |
| Publish agents | No | Yes (minimum role) | No | Yes |
| Create projects or accounts | No | No | Yes | Yes |
| Deploy or manage models | No | No | Yes | Yes |
| Assign roles to others | No | Foundry User only | User, ACR, monitoring | User, ACR, monitoring |
| Typical persona | Developer building and testing | Team lead publishing agents | Manager provisioning and deploying | Full self-serve owner |
Decision tree
Sharp facts the exam loves — give these one last read before exam day.
Cheat sheet
Sharp facts the exam loves — scan these before test day.
- Foundry project is the default; a hub-based project is only for Azure ML / open-model workloads
Microsoft Foundry offers two project types. A Foundry project is the default, generally available choice and the only one that exposes the Foundry API and Foundry Agent Service; a hub-based project is required only when you need Azure Machine Learning compatibility, managed compute, or open-source model hosting and fine-tuning.
Trap Choosing a hub-based project 'to use prompt flow' — prompt flow is on a retirement path (support ends 2027-04-20), so it is not a reason to pick a hub project for new work.
14 questions test this
- A generative AI team must run the Foundry Agent Service under a generally available service level for a production agent, and they want the project type that also gives first-class access to the Found
- Your organization's governance policy forbids using preview features for any production workload. A team needs to run agents built on the Foundry Agent Service in production and call the Foundry API.
- A team plans to bring an open-weight foundation model from the model catalog into Microsoft Foundry, host it, and fine-tune it on Azure Machine Learning managed compute so they control the underlying
- A team is planning a brand-new agent solution in Microsoft Foundry. A developer proposes provisioning a hub-based project specifically so the team can build the orchestration in prompt flow, the tool
- A team must build generative AI features but also needs Azure Machine Learning compatibility, including managed compute and the Azure Machine Learning studio tooling, within the same project. A plain
- A team has historically used a hub-based project, but they are starting a new use case that only needs to build agents and work with Foundry Models, with no Azure Machine Learning or managed-compute r
- An engineer is selecting a project type for a new customer-facing assistant that calls foundation models and uses the Foundry Agent Service. A colleague suggests a hub-based project, but the team conf
- An organization is beginning its first generative AI initiative and wants a single top-level Azure resource that will hold its Foundry projects and centrally govern networking, security, and model dep
- An administrator must decide where to configure security, connectivity to other Azure services, and model deployments so that the settings apply across a team's generative AI work, while individual us
- A developer wants to independently spin up an environment to prototype ideas with foundation models without provisioning extra Azure resources or waiting for an administrator to build shared infrastru
- While planning a new generative AI application, a developer recommends creating a hub-based project so the team can use prompt flow to author and compare prompt variants. The application only needs to
- A team currently works in a hub-based project created a year ago. New agent and model-centric capabilities, including the generally available Foundry Agent Service and Foundry API, are landing only on
- A development team is starting a brand-new generative AI application in Microsoft Foundry. They need to build agents with the Foundry Agent Service and call models through the Foundry API, and they wa
- An ML team wants to deploy an open-source Hugging Face model to managed compute in Microsoft Foundry and fine-tune it with Azure Machine Learning compatibility. The default Foundry project type does n
- The Foundry resource is the top-level Azure resource that contains projects
A Microsoft Foundry resource is the top-level Azure resource you create first; projects are child scopes inside it that group models, agents, connections, and deployments. The Azure Machine Learning workspace remains the top-level resource for classic ML assets, not for generative AI work.
Trap Treating the Azure Machine Learning workspace as the container for Foundry generative-AI projects.
