|
| 1 | +--- |
| 2 | +title: Azure AI security best practices | Microsoft Docs |
| 3 | +description: This article provides best practices for securing AI workloads in Azure, including Azure OpenAI Service, Azure AI Foundry, and Azure Machine Learning. |
| 4 | +services: security |
| 5 | +author: msmbaldwin |
| 6 | +ms.assetid: |
| 7 | +ms.service: security |
| 8 | +ms.subservice: security-fundamentals |
| 9 | +ms.topic: article |
| 10 | +ms.date: 02/12/2026 |
| 11 | +ms.author: mbaldwin |
| 12 | +ai-usage: ai-assisted |
| 13 | +--- |
| 14 | + |
| 15 | +# Azure AI security best practices |
| 16 | + |
| 17 | +This article provides best practices for securing artificial intelligence (AI) workloads specifically in Azure. As organizations adopt AI capabilities at an unprecedented rate, security teams must proactively gain visibility into AI usage and implement appropriate controls to mitigate risks. |
| 18 | + |
| 19 | +This article focuses on Azure-specific AI security considerations. For comprehensive, platform-agnostic AI security guidance—including organizational strategy, governance frameworks, and the full AI security lifecycle—see [Security for AI](/security/security-for-ai/) in the Microsoft Security documentation. |
| 20 | + |
| 21 | +For each best practice, we explain: |
| 22 | + |
| 23 | +- What the best practice is |
| 24 | +- Why you want to enable that best practice |
| 25 | +- What might be the result if you fail to enable that best practice |
| 26 | +- How you can learn to enable the best practice |
| 27 | + |
| 28 | +This article complements the [AI shared responsibility model](shared-responsibility-ai.md), which explains the division of security responsibilities between you and Microsoft for AI workloads. For prescriptive security controls with Azure Policy enforcement, see [Microsoft Cloud Security Benchmark v2 - Artificial Intelligence Security](/security/benchmark/azure/mcsb-v2-artificial-intelligence-security). |
| 29 | + |
| 30 | +## Enable visibility into AI workloads and usage |
| 31 | + |
| 32 | +Before you can secure AI workloads, you need visibility into what AI applications are being used and built in your organization. |
| 33 | + |
| 34 | +**Best practice**: Use Microsoft Defender for Cloud to discover AI workloads in your Azure environment. |
| 35 | +**Detail**: The Defender Cloud Security Posture Management (CSPM) plan provides AI security posture management capabilities, including discovering the generative AI Bill of Materials (AI BOM), built-in security recommendations, and attack path analysis. For more information, see [AI security posture management with Defender for Cloud](/azure/defender-for-cloud/ai-security-posture). |
| 36 | + |
| 37 | +**Best practice**: Use Microsoft Defender for Cloud Apps to discover SaaS AI applications. |
| 38 | +**Detail**: The Defender for Cloud Apps catalog includes more than a thousand generative AI apps. You can view risk assessments, sanction or block apps, and create policies to detect new AI apps. For more information, see [Govern discovered apps](/defender-cloud-apps/governance-discovery). |
| 39 | + |
| 40 | +**Best practice**: Track AI agent identities with Microsoft Entra Agent ID. |
| 41 | +**Detail**: Microsoft Entra Agent ID provides a unified directory of agent identities created across Microsoft Copilot Studio and Azure AI Foundry, helping you manage agent lifecycle and permissions. |
| 42 | + |
| 43 | +## Secure Azure OpenAI Service deployments |
| 44 | + |
| 45 | +Azure OpenAI Service provides REST API access to powerful language models. Securing these deployments is critical for protecting your data and preventing misuse. |
| 46 | + |
| 47 | +**Best practice**: Use private endpoints for network isolation. |
| 48 | +**Detail**: Configure Azure OpenAI Service to use private endpoints, removing the public endpoint and restricting access to your virtual network. For more information, see [Network and access configuration for Azure OpenAI](/azure/ai-foundry/openai/how-to/on-your-data-configuration). |
| 49 | + |
| 50 | +**Best practice**: Use managed identity for authentication. |
