# Azure AI Foundry: using OpenAI models and managing access and costs
{% hint style="warning" %}
To avoid account conflicts, we recommend performing all operations in an **incognito tab** or a new browser "profile" (if applicable, this prevents conflicts from cache and cookies).
{% endhint %}
## 1. Registering an Azure Tenant (for those without Microsoft 365)
If your organization already has Microsoft 365 (M365), it means you already have a corporate Azure Active Directory (Azure AD/Microsoft Entra ID) tenant, which you can use for Azure. Otherwise, you'll need to register a new Azure tenant. Here's how:
* Visit the Azure website ([azure.microsoft.com](https://azure.microsoft.com/)) and create an account. Use a corporate email address to register. The process will guide you through creating a new Azure directory/tenant (called an Azure AD tenant).
* After creating the account, sign in to the Azure portal with the credentials you just set up. Confirm that the Azure AD tenant you created is selected (in the top right, you can generally see the name of the current directory/tenant and switch it if you have more than one).
Note: The Azure AD tenant is the entity that represents your organization within Azure. All internal users and Azure resources will be associated with this tenant.
## 2. Creating a paid Azure subscription
To use advanced services like Azure OpenAI, you must have a paid Azure subscription (e.g. Pay-As-You-Go or an enterprise plan).
Free or trial subscriptions are not enabled for Azure OpenAI, so you need to activate a paid plan from the start.
If you just created your Azure account, you may have activated a trial with free credits during registration. Go to the Subscriptions section in the Azure portal and, if your subscription is listed as Free Trial or Azure for Students, upgrade it to Pay-As-You-Go. You'll be asked to add a payment method (credit card or other) and acknowledge that, once any initial credits are used up, usage will be charged.
Alternatively, if there's no subscription in your tenant, you can create a new one. From the Azure portal, go to Subscriptions and click + Add. Follow the guided process, choosing Pay-As-You-Go as the offer type and providing the required billing details.
Once the paid subscription is activated, make sure the status is active. You're now ready to create Azure resources under this subscription.
Note: Make sure you have Owner or Contributor permissions on the subscription you just created (generally, whoever creates the subscription is the Owner by default). This is required to create and manage resources in the steps that follow.
## 3. Creating a Resource Group for AI resources
A Resource Group is a logical container in Azure where you group related resources. We'll create a Resource Group dedicated to all AI resources (OpenAI, storage, etc.) for the project. It's good practice to use consistent, planned naming conventions, as resource names cannot be changed after creation.
Steps to create a Resource Group:
1. In the Azure portal, in the left menu (or the top-left ≡ menu), select Resource groups.
2. Click the + Create button. A creation form will open.
3. In the Subscription field, make sure you select the active paid subscription where you want to create the AI resources.
4. In the Resource group name field, enter an identifying name. We recommend including a reference to AIsuru. *For example, you could use Prod-AIsuru as the Resource Group name. Avoid spaces and special characters: use letters, numbers, and optionally a hyphen - as a separator.*
5. In the Region field, choose a datacenter preferably in Europe. For example, Sweden Central or West Europe if available. This ensures data remains within the EU.\
\
\&#xNAN;*Note: make sure the chosen region supports the Azure OpenAI services you need. Not all European regions may have all OpenAI models available.*
6. (Optional) You can add tags to organize resources. For example, clicking Next: Tags you could add a Name-Value pair like Name: Infrastructure and Value: AzureAI (or "LLM") to classify this group as AI infrastructure. Tags help later when filtering resources and doing cross-cutting cost analysis.
7. Click Review + create, verify the details are correct (name, region, subscription, tags, etc.), then confirm by clicking Create. The new Resource Group will be created within a few seconds.
Tip: **establish a consistent naming convention for all project resources**. *For example, using a common prefix (such as the company name or project acronym) and suffixes indicating the resource type: e.g. Prod-AIsuru for the resource group, and then the same prefix for resources inside it (e.g. Prod-AIsuru-Hub, Prod-AIsuru-Service, prodaisurustorage, etc.).*
This makes resources easy to identify and clearly indicates which project they belong to. Keep in mind that many Azure resource names cannot be changed after creation, so plan them carefully.