8 questions test this
- A developer working inside an existing Microsoft Foundry resource wants to keep two use cases - a support-ticket agent and a document-summarization agent - separated, each with its own files, evaluati
- A platform administrator manages several Foundry projects that different teams use to build agents. The administrator must apply one shared set of model deployments, network security rules, and connec
- Within one company, a data science group trains classic (non-generative) machine learning models such as AutoML regression and scikit-learn classifiers, registering datasets, components, and scheduled
- An engineer is about to start building generative AI agents and plans to place the new Foundry projects inside the team's existing Azure Machine Learning workspace, assuming the workspace is their con
- An organization is beginning its first generative AI initiative and wants a single top-level Azure resource that will hold its Foundry projects and centrally govern networking, security, and model dep
- An administrator must decide where to configure security, connectivity to other Azure services, and model deployments so that the settings apply across a team's generative AI work, while individual us
- A data platform group already uses an Azure Machine Learning workspace as the top-level resource for its classic ML assets, such as datasets, components, and training jobs. A separate team is now star
- A development team is starting a brand-new generative AI application in Microsoft Foundry. They need to build agents with the Foundry Agent Service and call models through the Foundry API, and they wa
A Foundry connection is a named, project-scoped object that stores the endpoint and credentials for an external dependency such as Azure Storage, Azure AI Search, or Application Insights, so components and agents reuse the connection instead of embedding secrets in each definition.
Trap Hard-coding a resource key into each agent or prompt rather than referencing one shared connection.
27 questions test this
- A Microsoft Foundry project's agents already reuse an existing connection to reach the team's Azure AI Search service. Leadership now requires those same agents to also send their traces and metrics t
- A Microsoft Foundry project hosts several agents that all query the same Azure AI Search service to ground their answers. Your security team requires that the search endpoint and its key live in exact
- A Microsoft Foundry project must call a third-party, non-Azure REST service that authenticates with an API key. You want the key stored securely inside the project and referenced by name, together wit
- In a Microsoft Foundry project, several components and agents each paste the same Azure Storage account key directly into their definitions. Each new component copies the key again, and any change to
- During a design review for a Microsoft Foundry project, a teammate asks you to explain what a connection actually is before the team standardizes on using them for every external dependency such as Az
- A security review of a Microsoft Foundry project finds that the same Azure AI Search key has been pasted into a dozen different agent definitions. You must remove the duplicated secret from the defini
- A reviewer asks how a Foundry connection keeps an external resource's API key from being exposed inside the agent and prompt definitions that reuse it. The project uses key-based authentication and ha
- You are provisioning a standard Microsoft Foundry agent that must store the vector indexes it builds in a resource in your own subscription, and the agent has to authenticate to that resource through
- You are deploying a Standard Agent in a Microsoft Foundry project so that the agent keeps its uploaded files and its retrieval index in your own Azure Storage and Azure AI Search resources for data re
- Your team needs server-side tracing turned on for every agent in a Microsoft Foundry project so that latency and tool calls are captured for debugging, and you want this to work without changing each
- You are adding a remote MCP server tool to a Foundry agent so it can call an external developer API that requires a bearer token on every request. Several agents in the project will use the same serve
- A Foundry agent must answer questions about breaking news and other information published after the model's training cutoff, drawing on current public web results rather than any internal index. The t
- Within one Microsoft Foundry project, several components and a prompt-based workflow all need to call the same external Azure AI Search dependency. You want each component to reuse the same stored aut
- A team integrates a Foundry agent with a non-Microsoft REST service used in a LangChain flow. They must store the service's endpoint URL, an API version label, and its access key together as one reusa
- A Microsoft Foundry project's agents must call GPT-4o deployments hosted in an existing Azure OpenAI resource that already lives in the same subscription. You want every agent to reach those model dep
- An operations team runs a Foundry generative-AI application in production and wants distributed tracing of each request, including LLM calls, tool invocations, latency, and errors, so they can diagnos
- An MLOps engineer is grounding a Foundry agent in the company's internal product manuals so it can answer support questions with citations from that proprietary content. The documents are already load
- You are configuring the Azure AI Search knowledge tool on a Microsoft Foundry agent so it can retrieve documents from an existing search index and return cited answers. The tool must reach the search
