Choose the best response for each question.
A team member needs least-privilege access to build and test agents in an existing Foundry project. Which role should you assign?
Foundry User at the project scope, with Reader on the Foundry resource if resource discovery is required.
Foundry Project Manager at the Foundry resource scope.
Foundry Owner at the subscription scope.
Which baseline role assignment is required for a Foundry project's managed identity to access Foundry Agent Service features before adding tool-specific or Hosted-agent-specific permissions?
Assign Foundry User on the Foundry resource to the project's managed identity.
Assign Azure AI Administrator to the project's managed identity.
Assign Cognitive Services User to the project's managed identity.
You want Foundry RBAC restrictions to apply when users and applications access a project. Which authentication approach should you use?
Use Microsoft Entra ID authentication and avoid key-based authentication for callers that should be constrained by RBAC.
Use account keys because keys inherit the caller's Foundry role assignments.
Use public network access because network access enforces Foundry RBAC.
Which configuration describes current Standard Setup with private networking for Foundry Agent Service?
Disable public network access, use private endpoints and private DNS, inject the agent runtime into a subnet delegated to Microsoft.App/environments, and bring your own Azure Storage, Azure AI Search, and Azure Cosmos DB resources.
Enable public network access and rely only on network security groups for agent runtime isolation.
Create only a private endpoint for the Foundry resource; BYO storage, search, and database resources are optional for private networking.
An agent uses files in Azure Blob Storage and indexes in Azure AI Search. How should you grant access to those data sources?
Assign least-privilege Azure RBAC data roles to the identity used by the project or agent, such as Storage Blob Data Reader for Blob data and the required Azure AI Search roles.
Grant the Foundry User role only; connected data sources automatically inherit all project permissions.
Store data-source keys in the agent instructions so the model can use them when needed.
Which control helps reduce prompt-injection risk from user prompts and untrusted documents or tool responses?
Assign a Foundry guardrail to the agent and enable Prompt Shields for user prompt and document attacks at the relevant intervention points.
Disable private endpoints after deployment so guardrails can inspect public traffic.
Use keys instead of Microsoft Entra ID because keys prevent prompt injection.