Domain 3 of 5 · Chapter 1 of 3

Foundry Environments and Platform Configuration

The Foundry resource and its projects

Provision the Microsoft Foundry[1] resource before anything else: it is the top-level Azure resource, and its Azure Resource Manager type is Microsoft.CognitiveServices/accounts. Everything a team builds lives in a project, a child scope inside the resource that groups the models, agents, connections[2], and deployments for one piece of work.

Foundry gives you two project types, and the exam rewards knowing which is the default. A Foundry project is the generally available default and the only type that exposes the Foundry API and Foundry Agent Service. A hub-based project is required only when you need Azure Machine Learning compatibility, managed compute, or open-source model hosting and fine-tuning; for everything else the Foundry project is the right choice (resource types[1]). Choosing a hub-based project just to use prompt flow is a trap: prompt flow is on a retirement path, so it is not a reason to pick a hub for new work.

Do not confuse the Foundry container with the classic ML container. The Azure Machine Learning workspace stays the top-level resource for traditional ML assets such as datasets, jobs, and registered models; generative AI projects belong in a Foundry resource, not a workspace.

Foundry resourcetop-level Azure resourceProjectchild scopeModelsAgentsConnectionsDeployments
A Foundry resource is the top-level container; each project groups its own models, agents, connections, and deployments.

Connections: shared access to external resources

You rarely want a raw storage key pasted into every agent. A connection solves that: it is a named, project-scoped object that stores the endpoint and credentials for an external resource, so many agents and components reuse one definition instead of each carrying its own secret (add a connection[2]). Typical targets include Azure Storage, Azure AI Search, Application Insights, Azure Key Vault, and Azure Cosmos DB.

Keyless connections

A connection can authenticate to its target with a Microsoft Entra identity (the resource's managed identity, defined under Identity and access below) instead of an API key. An Entra-based connection keeps secrets out of the connection object and lets Azure role-based access control (RBAC) decide who may use it. When a connection does hold a secret, Foundry stores it in a managed Azure Key Vault that Microsoft provisions for the resource; you can instead bring your own Key Vault, with a limit of one Key Vault connection per resource. Adding any connection requires at least the Foundry User role (or Azure Contributor), the same least-privilege role covered in the next section.

Identity and access: managed identities and RBAC

Two mechanisms govern access to a Foundry resource: the identity the resource uses to reach its own dependencies, and the RBAC roles that decide which people can act on it. This section covers both, starting with the identity.

Managed identities: keyless access

A managed identity is a special kind of service principal in Microsoft Entra ID whose credentials Azure creates and rotates automatically, so a Foundry resource can reach its dependencies (Storage, Key Vault, and more) with no stored secret (managed identities[3]). It comes in two forms:

Identity type Lifecycle Sharing
System-assigned Created and deleted with the resource (one to one) Cannot be shared
User-assigned Standalone Azure resource with its own lifecycle Attach to many resources

Prefer Microsoft Entra ID token authentication over API keys for production, and you can disable local (key) authentication so every data-plane call is authorized through Entra ID and RBAC rather than a shared key. As the RBAC docs note, a key grants full access with no role restrictions, which is exactly why keys are harder to scope, rotate, and revoke than an Entra identity (RBAC for Foundry[4]).

Least-privilege built-in roles

Assign the narrowest built-in role that lets a person work (RBAC for Foundry[4]):

  • Foundry User (formerly Azure AI User): the least-privilege role for developers building and testing in a project. It performs data actions and reads projects, but cannot create projects, deploy models, or publish agents.
  • Foundry Project Manager: the elevated build role. It is the minimum role that can publish agents, and it can conditionally assign the Foundry User role to others. The canonical RBAC matrix does not grant it create-project or model-deployment rights, so do not assume it can. Some doc pages disagree on those two powers; key only its consistent powers, agent publishing plus conditional Foundry User assignment.
  • Foundry Account Owner and Foundry Owner: full resource management and model deployment. Account Owner can create projects and deploy models but cannot publish agents; Foundry Owner does everything, including publishing agents.
  • Foundry Agent Consumer: least privilege for a principal that only calls an agent's endpoint, with no build rights at all.

