---
title: Azure AI Foundry
description: Configure the Advanced Identity Cloud Azure AI Foundry application template to discover and govern AI agents hosted in Azure AI Foundry
component: pingoneaic
page_id: pingoneaic:app-management:applications-agent-governance/azure-ai-foundry
canonical_url: https://docs.pingidentity.com/pingoneaic/app-management/applications-agent-governance/azure-ai-foundry.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
section_ids:
  prerequisites-aic: Prerequisites in Advanced Identity Cloud
  prerequisites-azure-ai-foundry: Prerequisites in Azure AI Foundry
  register-the-application: Register the application
  configure-the-provisioner: Configure the provisioner
  configure-provisioning-and-reconciliation-resources: Configure provisioning and reconciliation resources
---

# Azure AI Foundry

The Azure AI Foundry application automatically discovers the AI agents you have hosted in Azure AI Foundry. Once discovered, the platform gives you complete visibility into their core components:

* **Capabilities:** Associated tools, knowledge bases, and guardrails.

* **Security and access:** Execution credentials and IAM-based identity bindings.

The application combines identity creation and governance using separate reconciliation processes. A reconciliation on the Account provisioner object type creates and updates agent identities, and a reconciliation on the Agent Tool provisioner object type updates agent tools and entitlements.

## Prerequisites in Advanced Identity Cloud

Before using the Azure AI Foundry application, ensure you've taken these actions:

* Purchased the Agent Governance add-on capability for Advanced Identity Cloud.

* Modified the user managed object with a `custom_iga_identity_type` property in the Alpha realm. Learn more in [Create the identity type](../../identity-governance/administration/iga-agent-governance.html#create-the-identity-type).

* Obtained the Azure AI Foundry connector JAR file. This isn't available to download from Backstage yet, but is available from your Ping Identity representative.

## Prerequisites in Azure AI Foundry

Before you configure the connector, you must register an application with Microsoft Entra and configure the Azure AI Foundry project. You need a Microsoft Azure subscription to complete this procedure.

1. Sign on to the [Azure portal](https://portal.azure.com/) as an administrative user.

2. Select App registrations under Azure services.

3. On the Register an application page, enter a name for the application and select the supported account types.

4. On the new registration page, make a note of the Application (client) ID and the Directory (tenant) ID.

5. Generate a client secret. Select Certificates & secrets > New client secret, enter a description, and click Add. Copy the client secret value.

6. Note the Azure subscription ID and the resource group where your Azure AI Foundry project resides.

## Register the application

1. In the Advanced Identity Cloud admin console, go to Applications, and click Browse App Catalog.

2. In the Browse App Catalog modal, select an application, and click Next.

3. Review the Application Integration information, and click Next.

4. In the Application Details window, specify the name, description, application owners, and logo for the application.

5. Leave the Authoritative checkbox unselected.

6. Click Create Application.

## Configure the provisioner

1. In the Advanced Identity Cloud admin console, go to Applications.

2. Click the application you just registered to open the application details page.

3. Click the Provisioning tab, then compare the message displayed with these options:

   * You haven't set up provisioning yet\
     This message indicates that Advanced Identity Cloud has found a connector server with a compatible connector installed, but you haven't set up provisioning yet. In this case, click Set up Provisioning to set up provisioning for the application.

   * No Connector Servers available\
     This message indicates that Advanced Identity Cloud either can't find a connector server to use for provisioning or that it can find a connector server but it doesn't have a compatible connector installed for this application.

     > **Collapse: Show guidance**
     >
     > * If you haven't set up a connector server:
     >
     >   1. [Register a remote server](../../identities/sync-identities.html#task-1-register-a-remote-server)
     >
     >   2. (Optional) [Reset the client secret](../../identities/sync-identities.html#task-2-reset-the-client-secret)
     >
     >   3. [Download a remote server](../../identities/sync-identities.html#task-3-download-a-remote-server)
     >
     >   4. Add the Azure AI Foundry connector JAR file to the remote server's connectors folder.
     >
     >   5. [Configure the remote server](../../identities/sync-identities.html#task-5-configure-a-remote-server)
     >
     >   6. Refresh the Azure AI Foundry application page in your browser, then begin step 3 again.
     >
     > * If you've already set up a connector server:
     >
     >   1. Add the Azure AI Foundry connector JAR file to the remote server's connectors folder, then restart the connector server.
     >
     >   2. Refresh the Azure AI Foundry application page in your browser, then begin step 3 again.

4. In the Connect to Azure AI Foundry modal, enter the following information:

   * Tenant ID: Enter your Entra ID tenant GUID. For example, `c9fe364e-8947-4045-8d4d-e281f1edd60e`.

   * Subscription ID: Enter your Azure AI Foundry subscription GUID. For example, `94f2e268-3f99-4b86-b2da-d031500cdf1f`.

   * Resource Group: Enter your Azure AI Foundry resource group. The expected format is `/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.CognitiveServices/accounts/<foundry-resource-name>`.

   * Project Location: Enter your Azure AI Foundry project location. For example, `eastus`, `westeurope`, or `australiacentral`.

   * Client ID: Enter the client ID of the Azure App Registration used to authenticate with Azure AI Foundry. For example, `2d7b3e1c-4f8a-41a9-bc2e-0e9f57a34d12`.

   * Client Secret: Enter the client secret of the Azure App Registration used to authenticate with Azure AI Foundry.

   * Use Managed Identity: Select this checkbox to authenticate securely using Azure's keyless infrastructure tokens. This leverages Microsoft Entra ID to grant access based on the application host's environment permissions, eliminating the security risks and administrative overhead of storing and rotating a static client ID and client secret.

   * Agent Service Endpoint: Enter the base URL for the Azure AI Foundry project you want to connect to. The expected format is `https://<resource>.services.ai.azure.com/api/projects/<project>`.

   * Agent API Flavor: Choose one of the following options to specify which API endpoint to use for agent discovery:

     * Enter `classic` to scan for native, security-governed agents (`/agents`).

     * Enter `new` to scan for stateful models relying on the Azure OpenAI Assistants architecture (`/assistants`).

     * Enter `both` to ingest your entire AI footprint across both endpoint versions.

   * Scan Offline Inventory: Select this checkbox to perform a deep metadata scan of your workspace asset registry and deployment blueprints. This allows the application to extract and catalog underlying identity bindings, service accounts, data connections, and tool credentials. This ensures full security governance even over inactive or pre-production assets.

   * Tools Inventory URL: Specify the secure HTTPS endpoint used to retrieve the JSON catalog of your agents' custom tools and API connectors. This must be an Azure Blob Storage Shared Access Signature (SAS) URL or an Azure Function HTTP trigger URL that provides authorized read-access to your tools manifest.

   * Agent API Version: Specify the data plane API version used to interact with your agents' inference and execution routes. This field defaults to `v1` to match the native Azure AI Foundry Assistants and thread management endpoint specifications.

5. (Optional) Click Show advanced settings to set any of the following options:

   > **Collapse: Show advanced settings options**
   >
   > **Application specific settings**
   >
   > | Option             | Description                                                                          |
   > | ------------------ | ------------------------------------------------------------------------------------ |
   > | Exclude Unmodified | Select this option to synchronize only the modified properties on a target resource. |
   >
   > **Pool configuration**
   >
   > | Field                                   | Description                                                                                                                                                                           |
   > | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   > | Max idle and active container instances | The maximum number of idle and active container instances. The default value is `10`.                                                                                                 |
   > | Max Idle Connector Instances            | The maximum number of idle connector instances. The default value is `10`.                                                                                                            |
   > | Set Timeout Period                      | Select to enable a timeout period for the connection. After enabling, configure Timeout period (ms): the timeout period in milliseconds.                                              |
   > | Set Minimum Idle Time                   | Select to set a minimum time (in milliseconds) before an idle object is removed. After enabling, configure Min idle time (ms): the minimum idle time in milliseconds.                 |
   > | Min Idle Instances                      | The minimum number of idle connector instances.                                                                                                                                       |
   >
   > **Result Handler configuration**
   >
   > | Field                                                                   | Description                                                                       |
   > | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------- |
   > | Enable for connectors with the attribute normalizer interface           | Enables the attribute normalizer interface for supported connectors.              |
   > | Enable local filtering/search features                                  | Enables local filtering and search capabilities.                                  |
   > | Enable case insensitive filter                                          | Configures filters to ignore case sensitivity.                                    |
   > | Enable configuration of search attributes; disable for local connectors | Enables search attribute configuration. Disable this option for local connectors. |
   >
   > 1. In the Operation Timeouts (ms) area, select the operations to enforce timeouts on and enter the duration in milliseconds.
   >
   >    Available operations include Create, Validate, Test, Enable a Script on the Connector, Schema, Delete, Update, Sync, Authenticate, Get, Enable a Script on the Target, and Search.
   >
   > 2. In the Operation Rate Limits area, select the operations to enforce rate limits on.
   >
   >    You can enforce limits on specific operations, including Create, Validate, Test, Script on Connector, Schema, Delete, Update, Sync, Authenticate, Get, Script on Target, and Search.
   >
   >    For each selected operation, configure the following fields:
   >
   >    | Field           | Description                        |
   >    | --------------- | ---------------------------------- |
   >    | Request Limit   | Requests allowed over time.        |
   >    | Request Period  | Limit resets after this time (ms). |
   >    | Request Timeout | Time before exception thrown (ms). |

6. Click Connect.

7. Verify that the status shows Connected.
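
The field formats listed in step 4 can be checked before you enter them in the Connect to Azure AI Foundry modal. The following Python code is an added example, not part of the Ping Identity product or documentation: it checks the Resource Group, Agent Service Endpoint, Agent API Flavor, and Tools Inventory URL values against the formats given above. The dictionary keys and the function names `check_settings` and `check_tools_url` are hypothetical, and the SAS checks assume the standard `sp` (permissions), `se` (expiry), and `sig` (signature) query parameters of an Azure Storage SAS URL.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse, parse_qs

RESOURCE_ID = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/[^/]+/providers"
    r"/Microsoft\.CognitiveServices/accounts/[^/]+$", re.I)
ENDPOINT = re.compile(r"^https://[A-Za-z0-9-]+\.services\.ai\.azure\.com/api/projects/[^/]+$")

def check_tools_url(url, now):
    """Check the Tools Inventory URL; inspect SAS parameters when present."""
    parts, found = urlparse(url), []
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if parts.scheme != "https":
        found.append("tools_inventory_url: must be HTTPS")
    if "sig" in query:  # SAS URL; a Function trigger URL carries no sig
        if set(query.get("sp", "")) - {"r"}:  # sp = permissions granted
            found.append("tools_inventory_url: SAS grants more than read")
        expiry = query.get("se", "9999-12-31")  # se = expiry, ISO 8601 in UTC
        when = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if when.replace(tzinfo=timezone.utc) <= now:
            found.append("tools_inventory_url: SAS has expired")
    return found

def check_settings(cfg, now=None):
    """Return a list of problems found in a dict of connection settings."""
    now, found = now or datetime.now(timezone.utc), []
    match = RESOURCE_ID.match(cfg.get("resource_group", ""))
    if not match:
        found.append("resource_group: unexpected format")
    elif match[1].lower() != cfg.get("subscription_id", "").lower():
        found.append("resource_group: subscription does not match")
    if not ENDPOINT.match(cfg.get("agent_service_endpoint", "")):
        found.append("agent_service_endpoint: unexpected format")
    if cfg.get("agent_api_flavor") not in ("classic", "new", "both"):
        found.append("agent_api_flavor: expected classic, new, or both")
    if cfg.get("tools_inventory_url"):  # assumed optional: checked only if set
        found += check_tools_url(cfg["tools_inventory_url"], now)
    return found

SAMPLE = {  # constructed; only the subscription GUID is the page's example
    "subscription_id": "94f2e268-3f99-4b86-b2da-d031500cdf1f",
    "resource_group": "/subscriptions/94f2e268-3f99-4b86-b2da-d031500cdf1f/resourceGroups"
                      "/rg-example/providers/Microsoft.CognitiveServices/accounts/foundry-example",
    "agent_service_endpoint": "https://foundry-example.services.ai.azure.com/api/projects/proj-example",
    "agent_api_flavor": "both",
    "tools_inventory_url": "https://example.blob.core.windows.net/tools/manifest.json"
                           "?sp=rw&se=2020-01-01T00:00:00Z&sig=PLACEHOLDER",
}
```

Calling `check_settings(SAMPLE)` reports two findings for the constructed SAS URL, which grants write access and has expired; a read-only, unexpired SAS or a Function trigger URL passes.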

## Configure provisioning and reconciliation resources

To configure provisioning and reconciliation resources, follow the instructions in [Onboard AI agents](../../identity-governance/administration/iga-agent-governance.html#onboard-ai-agents) in the Agent Governance documentation.