- You are creating a Foundry connection from a project to an Azure AI Search service that will be used inside a private virtual network. Security policy forbids storing static resource keys and requires
- A data science team is operationalizing several Foundry agents in one project. Today each agent definition embeds the same Azure AI Search admin key directly in its configuration, and rotating that ke
- By default a Microsoft Foundry project stores its connection secrets in a platform-managed key vault. Your security team's governance standard requires that the secrets backing the project's connectio
- Two separate Microsoft Foundry projects on your team each need to use the same Azure AI Search service, and your governance standard says one project must never inherit another project's stored creden
- A Foundry project team is deploying a Standard agent that must read a large collection of raw PDF manuals, product images, and installer files that currently sit in a cloud storage account. The team n
- A new engineer joins a Microsoft Foundry project and needs to build a component that reads from the project's Azure Storage account. Project policy forbids sharing raw storage keys with individuals, y
- An MLOps engineer must let a Microsoft Foundry agent answer employee questions by grounding its responses in documents that live in the company's internal SharePoint site, while keeping each employee'
- Your team standardizes several Microsoft Foundry agents on models served directly from OpenAI's own hosted platform rather than an Azure OpenAI resource. You must store the OpenAI account's API creden
- You configure a standard Microsoft Foundry agent whose conversation threads and messages must persist in your own Azure Cosmos DB account for compliance. The agent has to authenticate to Cosmos DB wit
- A connection can authenticate with an Entra identity instead of a key
A Foundry connection can authenticate to its target resource with a Microsoft Entra identity (the resource's managed identity) rather than an API key, keeping secrets out of the connection object and letting Azure RBAC govern who can use it.
- System-assigned vs user-assigned managed identity for a Foundry resource
A Foundry resource can use a system-assigned managed identity (created and deleted with the resource, one-to-one) or a user-assigned managed identity (a standalone Azure resource you can attach to several resources and manage independently) to access dependencies such as Storage or Key Vault without stored credentials.
Trap Using an account key or SAS token where a managed identity is required for keyless, credential-free access.
12 questions test this
- A production application hosted on Azure must call your Microsoft Foundry inference endpoint. Company policy prohibits storing any API keys or secrets in the application's configuration or code, and e
- A newly created Microsoft Foundry project must connect to its associated Azure Storage account and Azure Key Vault so it can store prompt-flow data and retrieve secrets. Company policy forbids placing
- Your team provisions a single Microsoft Foundry resource that must read training data from one dedicated Azure Storage account, with no credentials kept in code or connection strings. The security tea
- Your MLOps pipeline deploys new Microsoft Foundry resources on demand, and each new resource must already have permission to a shared Azure Storage account the moment it is created, with no manual rol
- Your MLOps platform tears down and recreates a Microsoft Foundry resource on every release so it always matches the latest template. Each rebuilt resource must keep the exact same access to a shared A
- During a Microsoft Foundry platform design review, an architect asks which identity option is a standalone Azure resource that has its own independent lifecycle and can be attached to several differen
- Your organization runs many independent Microsoft Foundry resources, one per project team. Security requires that each resource authenticate to its own dependencies with a distinct identity that no ot
- Your platform team runs several Microsoft Foundry resources across development, test, and production, and wants all of them to authenticate to a shared Azure Key Vault by using one identity with a sin
- An MLOps engineer provisions a single Microsoft Foundry resource that must read training data from one Azure Storage account and pull secrets from one Key Vault without any stored connection strings o
- A self-contained Microsoft Foundry resource hosts one workload that needs credential-free access to a single storage account. The team wants an identity that requires no separate object to create, adm
- An MLOps engineer configures a Microsoft Foundry agent that must call downstream tools and its Foundry project using a managed identity, with no secret stored anywhere in the workload. The team also w
- Your team provisions a dedicated Microsoft Foundry resource for a short-lived proof of concept that must read data from one Azure Storage account without any stored credentials. When the proof of conc
- Prefer Microsoft Entra (keyless) authentication over API keys
For production Foundry access, Microsoft Entra ID token authentication with a managed identity is preferred over API keys; you can disable local (key) authentication so every data-plane call is authorized through Entra ID and RBAC rather than a shared secret.
Trap Assuming API keys are as safe as Entra ID — keys cannot be scoped by RBAC and are harder to rotate or revoke per user.
