
Seven setup decisions determine whether Microsoft Foundry (formerly Azure AI Foundry) becomes your governed AI platform or your next remediation project.
Networking, identity, data isolation, and cost controls bind to the platform the day it is created. Configure them in the right order, and your teams ship quickly with auditors satisfied. Leave them to chance, and security blocks your first production release. Here is the sequence, the traps inside it, and the questions to put to your platform team this week.
TL;DR
- Foundry locks networking, security, and identity choices in at resource creation, so retrofitting them later means rebuilds
- The working order: topology, setup mode, identity, isolation, model policy, observability, then fleet onboarding
- Every Foundry agent receives a Microsoft Entra Agent ID at build time, which makes identity the control all others depend on
- EU AI Act high-risk deadlines moved to May 2026, yet transparency duties still arrive this year
- A governance assessment before scale-up costs far less than a compliance freeze after it
Why Foundry Governance Can’t Wait Until Production
Three forces make early setup the cheap option: locked-in architecture, agent sprawl, and deadlines that survived the EU’s delay.
Architecture locks in on day one. Microsoft’s architecture documentation is specific: networking, security and model deployment rules live at the resource level, and connected services such as Storage, Key Vault, and AI Search carry separate governance boundaries. A pilot built on open defaults quietly becomes your production standard.
The 30-minute check: list every Foundry resource in your tenant, pull each network configuration, and name an owner. Anything still on defaults cannot graduate to production without a rebuild.
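One way to run that 30-minute check from a CLI export, as an added example that is not Deployflow's or Microsoft's code: it assumes the JSON shape of `az cognitiveservices account list -o json` (properties.publicNetworkAccess, properties.networkAcls.defaultAction, tags) and an 'owner' tag as the ownership convention, and the three resources below are constructed sample data.

```python
"""Audit Foundry-capable resources for default network posture and missing owners.
Added example; the CLI JSON shape (properties.publicNetworkAccess,
properties.networkAcls.defaultAction, tags) and the 'owner' tag convention are
assumptions of this example, not documented contracts."""
import json

# Constructed sample in the shape of the CLI listing (three resources, not real).
SAMPLE_LISTING = json.dumps([
    {"name": "foundry-prod", "kind": "AIServices", "location": "uksouth",
     "tags": {"owner": "platform-eng@example.invalid"},
     "properties": {"publicNetworkAccess": "Disabled",
                    "networkAcls": {"defaultAction": "Deny"}}},
    {"name": "foundry-pilot", "kind": "AIServices", "location": "uksouth",
     "tags": {},
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Allow"}}},
    {"name": "legacy-openai", "kind": "OpenAI", "location": "westeurope",
     "tags": {"owner": "data-science@example.invalid"},
     "properties": {"publicNetworkAccess": "Enabled",
                    "networkAcls": {"defaultAction": "Deny"}}},
])

# Account kinds that can host Foundry workloads (other kinds are skipped).
FOUNDRY_KINDS = {"AIServices", "OpenAI"}

def audit_resources(listing_json: str, owner_tag: str = "owner") -> dict:
    """Map each resource name to its list of findings; an empty list means clean."""
    findings = {}
    for res in json.loads(listing_json):
        if res.get("kind") not in FOUNDRY_KINDS:
            continue
        props = res.get("properties") or {}
        acls = props.get("networkAcls") or {}
        issues = []
        # A new account defaults to public access enabled, so treat an absent
        # value as the default, not as safe.
        if props.get("publicNetworkAccess", "Enabled") == "Enabled":
            issues.append("public network access enabled")
        if acls.get("defaultAction", "Allow") == "Allow":
            issues.append("network ACL default action is Allow")
        if not (res.get("tags") or {}).get(owner_tag):
            issues.append(f"no '{owner_tag}' tag")
        findings[res["name"]] = issues
    return findings

def blocked_from_production(findings: dict) -> list:
    """Names that cannot graduate without a rebuild: anything still on defaults."""
    return sorted(name for name, issues in findings.items() if issues)
```

Feed the real listing in place of SAMPLE_LISTING and the output is the owner-less, default-posture inventory the check asks for.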
Agent sprawl has a number. IDC projects that 1.3 billion AI agents will automate workflows by 2028, and Microsoft’s Ignite briefing called ungoverned agents the new shadow IT (Microsoft, November 2025). Agents also retire fast. Microsoft’s identity team describes lifespans of a few weeks, at a scale user-lifecycle tooling was never built for.
The one-question test: ask your platform lead for a tenant-wide agent inventory. A same-day answer means governance works. A week of silence is the audit finding.
Two duties survived the EU’s delay. Lawmakers agreed a 16-month postponement for new high-risk AI systems on 7 May 2026, with 12 months for AI in regulated products, yet chatbot transparency still lands on 2 August 2026 and AI content labelling on 2 December 2026.
The free win: switch on tracing and evaluation logging this quarter (step 6 below). Evidence accumulates while your teams ship.
Foundry Control Plane vs Agent 365: Who Owns What
The platform assumes an organisational design. Decide yours before anyone configures a thing.
Two planes, two audiences. Foundry Control Plane serves your developers and AI engineers with observability, runtime controls and fleet operations. Agent 365 serves IT and security administrators with an agent registry, identity governance and tenant-wide policy. The payoff is consolidation: one role-aware interface replaces individual Azure portal blades and separate per-project views.
The decision to make this week: put a named owner on each plane, in writing. The natural mapping is your head of platform engineering on Control Plane and your CISO or IT director on Agent 365, with a standing monthly review where both sign off on guardrail changes.

The 2 am test. An agent misbehaves out of hours: who is authorised to pause it, and in which portal? Write the escalation path before the first agent ships, because an incident is a poor moment to learn that two teams each assumed the other held the kill switch.
No parallel security stack. Both planes run on the same foundations: Microsoft Entra, Defender and Purview, so agent signals land in consoles your security team already staffs. Governance reuses tooling you have licensed and trained for, which is a line item your CFO will appreciate.
One register, even for outside agents. Agents built beyond Foundry join the same register through the AI gateway; step 7 covers the mechanics. One question for your next architecture review: are our LangChain and third-party agents registered, or invisible?
Resource above, projects below. Governance lives at the resource level, while projects give teams bounded spaces that reuse approved model deployments without repeated IT setup. Mirror it organisationally: your platform team owns the resource, product teams own their projects, and neither blocks the other.
How to Set Up Microsoft Foundry: The 7-Step Sequence
Steps 1 and 2 fix your architecture, 3 and 4 protect your data, and 5 to 7 put you in control of operations. Each step ends with an action or a test you can hand to your team this week.
1. Map Your Resource Topology Before Anyone Builds
Topology is a business decision, so make it before engineers make it for you. Decide how Foundry resources map to subscriptions, business units and environments ahead of the first deployment. A structured rollout plan protects you from security gaps, cost overruns and access sprawl, and region choice should follow model and feature availability.
Do this week: A 90-minute topology workshop producing a one-page map with a named owner per resource. Drift now has an address.
2. Choose Standard Setup for Anything Touching Real Data
Data classification picks the mode, never team preference. The basic setup runs on platform-managed storage and is well-suited to rapid prototyping. The standard setup gives you fine-grained control over your data using your own Azure resources. The trap is that nobody decides, so the pilot’s convenience mode becomes production posture.
The storage mode is only one of the graduation decisions; the guide to moving Azure AI Foundry experiments into production covers the rest.
Do this week: Add one line to your platform standards: anything above internal classification runs on Standard. A single sentence closes the gap permanently.
3. Give Every Agent an Identity on Day One
An agent without an identity cannot be audited, restricted or revoked. Start with least-privilege RBAC roles for people and managed identities for services. Foundry automatically extends the discipline: every agent receives a Microsoft Entra Agent ID at build time, appears in the Control Plane, and is granted conditional permissions aligned with your existing governance model.
The release gate: No Agent ID, no production. Then run the revocation test: pick any live agent and ask who can disable it, and how fast. The answer should take minutes, never a meeting.
4. Keep Sensitive Data Off Public Endpoints
The secure path must be the default path. Purview data security and compliance policies extend to AI interactions, so agents operate under the same protections as your users and devices. Retrieval traffic stays inside the fence too: model calls and enrichment flows can run within approved private boundaries using Shared Private Link and Network Security Perimeter.
Do this week: Bake private endpoints into the landing-zone template, then request the list of public endpoints touching AI workloads. The correct list is short. The ideal list is empty.
5. Decide Which Models Your Teams May Deploy
A catalogue of more than 11,000 models, including Anthropic’s Claude, is freedom that needs a policy. Approve a short list per use-case class, name one exception approver, and constrain behaviour at runtime: agent-level guardrails and tool-level controls run through the AI Gateway, with token-based rate limits per model deployment.
Do this week: Publish the approved model list, even if it holds three entries. Experimentation continues; procurement-grade control begins.
6. Switch On Observability Before Production Traffic
Telemetry configured before launch prevents incidents; added afterwards, it merely explains them. End-to-end tracing built on OpenTelemetry captures every agent interaction, with built-in evaluators for coherence, relevance, groundedness, and safety. Security rides the same rails: Defender extends posture management to Foundry agents, with attack-path analysis and detection for jailbreak attempts.
Do this week: Set evaluator thresholds as a production gate and route Defender signals into your existing SOC channel. No new dashboard, no new headcount, and the audit file writes itself.
7. Bring Every Agent Under One Control Plane
Per-project views stop scaling the moment your second team ships. Foundry Control Plane pulls inventory, observability, compliance and security into one place, tracking active agents, compliance posture and cost efficiency across the estate. Outsiders join the register too: agents built elsewhere connect through the AI gateway, which proxies traffic via Azure API Management for policy enforcement and telemetry.
Registration covers the governance half; the build half sits in our guide to deploying multi-step AI systems.
The test: Compare agents visible in the Control Plane against agents generating token spend. Any gap is shadow AI, measured in pounds. Zero gap gives you one number the board can trust.
Microsoft Foundry Cost Control: Set Token Quotas First
Token consumption is the new cloud bill, and it compounds between reviews. Gartner expects over 40% of agentic AI projects to be cancelled by the end of 2027, naming escalating costs and inadequate risk controls among the causes.
The awkward part is that spending scales with success, so a useful agent and a runaway one look identical on an invoice. Control Plane tracks cost, token usage and resource consumption across your entire AI environment, meaning the meters and brakes exist from day one. Use them at setup.
Two moves cover it. Map every Foundry project to a cost centre with a named budget owner, and set token ceilings that alert that owner directly. Then report one number upstairs: cost per resolved ticket or completed run, since raw token counts mean little to a board. A pilot delights the board, then the invoice alarms the CFO. An afternoon on quotas now saves a quarter of remediation later.
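The step-7 gap test and the two cost-control moves above, as one added example that is not Deployflow's or Microsoft's code: the inventory, usage and quota record shapes are assumptions, and every value below is constructed sample data to be replaced with your tenant's own exports.

```python
"""Two checks from the article: agents generating token spend that are missing
from the Control Plane inventory, and per-project token ceilings that alert a
named budget owner. Added example; the record shapes are assumptions."""
from collections import defaultdict

# Constructed sample: agents the Control Plane inventory knows about.
INVENTORY = [
    {"agent_id": "agent-claims-triage", "project": "claims"},
    {"agent_id": "agent-kb-search", "project": "support"},
    {"agent_id": "agent-summariser", "project": "research"},
]

# Constructed sample: monthly usage per agent, e.g. aggregated gateway telemetry.
USAGE = [
    {"agent_id": "agent-claims-triage", "project": "claims", "tokens": 3_200_000, "cost_gbp": 41.50},
    {"agent_id": "agent-kb-search", "project": "support", "tokens": 900_000, "cost_gbp": 12.00},
    {"agent_id": "langchain-poc-7", "project": "support", "tokens": 2_500_000, "cost_gbp": 33.00},
    {"agent_id": "agent-summariser", "project": "research", "tokens": 100_000, "cost_gbp": 1.30},
]

# Constructed sample: project -> monthly token ceiling and the owner to alert.
QUOTAS = {
    "claims": {"token_ceiling": 5_000_000, "owner": "claims-lead@example.invalid"},
    "support": {"token_ceiling": 3_000_000, "owner": "support-lead@example.invalid"},
}

def shadow_ai_spend(inventory, usage):
    """Agents with spend but no registration, and what they cost: the gap the
    article calls shadow AI measured in pounds."""
    registered = {a["agent_id"] for a in inventory}
    unknown = [u for u in usage if u["agent_id"] not in registered]
    return sorted({u["agent_id"] for u in unknown}), round(sum(u["cost_gbp"] for u in unknown), 2)

def quota_alerts(usage, quotas):
    """Projects over their ceiling, or spending with no cost-centre mapping at all
    (owner None). Returns {project: (tokens used, owner to alert)}."""
    used = defaultdict(int)
    for u in usage:
        used[u["project"]] += u["tokens"]
    alerts = {}
    for project, tokens in used.items():
        quota = quotas.get(project)
        if quota is None:
            alerts[project] = (tokens, None)
        elif tokens > quota["token_ceiling"]:
            alerts[project] = (tokens, quota["owner"])
    return alerts
```

A project with spend but no quota entry shows up with owner None, which is the missing cost-centre mapping rather than an overspend.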
Microsoft Foundry Compliance: What Auditors Will Ask
Every foundation in the sequence answers a question that an auditor will eventually put in writing. The mapping looks like this:

McKinsey’s Global Survey on AI found that only 27% of organisations using gen AI review all outputs before use, and a similar share checks a fifth or less. Most organisations, in other words, could not evidence the first row of that table today.
Classification varies by use case, so check these rows against your own risk register rather than assuming coverage. The economics favour starting early: evidence generated continuously costs little, while evidence reconstructed under a deadline costs a programme.
3 Foundry Setup Mistakes to Avoid
- The default became the standard. The basic setup drifts into production because nobody owns the upgrade decision. The fix is step 2: one classification rule in your platform standards, written before the pilot starts.
- The fleet nobody registered. Agents ship before Control Plane onboarding, and security discovers the unmanaged estate by accident. The fix is steps 3 and 7: registration joins the release gate, so an unregistered agent simply cannot ship.
- The ownership gap. Engineers configure their plane, IT configures Agent 365, and no shared policy connects the two. The fix sits in the ownership table above: two named owners and a monthly review where both sign off.
Each is a sequencing failure, which is why order matters as much as settings.
Get Foundry Governance Right the First Time
Platforms supply the controls. Outcomes come from configuring them in the right order, against your risk profile, before scale makes every gap expensive.
The sequence above is the method behind Deployflow’s agentic AI development services: governance configured first, agents shipped on top of it.
On a national-scale energy AI programme built on Azure AI and processing petabyte workloads across H100 clusters, every environment auto-inherits security, networking and governance policies with zero manual steps. GitOps tracks each change for the regulator. New AI use cases now land without re-engineering the core platform.
The same approach took a national AI intelligence platform from proof of concept to production within 12 months for a multi-billion-dollar UAE public sector organisation.
Governance done first is what made both programmes fast.
If agents on Foundry sit on your roadmap, book an AI governance assessment: you will get a clear view of the gaps across topology, identity and observability, plus a prioritised setup sequence your team can execute, whether you deliver it yourselves or with us.
Prefer to size the financial exposure first? Foundry spend lands on your Azure invoice, so start with a cloud cost review.
Frequently Asked Questions About Microsoft Foundry
How much does Microsoft Foundry cost?
There is no separate licence fee for Microsoft Foundry; you pay for what you consume.
Model inference is billed per token on pay-as-you-go rates that vary by model, with provisioned throughput available where you need predictable capacity at scale. On top of inference sit the usual Azure charges for connected services such as storage, search and compute, plus fine-tuning where used. Budgeting, therefore, depends less on a price list and more on the quotas and cost-centre mapping covered earlier in this article. Pricing changes frequently, so verify current rates against the Azure pricing calculator before committing forecasts.
What is the difference between Microsoft Foundry and Copilot Studio?
Copilot Studio is a low-code tool for business users building agents within the Microsoft 365 ecosystem; Foundry is a code-first platform for engineering teams that need full control over models, infrastructure, and orchestration.
Choose Copilot Studio when the agent extends Microsoft 365 workflows, and speed matters more than customisation. Choose Foundry when you need the open model catalogue, your own networking and data architecture, or agents embedded in your products. Many enterprises run both, and governance does not split: Agent 365 provides unified management and security posture across Foundry, Copilot Studio and partner agents. The ownership decisions in this article apply either way.
Can we migrate existing Azure OpenAI deployments to Microsoft Foundry?
Yes, and without rebuilding: an Azure OpenAI resource upgrades to a Foundry resource while preserving your endpoint, API keys and existing state. Applications keep working through the change, which removes the usual migration risk. The upgrade unlocks the wider model catalogue, the agent service and Control Plane visibility for workloads that previously sat outside it.
One caution: the upgraded resource inherits whatever network and identity posture it had before, so an upgrade is the right time to run the seven-step review, not a reason to skip it.
Is Microsoft Foundry compliant with ISO 27001 and GDPR?
The platform inherits Azure’s certification portfolio, including ISO 27001, and Microsoft’s standard data protection terms cover GDPR commitments; your deployment is a separate question. Certification of the underlying platform does not automatically transfer to what you build on it. Responsibility for identity design, network isolation, data classification and audit evidence sits with you, which is precisely what the setup sequence in this article establishes. Confirm the services you use are in scope for the certifications you rely on via Microsoft’s Trust Center, and map your own controls to your risk register as covered in the auditor section above.
How long does it take to set up Microsoft Foundry for an enterprise?
A single project can run in under a day; an enterprise-grade foundation typically takes a few weeks.
The spread comes from what already exists: organisations with a mature Azure landing zone, established RBAC and a private networking pattern move fast, while those designing identity and isolation from scratch need security review cycles that no tooling shortens. The seven steps in this article are the work itself, and steps 1 to 4 consume most of the calendar. A governance assessment at the start compresses the timeline by surfacing the gaps before they become mid-build surprises.