| 51 | +**Detail**: Configure applications to authenticate using Microsoft Entra managed identities instead of API keys, eliminating the need to manage and rotate secrets. For more information, see [Configure Azure OpenAI Service with Microsoft Entra ID authentication](/azure/ai-services/openai/how-to/managed-identity). |
| 52 | + |
| 53 | +**Best practice**: Implement multi-layered content filtering. |
| 54 | +**Detail**: Deploy content filtering at multiple stages to create defense-in-depth: |
| 55 | + |
| 56 | +- **Input filtering**: Use Azure AI Content Safety to analyze prompts for malicious content, including prompt injection attempts and jailbreak attacks |
| 57 | +- **Output filtering**: Configure Azure OpenAI content filtering to block harmful responses before delivery |
| 58 | +- **API gateway controls**: Use Azure API Management to enforce rate-limiting and schema validation |
| 59 | + |
| 60 | +For more information, see [Content filtering](/azure/ai-services/openai/concepts/content-filter) and [Azure AI Content Safety](/azure/ai-services/content-safety/overview). |
| 61 | + |
| 62 | +**Best practice**: Use safety meta-prompts to guide model behavior. |
| 63 | +**Detail**: Design system prompts that clearly define the model's role, include explicit instructions to reject malicious inputs, and instruct the model to prioritize system instructions over user inputs. Use spotlighting techniques to isolate untrusted data within prompts and integrate [Prompt Shields](/azure/ai-services/content-safety/concepts/jailbreak-detection) to detect jailbreak attempts. |
| 64 | + |
| 65 | +**Best practice**: Monitor usage with diagnostic logs. |
| 66 | +**Detail**: Enable diagnostic logging to track API requests, token usage, content filtering results, and errors. Send logs to Azure Monitor for analysis and alerting. For more information, see [Monitor Azure OpenAI](/azure/ai-foundry/openai/how-to/monitor-openai). |
| 67 | + |
| 68 | +## Secure Azure AI Foundry and Azure Machine Learning |
| 69 | + |
| 70 | +Azure AI Foundry and Azure Machine Learning provide platforms for building and deploying AI applications. Securing these environments requires attention to network isolation, access control, and model governance. |
| 71 | + |
| 72 | +**Best practice**: Use managed network isolation. |
| 73 | +**Detail**: Create Azure AI Foundry hubs and Azure Machine Learning workspaces with managed virtual networks that provide private endpoints for dependent services and outbound traffic control. For more information, see [Managed network isolation for Azure AI Foundry](/azure/ai-studio/how-to/configure-managed-network) and [Configure a private endpoint for Azure Machine Learning](/azure/machine-learning/how-to-configure-private-link). |
| 74 | + |
| 75 | +**Best practice**: Implement least-privilege access control. |
| 76 | +**Detail**: Configure RBAC using built-in roles and assign permissions at the project or workspace level. Use Microsoft Entra Agent ID for AI agent identity management, applying scoped, short-lived tokens for agent function access. For more information, see [Role-based access control for Microsoft Foundry](/azure/ai-foundry/concepts/rbac-foundry). |
| 77 | + |
| 78 | +**Best practice**: Deploy only approved AI models. |
| 79 | +**Detail**: Use Azure Machine Learning model registry to track model provenance, verification status, and approval history. Configure automated scanning to validate model integrity and test against adversarial inputs before deployment. Deploy the "[Preview]: Azure Machine Learning Deployments should only use approved Registry Models" Azure Policy to enforce governance. For more information, see [Model management and deployment](/azure/machine-learning/concept-model-management-and-deployment). |
| 80 | + |
| 81 | +**Best practice**: Secure compute resources. |
| 82 | +**Detail**: Configure compute instances without public IPs, use managed identity authentication, enable user isolation for shared clusters, and encrypt disks with customer-managed keys. For more information, see [Secure an Azure Machine Learning training environment](/azure/machine-learning/how-to-secure-training-vnet). |
| 83 | + |
| 84 | +## Implement AI-specific threat protection |
| 85 | + |