12 questions test this
- A production application hosted on Azure must call your Microsoft Foundry inference endpoint. Company policy prohibits storing any API keys or secrets in the application's configuration or code, and e
- A newly created Microsoft Foundry project must connect to its associated Azure Storage account and Azure Key Vault so it can store prompt-flow data and retrieve secrets. Company policy forbids placing
- A developer argues that the shared API key on a Microsoft Foundry resource is 'just as safe' as Microsoft Entra ID because the key is long and random. As the MLOps lead, you must counter this with the
- A developer must build and run agents against a production Microsoft Foundry resource and also start evaluation runs on it. In Foundry, the Agents service and evaluations are not supported with key-ba
- A new developer needs to build and test agents against a production Microsoft Foundry resource but must not receive broad control-plane rights or the resource's shared key. You want to grant only the
- Your organization is moving a Microsoft Foundry inference workload into production. The security team mandates that every data-plane call be attributable to an individual principal, authorized by leas
- An organization has migrated every client of a production Microsoft Foundry resource to Microsoft Entra ID token authentication and verified that no workload still depends on a key. To satisfy a compl
- You migrated every client of a production Microsoft Foundry resource to Microsoft Entra ID token authentication. Compliance now requires that the resource reject any request that still presents a reso
- An MLOps engineer provisions a single Microsoft Foundry resource that must read training data from one Azure Storage account and pull secrets from one Key Vault without any stored connection strings o
- An MLOps engineer configures a Microsoft Foundry agent that must call downstream tools and its Foundry project using a managed identity, with no secret stored anywhere in the workload. The team also w
- A production application authenticates its data-plane calls to a Microsoft Foundry resource with a single shared API key that every service instance embeds. Security now requires per-user attribution
- Your team provisions a dedicated Microsoft Foundry resource for a short-lived proof of concept that must read data from one Azure Storage account without any stored credentials. When the proof of conc
- Foundry User grants the minimum permissions to use a project and its models
The built-in Foundry User role (formerly Azure AI User) grants the least-privilege access needed to work inside a project and call its deployed models; assign it to team members who build and test rather than granting a broad Owner or Contributor role.
Trap Granting Owner or Contributor for everyday build-and-test work, over-provisioning access beyond what Foundry User already allows.
13 questions test this
- In Microsoft Foundry, developers finish an agent that must be published as an Agent Application with a stable callable endpoint. Your governance rules say the publisher should receive the least-privil
- You are configuring a new Microsoft Foundry project. At runtime the project's system-assigned managed identity must call the project's deployed models and use its resources, but it should hold only th
- A team lead in Microsoft Foundry must both build and develop within their team's project and onboard new developers by granting them the Foundry User role, all without being assigned the subscription
- A senior developer in Microsoft Foundry needs to both build and iterate on agents inside a project and publish finished agents as Agent Applications with stable endpoints, but should not be able to cr
- A team lead in Microsoft Foundry must build and test agents in their team's project and also onboard new teammates by granting them the Foundry User role themselves, without waiting on a subscription
- A developer already holds the Contributor role on a Microsoft Foundry resource but receives 403 errors when creating an agent and calling a deployed model in a project. You determine the failure is a
- You administer a Microsoft Foundry resource. A group of developers needs to work inside a single project, building and testing agents and calling the project's already-deployed models, but they should
- A colleague is provisioning access for a small team in a Microsoft Foundry project. Because the team spends most of its time calling the project's deployed models, the colleague proposes granting only
- A developer with the Foundry User role finished building and testing an agent in a Microsoft Foundry project and now needs to publish it as an Agent Application with a stable endpoint for others to ca
- You are planning role assignments for a new Microsoft Foundry project. A colleague suggests giving every developer the Foundry Project Manager role so they have room to grow. In practice these develop
- In Microsoft Foundry, a developer who holds the Foundry User role tries to deploy a model from the model catalog to the resource, but the action is blocked. You need to grant the role that is required
- In a Microsoft Foundry project, one team of developers must build agents, iterate on them, and test them against the project's deployed models, while a separate downstream service principal only needs
- After you create a Microsoft Foundry project, its system-assigned managed identity must access the parent Foundry resource at runtime so the project can use deployed models and features. Following Mic
- Foundry Project Manager is the elevated build role whose distinctive power is publishing agents
The Foundry Project Manager role (formerly Azure AI Project Manager) is the elevated developer role: it is the minimum role that can publish agents (Foundry Account Owner cannot publish) and it can conditionally assign the Foundry User role to others. Microsoft pages currently disagree on whether it can also create projects or manage model deployments - the canonical rbac-foundry matrix (2026-07) marks both as NOT granted - so questions must not anchor on those claims; Foundry Account Owner and Foundry Owner cover full resource management and model deployment.