## 4. Creating an Azure AI Hub via Azure AI Foundry
Once the Resource Group is ready, we can create the Azure AI Hub — the core resource of Azure AI Foundry. The hub acts as a container/manager for AI projects and lets you connect the various services (OpenAI, storage, security) needed.
During the AI Hub creation, we'll have the opportunity to simultaneously create linked resources (Azure OpenAI service, Storage account, and Key Vault), which we'll cover in detail in the next step.
To create a new Azure AI Hub:
1. In the Azure portal, search for Azure AI Foundry using the global search bar at the top (type "Azure AI Foundry" and select the appropriate result). Alternatively, navigate through the AI services categories in the main menu.
2. On the Azure AI Foundry page, click the + Create Azure AI button (in some cases it may appear as + New Azure AI). Then, choose to create a Hub (when asked what type of resource to create, select Hub rather than Project, since we want to create the centralized hub first).
3. Enter Hub details (Basics): a creation form for the Azure AI Hub will open. Fill in the key fields:
1. Subscription: select the subscription to bill costs to (the one created earlier).
2. Resource Group: select the dedicated Resource Group (created in the previous step, e.g. Prod-AIsuru).
3. Region: choose the same geographic area as the Resource Group, for consistency (e.g. Sweden Central, so all resources remain in the EU).
4. Name: give the Hub a name. Follow the naming convention: typically the Resource Group name followed by "-Hub". For example: Prod-AIsuru-Hub.
5. Friendly Name: you can enter a more readable descriptive name, such as "Prod AIsuru Corporate Hub". This helps identify the hub in the portal, but it's not the resource ID.
6. Default project resource group: specify which Resource Group projects created in this Hub should use by default. Typically, enter the same Resource Group name from step 3 (Prod-AIsuru). This ensures that future resources created by projects are also allocated to that group.
4. Link an Azure OpenAI service: in the same Hub creation screen, you'll find a field for linking an AI service, such as Azure OpenAI Service. Since we don't have one yet, we need to create one:
1. Click the Create New link under the Azure OpenAI Service field (it may be labeled Azure AI Services). A side panel will open to create a new Azure OpenAI service.
2. In the Name field of this panel, enter a name for the OpenAI resource. Follow the convention: for example, use the Resource Group name followed by "-Service" (e.g. Prod-AIsuru-Service).
3. Make sure the Subscription and Resource Group in this panel are correct (they should be pre-filled with the ones selected for the Hub). The region will be the same as the Hub.
4. Click Save to confirm the creation of the linked Azure OpenAI Service resource.
5. Configure the Storage Account: after saving the OpenAI service link, move to the next tab in the Hub creation wizard. There should be a Storage section:
1. Click Next: Storage if the wizard hasn't moved there automatically.
2. Here you're asked to select a Storage Account. Click Create New under the Storage account field to create a dedicated one. A side panel will open to create the storage:
1. Name: enter a name for the Storage Account. This name must be globally unique and has restrictions (only lowercase letters and numbers, between 3 and 24 characters, no spaces or hyphens). *One approach is to use the project prefix without hyphens. For example, if the resource group is Prod-AIsuru, you could use something like prodaisurustorage (keeping it all lowercase without -).*
2. Replication: choose the desired redundancy level. For test or initial environments, you can select Locally-redundant storage (LRS), which keeps three copies of data within the same data center (basic option).
3. Leave other parameters at their defaults (e.g. Performance: Standard). Click Save to create the Storage Account.
6. After storage, the wizard will move to the Key Vault section:
1. Click Next: Networking if prompted, and configure network access. Generally, for getting started, you can leave the hub in Public access (Public endpoint) mode as-is (this allows the hub and services to be managed without requiring a dedicated virtual network; you can restrict access later if needed).
2. Click Next: Encryption.
3. In the Encryption section, leave the option requiring a customer-managed key unchecked. This means Microsoft-managed keys will be used to encrypt data.
4. Click Next: Identity.
5. In the Identity section, you can leave the default settings. Click Next: Tags.
6. In the Tags section, you can assign tags to the Hub resource and the linked resources you're creating. For example: Name = Infrastructure and Value = LLM (adjust as needed). These tags will help you identify and filter resources (e.g. in cost reports).