| 86 | +AI workloads face unique threats including prompt injection, jailbreak attacks, and model manipulation. Implement threat detection and continuous testing specifically designed for AI. |
| 87 | + |
| 88 | +**Best practice**: Use Microsoft Defender for Cloud AI threat protection. |
| 89 | +**Detail**: Deploy Microsoft Defender for AI Services to detect prompt injection attacks, sensitive data exposure, and anomalous API usage patterns. For more information, see [AI threat protection with Microsoft Defender for Cloud](/azure/defender-for-cloud/ai-threat-protection). |
| 90 | + |
| 91 | +**Best practice**: Implement continuous AI red teaming. |
| 92 | +**Detail**: Conduct regular adversarial testing using specialized tools: |
| 93 | + |
| 94 | +- [PyRIT (Python Risk Identification Tool for GenAI)](https://azure.github.io/PyRIT/) for automated adversarial testing |
| 95 | +- [Azure AI Red Teaming Agent](https://devblogs.microsoft.com/foundry/ai-red-teaming-agent-preview/) for targeted attack simulations |
| 96 | + |
| 97 | +Integrate red teaming into CI/CD pipelines to validate security before deployment. Test against known attack patterns from [MITRE ATLAS](https://atlas.mitre.org/) and the [OWASP Top 10 for LLM](https://owasp.org/www-project-top-10-for-large-language-model-applications/). |
| 98 | + |
| 99 | +**Best practice**: Implement human-in-the-loop for critical actions. |
| 100 | +**Detail**: For high-risk AI operations such as external data transfers or system configuration changes, design workflows using Azure Logic Apps or Power Automate that pause for human review and approval before execution. |
| 101 | + |
| 102 | +**Best practice**: Monitor for risky AI usage patterns. |
| 103 | +**Detail**: Use Microsoft Purview Insider Risk Management with the Risky AI usage policy template to detect and investigate risk activities related to AI. For more information, see [Insider risk management policy templates](/purview/insider-risk-management-policy-templates#risky-ai-usage-preview). |
| 104 | + |
| 105 | +## Protect sensitive data in AI interactions |
| 106 | + |
| 107 | +AI applications often interact with sensitive data. Implement data protection controls to prevent data loss and ensure compliance. |
| 108 | + |
| 109 | +**Best practice**: Use Microsoft Purview Data Security Posture Management (DSPM) for AI. |
| 110 | +**Detail**: DSPM for AI provides insights into AI activity, ready-to-use policies to protect data in prompts, and data risk assessments for potential oversharing. For more information, see [Data Security Posture Management for AI](/purview/ai-microsoft-purview). |
| 111 | + |
| 112 | +**Best practice**: Apply sensitivity labels and DLP policies. |
| 113 | +**Detail**: Extend Microsoft Purview sensitivity labels to data accessed by AI applications and configure DLP policies to detect and block sensitive data in AI prompts. For more information, see [Get started with sensitivity labels](/purview/get-started-with-sensitivity-labels). |
| 114 | + |
| 115 | +## Govern AI for compliance |
| 116 | + |
| 117 | +AI applications must comply with regulatory requirements and organizational policies. |
| 118 | + |
| 119 | +**Best practice**: Implement responsible AI controls. |
| 120 | +**Detail**: Follow Microsoft's responsible AI principles for fairness, transparency, privacy, and accountability. For more information, see [Microsoft Responsible AI Standard](https://www.microsoft.com/ai/principles-and-approach/). |
| 121 | + |
| 122 | +**Best practice**: Maintain audit trails. |
| 123 | +**Detail**: Enable auditing for AI services: Microsoft Purview Audit captures Copilot interactions, Azure Monitor tracks Azure AI service usage, and Defender for Cloud Apps monitors SaaS AI activity. For more information, see [Audit log activities](/purview/audit-log-activities). |
| 124 | + |
| 125 | +## Next steps |
| 126 | + |
| 127 | +- Learn about the [AI shared responsibility model](shared-responsibility-ai.md) |
| 128 | +- Review [Microsoft Cloud Security Benchmark v2 - Artificial Intelligence Security](/security/benchmark/azure/mcsb-v2-artificial-intelligence-security) |
| 129 | +- Explore [Security for AI](/security/security-for-ai/) for comprehensive AI security guidance |
0 commit comments