Trap Assuming Project Manager can create projects or deploy models; the canonical RBAC matrix denies both, and its distinctive documented power is agent publishing plus conditional Foundry User assignment.
8 questions test this
- In Microsoft Foundry, developers finish an agent that must be published as an Agent Application with a stable callable endpoint. Your governance rules say the publisher should receive the least-privil
- A team lead in Microsoft Foundry must both build and develop within their team's project and onboard new developers by granting them the Foundry User role, all without being assigned the subscription
- Your automation assigns Foundry roles by their role definition IDs. During the Foundry rename rollout, you notice the Azure portal shows 'Azure AI Project Manager' in one blade and 'Foundry Project Ma
- A senior developer in Microsoft Foundry needs to both build and iterate on agents inside a project and publish finished agents as Agent Applications with stable endpoints, but should not be able to cr
- A team lead in Microsoft Foundry must build and test agents in their team's project and also onboard new teammates by granting them the Foundry User role themselves, without waiting on a subscription
- A developer with the Foundry User role finished building and testing an agent in a Microsoft Foundry project and now needs to publish it as an Agent Application with a stable endpoint for others to ca
- You are planning role assignments for a new Microsoft Foundry project. A colleague suggests giving every developer the Foundry Project Manager role so they have room to grow. In practice these develop
- In Microsoft Foundry, a developer who holds the Foundry User role tries to deploy a model from the model catalog to the resource, but the action is blocked. You need to grant the role that is required
- Managed VNet isolation modes: Allow internet outbound vs Allow only approved outbound
A Foundry managed virtual network supports two isolation modes: Allow internet outbound (agents may reach public endpoints) and Allow only approved outbound (outbound is limited to approved private endpoints and FQDN rules). Only Allow only approved outbound enables automatic data-exfiltration protection, and adding an outbound FQDN rule automatically provisions an Azure Firewall.
Trap Believing Allow internet outbound provides data-exfiltration protection — only Allow only approved outbound does.
15 questions test this
- In a Foundry managed virtual network, the platform created managed private endpoints so agents can reach Azure Storage privately. An engineer opens the subscription's network resources to inspect the
- Your organization wants Foundry agents to reach only a curated list of external domains and requires that no team has to deploy, patch, or operate a firewall themselves. You are choosing how to contro
- Your Foundry managed virtual network runs in Allow only approved outbound mode, and you add an outbound rule that permits egress to a specific approved fully qualified domain name your agents must cal
- You enable a Microsoft Foundry managed virtual network so that agents in your projects can reach a curated set of approved Azure resources but must not send data to arbitrary public endpoints. You nee
- An enterprise networking team must inspect and log all outbound traffic from Foundry agents through the company's own Azure Firewall instance and apply user-defined routes. They evaluate the Foundry m
- Your security team requires that agents in a Microsoft Foundry project reach only an approved Azure Storage account and one approved external API, with automatic data-exfiltration protection so nothin
- A team deploys a Microsoft Foundry resource with its managed virtual network in Allow only approved outbound mode. Because outbound traffic is now restricted to approved destinations, the team is conc
- A Foundry managed virtual network runs in Allow only approved outbound mode. An agent must read data from an Azure Storage account that has public network access disabled, and all connectivity must st
- In a Foundry managed virtual network set to Allow only approved outbound, an agent must be allowed to reach an Azure platform service that publishes a large, changing set of public IP ranges, and you
- You are provisioning a Microsoft Foundry managed virtual network for a development team whose agents must be able to call many public endpoints across the internet. Unrestricted outbound access is acc
- Your Microsoft Foundry managed virtual network is running in Allow only approved outbound mode. Agents in the project must query a specific Azure AI Search service over a private connection that keeps
- Your Foundry managed virtual network is set to Allow only approved outbound. An agent must reach a specific external SaaS API by its fully qualified domain name over HTTPS, so you plan to add an outbo
