Best practice rules for AI Services
- Azure Policy Assignments for AI Foundry
Apply Policy assignments to Azure AI Foundry to enforce consistent configurations and prevent misconfigurations.
- Check for AI Foundry Instances with Admin Permissions
Ensure that Azure AI Foundry instances don't have administrative privileges.
- Check for Unrestricted Outbound Network Access
Ensure no Azure AI Foundry instances allow unrestricted outbound network access.
- Disable Local Authentication in Azure AI Foundry
Avoid using local authentication methods such as access keys for authentication to Azure AI Foundry.
- Disable Public Network Access to OpenAI Service Instances
Ensure that public network access to OpenAI service instances is disabled.
- Enable Diagnostic Logs for OpenAI Service Instances
Ensure that Diagnostic Logs are enabled for your Azure OpenAI service instances.
- Enable Dynamic Quota
Ensure that Dynamic Quota is enabled for Microsoft Azure AI Services instances.
- Enable Encryption using Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt Azure AI Foundry instances.
- Enable Microsoft Defender for Azure AI Foundry
Ensure that Microsoft Defender for AI Foundry is enabled at the subscription level.
- OpenAI Encryption using Customer-Managed Keys
Use Customer-Managed Keys (CMKs) to encrypt Azure OpenAI service instances.
- OpenAI Service Instances with Admin Privileges
Ensure that Azure OpenAI service instances don't have administrative privileges.
- Regenerate API Access Keys for Azure AI Foundry Instances
Ensure that API access keys for AI Foundry instances are regularly rotated.
- Regenerate API Access Keys for OpenAI Service Instances
Ensure that your Azure AI services API access keys are regularly rotated.
- Use Managed Identities
Ensure that Azure AI Foundry instances are using managed identities for authentication.
- Use Managed Identities for OpenAI Service Instances
Ensure that Azure OpenAI service instances are using managed identities.
- Use Private Endpoints for OpenAI Service Instances
Ensure that network access to OpenAI service instances is allowed via private endpoints only.
- Use Resource Locks
Ensure that resource locks are enabled for your production AI Foundry instances.
- Use Tags to Organize AI Foundry Resources
Ensure there is a tagging strategy in use for identifying and organizing AI Foundry instances by name, purpose, environment, and other criteria.