External Knowledge Source Connections
Beyond the built-in vector store, Azure AI Foundry agents can connect to external knowledge sources: pre-existing data repositories that you own and manage. A Connection is a named configuration object stored in the Foundry project that holds the endpoint, authentication credentials, and resource type for an external service. Agents reference connections rather than raw credentials. Once a connection exists, you reference it when configuring the File Search tool or the Azure AI Search tool.
Types of Knowledge Source Connections
| Source Type | What It Provides | Typical Use Case |
|---|---|---|
| Azure AI Search | Enterprise search index with BM25, vector, and hybrid search (BM25 full-text keyword matching combined with vector semantic search) retrieval | Large existing document corpora, compliance-controlled data |
| SharePoint | Microsoft 365 SharePoint document libraries | Organizational knowledge bases, policy documents |
| Azure Blob Storage | Unstructured files in a storage container | Bulk document ingestion pipelines |
Each connection type has a different configuration surface, but all follow the same pattern: resource endpoint + authentication method + optional index/container name.
For credential-free access, use Managed Identity authentication and assign the Search Index Data Reader role to the Foundry project's managed identity on the Azure AI Search resource. A managed identity is a Microsoft Entra ID identity that Azure manages automatically for a service (e.g., a Foundry project); it grants access to external resources via RBAC without storing credentials in the connection object. Search Index Data Reader is the Azure RBAC role that allows this credential-free, managed-identity-based retrieval.
Built-in Vector Store vs External Index
| Dimension | Built-in Vector Store | External Index (Azure AI Search) |
|---|---|---|
| Ownership | Managed by Foundry project | Your Azure subscription |
| Data residency | Inside Foundry project boundary | Region of your choice |
| Hybrid search (BM25 + vector) | Not supported | Supported |
| Semantic ranker | Not available | Available (Standard tier+) |
| Facets / filters | Not supported | Full field filtering |
| Index freshness | Manual re-upload required | External pipeline controls it |
| Setup time | Seconds | Hours (index must pre-exist) |
Choose external when the data is already indexed, must remain in a specific region, requires hybrid retrieval, or is updated by a separate ETL pipeline.
Authentication Options
API Key
- The connection stores the Azure AI Search admin or query key.
- Simple to configure; key is stored as a Foundry secret.
- Risk: if the key is rotated, the connection must be updated manually.
Managed Identity
- The Foundry project's system-assigned managed identity is granted the Search Index Data Reader role on the Azure AI Search resource.
- No credentials stored in the connection object.
- Preferred for production and compliance scenarios; credentials cannot leak.
| Scenario | Recommended Auth |
|---|---|
| Development / proof-of-concept | API key |
| Production, regulated environments | Managed identity |
| Cross-tenant SharePoint | OAuth (delegated, not managed identity) |
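A check for the managed-identity RBAC requirement described above, as an added example (not code from the original page or from Microsoft): it audits role assignments, in the shape `az role assignment list` returns, for the project's managed identity on one search resource and honors scope inheritance. All IDs and names are constructed placeholders, and the set of roles treated as broader than retrieval needs is an assumption of this example.

```python
# Constructed sample shaped like `az role assignment list --all -o json` output.
# Every subscription, principal and resource name below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SEARCH_ID = SUB + "/resourceGroups/rg-kb/providers/Microsoft.Search/searchServices/my-search"
PROJECT_MI = "11111111-1111-1111-1111-111111111111"  # Foundry project's managed identity
OTHER_MI = "22222222-2222-2222-2222-222222222222"    # unrelated principal
ASSIGNMENTS = [
    {"principalId": PROJECT_MI, "roleDefinitionName": "Search Index Data Reader",
     "scope": SUB + "/resourceGroups/RG-KB"},
    {"principalId": PROJECT_MI, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": OTHER_MI, "roleDefinitionName": "Search Index Data Reader",
     "scope": SEARCH_ID},
]

READER = "search index data reader"
DATA_CONTRIB = "search index data contributor"  # also allows index reads
# Assumption of this example: roles treated as broader than retrieval needs.
BROAD = {"owner", "contributor", "search service contributor", DATA_CONTRIB}

def covers(scope, resource_id):
    """True if an assignment at `scope` is inherited by `resource_id`.
    Resource IDs compare case-insensitively and on whole path segments."""
    s = scope.rstrip("/").lower().split("/")
    r = resource_id.rstrip("/").lower().split("/")
    return r[:len(s)] == s

def audit(assignments, principal_id, resource_id):
    """Return (can_read, findings) for one principal on one search resource."""
    can_read, findings = False, []
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        if not covers(a["scope"], resource_id):
            continue
        role = a["roleDefinitionName"].lower()
        if role in (READER, DATA_CONTRIB):
            can_read = True
        if role in BROAD:
            findings.append(f"broader than retrieval needs: {a['roleDefinitionName']} at {a['scope']}")
        elif role == READER and a["scope"].lower() != resource_id.lower():
            findings.append(f"reader role inherited from wider scope: {a['scope']}")
    if not can_read:
        findings.append("no Search Index Data Reader assignment covers this resource")
    return can_read, findings

if __name__ == "__main__":
    print(audit(ASSIGNMENTS, PROJECT_MI, SEARCH_ID))
```
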
Adding a Connection in the Foundry Portal
- Open Azure AI Foundry → select your Project.
- In the left navigation expand Settings and click Connections.
- Click + New connection and choose the source type (Azure AI Search, SharePoint, Blob Storage, etc.).
- Enter the resource endpoint (e.g., `https://my-search.search.windows.net` for Azure AI Search).
- Select the authentication method (API key or managed identity).
- Provide the index name (for Azure AI Search) or container name (for Blob Storage).
- Click Save. The connection appears in the list with a green status indicator when validated.
Configuring File Search to Use an Azure AI Search Index
After the connection is saved, reference it in the agent's File Search tool:
- Open the agent in the Agents editor.
- In the Tools tab, enable File Search.
- Under Knowledge source, switch from Built-in vector store to Azure AI Search connection.
- Select the saved connection from the dropdown.
- Confirm the index name matches the target index in your Azure AI Search resource.
- (Optional) Set `max_num_results` and `ranking_threshold` as needed.
- Save the agent configuration.
The agent now routes File Search queries to your Azure AI Search index rather than the built-in vector store.
Hands-On: Create an Azure AI Search Connection
Goal: Create an Azure AI Search connection and configure an agent to use it.
- In Azure AI Foundry, open your project and navigate to Settings → Connections.
- Click + New connection → select Azure AI Search.
- In the Endpoint field, paste your Azure AI Search URL: `https://<your-search-service>.search.windows.net`.
- For Authentication, select API key and paste a valid query key from the Azure portal (Azure AI Search → Keys).
- Enter the Index name you want to search.
- Click Save and verify the connection status shows Connected.
- Navigate to Agents, open your agent, and go to the Tools tab.
- Enable File Search → under Knowledge source choose Azure AI Search connection → select the connection you just created.
- Save the agent, then switch to the Playground tab.
- Submit a question that should be answered by the index content and confirm a citation appears referencing your Azure AI Search index.
AI-3018 Assessment Focus
Authentication method requirements and the distinction between what the built-in vector store and Azure AI Search each support are common exam scenarios.
Exam Trap
"You must create a new Azure AI Search resource to use a connection" — False. You connect to an existing Azure AI Search resource. Foundry does not provision it for you.
Exam Trap
"Managed identity connections require no additional Azure RBAC configuration" — False. You must assign the Search Index Data Reader (or Contributor) role to the Foundry project's managed identity on the Search resource.
Exam Trap
"API key connections automatically rotate when the key changes in Azure Key Vault" — False. The key stored in the Foundry connection must be updated manually after rotation unless you build a separate automation.
Exam Trap
"A single connection can target multiple indexes simultaneously" — False. Each connection references one endpoint, and one index name is specified at the tool level.
Exam Trap
"Built-in vector store supports hybrid search" — False. Hybrid (BM25 + vector) retrieval is only available through Azure AI Search.
Exam Tip
When a scenario states "no credentials stored" or "security team prohibits credential storage" — the answer is always managed identity with Search Index Data Reader RBAC assignment.
Q: What RBAC role must be assigned for managed identity access to Azure AI Search?
Q: Does Foundry provision an Azure AI Search resource when you create a connection?
Q: Which connection authentication method stores no credentials in the Foundry portal?
Q: What must you do after rotating an API key used in a Foundry connection?
Q: Which retrieval capability does Azure AI Search support that the built-in vector store does not?
Q: When should you use an external knowledge source connection instead of the built-in vector store?