- Your Foundry agents legitimately need broad, unrestricted connectivity to many public internet endpoints, and the workload has no data-exfiltration or curated-destination requirement. You are enabling
- A machine learning team enabled a Microsoft Foundry managed virtual network for their Foundry resource in Allow only approved outbound mode. A new development workload now requires the project's agent
- After enabling a Foundry managed virtual network, an engineer opens the Azure portal to find the network interface (NIC) and private IP that the managed private endpoint to the storage account created
- Use a private endpoint and disable public network access to reach Foundry privately
To keep traffic off the public internet, create a private endpoint for the Foundry resource and set public network access to Disabled, so the resource is reachable only over a private IP inside your virtual network. Managed private endpoints created by the managed VNet are fully Microsoft-managed and do not expose a customer-visible network interface (NIC).
Trap Using a service endpoint instead of a private endpoint, or leaving public network access enabled after adding the private endpoint.
16 questions test this
- In a Foundry managed virtual network, the platform created managed private endpoints so agents can reach Azure Storage privately. An engineer opens the subscription's network resources to inspect the
- A team enabled a Microsoft Foundry managed virtual network in Allow only approved outbound mode, and the platform created managed private endpoints so the project's agents reach Azure Storage and Azur
- An engineer added a private endpoint to a Foundry resource and confirmed that clients inside the virtual network can reach it over the private IP. However, a penetration test shows the resource still
- A teammate added a private endpoint to a Microsoft Foundry resource, but a security scan shows the resource is still reachable from the public internet. The private endpoint connection is Approved and
- Your security team requires that agents in a Microsoft Foundry project reach only an approved Azure Storage account and one approved external API, with automatic data-exfiltration protection so nothin
- A team enabled a virtual network service endpoint for a Microsoft Foundry resource, expecting it to give the resource a private IP in their subnet and let them disable public network access. Testing s
- A team deploys a Microsoft Foundry resource with its managed virtual network in Allow only approved outbound mode. Because outbound traffic is now restricted to approved destinations, the team is conc
- You disabled public network access on a Microsoft Foundry resource and put it behind a private endpoint in an Azure virtual network. Data scientists working from the corporate on-premises network now
- A Foundry managed virtual network runs in Allow only approved outbound mode. An agent must read data from an Azure Storage account that has public network access disabled, and all connectivity must st
- You must connect your Foundry resource to a virtual network so client traffic reaches it over a private IP address from your VNet, and you also intend to disable the resource's public endpoint entirel
- Your Microsoft Foundry managed virtual network is running in Allow only approved outbound mode. Agents in the project must query a specific Azure AI Search service over a private connection that keeps
- A security review requires that all client traffic to your Foundry resource stay off the public internet and reach the resource only over a private IP address from your existing virtual network. You m
- Your compliance policy requires that all client access to a Microsoft Foundry resource stay on your private network and never traverse the public internet. Data scientists connect from an Azure virtua
- You must lock down a Microsoft Foundry resource so the general public internet cannot reach it, yet a small, fixed set of administrator workstation IP addresses at headquarters must still connect for
- After you create a private endpoint for a Foundry resource and disable its public network access, an application team worries they must rewrite their code to use a new private hostname or IP address.
- After enabling a Foundry managed virtual network, an engineer opens the Azure portal to find the network interface (NIC) and private IP that the managed private endpoint to the storage account created
- Provision Foundry resources repeatably with Bicep templates and Azure CLI
Define Foundry resources, projects, and model deployments as Bicep templates and deploy them with the Azure CLI (for example az deployment group create) so environments are versioned, reviewable, and reproducible. A managed-network Foundry resource currently has no portal creation UI and must be deployed via Bicep or Terraform, or with az rest / Azure CLI.