7. Click Next: Review + create to view the final summary.
7. Review and create the Azure AI Hub: in the summary form, carefully check all parameters and resources that will be created: the Hub name, region, Resource Group, OpenAI service name, Storage, Key Vault name, etc. In particular, verify that the Region is correct (matching your data residency requirements) and that names follow your chosen convention.
8. If everything is correct, click Create to start the deployment.
9. Azure will begin creating the AI Hub and, at the same time, the Azure OpenAI service, Key Vault, and Storage Account (if you created them in the wizard). This may take a few minutes. When done, you'll see all the new resources in the Resource Group (e.g. Prod-AIsuru-Hub, Prod-AIsuru-Service for OpenAI, prodaisurustorage, Prod-AIsuru-KV for the Key Vault, etc.).
Once creation is complete, you have an Azure AI Hub configured with the necessary services. The hub is now ready to host one or more Azure AI Foundry projects.
**Important**: We chose to create the Azure AI Hub manually so we could specify all the details (such as EU region and custom names). Alternatively, Azure AI Foundry also lets you create a Foundry project directly, automatically creating a default hub. However, for enterprise environments, it's advisable to have explicit control over the Hub (hub-based project) to centralize resource and configuration management.
### 4.5. Creating linked resources: Azure OpenAI Service, Storage Account, Key Vault
This point is largely already covered in step 4, since we created the linked resources during the AI Hub creation. Here's a brief recap of each to make sure everything is correctly configured:
* **Azure OpenAI Service**: this service provides access to OpenAI models via the Azure endpoint. In our case, we created the Azure OpenAI resource named e.g. Prod-AIsuru-Service. You can verify its presence by going to the Resource Group and checking for a resource of type Azure OpenAI (or Cognitive Services with provider Microsoft.OpenAI). Opening it, on the Overview page you should see details like the endpoint URL and region.\
\
\&#xNAN;*Note: if during Hub creation you chose not to create the OpenAI service immediately (skipping that link), you can always create it manually later. In that case, go to Create a resource in the portal, search for Azure OpenAI, and create the service selecting the same subscription, Resource Group, and region. You should be able to proceed directly without external approval forms for compatible Pay-As-You-Go accounts.*
* **Storage Account**: we created a storage account (e.g. prodaisurustorage) to store data generated or required by the AI Hub/Foundry (e.g. configuration files, logs, fine-tuning datasets, etc.). Verify the storage was created correctly in the expected region with LRS replication. No specific configuration is needed at this point, but make sure not to delete this storage — it's essential for the AI project to function.
* **Key Vault**: a Key Vault was created (e.g. Prod-AIsuru-KV) to securely store keys and secrets related to the AI project. For example, the Azure OpenAI API key will be kept in the Key Vault. No immediate manual configuration is needed here, but you can check the Secrets section of the Key Vault to see the necessary keys appear after model deployment.\
\
\&#xNAN;*Note: The Key Vault and the Azure AI Hub are connected via managed identity, allowing Foundry to retrieve keys without exposing them directly.*
In summary, by the end of step 4 you should have all these resources ready. Just make sure they're all present in the Resource Group and in an Active state. If anything wasn't created or shows an error, you may need to recreate it or check permissions (e.g. for the OpenAI service, verify you have access to the service in your subscription).
## 5. Creating and configuring the Azure AI Foundry project
Now that the base infrastructure is ready (Hub and linked services), we can create an **Azure AI project** inside the AI Hub via the Azure AI Foundry portal. The project is the workspace where you'll actually perform development operations, model deployments, etc. Here are the steps:
1. **Access the Azure AI Hub you just created**: from the Azure portal, navigate to the Resource Group you created and click on the Azure AI Hub resource (e.g. Prod-AIsuru-Hub). The hub's detail page will open. Among the various information, you should see the Launch Azure AI Foundry button.
2. Click **Launch Azure AI Foundry**. This will open the Azure AI Foundry web console associated with your hub — a dedicated interface for managing AI projects.
3. **Create a new project**: if this is your first time accessing and no projects exist in the hub, Azure AI Foundry will show a message like "You'll need a project to keep working". On this screen, you need to provide a name for the new project:
1. In the Project name field, enter an identifying name. Following our naming convention, you can use the Resource Group name with the "-Project" suffix. For example: Prod-AIsuru-Project. *Make sure the correct hub is selected — there should only be the one you created.*
2. Click Create a project to confirm.
4. **Wait for setup**: the project will be created inside the hub and may take a moment to initialize the environment. Once created, you'll be taken to the Azure AI Foundry project view.
