AI-3016 Learning Portal
Objective 1.2 · 35 min · High priority · Tags: connections, azure-ai-search, storage, entra-id, managed-identity

1.2 — Configure Connected Resources

Configure hub-level and project-level connected resources using Microsoft Entra ID and API Key authentication, and understand role requirements for keyless access.

Concept — What & Why

Connected resources in Azure AI Foundry are named links from a hub or project to external Azure services. Rather than embedding credentials directly, a connection stores the external service's endpoint URL, authentication method, and optional secrets, so that developers can reference the resource by connection name without handling raw keys.

Hub-level connections are added in the hub's Management center and are shared across all projects nested within that hub; use them for resources every team should access, such as a shared Azure AI Search index. Project-level connections are scoped to a single project and are invisible to other projects in the same hub, which makes them suitable for proprietary or team-specific external services.

The three primary connection types tested in AI-3016 are:

| Connection type | Purpose | Auth options |
|---|---|---|
| Azure AI Services / Azure OpenAI | Access OpenAI models (GPT-4o, embeddings), Speech, Vision, Language endpoints | API Key or Microsoft Entra ID |
| Azure AI Search | Vector and keyword search over indexed data; required for RAG and Standard Agent deployment | API Key or Microsoft Entra ID |
| Azure Storage | Store documents, evaluation artifacts, and datasets; required for Standard Agent deployment | Microsoft Entra ID (recommended) or Account Key |

Microsoft Entra ID authentication is keyless: it uses managed identity and Azure RBAC instead of storing API keys, so no secret is kept in the connection. It is the recommended approach for production workloads.

When a hub is provisioned, Azure automatically creates a default Azure AI Services (Foundry Tools) connection and a Storage connection. These defaults appear in Management center → Connected resources. You may need to add additional connections — for example, to a separately provisioned Azure AI Search resource or a second OpenAI deployment in a different region.

Deep Dive — How It Works

Authentication Methods Compared

Authentication methods are a key exam topic.

| Method | How it works | Security posture |
|---|---|---|
| API Key | Stores the key in the connection configuration | Secret can be leaked; rotation requires updating the connection |
| Microsoft Entra ID | Uses the hub's managed identity plus Azure RBAC | No secret stored; access revoked by removing a role assignment |

Microsoft Entra ID is the recommended approach for production workloads.

Required RBAC Roles for Entra ID Connections

When using Microsoft Entra ID authentication for connected resources, the hub's managed identity (or the user's identity) must have the correct role on the external resource:

| External resource | Required role for the hub managed identity |
|---|---|
| Azure AI Services / OpenAI | Cognitive Services OpenAI Contributor (or Cognitive Services User) |
| Azure AI Search | Search Index Data Contributor + Search Service Contributor |
| Azure Storage (blob) | Storage Blob Data Contributor |

Adding a connection does NOT automatically assign roles on the external resource. You must separately grant the hub managed identity the appropriate RBAC role.

Connection Scope and Access Isolation

| Scenario | Correct scope |
|---|---|
| All teams in the hub need access to a shared Azure AI Search index | Hub-level connection |
| One team has a proprietary index that other teams must not see | Project-level connection |
| Shared OpenAI deployment for everyone | Hub-level connection |
| Temporary or experimental resource for one project | Project-level connection |

Project-level connections supplement hub connections — they do not override them. Both are visible within the project.

Hands-On Lab

Add an Azure AI Search connection

Open Management center — In the Azure AI Foundry portal, select Management center from the bottom of the left sidebar (for hub-level connections) or navigate to Operate → Admin (for project-level connections).

Add a new connection — Under Connected resources, select New connection. Select Azure AI Search from the service list.

Select the resource and set authentication — Browse your subscription for the target Azure AI Search service. Under Authentication, choose Microsoft Entra ID (recommended) or API key. Select Add connection.

Assign roles on the Search resource — In the Azure portal, navigate to the Azure AI Search resource → Access control (IAM) → Add role assignment. Assign Search Index Data Contributor and Search Service Contributor to the hub's managed identity. Select Review + assign.

Verify the connection — Return to Management center → Connected resources and confirm the new Azure AI Search connection appears with status Connected.

Add or verify an Azure AI Services / Azure OpenAI connection

Check existing connection — In Management center → Connected resources, look for a connection of type Foundry Tools or Azure OpenAI. This is created automatically when the hub is provisioned.

Add a second connection if needed — Select New connection → Azure OpenAI (or Foundry). Select the target resource from your subscription, choose an authentication method, and select Add connection.

Add an Azure Storage connection

Add connection — In Management center → Connected resources, select New connection → Azure Storage. Search for your storage account, select Microsoft Entra ID as the authentication method, and select Add connection.

Grant role on the Storage account — In the Azure portal, navigate to the Storage account → Access control (IAM). Assign Storage Blob Data Contributor to the hub's managed identity.

Enable trusted service (if network-restricted) — In the Storage account → Networking, select Selected networks, then enable Allow Azure services on the trusted services list to access this storage account and save.
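As an added example (not part of the AI-3016 material or of Microsoft's tooling), the following Python script encodes the role table from the Required RBAC Roles section and performs the check that the lab's "Assign roles" and "Verify" steps do by hand: for each connected resource it reports which required role the hub managed identity still lacks and builds the az CLI command that would grant it. The principal ID, subscription, resource group and resource names are constructed placeholders, and the assignment records mirror the field names of `az role assignment list` output.

```python
"""Audit a hub managed identity's RBAC assignments for Entra ID connections.
Added example, not part of the AI-3016 material; assignment records mimic the
fields of `az role assignment list`, and all GUIDs/resource IDs are constructed."""
from __future__ import annotations

# Required roles per external resource type (from the role table above).
# Inner tuples are acceptable alternatives; every outer entry must be satisfied.
REQUIRED_ROLES = {
    "Microsoft.CognitiveServices/accounts": (
        ("Cognitive Services OpenAI Contributor", "Cognitive Services User"),),
    "Microsoft.Search/searchServices": (
        ("Search Index Data Contributor",),   # data plane: read/write index data
        ("Search Service Contributor",)),     # management plane: the service itself
    "Microsoft.Storage/storageAccounts": (("Storage Blob Data Contributor",),),
}

def resource_type(resource_id: str) -> str:
    """Return 'Microsoft.Provider/type' from an ARM resource ID."""
    provider, kind = resource_id.split("/providers/", 1)[1].split("/")[:2]
    return f"{provider}/{kind}"

def covers(scope: str, resource_id: str) -> bool:
    """True if a role assigned at `scope` (resource, RG or subscription) is inherited by `resource_id`."""
    scope, rid = scope.lower().rstrip("/"), resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def missing_roles(principal_id: str, resource_id: str, assignments: list[dict]) -> list[str]:
    """Required roles the principal lacks on the resource; an empty list means fully configured."""
    held = {a["roleDefinitionName"] for a in assignments
            if a["principalId"] == principal_id and covers(a["scope"], resource_id)}
    return [alts[0] for alts in REQUIRED_ROLES[resource_type(resource_id)]
            if not held.intersection(alts)]

def remediation(principal_id: str, resource_id: str, assignments: list[dict]) -> list[str]:
    """az CLI commands that would grant each missing role to the hub identity at resource scope."""
    return [f'az role assignment create --assignee-object-id {principal_id} '
            f'--assignee-principal-type ServicePrincipal --role "{role}" --scope {resource_id}'
            for role in missing_roles(principal_id, resource_id, assignments)]

# Constructed scenario: the Search connection was added, but only the data-plane
# role was assigned to the hub identity, and nothing was granted on the storage account.
HUB_MI = "00000000-0000-0000-0000-0000000000aa"
RG = "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-foundry"
SEARCH = RG + "/providers/Microsoft.Search/searchServices/srch-example"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stexample"
ASSIGNMENTS = [
    {"principalId": HUB_MI, "roleDefinitionName": "Search Index Data Contributor", "scope": SEARCH},
    {"principalId": "some-other-principal", "roleDefinitionName": "Search Service Contributor", "scope": SEARCH},
]
```

Running `missing_roles(HUB_MI, SEARCH, ASSIGNMENTS)` on the constructed data returns only Search Service Contributor, the incomplete two-role configuration that produces a 403 after the connection itself shows as Connected.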

Exam Angle — What AI-3016 Tests

AI-3016 Assessment Focus

Expect scenarios involving a 403 error after adding a connection with Entra ID auth, or access-isolation requirements between teams sharing a hub. You must know both which connection scope to use and which RBAC role to assign on the external resource.

Exam Trap

"A storage account connection is optional." Storage is a required dependent resource for hubs. It is provisioned automatically during hub creation and is used for artifact storage, evaluation logs, and agent state. Without a valid storage connection some features will fail.

Exam Trap

"Adding a connection to the hub automatically grants the hub's managed identity the required role on the external resource." Adding a connection does NOT automatically assign roles on the external resource. You must separately grant the hub managed identity the appropriate RBAC role (e.g., Search Index Data Contributor) on the Azure AI Search or Storage resource.

Exam Trap

"A project-level connection overrides the hub-level connection of the same type." Project-level connections supplement hub connections; they do not override or replace them. Both are visible within the project.

Exam Trap

"API Key and Microsoft Entra ID connections work identically from a security perspective." API Key connections store credentials that can be leaked. Microsoft Entra ID connections use managed identity — no secret is stored and access can be revoked by removing a role assignment.

Exam Tip

For Azure AI Search with Entra ID auth, you need two roles on the search resource: Search Index Data Contributor (data-plane) AND Search Service Contributor (management-plane). Assigning only one is a common incomplete configuration.

Must Memorize

Hub-provisioning automatically creates: (1) Azure Storage connection and (2) Azure AI Services connection. Azure AI Search must always be added manually.

Review Questions

Q: A team adds an Azure AI Search connection to a hub using Microsoft Entra ID auth. Queries return 403. What is the most likely cause?

Q: Which two resources are automatically connected when you create a new Azure AI Foundry hub?

Q: What RBAC role must the hub managed identity hold on an Azure Blob Storage account when using Microsoft Entra ID auth?

Q: Two teams share a hub. Team A needs Azure AI Search access that Team B cannot see. Where should the connection be added?

Q: What is the key security difference between API Key and Microsoft Entra ID connection authentication?

Q: What two RBAC roles are required on an Azure AI Search resource when using the hub's managed identity with Entra ID authentication?
