Built-in Enterprise Readiness with Azure AI Agent Service

Introduction 

In today's rapidly evolving AI landscape, enterprises are increasingly seeking greater control and flexibility over their data and resources. A key barrier to enterprise adoption of AI technology is the concern over data protection. A Principal Technology Specialist supporting leading financial services companies at Microsoft explains,  

“It doesn't matter how useful any particular technology is. If it doesn’t meet their stringent security requirements, financial services customers cannot and will not adopt it. It's critical that services are designed from the ground up with these requirements in mind.” 

This post explores how Azure AI Agent Service addresses these concerns by offering: 

• Two distinct Standard Agent Setup configurations tailored to your organization's networking policy. 

• Bundled Bring Your Own (BYO) resources that ensure all sensitive data remains under your control. 

• A streamlined deployment process with customizable Bicep and ARM templates. 

We’re also excited to introduce the public preview of private network isolation (BYO-VNet) in Azure AI Agent Service, ensuring AI agents operate entirely within your own private network and eliminating exposure to the public internet while maintaining full control over network configurations.  

Azure AI Agent Service’s Standard Setup  

Azure AI Agent Service offers two configurations, with this guide focusing on the Standard Agent Setup designed for enterprises with strict data governance requirements.  

All agents created using our service are stateful, meaning they retain information across interactions. However, in Standard Agent Setup, agent states are automatically stored in customer-managed, single-tenant resources. The new Standard Agent Setup with Private Networking ensures built-in enterprise readiness by requiring customers to use their own resources for storing data, as well as supporting the use of their own virtual network. This setup enhances security, compliance, and customization, enabling businesses to tailor their solutions to meet specific needs. 

There are two configurations available for the Standard Agent Setup: 

• Standard Agent Setup with Public Networking: This configuration allows for public network access, making it easier to connect and integrate with external resources and services. 

• [New] Standard Agent Setup with Private Networking: This configuration ensures private network access, providing an additional layer of security and control over network configurations and access. 

Templates for both configurations are available in our documentation. With a one-click “Deploy to Azure” experience, these templates automatically configure and provision all the required resources. Furthermore, they can also be downloaded and customized to accommodate additional organizational policies. 

Leveraging Your Own Resources for Storing Customer Data 

BYO Data Storage Components  

Both Standard Setup configurations are designed to give you complete control over sensitive data by requiring the use of your own Azure resources. The required BYO resources include:  

• BYO File Storage: All files uploaded by developers (during agent configuration) or end-users (during interactions) are stored directly in the customer’s Azure Blob Storage account.  

• BYO Search: All vector stores created by the agent leverage the customer’s Azure AI Search resource.  

• [Coming soon] BYO Thread Storage: Finally, the upcoming BYO Thread Storage feature will allow customers to store their conversation history in their own Azure Cosmos DB account.  

By bundling these BYO features (file storage, search, and thread storage), the Standard Setup guarantees that your deployment is secure by default.  

Private Network Isolation (BYO VNet) for Secure Connectivity  

For enterprises that require private network access, Azure AI Agent Service introduces private network isolation, which enables AI agents to operate entirely within a dedicated, isolated virtual network. By leveraging private network isolation (BYO VNet), organizations can enforce custom security policies, ensuring that AI agents operate within their trusted infrastructure.  

BYO VNet, also known as custom VNet support with injection, is a new private network isolation implementation in Azure AI Foundry. Unlike traditional chatbots and AI applications, the stakes are significantly higher when it comes to AI agents because they can take actions on your behalf. Evolving enterprise risk-tolerance, compliance, and governance requirements now demand a higher level of control than ever before.  

This new implementation was chosen because it provides full customer control over network security and routing.  By provisioning two subnets within the customer’s environment, all inbound and outbound traffic remains entirely within their environment, allowing AI agents to securely interact with your sensitive customer data under your terms.  

Conclusion 

Our goal is to accelerate the development and deployment of AI agents without compromising critical security requirements. With our one-click "Deploy to Azure" templates, customers can quickly set up their agent environment while still maintaining full control over their networking and data. 

For organizations with stringent security policies, our private network isolation feature adds an additional layer of protection, guaranteeing all agent interactions occur within their own dedicated, controlled environment.  

We understand security needs vary widely across use cases—an AI agent summarizing meeting notes has vastly different requirements than one performing high-stakes actions like trading Bitcoin on your behalf. That's why we prioritize transparency and control in how our service handles your sensitive data, empowering you to make the best decision for your use case. 

For detailed instructions and templates, refer to the Azure documentation and deployment guides. As you embark on this journey of customization, these steps will help you maximize the potential of Azure AI Agent Service within your enterprise.  

Next Steps  

1. Explore the Azure AI Agent Service documentation
2. Deploy a Standard Agent with Private Network Isolation using our templates