5. **Check the project structure**: in the Azure AI Foundry console, you should now see your project name. On the left side, there's a menu with several sections (e.g. Overview, Models + endpoints, Data, Prompt flow, etc.). Make sure you recognize the main elements:
1. Overview: the project's home page with a summary and quick links.
2. Models + endpoints: the section where you'll manage deployed models and API endpoints.
3. Management Center: where you set project parameters, access, quotas, etc.
At this point, your Azure AI project is configured and ready. In the next step, we'll deploy an OpenAI model to the project.
## 6. Deploying an OpenAI model (e.g. GPT-4o-mini) on Azure AI Foundry
With the project created, we can **deploy an OpenAI model** and make it available via an endpoint for applications. Azure AI Foundry makes this process straightforward. Let's use GPT-4o-mini as an example, though the steps are similar for other models.
Steps to deploy a model in the project:
1. **Access the Models + endpoints section**: in the left panel of the Azure AI Foundry console (inside your project), click Models + endpoints. Here you'll see the list of models and endpoints (initially empty since you haven't deployed anything yet).
2. At the top of the page, click **+ Deploy model**. Options will appear — choose Deploy base model (deploying a pre-trained base model without initial fine-tuning).
3. **Select the model**: a list of available models will appear. Scroll and select GPT-4o-mini (or another model of your choice). You can use the search bar to find it if the list is long.
4. Click **Confirm** to move to the next screen.
5. Customize capacity (optional): in the deployment configuration screen, a Customize button may appear next to parameters like Capacity or Rate limit. Click it to adjust advanced settings:
1. Tokens per Minute Rate Limit: set the maximum allowed value. Check the displayed limit and, if possible, set it to the maximum available, unless you want to intentionally limit it.
2. Content filter: if present, you can leave the content filter active (usually active by default to moderate unwanted outputs).
6. Click the **Deploy** button to start the deployment of the chosen model with the specified configurations. Azure will begin provisioning the necessary infrastructure and preparing the model. This process may take a few minutes.
7. Once done, in the Models + endpoints section you should see the model in the list with a status of Deployed/Running.
8. **Deploy additional models** (optional): if you need more models, you can repeat the process for each additional one. The hub/project supports multiple simultaneous deployments, keeping in mind that each will consume quota and budget separately.
*Note: OpenAI models on Azure are continuously updated and expanded. Choose your model based on your requirements and make sure it's supported in your Azure OpenAI service's region.* [*You can check the Azure documentation for the list of models supported per region*](https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=global-standard%2Cstandard-chat-completions#model-summary-table-and-region-availability)*.*
## 7. Getting the Endpoint, API Key, and Model Name
After deploying a model, you'll need three key pieces of information to use it via API: the Endpoint URL, the API Key, and the Model name (deployment name).
Here's how to get them:
1. Access the resource inside Azure AI Foundry.
2. On the resource's homepage, you can see:
1. API Key: copy it and keep it handy.
2. The endpoint: on AIsuru you'll enter a slightly different endpoint, but copy and save the service name (e.g. if the endpoint is , you'll need to save "Prod-AIsuru-service").
3. To get the model name, go to the Models + endpoints section of the project: in the table, the second column should show the model name for all previously deployed models.
## 8. Setting up on AIsuru
To add a new model on AIsuru, you'll need to enter the following parameters:
* API Key: paste the API key you saved earlier.
* Model: paste the model name you saved earlier.
* Endpoint: replace the service name with the string you saved earlier and the model name with the deployment name 👉 https\://{service\_name}.services.ai.azure.com/openai/deployments/{model\_deployment\_name}
You can follow the guide in the [AIsuru](mailto:undefined) documentation to be walked through [creating and deploying models](/en/generative-ai/advanced/create-and-manage-model-configurations.md) step by step.
## 9. Managing internal users in the Azure organization
In an enterprise context, multiple people will likely want to access or collaborate on the Azure AI project (developers, data scientists, etc.). It's important to know how to create new users in the tenant and assign them appropriate permissions on the resources (hub, project, etc.).
