Standard Agent Setup
Standard Agent Setup provides enterprise-grade security and data control by using customer-managed, single-tenant Azure resources to store all agent state and data.
Overview
In Standard Setup:
All agent data (conversations, files, vector stores) stays in your Azure resources
You own and control the storage, database, and search resources
Data never leaves your tenant without your explicit configuration
Enterprise security features are enabled by default
Bring Your Own (BYO) Resources
Standard Setup requires three customer-managed Azure resources:
Azure Storage Account
Purpose: Store all uploaded files and system data
What’s stored:
Files uploaded by developers during agent configuration
Files uploaded by end-users during interactions
Intermediate processing data (chunks, embeddings)
Requirements:
Standard or Premium performance tier
Blob storage enabled
Minimum: General Purpose v2
Containers created automatically:
<workspace-id>-azureml-blobstore: User files
<workspace-id>-agents-blobstore: System data
Azure Cosmos DB for NoSQL
Purpose: Store conversation history and agent metadata
What’s stored:
End-user conversations (messages and responses)
Internal system messages
Agent metadata (instructions, tools, configurations)
Requirements:
Minimum total throughput: 3,000 RU/s
Supported modes: Provisioned Throughput or Serverless
NoSQL API
Each project requires 3 containers × 1,000 RU/s = 3,000 RU/s minimum. If deploying multiple projects under the same Foundry account, multiply accordingly (e.g., 2 projects = 6,000 RU/s).
Containers created automatically:
thread-message-store: End-user conversations
system-thread-message-store: Internal system messages
agent-entity-store: Agent configurations
Azure AI Search
Purpose: Create and manage vector stores for file search
What’s stored:
Vector embeddings from uploaded documents
Search indexes for file search tool
Chunk metadata and references
Requirements:
Basic tier or higher
Sufficient capacity for expected vector data
Project-Level Data Isolation
Standard Setup enforces strict data boundaries:
Each project gets isolated containers in Storage and Cosmos DB
Data cannot cross project boundaries
Projects cannot access each other’s resources
Simplifies compliance and access control
This default behavior reduces setup complexity while maintaining strict security.
Setup Process
Option 1: Bicep Template (Recommended)
Deploy a complete Standard Setup using Azure Bicep:
Clone the template repository
git clone https://github.com/azure-ai-foundry/foundry-samples.git
cd foundry-samples/infrastructure/infrastructure-setup-bicep/41-standard-agent-setup
Customize parameters (optional)
Edit main.bicep to use existing resources:
// Use existing Azure OpenAI
param existingAoaiResourceId string = '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.CognitiveServices/accounts/{name}'
// Use existing Storage
param aiStorageAccountResourceId string = '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{name}'
// Use existing Cosmos DB
param cosmosDBResourceId string = '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DocumentDB/databaseAccounts/{name}'
// Use existing AI Search
param aiSearchServiceResourceId string = '/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Search/searchServices/{name}'
Deploy
az deployment group create \
  --resource-group <your-resource-group> \
  --template-file main.bicep
This creates:
Foundry account and project
Azure Storage, Cosmos DB, and AI Search (if not provided)
GPT-4.1 model deployment
All required connections
Role assignments
Capability hosts
Option 2: Manual Setup
For granular control, set up resources manually:
Create Azure Resources
# Create Storage Account
az storage account create \
  --name <storage-name> \
  --resource-group <rg> \
  --sku Standard_LRS
# Create Cosmos DB
az cosmosdb create \
  --name <cosmos-name> \
  --resource-group <rg> \
  --default-consistency-level Session \
  --throughput 3000
# Create AI Search
az search service create \
  --name <search-name> \
  --resource-group <rg> \
  --sku basic
Create Foundry Resource and Project
# Create Foundry account
az cognitiveservices account create \
  --name <foundry-account> \
  --resource-group <rg> \
  --kind AIServices \
  --sku S0
# Create project
az ml workspace create \
  --name <project-name> \
  --resource-group <rg> \
  --type project
Create Project Connections
Create connections to your resources:
# Storage connection
az ml connection create \
  --file storage-connection.yml \
  --resource-group <rg> \
  --workspace-name <project-name>
# Cosmos DB connection
az ml connection create \
  --file cosmos-connection.yml \
  --resource-group <rg> \
  --workspace-name <project-name>
# AI Search connection
az ml connection create \
  --file search-connection.yml \
  --resource-group <rg> \
  --workspace-name <project-name>
Assign RBAC Roles
Grant the project’s managed identity access:
# Capture the project's managed identity (no spaces around "=" in a shell assignment)
PROJECT_IDENTITY=$(az ml workspace show \
  --name <project-name> \
  --resource-group <rg> \
  --query identity.principalId -o tsv)
# Storage permissions
az role assignment create \
--assignee $PROJECT_IDENTITY \
--role "Storage Blob Data Contributor" \
--scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Storage/storageAccounts/{storage}
# Cosmos DB permissions
az cosmosdb sql role assignment create \
  --account-name <cosmos-name> \
  --resource-group <rg> \
  --role-definition-name "Cosmos DB Built-in Data Contributor" \
  --principal-id $PROJECT_IDENTITY
# AI Search permissions
az role assignment create \
--assignee $PROJECT_IDENTITY \
--role "Search Index Data Contributor" \
--scope /subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Search/searchServices/{search}
Create Capability Hosts
# Account capability host
az cognitiveservices account capability-host create \
  --account-name <foundry-account> \
  --resource-group <rg> \
  --capability-host-kind Agents
# Project capability host
az ml capability-host create \
  --workspace-name <project-name> \
  --resource-group <rg> \
--properties '{"cosmos_connection": "<cosmos-conn>", "storage_connection": "<storage-conn>", "search_connection": "<search-conn>"}'
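To confirm the "Assign RBAC Roles" step left the project identity with only resource-scoped access, the following added example (not part of the template repository) audits the JSON that `az role assignment list --assignee <principalId> --all -o json` returns. The sample input is constructed, and treating every other role as a finding to review is an assumption of this example. The Cosmos DB data-plane role is assigned through `az cosmosdb sql role assignment`, so it does not appear in this listing and is not checked here.

```python
import json

# Role -> resource type it should be scoped to (both from the RBAC step above).
REQUIRED = {
    "Storage Blob Data Contributor": "Microsoft.Storage/storageAccounts",
    "Search Index Data Contributor": "Microsoft.Search/searchServices",
}

# Constructed sample, shaped like `az role assignment list --assignee <id> --all -o json`.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-demo/providers/Microsoft.Storage/storageAccounts/stdemo"},
    {"roleDefinitionName": "Search Index Data Contributor",
     "scope": SUB + "/resourceGroups/rg-demo"},
    {"roleDefinitionName": "Contributor", "scope": SUB},
])


def scope_level(scope):
    """Classify an ARM scope string by how much it covers."""
    s = scope.lower()
    if "/resourcegroups/" in s and "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resource-group"
    return "broader"  # subscription, management group or root


def audit(assignments_json):
    """Return (finding, role, scope) tuples for one principal's assignments."""
    findings, seen = [], set()
    for item in json.loads(assignments_json):
        role, scope = item["roleDefinitionName"], item["scope"]
        resource_type = REQUIRED.get(role)
        if resource_type is None:
            findings.append(("unexpected-role", role, scope))
            continue
        seen.add(role)
        on_target = resource_type.lower() in scope.lower()
        if scope_level(scope) != "resource" or not on_target:
            findings.append(("wrong-scope", role, scope))
    for role in sorted(set(REQUIRED) - seen):
        findings.append(("missing-role", role, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```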
Using Existing Resources
You can integrate existing Azure resources into Standard Setup:
Existing Azure Storage
Get Resource ID
az storage account show \
  --resource-group <rg> \
  --name <storage-name> \
  --query id --output tsv
Update Template
Set the aiStorageAccountResourceId parameter in the Bicep template.
Existing Cosmos DB
Verify your Cosmos DB has sufficient throughput: minimum 3,000 RU/s per project.
Get Resource ID
az cosmosdb show \
  --resource-group <rg> \
  --name <cosmos-name> \
  --query id --output tsv
Update Template
Set the cosmosDBResourceId parameter in the Bicep template.
Existing AI Search
Get Resource ID
az search service show \
  --resource-group <rg> \
  --name <search-name> \
  --query id --output tsv
Update Template
Set the aiSearchServiceResourceId parameter in the Bicep template.
Required Permissions
To deploy Standard Setup, you need:
Action: Required Role
Create account and project: Azure AI Account Owner
Assign RBAC for resources: Role Based Access Control Administrator
Create and edit agents: Azure AI User
Limitations
Capability host cannot be updated after creation. Changes require recreating the project.
Cosmos DB throughput must meet minimum requirements or provisioning will fail.
Azure Policy restrictions on CMK-encrypted indexes may prevent automatic index creation.
Next Steps
Environment Setup: Complete environment configuration guide
Virtual Networks: Add private network isolation
Create Agent: Build your first agent
Use Your Resources: Detailed resource configuration