Trap Relying on portal click-ops, which is not source-controlled or repeatable across dev/test/prod environments.
21 questions test this
- Your security team requires a Microsoft Foundry resource that uses a Microsoft-managed virtual network for outbound isolation of the Agent service. You also need the whole setup to be source-controlle
- An MLOps engineer already provisions a Microsoft Foundry resource and project with a Bicep template. The team now wants the specific model deployment, such as which model, version, and SKU, captured i
- Your team redeploys the same Microsoft Foundry environment definition many times a week as part of continuous delivery. You need an approach where rerunning the deployment with unchanged inputs leaves
- Your MLOps team must roll out the same Azure OpenAI model deployment - identical model, version, and deployment settings - into several Microsoft Foundry resources across regions, and be able to recre
- Before applying a change to a production Microsoft Foundry environment that is managed with a Bicep template, your team wants to see exactly which resources a deployment would add, modify, or delete,
- Your company has standardized on Terraform as its single infrastructure-as-code tool for every cloud platform, and a governance policy forbids provisioning cloud resources through the Azure portal. A
- You authored a single Bicep template that defines a Microsoft Foundry resource, one project, and a model deployment, all intended to live together inside one existing resource group named rg-foundry-p
- Your organization wants Microsoft Foundry environments to be provisioned automatically by its release pipeline for dev, test, and production, with no engineer clicking through the Azure portal during
- Your security team requires a Microsoft Foundry resource that uses managed virtual network isolation for its Agent workloads. When you open the Azure portal to create it, you find there is currently n
- Auditors require that every change made to your production Microsoft Foundry environment be traceable to a specific, reviewable record and be reproducible on demand, and your team wants to avoid maint
- Your platform team must stand up identical Microsoft Foundry resources and projects across separate development, test, and production subscriptions. Leadership requires that every environment change b
- You maintain a Bicep template that provisions a Microsoft Foundry resource and project. The dev, test, and production deployments are identical except for the resource names, the region, and the SKU.
- A Microsoft Foundry environment is defined in a Bicep template that your team stores in Git and treats as the source of truth. During an incident, an engineer changed several settings on the Foundry r
- Your organization wants Microsoft Foundry infrastructure provisioned through an automated CI/CD pipeline. The requirements are that every infrastructure change is submitted as a pull request and peer-
- A colleague already created a Microsoft Foundry resource and project by clicking through the Azure portal, and it is configured correctly. Leadership now wants this exact configuration reused as repea
- A regional outage takes down the Azure region that hosts your production Microsoft Foundry resource, project, and model deployment. Your recovery plan requires you to rebuild the entire environment in
- Your MLOps platform team repeatedly provisions Microsoft Foundry environments by clicking through the Azure portal, and small inconsistencies keep slipping in, so dev, test, and production gradually d
- A platform team must stand up three identical Microsoft Foundry environments for development, test, and production, each containing the same Foundry resource, project, and model deployments. Every cha
- Before you apply an updated Bicep template that changes a shared Microsoft Foundry resource in production, your change-management process requires you to see exactly which resources the deployment wil
- Over the past year your three Microsoft Foundry environments were each adjusted directly in the Azure portal whenever a fix was needed. They have quietly drifted apart, and a change that works in test
- Your team is starting to manage Microsoft Foundry with infrastructure as code, but the current Foundry resource and project were set up in the Azure portal and no Bicep or ARM template for them exists
Also tested in
References
- Choose an Azure resource type for Foundry (classic) - Microsoft Foundry (classic) portal
- Add a new connection to your project - Microsoft Foundry
- Managed identities for Azure resources
- Role-based access control for Microsoft Foundry - Microsoft Foundry
- How to configure a managed network for a hub (classic) - Microsoft Foundry (classic) portal
- How to configure network isolation for Microsoft Foundry - Microsoft Foundry
- What is a private endpoint? - Azure Private Link
- Quickstart: Deploy a Foundry resource by using Bicep - Microsoft Foundry