A practical mapping: give team members Foundry User at project scope, a team lead Foundry Project Manager when they must publish agents, and a manager Foundry Account Owner to provision and deploy models. Reserve Owner and Contributor for genuine administrators.

Network isolation: managed VNet and private endpoints

By default a Foundry resource is reachable over the public internet. Two independent controls lock it down: an outbound managed VNet and an inbound private endpoint.

Outbound: managed VNet isolation modes

A managed virtual network (VNet) has two isolation modes (configure a managed network[5]):

  • Allow internet outbound: agents may reach public endpoints.
  • Allow only approved outbound: outbound traffic is limited to approved private endpoints, service tags, and fully qualified domain name (FQDN) rules.

Only Allow only approved outbound turns on automatic data-exfiltration protection; Allow internet outbound does not. When you add an outbound FQDN rule in the approved-outbound mode, Foundry automatically provisions an Azure Firewall to enforce it (Standard SKU by default, or Basic), and Azure Firewall charges then appear on your bill. Note the documented caveat: once you add outbound rules, Microsoft cannot guarantee protection against exfiltration to those specific destinations.

Inbound: private endpoint plus disabling public access

For inbound isolation, create a private endpoint (Azure Private Link) so the resource gets a private IP inside your VNet, then set public network access to Disabled (configure network isolation[6]). A private endpoint alone is not enough: while public network access stays enabled, the public path is still reachable. Do not confuse a private endpoint with a service endpoint: a service endpoint keeps the resource's public IP and only extends your subnet's identity to it, whereas a private endpoint projects the resource into your subnet as a private IP (private endpoint overview[7]). Private endpoints to connected resources such as Storage, Search, and Cosmos DB are not auto-created; add them separately.

Outbound isolationmode?Allow internet outboundpublic endpoints reachableno exfiltration protectionAllow only approved outboundprivate endpoints, service tags, FQDNauto data-exfiltration protectionFQDN rule adds Azure FirewallStandard by default, or BasicInbound: add a private endpointand set public network access to Disabledinternetapproved
Choose an outbound isolation mode, then add a private endpoint and disable public network access for inbound isolation.

Deploy the environment as code with Bicep

Portal click-ops is not repeatable, and a Foundry configuration built by hand cannot be reviewed or promoted across environments. Define the resource, its projects, and model deployments as Bicep templates instead, and deploy them with the Azure CLI (deploy a Foundry resource by using Bicep[8]). A Bicep template for a Foundry environment declares the Microsoft.CognitiveServices/accounts resource and its Microsoft.CognitiveServices/accounts/projects children, so one coordinated deployment recreates identical dev, test, and prod environments.

Deploy a Foundry resource and project with the Azure CLI

# Create the resource group, then deploy the Bicep template into it
az group create --name exampleRG --location eastus
az deployment group create \
  --resource-group exampleRG \
  --template-file main.bicep \
  --parameters aiFoundryName=myai aiProjectName=myai-proj
# ...

az group create provisions the resource group; az deployment group create applies main.bicep into it, passing the resource and project names as parameters. A successful run reports "provisioningState": "Succeeded".

Two facts worth remembering. First, a managed-network Foundry resource has no portal creation experience, so it must be deployed with Bicep or Terraform, or through az rest and the Azure CLI. Second, if you already built a resource in the portal, you can export its configuration to a Bicep file (Automation > Export template) as a starting point rather than authoring one from scratch.

Author Bicepmain.bicepaccounts + projectsaz group createresource groupaz deploymentgroup create--template-fileFoundry resource+ projectrepeatable
From a Bicep template, the Azure CLI provisions the Foundry resource and its project, repeatably across environments.

