>
    Strata Copilot
    Integrate Microsoft Foundry
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Integrate Microsoft Foundry
    Download PDF
    Prisma AIRS

    Integrate Microsoft Foundry

    Table of Contents

    Integrate Microsoft Foundry

    Learn about Prisma AIRS AI Runtime Microsoft Foundry integration.
    Where Can I Use This?What Do I Need?
    • Prisma AIRS AI Runtime Security
    Prisma AIRS AI Runtime integrates with Microsoft Foundry. Microsoft Foundry represents a unified Azure platform-as-a-service offering for enterprise AI operations, model builders and application development. It unifies agents, models and tools under a single management grouping while supporting built-in enterprise readiness capabilities. Refer to the Microsoft documentation for more information.
    With this integration, Prisma AIRS natively scans prompts and model responses in Microsoft Foundry using the Prisma AIRS API. This integration delivers real-time threat detection as developers build, test and deploy AI applications, providing instant protection for:
    • prompt injections to block attempts to manipulate AI behavior through malicious prompts.
    • sensitive data loss to prevent PII, credentials and confidential information from being exposed.
    • malicious code and URLS to detect and stop harmful code or dangerous links in outputs.
    • toxic content to identify and block offensive or inappropriate responses.
    • custom topics that define and filter specific content categories relevant to your organizational policies.
    • agents and MCP to inspect LLM assistant output for risks like sensitive data and malicious code that could be sent to downstream agent tools.
    Prerequisites
    To leverage this functionality, you’ll need to:
    • Purchase software NGFW credits. Refer to the activation and onboarding page for more information.
    • create a Prisma AIRS deployment profile.
    • create an app and API key for Microsoft Foundry.
    • create and configure to link the profile newly created API key.
      You can optionally create a service account for the Strata Cloud Manager (SCM) tenant to receive a client ID and client credential key for OAuth token generation.
    To integrate Prisma AIRS with Microsoft Foundry you need to configure Strata Cloud Manager (SCM) first, then access the Microsoft application to complete the configuration.
    Current Limitations
    The following limitations exist:
    • A detection latency limit exists when any detections exceeding a 300ms round trip are rejected. Palo Alto Networks is working with Microsoft to address this limitation; to resolve this issue, only enable prompt injection and toxic content on security profiles that are linked to Microsoft Foundry.
    • The first detector that returns a threat prevents the other detectors from executing on that payload. The first detector that returns a block cancels out the verdict of other detectors. For example, if a threat contains both a prompt injection and toxic content, but the prompt injection executes first, the verdict (visible in the violation and session views) returned to Microsoft Foundry shows prompt injection exclusively; this functionality conserves latency for Microsoft Foundry users.
    • Exclusivity text does not support the handling of images, audio files, or any other modalities.
    • No agent I/O at launch. Microsoft Foundry integration currently supports the handling of prompts and model responses. Tool calls and responses will be supported in a later release.
    • The following Azure regions are supported:
      • USA: West 1, West 2, and West 3 via USA AIRS endpoint. No current support for Central and East.
      • Europe: Supported across all regions via EU AIRS endpoint.
      • Asia: Southeast Asia, East Asia via Singapore AIRS endpoint.

    Configure Prisma AIRS for Microsoft Foundry Integration using SCM

    To configure Prisma AIRS for Microsoft Foundry integration using SCM:
    1. Ensure that you have purchased the appropriate software NGFW credits.
    2. Create a deployment profile for the AI Runtime API where the credits are allocated.
    3. Associate the deployment profile with a specific SCM tenant on the Palo Alto Networks Hub; this process links the deployment profile to your SCM tenant.
    4. Activate the deployment profile in SCM; this process generates a new API key; you’ll use this key when configuring Microsoft Foundry.
    5. Create an API security profile (as part of deployment profile you created in Step 3) to indicate which security features you want to enable in Microsoft Foundry.
    6. Set the default profile (in Step 5) for any future requests using that API key.
      Setting the default profile simplifies future requests if a profile name is not explicitly provided during the onboarding process.
    7. Optionally create a service account for the SCM tenant to receive a client ID and client credential key for OAuth token generation. This process (part of the onboarding and activating a cloud account) allows for token-based authentication instead of using only the API key.
      After you obtain the necessary credentials and generate the API key, configure the integration between Prisma AIRS and Microsoft Foundry.

    Configure Microsoft Foundry for Prisma AIRS Integration

    With the appropriate credentials and the generated API key you can configure the integration between Prisma AIRS and Azure AI Foundry. Before setting up the integration for the first time, ensure that you:
    • Setup an Azure subscription. You must have the Owner role for the subscription. The subscription must be allowlisted.
    • Create at least one key vault and ensure that you have the Key Vault Administrator role.
    • Create a Foundry project. Create a project (West US 1/2/3 is recommended for US regions) and verify that you have the Azure AI User and Azure AI Account Owner roles.
    • Setup a Managed Identity. Create at least one user-assigned Managed Identity and attach it to the Foundry in Azure portal; Foundry>Resource Management>Identity.
    • Navigate to 3P Integration in Microsoft Foundry; in Foundry>Build>Guardrails you'll see a new tab (Integrations) next to Guardrails and Blocklists.
    1. Log into the Microsoft Foundry site.
    2. Select Guardrails > Integrations.
    3. In the Add an Integration page, click Add.
    4. In Step 1 Configuration, use the drop-down menu to select Palo Alto Networks. Select Key Vault.
      You can view the previously created API key (see step 4 in the section Configure Prisma AIRS for Microsoft Foundry using SCM).
    5. In Step 2, click Edit and configure the following:
      1. Select Key Vault; you need the Owner role on the subscription and the Key Vault Administrator role.
      2. Select a Managed Identity. If none exist, create one and attach it to Foundry.
      3. Add or remove the endpoint and API key in the table.
      4. Click Next then proceed to the next step.
    6. Select a Guardrail with a model attached so you can test using that model (note the model name).
    7. Click Save.
      After saving, confirm that:
      • PANW appears in the list view.
      • The status shows Running. If you see Error or Warning check the tooltip for guidance.
      • Click the PANW entry to review details.
      You can test the configuring using Playground:
      1. Navigate to the Playground.
      2. Test the Guardrail that includes the 3P Integration using your own prompts or the provided examples.
      3. To reassign to a different Guardrail, click the three dots () and follow the Edit workflow. Ensure that the Guardrail has a model attached.
        Capabilities are only configurable using Prisma AIRS. You cannot configure individual controls like you can when using Foundry native Guardrails.

    © 2026 Palo Alto Networks, Inc. All rights reserved.