Azure AI Foundry (at ai.azure.com) is the unified portal for building, deploying, and managing generative AI applications on Azure. It organizes work through a two-level hierarchy: hubs and projects. Understanding this hierarchy is foundational to the AI-3016 applied skills assessment.
An Azure AI Hub is the top-level governance and infrastructure container. It owns shared settings (network isolation, customer-managed encryption keys, managed identity, connected resources) that flow down automatically to every project nested inside it. When you provision a hub, Azure also creates associated dependent resources: a Storage account, a Key Vault, a Container Registry (optional), and an Application Insights instance (optional). One hub can contain many projects, making it the right boundary for a business unit or team.
An Azure AI Project is the development workspace where teams actually build AI solutions: deploying models, running prompt flows, creating indexes, and evaluating outputs. A project inherits the hub's security and connection settings but also supports its own project-scoped connections and assets. Multiple projects can share the same hub, reducing redundant resource provisioning.
| Concept | Hub | Project |
|---|---|---|
| Scope | Governance / infrastructure | Development workspace |
| Creates | Storage, Key Vault, Container Registry | Inherits from hub |
| Connections | Shared across all child projects | Project-scoped (private) |
| RBAC assignment | Hub-level roles | Project-level roles |
| Network / encryption | Configured here | Inherited from hub |
| Azure resource type | Microsoft.MachineLearningServices/workspaces (kind: Hub) | Nested workspace |
To create a hub you need Owner or Contributor on the target resource group. A regular developer does not need resource-group permissions; they only need a role assigned on an existing hub or project. The Azure AI Developer role, a built-in RBAC role that grants data-plane development permissions (deploy models, run evaluations, publish agents) without allowing hub creation or role assignment, is the recommended least-privilege choice for developers who build and deploy but should not create hubs or assign roles.
RBAC Roles in Azure AI Foundry
Role-based access control (RBAC) in Azure AI Foundry is applied at both the hub and project level. The key built-in roles are:
| Role | Where assigned | Key permissions |
|---|---|---|
| Owner | Hub or project | Full access including role assignments |
| Contributor | Hub or project | Full access except assigning roles |
| Azure AI Developer | Hub or project | Build and deploy; cannot create hubs; cannot assign roles |
| Azure AI Inference Deployment Operator | Resource group | Create resource deployments (inference endpoints) |
| Reader | Hub (auto-assigned to all project members) | Read-only access to hub |
| Azure AI Project Manager | Project | Development + can invite Azure AI Users; can publish agents |
| Azure AI User | Project | Minimum developer permissions (data actions) |
Critical distinction: Azure's standard Owner and Contributor roles include only management plane permissions. They do not grant development (data-plane) permissions. To build and call models, a user also needs a role like Azure AI Developer or Azure AI User that includes data actions.
Auto-assigned Roles
When you grant a user access to a project, the system automatically assigns them:
- Reader role on the parent hub (required to see shared resources)
- Azure AI Inference Deployment Operator role on the resource group (required to create inference endpoints)
Both are required for end-to-end development workflows — they cannot be omitted.
Hub vs. Project Scope
Security settings (network isolation, encryption, managed identity, and shared connections) configured on a hub automatically apply to all projects under it. Only project-scoped connections and assets are independent.
Follow these steps to create a hub and project in the Azure AI Foundry portal:
1. Sign in to Foundry portal: Navigate to https://ai.azure.com and sign in with your Azure credentials.
2. Create a new project: On the landing page, select Create project. Enter a project name. If no hub exists, select Create new hub, give the hub a name, and choose a subscription, resource group, and region. Select Next to review the resources that will be created (Resource group, Hub, Foundry/AI Services resource).
3. Review and create: Expand Azure resources to be created to verify the hub, storage account, and other dependent resources. Select Create and wait for provisioning to complete (typically 1–3 minutes).
4. Assign roles to project users: In the Foundry portal, select Operate (upper-right navigation), then Admin in the left pane. Select your project name in the Manage all projects list. Select Add user, enter the team member's email address or Entra security group, assign the appropriate role (minimum: Azure AI User), and select Add.
5. Verify hub settings: From within your project, select Management center (bottom of left sidebar). Under the hub section, review Connected resources, Networking, Encryption, and Identity to confirm shared settings are correct.
6. View role assignments: In the Azure portal, navigate to the hub resource, open Access control (IAM), and select Role assignments to audit who has which roles at the hub scope. Repeat for the project resource to review project-scoped assignments.
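The role-assignment review in the last step can be scripted. The following is an added example, not code from the original page or from Microsoft: it checks each principal against the management-plane versus data-plane distinction and the two auto-assigned roles described above. The scopes, principals and sample records are constructed, the record fields follow the JSON that `az role assignment list` emits, and modelling the hub and project as sibling workspace resources in one resource group is an assumption.

```python
# Added example: audit role assignments that reach one Foundry project.
# Role names come from the tables above; scopes and principals are constructed.
DATA_PLANE = {"Azure AI Developer", "Azure AI User", "Azure AI Project Manager"}
MGMT_ONLY = {"Owner", "Contributor"}
OPERATOR = "Azure AI Inference Deployment Operator"

RG = "/subscriptions/<sub-id>/resourceGroups/rg-ai"  # placeholder scope
HUB = RG + "/providers/Microsoft.MachineLearningServices/workspaces/hub-a"
PROJECT = RG + "/providers/Microsoft.MachineLearningServices/workspaces/proj-a"

SAMPLE = [  # constructed records
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": RG},
    {"principalName": "bob@example.com", "roleDefinitionName": "Azure AI Developer", "scope": PROJECT},
    {"principalName": "bob@example.com", "roleDefinitionName": "Reader", "scope": HUB},
    {"principalName": "bob@example.com", "roleDefinitionName": OPERATOR, "scope": RG},
    {"principalName": "carol@example.com", "roleDefinitionName": "Azure AI User", "scope": PROJECT},
    {"principalName": "dave@example.com", "roleDefinitionName": "Reader", "scope": PROJECT},
]

def applies(assigned_scope, target):
    """Azure RBAC inheritance: an assignment covers its scope and everything below it."""
    a, t = assigned_scope.lower().rstrip("/"), target.lower()
    return t == a or t.startswith(a + "/")

def roles_at(assignments, principal, target):
    """Role names a principal effectively holds at the target scope."""
    return {a["roleDefinitionName"] for a in assignments
            if a["principalName"] == principal and applies(a["scope"], target)}

def audit(assignments, rg=RG, hub=HUB, project=PROJECT):
    """Return {principal: [findings]} for every principal with a role reaching the project."""
    findings = {}
    for who in sorted({a["principalName"] for a in assignments}):
        at_project = roles_at(assignments, who, project)
        if not at_project:
            continue
        issues = []
        if not at_project & DATA_PLANE:
            kind = "management-plane only" if at_project & MGMT_ONLY else "read-only"
            issues.append(f"no data-plane role on project ({kind})")
        else:
            if not roles_at(assignments, who, hub) & ({"Reader"} | MGMT_ONLY):
                issues.append("no Reader (or higher) on parent hub")
            if not roles_at(assignments, who, rg) & ({OPERATOR} | MGMT_ONLY):
                issues.append(f"missing {OPERATOR} on resource group")
        findings[who] = issues
    return findings
```

An empty findings list means the principal has a data-plane role on the project plus both supporting roles; any other result points at the scope to fix.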
AI-3016 Assessment Focus
The AI-3016 assessment heavily tests the hub/project governance model and RBAC. Expect scenarios that describe a permission failure and ask you to identify the correct role or scope.
Exam Trap
"Owner on the subscription is enough to develop." Owner/Contributor are management-plane roles. Developers need a data-plane role (Azure AI Developer, Azure AI User) to call models, run evaluations, or publish agents.
Exam Trap
"You can create a project without a hub." Every hub-based project must live inside a hub. If you don't select an existing hub during project creation, the wizard creates a new one automatically — a hub is always present.
Exam Trap
"Hub settings and project settings are independent." Security settings (network isolation, encryption, managed identity, and shared connections) configured on a hub automatically apply to all projects under it. Only project-scoped connections and assets are independent.
Exam Trap
"Any user can create a new hub." Hub creation requires Owner or Contributor at the resource group scope. The Azure AI Developer role allows creating projects but not new hubs.
Exam Trap
"Assigning Reader to a project member is sufficient." Reader is read-only. A developer needs at minimum Azure AI User (for building) or Azure AI Developer (for building and deploying).
Exam Tip
When you assign a user access to a project, the system auto-assigns Reader on the hub and Azure AI Inference Deployment Operator on the resource group. Exam scenarios may ask what additional roles are assigned automatically.
Must Memorize
Hub-level roles do not automatically cascade to projects unless assigned at hub scope with Azure RBAC inheritance. Project-level roles must be assigned per project.
Q: What is the minimum RBAC role a developer needs to call models and run evaluations inside an Azure AI Foundry project?
Q: What two roles does Azure AI Foundry automatically assign when you grant a user access to a project?
Q: What subscription-level permission is required to create a new Azure AI hub?
Q: Which Azure resource type represents an Azure AI hub?
Q: If a hub's network isolation is set to Disabled, what effect does this have on projects inside the hub?
Q: What is the difference between Azure AI Project Manager and Azure AI Developer roles at the project scope?