

Overview of Microsoft Foundry as a unified platform for building, optimizing, and governing enterprise AI agents.
Microsoft Foundry is a layered, interoperable platform designed to build and govern AI agents at scale with built-in security. It provides a complete lifecycle from initial setup to full production management.
At the center of the platform is the Foundry Agent Service, an agent-native runtime that manages conversations, tool calls, and content safety. This service is supported by several integrated layers:
Foundry Models: Access to diverse models from providers like OpenAI, Anthropic, Meta, and DeepSeek.
Foundry Tools: Integration for MCP-based (Model Context Protocol) tools and management.
Foundry IQ: Centralized RAG (Retrieval-Augmented Generation) patterns via a single grounding API.
Foundry Control Plane: A centralized dashboard for fleet-wide governance, cost tracking, and policy alerts across all subscriptions.
Enterprise readiness is established before code is written by meeting requirements in six foundational categories:
Network Isolation: Virtual Network support, private endpoints, and data exfiltration control.
Identity & Access: Support for User/System Managed Identity and Role-Based Access Control (RBAC).
Data Protection: Encryption through Microsoft-managed or customer-managed keys.
Policies & Monitoring: Integration with Azure Monitor, audit logs, and Azure Policy.
Cost Management: Budgets, alerts, and developer-level visibility.
Deployment: Support for Infrastructure-as-Code via ARM, Bicep, and Terraform.
Foundry introduces several architecturally significant capabilities to build trustworthy agents:
Entra Agent ID Integration: Every agent is automatically assigned a native identity for consistent governance.
AI Gateway: Provides granular controls for token consumption and rate-limiting at the tool level.
Permanent Guardrails: Built-in, non-deletable safety guardrails protect against prompt injection and unsafe content.
Model Router: Dynamically selects the best model for a prompt to balance cost and performance.
Microsoft Entra Agent ID elevates agents to “first-class citizens” in the identity system.
Unpublished Agents: Share a common default identity within a project to simplify early administration.
Published Agents: Gain unique, dedicated identities bound to the application resource.
Governance: Organizations can apply the same controls used for humans—conditional access, identity protection, and lifecycle management—directly to agents.
The Foundry Control Plane manages agents operating at scale.
Unified Visibility: Tracks estimated costs, success rates, and token usage across the organization.
Heterogeneous Support: The plane can govern agents built with open-source tools like LangGraph or CrewAI if they are registered through the AI Gateway.
Policy Enforcement: Administrators can detect and remediate security posture violations, such as agents using API keys instead of Entra ID.
Commerzbank successfully deployed “Ava,” a transactional AI avatar that handles 30,000 monthly conversations with a 75% autonomous resolution rate.
| Feature | Ava (Foundry Agent Service) | Copilot Studio (Low-Code) |
| --- | --- | --- |
| Development | Pro-Code: Built by developers using Python/C# and the Microsoft Agent Framework. | Low-Code: Built primarily via a graphical interface for business users. |
| UI Layer | Real-time Avatar: Integrated with Azure AI Video Indexer/TTS Avatar to show a digitalized human actress. | Chat Interface: Standardized conversational UI with text and Adaptive Cards. |
| Transactions | Deep Logic: Handles 2FA-secured credit card blocking and account changes directly in the chat. | Action-Oriented: Uses Power Automate connectors for integrations. |
| Knowledge | Strict RAG: Grounded in a “validated knowledge base” (completely separated from the internet/intranet). | Standard RAG: Typically grounded in SharePoint, Dataverse, or web search. |
Second Line of Defense from Day One: Compliance, legal, and fraud prevention teams were involved as collaborators from the start of the project.
Validated Banking Knowledge: The agent does not use the open internet; it relies solely on a completely separated, validated knowledge base to eliminate hallucinations.
Dual-Agent Security Pattern: A dedicated security agent monitors critical actions; a second agent must perform independent reasoning to confirm an alert before human escalation.
Backend Integration: Ava connects directly to core banking systems for account balances and transaction searches through the bank’s existing IT security layer.
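The dual-agent confirmation flow described under "Dual-Agent Security Pattern" above, sketched as an added example (not Commerzbank's or Microsoft's code). Deterministic functions stand in for the two agents, and the `Action` fields, thresholds and decision labels are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Action:
    # Hypothetical fields, not a Foundry or banking schema.
    kind: str
    changes_last_hour: int
    new_device: bool
    geo_mismatch: bool

CRITICAL = {"card_block", "address_change", "limit_increase"}

def monitor_agent(a: Action) -> bool:
    """First agent: alert on a critical action that looks unusual."""
    return a.kind in CRITICAL and (a.new_device or a.changes_last_hour >= 3)

def confirming_agent(a: Action) -> bool:
    """Second agent: receives only the raw action, never the monitor's
    verdict, so its conclusion is reached independently."""
    signals = [a.new_device, a.geo_mismatch, a.changes_last_hour >= 3]
    return sum(signals) >= 2

def review(a: Action) -> str:
    """Route one action through both agents and return the decision."""
    if not monitor_agent(a):
        return "no_alert"
    if confirming_agent(a):
        return "escalate_to_human"
    # Keep unconfirmed alerts so the disagreement rate between the two
    # agents can be measured instead of disappearing silently.
    return "log_unconfirmed"

# Constructed sample actions.
SAMPLES = [
    Action("card_block", 0, False, False),
    Action("address_change", 1, True, False),
    Action("limit_increase", 4, True, True),
    Action("balance_query", 5, True, True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.kind, "->", review(s))
```

The property worth preserving in a real deployment is that the confirming agent is given the original event rather than the first agent's alert text, otherwise the second opinion only echoes the first.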