Azure AI Foundry

Azure AI Foundry agents are supported by Zenity AI Detection & Response. Below are the technical steps required to set up the permissions and network access that Zenity needs to reach your organization's AI Foundry resources.

Prerequisites

  1. An existing Microsoft tenant <> Zenity integration (initially Power Platform) based on one of the following (click and follow in case no integration exists):
    1. Service Principal
    2. Managed App Consent

Step-by-step guide

Step 1: Create Azure custom IAM role

  1. In case you wish to grant permissions by subscription, go to the subscriptions page in Azure portal. Otherwise (permissions by management group), go to the management groups page.
  2. Click “Access control (IAM)” -> Add -> Add custom role.
  3. Name your role and click Next.
  4. In the Permissions tab, click “Add permissions” and add the following:

     Permission                                                       | Purpose
     -----------------------------------------------------------------|--------------------------------------------------------------
     Microsoft.CognitiveServices/accounts/read                        | Discover new AI Foundry resources automatically
     Microsoft.CognitiveServices/accounts/AIServices/agents/read      | Fetch runtime interaction data from AI Foundry agents, such as threads, runs, messages, etc.
     Microsoft.CognitiveServices/accounts/AIServices/connections/read | Fetch the AI Foundry connections that agents use to authenticate

  5. Select the “Assignable scopes” tab and confirm the scope of the role’s permissions: subscription(s) and/or management group(s).
  6. Click the “Review + create” tab, review, and click “Create”.

Step 2: Connect the newly created role to the Zenity principal

This step grants the service principal or multi-tenant application principal used by Zenity the AI Foundry permissions defined in the role.

  1. In case you wish to grant permissions by subscription, go to the subscriptions page in Azure portal. Otherwise (permissions by management group), go to the management groups page.
  2. Click “Access control (IAM)” -> Add -> Add role assignment.
  3. Enter the name of the newly created custom role and select it.
  4. Select the “Members” tab.
  5. Under “Assignment access to”, select the “User, group or service principal” option.
  6. Click “+ Select members” and add the name of the principal used in the Microsoft <> Zenity integration (it can be found in the Entra Admin Center).
  7. Select the “Assignment type” tab and choose the options as follows:
    1. “Selected role” => your custom role
    2. “Assignment type” => “Active”
    3. “Assignment duration” => “Permanent”
  8. Select the “Review + assign” tab, review your changes and click “Review + assign”.

Note: if permissions are granted by subscription, make sure to repeat these steps for each one.

Step 3: Set Network Access

In addition to permissions, network access must be allowed for Zenity to reach your AI Foundry resources. Networking can be managed as granularly as the individual foundry resource, so make sure access is allowed for Zenity on every foundry resource.

Note: by default, ingress networking is allowed from all networks. In most cases it is later restricted manually, so confirm that access is still allowed for Zenity.

Option 1: manual setting

  1. Go to the AI foundries page under AI Foundry portal.
  2. Click on each foundry, then click Networking, then click the “Firewalls and virtual networks” tab.
  3. If “All networks” is selected, Zenity has access and you can move to the next resource.
  4. If the setting is “Disabled” or “Selected networks and private endpoints”, update it as follows:
    1. Set “Firewall” to “Selected networks and private endpoints”.
    2. Under “Address range”, add the following Zenity IP ranges:
      1. 18.200.62.37
      2. 52.31.196.233
      3. 108.128.206.229
      4. 99.81.56.225
  5. Ensure “Allow Azure services on the trusted services list to access this account” is checked.

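The same three steps as an Azure CLI script, added here as an example rather than Zenity's own tooling. The role name, scope, principal object id, resource group and account name are assumed placeholders, and the script changes nothing in Azure unless run with the argument apply.

```shell
#!/bin/sh
# Added example, not Zenity's own tooling: Azure CLI equivalent of Steps 1-3.
# Placeholders (assumed, replace before running with "apply"): SCOPE, ZENITY_OBJECT_ID, RG, ACCOUNT.
set -eu

ROLE_NAME="Zenity AI Foundry Reader"                        # assumed name for the custom role
SCOPE="/subscriptions/00000000-0000-0000-0000-000000000000" # or /providers/Microsoft.Management/managementGroups/<name>
ZENITY_OBJECT_ID="00000000-0000-0000-0000-000000000000"     # object id of the Zenity principal (see Entra Admin Center)
RG="my-resource-group"                                       # resource group of one AI Foundry account
ACCOUNT="my-foundry-account"                                 # the AI Foundry (Cognitive Services) account name
ZENITY_IPS="18.200.62.37 52.31.196.233 108.128.206.229 99.81.56.225"   # Zenity source IPs listed in Step 3

# Step 1: the custom role definition, restricted to the three read actions from the permissions table.
zenity_role_definition() {
  cat <<EOF
{
  "Name": "$ROLE_NAME",
  "Description": "Read-only discovery of AI Foundry accounts, agents and connections for Zenity",
  "Actions": [
    "Microsoft.CognitiveServices/accounts/read",
    "Microsoft.CognitiveServices/accounts/AIServices/agents/read",
    "Microsoft.CognitiveServices/accounts/AIServices/connections/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["$1"]
}
EOF
}

# Least-privilege guard: returns 0 only if no action carries a write/delete/action verb or a wildcard.
role_is_read_only() {
  ! printf '%s' "$1" | grep -Eq '"Microsoft\.[^"]*(/write|/delete|/action|\*)[^"]*"'
}

apply() {
  def=$(zenity_role_definition "$SCOPE")
  role_is_read_only "$def" || { echo "refusing: role definition is not read-only" >&2; return 1; }
  # Step 1: create the role at the chosen subscription or management-group scope.
  az role definition create --role-definition "$def"
  # Step 2: assign it to the Zenity principal at the same scope (an active, permanent assignment).
  az role assignment create --assignee-object-id "$ZENITY_OBJECT_ID" \
    --assignee-principal-type ServicePrincipal --role "$ROLE_NAME" --scope "$SCOPE"
  # Step 3: allow the Zenity IPs on this account's firewall; repeat per foundry resource.
  for ip in $ZENITY_IPS; do
    az cognitiveservices account network-rule add --name "$ACCOUNT" --resource-group "$RG" --ip-address "$ip"
  done
}
# Usage: sh zenity_foundry_setup.sh apply   (without "apply" nothing in Azure is changed)
if [ "${1:-}" = "apply" ]; then apply; fi
```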