Microsoft Foundry Blog

Building Secure, Governable AI Agents with Microsoft Foundry

fosteramanda
Nov 25, 2025

The era of AI agents has arrived — and it’s accelerating fast. Organizations are moving beyond simple chatbots that merely respond to requests and toward intelligent agents that can reason, act, and adapt without human supervision. 

These agents can analyze data, call tools, orchestrate workflows, and make autonomous decisions in real time. As a result, agents are becoming integral members of teams, augmenting and amplifying human capabilities across organizations at scale. 

But the very strengths that make agents so powerful — their autonomy, intelligence, and ability to operate like virtual teammates — also introduce new risks. Enterprises need a platform that doesn’t just enable agent development but governs it from the start, ensuring security, accountability, and trust at every layer. 

That’s where Microsoft Foundry comes in.

A unified platform for enterprise-ready agents

Microsoft Foundry is a unified, interoperable platform for building, optimizing, and governing AI apps and agents at scale. At its core is Foundry Agent Service, which connects models, tools, knowledge, and frameworks into a single, observable runtime.  

Microsoft Foundry enables companies to shift-left, with security, safety, and governance integrated from the beginning of a developer's workflow. It delivers enterprise-grade controls from setup through production, giving customers the trust, flexibility, and confidence to innovate. 

Foundry provides a blueprint for trustworthy agents

1. Setup: Start with the right foundation 

Enterprise customers have stringent networking, compliance, and security requirements that must be met before they can even start testing AI capabilities. Microsoft Foundry Agent Service provides a flexible setup experience designed to meet organizations where they are — whether you’re a startup prioritizing speed and simplicity or an enterprise with strict data and compliance needs. 

Data Control

Basic Setup: Ideal for rapid prototyping and getting started quickly. This mode uses platform-managed storage. 

Standard Setup: Enables fine-grained control over your data by using your own Azure resources and configurations. 

Networking

Bring your own virtual network (BYO VNet) or enable a managed virtual network (Managed VNet) for full network isolation and strict data-exfiltration control, so that sensitive information stays within your organization’s trusted boundaries. Using your own virtual network for agent and evaluation workloads in Foundry puts the networking controls in your hands: you can set up your own firewall to control egress traffic, configure virtual network peering, and apply network security groups (NSGs) and user-defined routes (UDRs) to manage network traffic.

Managed virtual network (preview) creates a virtual network in the Microsoft tenant to handle the egress traffic of your agents. The managed virtual network handles the hassle of setting up network isolation for your Foundry resource and agents, such as setting up the subnet range, IP selection, and subnet delegation. 

Secrets Management

Choose between a Managed Key Vault or Bring Your Own Key Vault to manage secrets and access credentials in a way that aligns with your organization’s security policies. These credentials are critical for establishing secure connections to external resources and tools integrated via the Model Context Protocol (MCP). 

Encryption 

Data is always encrypted in transit and at rest using Microsoft-managed keys by default. For enhanced ownership and control, customers can opt for Customer Managed Keys (CMK) to enable key rotation and fine-tuned data governance. 

Model Governance with AI Gateway 

Foundry supports Bring Your Own AI Gateway (preview) so enterprises can integrate their existing Foundry and Azure OpenAI model endpoints into Foundry Agent Service behind an AI Gateway for maximum flexibility, control, and governance.  

Authentication 

Foundry enforces keyless authentication with Microsoft Entra ID for all end users who access agents.

Enterprise capabilities in Microsoft Foundry

2. Development: Build agents you trust 

Once the environment is configured, Foundry provides tools to develop, control, and evaluate agents before putting them into production. 

Microsoft Entra Agent ID 

Every agent in Foundry is assigned a Microsoft Entra Agent ID — a new identity type purpose-built for the security and operational needs of enterprise-scale AI agents. With an agent identity, agents can be recognized, authenticated, and governed just like users, allowing IT teams to enforce familiar controls such as Conditional Access, Identity Protection, Identity Governance, and network policies. In the Microsoft Entra admin center, you manage your agent inventory, which lists all agents in your tenant, including those created in Foundry, Copilot Studio, and any third-party agent you register.

Unpublished agents (shared agent identity): All unpublished or in-development Foundry agents within the same project share a common agent identity. This design simplifies permission management because unpublished agents typically require the same access patterns and permission configurations. The shared identity approach provides several benefits: 

  • Simplified administration: Administrators can centrally manage permissions for all in-development agents within a project 
  • Reduced identity sprawl: Using a single identity per project prevents unnecessary identity creation during early experimentation 
  • Developer autonomy: Once the shared identity is configured, developers can independently build and test agents without repeatedly configuring new permissions

Published Agents (unique agent identity): When you want to share an agent with others as a stable offering, publish it to an agent application. Once published, the agent gets assigned a unique agent identity, tied to the agent application. This establishes durable, auditable boundaries for production agents and enables independent lifecycle, compliance, and monitoring controls. 

An agent identity in the Microsoft Entra admin center

Observability: Tracing, Evaluation, and Monitoring

Microsoft Foundry provides a comprehensive observability layer that gives teams deep visibility into agent performance, quality, and operational health across development and production. Foundry’s observability stack brings together traces, logs, evaluations, and safety signals to help developers and administrators understand exactly how an agent arrived at an answer, which tools it used, and where issues may be emerging. This includes: 

  • Tracing: Track every step of an agent response including prompts, tool calls, tool responses, and output generation to understand decision paths, latency contributors, and failure points.  
  • Evaluations: Foundry provides a comprehensive library of built-in evaluators that measure coherence, groundedness, relevance, safety risks, security vulnerabilities, and agent-specific behaviors such as task adherence or tool-call accuracy. These evaluations help teams catch regressions early, benchmark model quality, and validate that agents behave as intended before moving to production.
  • Monitoring: The Agent Monitoring Dashboard in Microsoft Foundry provides real-time insights into the operational health, performance, and compliance of your AI agents. This dashboard can track token usage, latency, evaluation metrics, and security posture across multi-agent systems.  
  • AI red teaming: Foundry’s AI Red Teaming Agent can be used to probe agents with adversarial queries to detect jailbreaks, prompt attacks, and security vulnerabilities.

Agent Guardrails and Controls

Microsoft Foundry offers safety and security guardrails that can be applied to core models, including image generation models, and agents. Guardrails consist of controls that define three things: 

  • What risk to detect (e.g., harmful content, prompt attacks, data leakage) 
  • Where to scan for it (user input, tool calls, tool responses, or model output) 
  • What action to take (annotate or block) 

Foundry automatically applies a default safety guardrail to all models and agents, mitigating a broad range of risks — including hate and fairness issues, sexual or violent content, self-harm, protected material (text and code), and prompt-injection attempts. For organizations that require more granular control, Foundry supports custom guardrails. These allow teams to tune detection levels, selectively enable or disable risks, and apply different safety policies at the model or agent level.

Create custom guardrails

Tool Controls with AI Gateway

To enforce tool-level controls, connect AI Gateway to your Foundry project. Once connected, all MCP and OpenAPI tools automatically receive an AI Gateway endpoint, allowing administrators to control how agents call these tools, where they can be accessed from, and who is authorized to use them. 

You can configure inbound, backend, outbound, and error-handling policies — for example, restricting which IPs can call an API, setting error-handling rules, or applying rate-limiting policies to control how often a tool can be invoked within a given time window. 
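The following policy document is an added illustration, not taken from the post or from a Foundry project; it assumes that AI Gateway exposes the Azure API Management policy model (the four sections named above correspond to APIM's inbound, backend, outbound and on-error sections) and uses placeholder named values for the tenant and client IDs. It combines the three controls the paragraph describes: an Entra ID token check so that only the agent's own application may call the tool, an IP allowlist, and a per-caller rate limit over a 60-second window, with error details stripped so backend failures do not leak to the agent.

```xml
<policies>
    <inbound>
        <base />
        <!-- Keyless auth: accept only Entra ID tokens issued to the published agent's application.
             {{tenant-id}} and {{agent-app-id}} are placeholder named values, not real identifiers. -->
        <validate-azure-ad-token tenant-id="{{tenant-id}}" header-name="Authorization"
                                 failed-validation-httpcode="401" failed-validation-error-message="Unauthorized">
            <client-application-ids>
                <application-id>{{agent-app-id}}</application-id>
            </client-application-ids>
        </validate-azure-ad-token>
        <!-- Restrict where the tool may be called from: constructed private range for illustration. -->
        <ip-filter action="allow">
            <address-range from="10.10.0.0" to="10.10.0.255" />
        </ip-filter>
        <!-- Limit how often a single caller can invoke the tool: 20 calls per 60-second window,
             keyed on the caller's IP so one noisy agent cannot exhaust the tool for others. -->
        <rate-limit-by-key calls="20" renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <!-- Error handling: return a generic response so backend stack traces and internal
             hostnames never reach the agent's context window. -->
        <return-response>
            <set-status code="502" reason="Tool call failed" />
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
            <set-body>{"error":"tool call failed"}</set-body>
        </return-response>
    </on-error>
</policies>
```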

3. Publish: Securely share your agents with end users 

Once the proper controls are in place and testing is complete, the agent is ready to be promoted to production. At this stage, enterprises need a secure, governed way to publish and share agents with teammates or customers. 

Publishing an agent to an Agent Application 

Anyone with the Azure AI User role on a Foundry project can interact with all agents inside that project, with conversations and state shared across users. This model is ideal for development scenarios like authoring, debugging, and testing, but it is not suitable for distributing agents to broader audiences. 

Publishing promotes an agent from a development asset into a managed Azure resource with a dedicated endpoint, independent identity, and governance capabilities. When an agent is published, Foundry creates an Agent Application resource designed for secure, scalable distribution. This resource provides a stable endpoint, a unique agent identity with full audit trails, cross-team sharing capabilities, integration with the Entra Agent Registry, and isolation of user data. Instead of granting access to the entire Foundry project, you grant users access only to the Agent Application resource.

Integrate with M365/A365

Once your agent is published, you can integrate it into Microsoft 365 or Agent 365. This enables developers to seamlessly deploy agents from Foundry into Microsoft productivity experiences like M365 Copilot or Teams. Users can access and interact with these agents in the canvases they already use every day, providing enterprise-ready distribution with familiar governance and trust boundaries. 

One-click publishing to M365 and Teams

4. Production: Govern your agent fleet at scale 

As organizations expand from a handful of agents to hundreds or thousands, visibility and control become essential. The Foundry Control Plane delivers a unified, real-time view of a company's entire agent ecosystem — spanning Foundry-built and third-party agents. 

Key capabilities include: 

  • Comprehensive agent inventory: View and govern 100% of your agent fleet with sortable, filterable data views. Foundry Control Plane gives developers a clear understanding of every agent—whether built in Foundry, Microsoft Agent Framework, LangChain, or LangGraph—and surfaces them in one place, regardless of where they’re hosted or which cloud they run on. 
  • Operational control: Pause or disable an agent when a risk is detected. 
  • Real-time alerts: Get notified about policy, evaluation, and security alerts. 
  • Policy compliance management: Enforce organization-wide AI content policies and model policies to only allow developers to build agents with approved models in your enterprise.  
  • Cost and ROI insights: Real-time cost charts in Foundry give an accurate view of spending across all agents in a project or subscription, with drill-down capabilities to see costs at the individual agent or run level. 
  • Agent behavior controls: Apply consistent guardrails across inputs, outputs, and now tool interactions. 
  • Health and quality metrics: Review performance and reliability scores for each agent, with drilldowns for deeper analysis and corrective action. 

Foundry Control Plane brings everything together into a single, connected experience, enabling teams to observe, control, secure, and operate their entire agent fleet. Its capabilities work together seamlessly to help organizations build and manage AI systems that are both powerful and responsibly governed. 

Foundry Agent Control Plane Overview

Build agents with confidence

Microsoft Foundry unifies identity, governance, security, observability, and operational control into a single end-to-end platform purpose-built for enterprise AI. With Foundry, companies can choose the setup model that matches their security and compliance posture, apply agent-level guardrails and tool-level controls with AI Gateway, securely publish and share agents across Microsoft 365 and A365, and govern their entire agent fleet through the Foundry Control Plane. At the center of this system is Microsoft Entra Agent ID, ensuring every agent has a managed identity.

With these capabilities, organizations can deploy autonomous agents at scale — knowing every interaction is traceable, every risk is mitigated, and every agent is fully accountable. Whether you're building your first agent or managing a fleet of thousands, Foundry provides the foundation to innovate boldly while meeting the trust, compliance, and operational excellence enterprises require. The future of work is one where people and agents collaborate seamlessly — and Microsoft Foundry gives you the platform to build it with confidence.

Updated Nov 25, 2025
Version 1.0