Exam-pattern recognition

Most questions on this objective test one of a handful of distinctions. Read the stem for the signal, then pick the answer that matches.

  • Container: 'build agents' or 'generative AI' points to a Foundry resource and project, not an Azure Machine Learning workspace. The workspace is only for classic ML assets.
  • Project type: a Foundry project is the default; reach for a hub-based project only for Azure ML compatibility, managed compute, or open-source model hosting and fine-tuning. 'To use prompt flow' is not a valid reason.
  • Credentials: prefer a shared connection using Microsoft Entra (managed identity) authentication over an API key hard-coded into each agent. Keys grant unscoped access and are harder to rotate and revoke.
  • Roles: Foundry User is least privilege for build-and-test; Foundry Project Manager is the minimum role that can publish agents but cannot create projects or deploy models; Foundry Account Owner deploys models but cannot publish agents. Do not answer Owner or Contributor when a Foundry role fits.
  • Outbound network: 'prevent data exfiltration' means Allow only approved outbound, never Allow internet outbound. Adding an FQDN rule provisions an Azure Firewall.
  • Inbound network: a private endpoint plus public network access set to Disabled. A private endpoint alone, or a service endpoint, leaves the public path open.
  • Deployment: 'repeatable across dev, test, and prod' means Bicep with az deployment group create, not portal click-ops; a managed-network resource has no portal creation UI.

Foundry built-in role capabilities

CapabilityFoundry UserFoundry Project ManagerFoundry Account OwnerFoundry Owner
Build and test in a project (data actions)YesYesNoYes
Publish agentsNoYes (minimum role)NoYes
Create projects or accountsNoNoYesYes
Deploy or manage modelsNoNoYesYes
Assign roles to othersNoFoundry User onlyUser, ACR, monitoringUser, ACR, monitoring
Typical personaDeveloper building and testingTeam lead publishing agentsManager provisioning and deployingFull self-serve owner

Decision tree

Only calls an agentendpoint?Foundry Agent Consumerendpoint calls onlyFull self-serve:build and deploy models?Foundry Ownerbuild and full adminAdminister only:create projects, deploy?Foundry Account Ownerprovision and deploy, no buildMust publish agents?Foundry Userbuild and testFoundry Project Managerpublish agents (minimum)YesNoYesNoYesNoNoYes

Sharp facts the exam loves — give these one last read before exam day.

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Foundry project is the default; a hub-based project is only for Azure ML / open-model workloads

Microsoft Foundry offers two project types. A Foundry project is the default, generally available choice and the only one that exposes the Foundry API and Foundry Agent Service; a hub-based project is required only when you need Azure Machine Learning compatibility, managed compute, or open-source model hosting and fine-tuning.

Trap Choosing a hub-based project 'to use prompt flow' — prompt flow is on a retirement path (support ends 2027-04-20), so it is not a reason to pick a hub project for new work.

14 questions test this
The Foundry resource is the top-level Azure resource that contains projects

A Microsoft Foundry resource is the top-level Azure resource you create first; projects are child scopes inside it that group models, agents, connections, and deployments. The Azure Machine Learning workspace remains the top-level resource for classic ML assets, not for generative AI work.

Trap Treating the Azure Machine Learning workspace as the container for Foundry generative-AI projects.

8 questions test this
A connection stores authentication to an external resource for reuse across a project

A Foundry connection is a named, project-scoped object that stores the endpoint and credentials for an external dependency such as Azure Storage, Azure AI Search, or Application Insights, so components and agents reuse the connection instead of embedding secrets in each definition.

Trap Hard-coding a resource key into each agent or prompt rather than referencing one shared connection.

27 questions test this
A connection can authenticate with an Entra identity instead of a key

A Foundry connection can authenticate to its target resource with a Microsoft Entra identity (the resource's managed identity) rather than an API key, keeping secrets out of the connection object and letting Azure RBAC govern who can use it.