### Adding new internal users to the Azure tenant
1. In the Azure portal, search for Azure Active Directory (or Users and groups if you have shortcuts). Go to the Users section of your tenant.
2. Click + New user. Fill in the required details: the user's name, username (which will become the login, typically formatted as or the corporate domain if present), and choose a method for the password (you can auto-generate it and then share it securely with the user).\
\
\&#xNAN;*If your company uses a custom domain in Azure AD, you can assign the user to that domain; otherwise, it will default to the onmicrosoft.com domain.*
3. Click Create to create the user. Provide the user with the credentials you created (username and temporary password) so they can log in.
### Assigning users to groups (optional)
If you have many users, you can create Azure AD Groups and add users to them, then assign permissions to the groups rather than to individuals.
#### How to assign roles
Role assignment can be managed at the level of:
* Resource groups → grants access to all resources within it (including Hub, OpenAI, storage, etc.)
* Individual resources → grants access to the specific resource
To assign a role:
1. Go to the resource or resource group in question in the Azure portal.
2. Select Access control (IAM) from the menu. Click + Add role assignment.
3. Choose the appropriate role (e.g. Contributor, Reader, etc.), then search for the user or group in the Assign to box and confirm — the assignment will take effect within a few minutes.
In addition to roles, Azure AI Foundry lets you specify access to projects and hubs directly from its dashboard: simply go to the Management Center of your project and access the "Users" section of the Hub or project, depending on your needs.
Generally, if a user has RBAC access to the hub or resource group and linked services, they should be able to launch Foundry and access the project. However, if Foundry explicitly requires adding members:
1. Access the Management Center of the project > Users (of the project or the hub, as needed).
2. Add the user and assign the role.
3. Save the changes.
→ The user should now be able to see and access the project in the Azure AI Foundry portal.
## 10. Monitoring and budgeting
It's essential to set up careful cost monitoring and alerting or limiting mechanisms to avoid budget overruns.
### Cost analysis
1. In the Azure portal, go to Cost Management + Billing.
2. From here, you can select the relevant subscription (or filter by Resource Group Prod-AIsuru if you want to isolate costs for this project) and use Cost analysis, which will show you how much you're spending with a breakdown by service.
### Budget
The Budgets feature lets you set a budget for a given scope (subscription, resource group, service). Reaching or exceeding the budget does not automatically stop operations: Azure will evaluate periodic spending and send you alerts when defined thresholds are crossed.
To set a monthly budget for the subscription or the project's resource group:
1. Go to Cost Management > (Monitoring >) Budgets in the Azure portal (after selecting the appropriate subscription or RG as the scope).
2. Click + Add.
3. Enter a name for the budget (e.g. Budget-AIProject).
4. Select the reset period (e.g. the budget resets monthly).
* Set the creation date and expiration date.
* Set the amount (for example, if you don't want to exceed €1,000/month for the AI project, set 1000 as the monthly budget).
* Configure alerts: you can set alarm thresholds, for example at 50%, 80%, 100% of the budget. For each threshold, set up an email notification (enter the appropriate email addresses, such as the IT admin, project manager, etc.). Notifications will alert you when estimated spending reaches those percentages.
* Save the budget.
## 11. Final tips and best practices
* As already emphasized, a consistent naming convention saves a lot of confusion. Apply it to all resources: Azure resource names, model deployment names, project names, and even dedicated user/group identifiers. Document this convention so your team follows it consistently.
* Even if we set the rate limit to the maximum allowed for the model, Azure may have higher limits. Familiarize yourself with the default quotas and, if your use case requires it, you can request a quota increase by opening a ticket with Azure support.
* By using European data centers, you ensure that data in transit and at rest for the Azure OpenAI service remains within the EU, helping with GDPR compliance and corporate policies. Always check the latest Microsoft information on AI service data residency, especially if you handle sensitive data.
* In case of issues, consult the official Microsoft documentation and the community. The Azure portal offers basic diagnostics (e.g. failed request logs if enabled, usage metrics). You can also open support tickets with Azure if you encounter service malfunctions.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.aisuru.com/en/generative-ai/advanced/providers-api-keys/azure-ai-foundry-openai-models-access-and-costs.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.