| 1 | +--- |
| 2 | +title: Built-in enterprise readiness with standard agent setup |
| 3 | +titleSuffix: Azure AI Foundry |
| 4 | +description: Learn about the enterprise features of the standard setup |
| 5 | +manager: nitinme |
| 6 | +author: fosteramanda |
| 7 | +ms.author: fosteramanda |
| 8 | +ms.service: azure-ai-agent-service |
| 9 | +ms.topic: conceptual |
| 10 | +ms.date: 05/05/2025 |
| 11 | +ms.custom: azure-ai-agents |
| 12 | +--- |
| 13 | + |
| 14 | +# Built-in enterprise readiness with standard agent setup |
| 15 | + |
| 16 | +Standard Agent Setup offers enterprise-grade security, compliance, and control. This configuration uses customer-managed, single-tenant resources to store agent state and ensures all data remains within your control. |
| 17 | + |
| 18 | +In this setup: |
| 19 | +* Agent states (files, threads, vector stores) are stored in your own Azure resources. |
| 20 | +* Available with both public networking and private networking (Bring Your Own virtual network) options. |
| 21 | + |
| 22 | +## Leveraging your own resources for storing customer data |
| 23 | +Both standard setup configurations are designed to give you complete control over sensitive data by requiring the use of your own Azure resources. The required Bring Your Own (BYO) resources include: |
| 24 | +* BYO File Storage: All files uploaded by developers (during agent configuration) or end-users (during interactions) are stored directly in the customer’s Azure Storage account. |
| 25 | +* BYO Search: All vector stores created by the agent leverage the customer’s Azure AI Search resource. |
| 26 | +* BYO Thread Storage: All customer messages and conversation history will be stored in the customer’s own Azure Cosmos DB account. |
| 27 | + |
| 28 | +By bundling these BYO features (file storage, search, and thread storage), the standard setup guarantees that your deployment is secure by default. All data processed by Azure AI Agent Service is automatically stored at rest in your own Azure resources, helping you meet internal policies, compliance requirements, and enterprise security standards. |
| 29 | + |
| 30 | +## Project-Level Data Isolation |
| 31 | + |
| 32 | +Azure AI Foundry enforces project-level data isolation by default. When you configure your own resources in the project capability host: |
| 33 | +* **Azure Storage**: Two Blob containers are automatically provisioned: |
| 34 | + * One for uploaded files |
| 35 | + * One for intermediate system data (for example, chunks, embeddings) |
| 36 | +* **Azure Cosmos DB**: Three containers are provisioned under a dedicated enterprise_memory database: |
| 37 | + * thread-message-store: End-user conversations |
| 38 | + * system-thread-message-store: Internal system messages |
| 39 | + * agent-entity-store: Model inputs and outputs |
| 40 | + |
| 41 | +This default behavior was chosen to reduce configuration complexity while still enforcing strict data boundaries—ensuring each project has a clean, isolated storage footprint without requiring manual setup. |
| 42 | + |
| 43 | +## Capability hosts |
| 44 | +**Capability hosts** are sub-resources on both the Account and Project, enabling interaction with the Azure AI Agent Service. |
| 45 | +- **Account Capability Host**: The account capability host has an empty request body except for the parameter capabilityHostKind="Agents". |
| 46 | +- **Project Capability Host**: Specifies resources for storing agent state, either managed multitenant (basic setup) or customer-owned (standard setup), single-tenant resource. Think of project capability host as the project settings. |
| 47 | + |
| 48 | +### Limitations |
| 49 | +- **Update Not Supported**: Cannot update the capability host for a project or account. |
| 50 | + |
| 51 | + |
| 52 | +## Step by Step Provisioning Process |
| 53 | +1. Create project dependent resources for standard setup |
| 54 | + * Create new (or pass in resource ID of existing) Cosmos DB resource |
| 55 | + * Create new (or pass in resource ID of existing) Azure Storage resource |
| 56 | + * Create new (or pass in resource ID of existing) Azure AI Search resource |
| 57 | + * Create a new Key Vault resource |
| 58 | + * [Optional]: Create new application insights resource |
| 59 | + * [Optional]: pass in resource ID of existing AI Foundry resource |
| 60 | +2. Create Azure AI Foundry Resource (cognitive service/accounts kind=AIServices) |
| 61 | +3. Create Account-level connections |
| 62 | + * Create account connection to Application Insights resource |
| 63 | +4. Deploy gpt-4o or other agent compatible model |
| 64 | +5. Create Project (cognitive service/accounts/project) |
| 65 | +6. Create project connections |
| 66 | + * [if provided] Project connection to AI Foundry resource |
| 67 | + * Create project connection to Azure Storage account |
| 68 | + * Create project connection to Azure AI Search account |
| 69 | + * Create project connection to Cosmos DB account |
| 70 | +7. Assign the project-managed identity (including for SMI) the following roles: |
| 71 | + * Cosmos DB Operator at the scope of the account level for the Cosmos DB account resource |
| 72 | + * Storage Account Contributor at the scope of the account level for the Storage Account resource |
| 73 | +8. Set Account capability host with empty properties section. |
| 74 | +9. Set Project capability host with properties Cosmos DB, Azure Storage, AI Search connections |
| 75 | +10. Assign the Project Managed Identity (both for SMI and UMI) the following roles on the specified resource scopes: |
| 76 | + * Azure AI Search (can be assigned either before or after capHost creation) |
| 77 | + * Assign roles: Search Index Data Contributor, Search Service Contributor |
| 78 | + * Azure Blob Storage Container: `<workspaceId>-azureml-blobstore` |
| 79 | + * Assign role: Storage Blob Data Contributor |
| 80 | + * Azure Blob Storage Container: `<workspaceId>- agents-blobstore` |
| 81 | + * Assign role: Storage Blob Data Owner |
| 82 | + * Cosmos DB for NoSQL container: `<'${projectWorkspaceId}>-thread-message-store'` |
| 83 | + * Assign role: Cosmos DB Built-in Data Contributor |
| 84 | + * Cosmos DB for NoSQL container: `<'${projectWorkspaceId}>-thread-message-store'` |
| 85 | + * Assign role: Cosmos DB Built-in Data Contributor |
| 86 | + * Cosmos DB for NoSQL container: `<'${projectWorkspaceId}>-agent-entity-store'` |
| 87 | + * Assign role: Cosmos DB Built-in Data Contributor |
| 88 | +11. Once all resources are provisioned, all developers who want to create/edit agents in the project should be assigned the role: Azure AI User on the project scope. |
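Review bot: the role-assignment list in step 10 (lines 82-87) repeats the `thread-message-store` container twice and never mentions `system-thread-message-store`, even though the "Project-Level Data Isolation" section (lines 36-39) says three Cosmos DB containers are provisioned: `thread-message-store`, `system-thread-message-store` and `agent-entity-store`. The second entry, `<'${projectWorkspaceId}>-thread-message-store'`, should presumably read `<'${projectWorkspaceId}>-system-thread-message-store'`; as written, a reader following the steps literally leaves the system-message container without a data-plane role assignment and the agent will fail at runtime. Two smaller points in the same list: line 80 has a stray space in `<workspaceId>- agents-blobstore`, and the placeholder syntax switches between `<workspaceId>` for the blob containers and `<'${projectWorkspaceId}>` for the Cosmos DB containers, so it is unclear whether these are the same value. Also consider explaining why step 7 grants the control-plane roles Cosmos DB Operator and Storage Account Contributor at account scope in addition to the container-scoped data-plane roles in step 10 (a sentence noting they are needed for provisioning the per-project containers described earlier would let readers confirm the least-privilege intent), and clarify step 7's "including for SMI" versus step 10's "both for SMI and UMI". Finally, step 1 asks for a new Key Vault resource, but no later step creates a connection or role assignment for it; either state what it is used for or drop it.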