System-assigned vs user-assigned managed identity for a Foundry resource

A Foundry resource can use a system-assigned managed identity (created and deleted with the resource, one-to-one) or a user-assigned managed identity (a standalone Azure resource you can attach to several resources and manage independently) to access dependencies such as Storage or Key Vault without stored credentials.

Trap Using an account key or SAS token where a managed identity is required for keyless, credential-free access.

12 questions test this
Prefer Microsoft Entra (keyless) authentication over API keys

For production Foundry access, Microsoft Entra ID token authentication with a managed identity is preferred over API keys; you can disable local (key) authentication so every data-plane call is authorized through Entra ID and RBAC rather than a shared secret.

Trap Assuming API keys are as safe as Entra ID — keys cannot be scoped by RBAC and are harder to rotate or revoke per user.

12 questions test this
Foundry User grants the minimum permissions to use a project and its models

The built-in Foundry User role (formerly Azure AI User) grants the least-privilege access needed to work inside a project and call its deployed models; assign it to team members who build and test rather than granting a broad Owner or Contributor role.

Trap Granting Owner or Contributor for everyday build-and-test work, over-provisioning access beyond what Foundry User already allows.

13 questions test this
Foundry Project Manager is the elevated build role whose distinctive power is publishing agents

The Foundry Project Manager role (formerly Azure AI Project Manager) is the elevated developer role: it is the minimum role that can publish agents (Foundry Account Owner cannot publish) and it can conditionally assign the Foundry User role to others. Microsoft pages currently disagree on whether it can also create projects or manage model deployments - the canonical rbac-foundry matrix (2026-07) marks both as NOT granted - so questions must not anchor on those claims; Foundry Account Owner and Foundry Owner cover full resource management and model deployment.

Trap Assuming Project Manager can create projects or deploy models; the canonical RBAC matrix denies both, and its distinctive documented power is agent publishing plus conditional Foundry User assignment.

8 questions test this
Managed VNet isolation modes: Allow internet outbound vs Allow only approved outbound

A Foundry managed virtual network supports two isolation modes: Allow internet outbound (agents may reach public endpoints) and Allow only approved outbound (outbound is limited to approved private endpoints and FQDN rules). Only Allow only approved outbound enables automatic data-exfiltration protection, and adding an outbound FQDN rule automatically provisions an Azure Firewall.

Trap Believing Allow internet outbound provides data-exfiltration protection — only Allow only approved outbound does.

15 questions test this
Use a private endpoint and disable public network access to reach Foundry privately

To keep traffic off the public internet, create a private endpoint for the Foundry resource and set public network access to Disabled, so the resource is reachable only over a private IP inside your virtual network. Managed private endpoints created by the managed VNet are fully Microsoft-managed and do not expose a customer-visible network interface (NIC).

Trap Using a service endpoint instead of a private endpoint, or leaving public network access enabled after adding the private endpoint.

16 questions test this
Provision Foundry resources repeatably with Bicep templates and Azure CLI

Define Foundry resources, projects, and model deployments as Bicep templates and deploy them with the Azure CLI (for example az deployment group create) so environments are versioned, reviewable, and reproducible. A managed-network Foundry resource currently has no portal creation UI and must be deployed via Bicep or Terraform, or with az rest / Azure CLI.

Trap Relying on portal click-ops, which is not source-controlled or repeatable across dev/test/prod environments.

21 questions test this

Also tested in

References

  1. Choose an Azure resource type for Foundry (classic) - Microsoft Foundry (classic) portal
  2. Add a new connection to your project - Microsoft Foundry
  3. Managed identities for Azure resources
  4. Role-based access control for Microsoft Foundry - Microsoft Foundry
  5. How to configure a managed network for a hub (classic) - Microsoft Foundry (classic) portal
  6. How to configure network isolation for Microsoft Foundry - Microsoft Foundry
  7. What is a private endpoint? - Azure Private Link
  8. Quickstart: Deploy a Foundry resource by using Bicep - Microsoft Foundry