Secure Microsoft Foundry Agent Service
In current Microsoft Foundry, secure agents by designing boundaries around the Foundry resource and its Foundry projects. The Foundry resource is the top-level administrative, security, and monitoring boundary for a Microsoft Foundry environment. A Foundry project is a subscope within the resource where teams build agents, tools, workflows, and developer experiences. Assign permissions at the narrowest scope that matches the work: the Foundry resource for shared administration and governance, and the Foundry project for day-to-day agent development.
Earlier projects under Azure AI Agent Service (classic) used a hub-based architecture. Hubs and hub-level inheritance should appear only in migration plans for existing classic workloads. For new or migrated workloads, plan controls around Foundry resources and Foundry projects.
Apply security controls at the appropriate boundary:
- Identity and RBAC: Use Microsoft Entra ID. Assign Foundry User, Foundry Project Manager, Foundry Account Owner, or Foundry Owner at Foundry resource or Foundry project scopes. Give users and runtime identities the minimum roles they need; avoid key-based access because keys bypass RBAC restrictions.
- Managed identities, agent identities, and least privilege: Configure the right identity for outbound access to Azure resources and APIs. Authorize the project managed identity for project setup, bring-your-own (BYO) resources, and connections that explicitly use it. Authorize the shared project agent identity for unpublished agents, the distinct published agent identity for published agents or agent applications, or the signed-in user when a tool uses OAuth on-behalf-of (OBO). Published agents receive distinct identities, so reassign any required data-source roles after publishing.
- Network controls: Separate inbound private endpoint access from outbound private agent isolation. All Standard setups require BYO Azure Storage, Azure AI Search, and Azure Cosmos DB resources so agent data stays in your Azure tenant. When you combine Standard Setup with private networking, private endpoints for those BYO resources aren't created automatically and must be configured separately. Basic setup can use an inbound private endpoint, but it doesn't provide outbound private isolation for agent traffic. If the Azure AI Search tool uses a private virtual network, use keyless Microsoft Entra authentication with the project managed identity; key-based authentication isn't supported for that path.
- Monitoring and operations: Configure metrics, logs, tracing, and Application Insights so administrators can audit agent runs, tool calls, failures, and policy or safety events at resource and project scopes. Tracing is generally available for prompt agents only; workflow, Hosted, and custom agent tracing is in preview. Restrict access and redact sensitive data because traces can contain prompts, model outputs, tool arguments, tool results, secrets, and personal data.
- Content safety and guardrails: Apply guardrails and content filters to agents and models based on risk. Agent guardrails are in preview. When assigned to an agent, an agentic guardrail fully overrides the underlying model's guardrail for that agent; if no agentic guardrail is assigned, the agent inherits the model's guardrail. Model guardrails alone don't scan tool calls or tool responses. Tool call and tool response scanning works only when configured at those intervention points, only for supported tools, and only for risks supported for agents. Configure Prompt Shields for user prompt attacks and document attacks (indirect prompt injection via untrusted content such as retrieved documents or tool responses). In the guardrails system, document attacks correspond to the Indirect attacks risk category. Apply these controls at the supported intervention points (user input and, for supported tools, tool response).
- Data-source and tool scoping: Limit each agent to approved tools and data sources. Grant Azure Storage, Azure AI Search, API, and MCP access only to the calling identities and indexes, containers, or endpoints needed for the agent's purpose.
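The monitoring item above notes that traces can carry prompts, tool arguments, tool results, secrets, and personal data. The following is an added example, not code from the page or from Foundry, of a redaction pass applied to a span before it is exported to a log store such as Application Insights. The span layout, attribute names (`gen_ai.prompt`, `tool.arguments`, and so on) and the sample values are all constructed for the example; the patterns it scrubs (secret-like attribute keys, bearer tokens, e-mail addresses) are a starting point, not a complete PII policy.

```python
import copy
import hashlib
import re

# Attribute keys that hold credentials: the value is dropped entirely.
SECRET_KEY_PATTERN = re.compile(r"(api[_-]?key|authorization|password|secret|token)", re.I)

# Attribute keys (assumed names for this example) that hold free text from a run:
# prompts, model output, tool arguments and tool results.
FREE_TEXT_KEYS = {"gen_ai.prompt", "gen_ai.completion", "tool.arguments", "tool.result"}

BEARER_PATTERN = re.compile(r"Bearer\s+[A-Za-z0-9._\-]+")
EMAIL_PATTERN = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def scrub_text(text: str) -> str:
    """Remove the obvious secrets and personal data from a free-text value."""
    text = BEARER_PATTERN.sub("Bearer [REDACTED]", text)
    text = EMAIL_PATTERN.sub("[EMAIL]", text)
    return text


def fingerprint(text: str) -> str:
    """Stable digest so runs can still be correlated after the text is removed."""
    return "sha256:" + hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def redact_span(span: dict, mode: str = "scrub") -> dict:
    """Return a redacted copy of a span; the caller's span is left untouched.

    mode="scrub": keep free text but remove secrets and e-mail addresses from it.
    mode="hash":  replace free text with a digest (for stores that must not hold prompts).
    """
    if mode not in ("scrub", "hash"):
        raise ValueError(f"unknown mode {mode!r}")
    out = copy.deepcopy(span)
    attrs = out.get("attributes", {})
    for key, value in list(attrs.items()):
        if SECRET_KEY_PATTERN.search(key):
            attrs[key] = "[REDACTED]"          # credential-bearing attribute
        elif not isinstance(value, str):
            continue                           # numbers, booleans: nothing to scrub
        elif key in FREE_TEXT_KEYS and mode == "hash":
            attrs[key] = fingerprint(value)
        else:
            attrs[key] = scrub_text(value)
    return out


# Constructed sample span, in the shape an OpenTelemetry exporter would see.
SAMPLE_SPAN = {
    "name": "agent.run",
    "attributes": {
        "gen_ai.prompt": "Email the report to alice@example.com",
        "tool.arguments": '{"to": "alice@example.com", "subject": "Q3 summary"}',
        "http.request.header.authorization": "Bearer eyJhbGci.constructed.sample",
        "api_key": "constructed-sample-key",
        "gen_ai.response.model": "constructed-model-name",
        "tool.call_count": 2,
    },
}

if __name__ == "__main__":
    for key, value in redact_span(SAMPLE_SPAN)["attributes"].items():
        print(f"{key}: {value}")
```

Run the scrub pass in the exporter or ingestion pipeline, not in the agent code, so every span takes the same path regardless of which team wrote the agent; keep the unredacted span only where the monitoring item's access restrictions apply.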
Important
Hosted agents require more than the baseline project managed identity assignment. The agent creator needs Foundry Project Manager at the Foundry project scope. To publish agents or deploy agent applications, the same role is required at the Foundry resource (account) scope instead. Foundry creates a dedicated agent identity (an identity in Microsoft Entra ID) for the Hosted agent at deploy time; that identity needs Foundry User on the project for runtime model and artifact access. The project managed identity also needs image-pull permission, such as Container Registry Repository Reader or AcrPull, on the Azure Container Registry that stores the Hosted agent image.
Note
Foundry RBAC roles were recently renamed: Foundry User was Azure AI User, Foundry Owner was Azure AI Owner, Foundry Account Owner was Azure AI Account Owner, and Foundry Project Manager was Azure AI Project Manager. You might see older names during rollout. Use role definition IDs instead of role names in automation.
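The identity item, the Important callout and the Note above together describe a small set of scoped role assignments for a Hosted agent, to be made with role definition IDs rather than names. The following is an added example, not code from the page or from Foundry, that turns that description into an assignment plan and the matching Azure CLI commands. Assumptions: the Foundry resource is a `Microsoft.CognitiveServices/accounts` resource and the project is its `projects` child (the scope strings are built on that basis); the AcrPull ID is the built-in Azure role ID, while the two Foundry role IDs are placeholders to be resolved once in your tenant with `az role definition list --name "<role name>" --query "[].name" -o tsv`; all subscription, resource and object IDs are constructed sample values.

```python
from dataclasses import dataclass
import shlex

# Role definition IDs. AcrPull is the built-in Azure role; the Foundry entries are
# PLACEHOLDERS (resolve them with: az role definition list --name "Foundry User" ...).
ROLE_IDS = {
    "Foundry User": "<FOUNDRY-USER-ROLE-DEFINITION-ID>",
    "Foundry Project Manager": "<FOUNDRY-PROJECT-MANAGER-ROLE-DEFINITION-ID>",
    "AcrPull": "7f951dda-4ed3-4680-a7ca-43fe172d538d",
}

RP_FOUNDRY = "Microsoft.CognitiveServices/accounts"          # assumed resource type
RP_ACR = "Microsoft.ContainerRegistry/registries"


@dataclass(frozen=True)
class RoleAssignment:
    purpose: str
    principal_object_id: str
    principal_type: str   # "User" or "ServicePrincipal"
    role_id: str
    scope: str


def account_scope(sub: str, rg: str, account: str) -> str:
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{RP_FOUNDRY}/{account}"


def project_scope(sub: str, rg: str, account: str, project: str) -> str:
    return f"{account_scope(sub, rg, account)}/projects/{project}"


def acr_scope(sub: str, rg: str, registry: str) -> str:
    return f"/subscriptions/{sub}/resourceGroups/{rg}/providers/{RP_ACR}/{registry}"


def plan_hosted_agent_assignments(*, sub: str, rg: str, account: str, project: str,
                                  registry: str, creator_oid: str,
                                  agent_identity_oid: str, project_mi_oid: str,
                                  publishes: bool = False) -> list[RoleAssignment]:
    """Narrowest-scope assignments for one Hosted agent, per the page's callout."""
    # Creator: Project Manager at project scope, or at account scope only when the
    # same person also publishes agents or deploys agent applications.
    creator_scope = (account_scope(sub, rg, account) if publishes
                     else project_scope(sub, rg, account, project))
    return [
        RoleAssignment("agent creator", creator_oid, "User",
                       ROLE_IDS["Foundry Project Manager"], creator_scope),
        # Dedicated agent identity created at deploy time: runtime model/artifact access.
        RoleAssignment("hosted agent identity", agent_identity_oid, "ServicePrincipal",
                       ROLE_IDS["Foundry User"], project_scope(sub, rg, account, project)),
        # Project managed identity: image pull on the one registry holding the image.
        RoleAssignment("project managed identity", project_mi_oid, "ServicePrincipal",
                       ROLE_IDS["AcrPull"], acr_scope(sub, rg, registry)),
    ]


def to_az_command(a: RoleAssignment) -> str:
    """Azure CLI command for one assignment; --role takes the definition ID."""
    return " ".join([
        "az role assignment create",
        "--assignee-object-id", shlex.quote(a.principal_object_id),
        "--assignee-principal-type", a.principal_type,
        "--role", shlex.quote(a.role_id),
        "--scope", shlex.quote(a.scope),
    ])


if __name__ == "__main__":
    # Constructed sample IDs; replace with values from your tenant.
    plan = plan_hosted_agent_assignments(
        sub="00000000-0000-0000-0000-000000000000", rg="rg-agents",
        account="fdy-sample", project="proj-support", registry="acrsample",
        creator_oid="11111111-1111-1111-1111-111111111111",
        agent_identity_oid="22222222-2222-2222-2222-222222222222",
        project_mi_oid="33333333-3333-3333-3333-333333333333")
    for a in plan:
        print(f"# {a.purpose}\n{to_az_command(a)}")
```

The point of planning the assignments as data first is that the scopes can be reviewed before anything is applied: every entry is at project, account or single-registry scope, and the creator only moves up to account scope when publishing is actually part of the job.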