Enterprise AI Agents in Azure

6th March 2026

Overview of Microsoft Foundry as a unified platform for building, optimizing, and governing enterprise AI agents.

Microsoft Foundry: The Enterprise AI Agent Factory

Microsoft Foundry is a layered, interoperable platform designed to build and govern AI agents at scale with built-in security. It provides a complete lifecycle from initial setup to full production management.

The Core Architecture

At the center of the platform is the Foundry Agent Service, an agent-native runtime that manages conversations, tool calls, and content safety. This service is supported by several integrated layers:

  • Foundry Models: Access to diverse models from providers like OpenAI, Anthropic, Meta, and DeepSeek.
  • Foundry Tools: Integration for MCP-based (Model Context Protocol) tools and management.
  • Foundry IQ: Centralized RAG (Retrieval-Augmented Generation) patterns via a single grounding API.
  • Foundry Control Plane: A centralized dashboard for fleet-wide governance, cost tracking, and policy alerts across all subscriptions.

The Four Stages of the Agent Lifecycle

Stage 1: Setup and Foundation

Enterprise readiness is established before code is written by meeting six foundational categories:

  • Network Isolation: Virtual Network support, private endpoints, and data exfiltration control.
  • Identity & Access: Support for User/System Managed Identity and Role-Based Access Control (RBAC).
  • Data Protection: Encryption through Microsoft-managed or customer-managed keys.
  • Policies & Monitoring: Integration with Azure Monitor, audit logs, and Azure Policy.
  • Cost Management: Budgets, alerts, and developer-level visibility.
  • Deployment: Support for Infrastructure-as-Code via ARM, Bicep, and Terraform.

Stage 2: Secure Development

Foundry introduces several architecturally significant capabilities to build trustworthy agents:

  • Entra Agent ID Integration: Every agent is automatically assigned a native identity for consistent governance.
  • AI Gateway: Provides granular controls for token consumption and rate-limiting at the tool level.
  • Permanent Guardrails: Built-in, non-deletable safety guardrails protect against prompt injection and unsafe content.
  • Model Router: Dynamically selects the best model for a prompt to balance cost and performance.

Stage 3: Publishing and Identity

Microsoft Entra Agent ID elevates agents to “first-class citizens” in the identity system.

  • Unpublished Agents: Share a common default identity within a project to simplify early administration.
  • Published Agents: Gain unique, dedicated identities bound to the application resource.
  • Governance: Organizations can apply the same controls used for humans—conditional access, identity protection, and lifecycle management—directly to agents.

Stage 4: Production and Fleet Governance

The Foundry Control Plane manages agents operating at scale.

  • Unified Visibility: Tracks estimated costs, success rates, and token usage across the organization.
  • Heterogeneous Support: The plane can govern agents built with open-source tools like LangGraph or CrewAI if they are registered through the AI Gateway.
  • Policy Enforcement: Administrators can detect and remediate security posture violations, such as agents using API keys instead of Entra ID.

Case Study: Commerzbank’s “Ava”

Commerzbank successfully deployed “Ava,” a transactional AI avatar that handles 30,000 monthly conversations with a 75% autonomous resolution rate.

FeatureAva (Foundry Agent Service)Copilot Studio (Low-Code)
DevelopmentPro-Code: Built by developers using Python/C# and the Microsoft Agent Framework.LowCode: Built primarily via a graphical interface for business users.
UI LayerReal-time Avatar: Integrated with Azure AI Video Indexer/TTS Avatar to show a digitalized human actress.Chat Interface: Standardized conversational UI with text and Adaptive Cards.
TransactionsDeep Logic: Handles 2FA-secured credit card blocking and account changes directly in the chat.Action-Oriented: Uses Power Automate connectors for integrations.
KnowledgeStrict RAG: Grounded in a “validated knowledge base” (completely separated from the internet/intranet).Standard RAG: Typically grounded in SharePoint, Dataverse, or web search.

Success Factors for Regulated Industries

  1. Second Line of Defense from Day One: Compliance, legal, and fraud prevention teams were involved as collaborators from the start of the project.
  2. Validated Banking Knowledge: The agent does not use the open internet; it relies solely on a completely separated, validated knowledge base to eliminate hallucinations.
  3. Dual-Agent Security Pattern: A dedicated security agent monitors critical actions; a second agent must perform independent reasoning to confirm an alert before human escalation.
  4. Backend Integration: Ava connects directly to core banking systems for account balances and transaction searches through the bank’s existing IT security layer.