What is Azure OpenAI Attack Surface?

Red team methodology for Azure OpenAI Service: content filtering bypass, PTU security, deployment misconfiguration, managed identity abuse, and prompt flow exploitation.

What is Azure ML Exploitation?

Red team attack methodology for Azure Machine Learning: workspace security, compute instance attacks, pipeline poisoning, model registry tampering, and data store exploitation.

What is Defender for AI Bypass?

Red team techniques for understanding and bypassing Microsoft Defender for AI: detection capabilities, alert analysis, bypass strategies, coverage gaps, and alert fatigue exploitation.

Azure AI Services Security Overview

Intermediate9 min readUpdated 2026-03-15

Red team methodology for Azure AI services including Azure OpenAI, Azure ML, AI Studio, and Cognitive Services: service enumeration, managed identity abuse, and attack surface mapping.

azure azure-openai azure-ml ai-studio cognitive-services managed-identity red-team

Azure AI Services Security Overview

Microsoft's Azure AI portfolio combines first-party foundation model access (Azure OpenAI Service), a full ML platform (Azure Machine Learning), an integrated development environment (Azure AI Studio), and purpose-built cognitive services. For red teamers, Azure AI presents a unique challenge because of its deep integration with Microsoft Entra ID (formerly Azure AD), managed identities, and the broader Microsoft 365 ecosystem. A compromised Azure AI service can provide a pivot path into enterprise identity, SharePoint data, and Microsoft Graph.

Service Landscape

Azure OpenAI Service

Azure OpenAI provides access to OpenAI models (GPT-4, GPT-4o, o1, DALL-E, Whisper) through Azure-hosted endpoints with enterprise features: content filtering, private networking, managed identity authentication, and data residency guarantees.

Key components for red team assessment:

Component	Function	Attack Surface
Deployments	Model instances with specific configurations	Model switching, configuration enumeration
Content filtering	Input/output safety classification	Filter bypass, threshold probing
System messages	Application-defined model behavior	System prompt extraction
Provisioned Throughput (PTU)	Dedicated model capacity	Cost abuse, denial-of-wallet
On Your Data	RAG with Azure data sources	Data source poisoning, access control bypass
Prompt Flow	Orchestration and chaining	Flow manipulation, tool abuse

For detailed Azure OpenAI exploitation, see Azure OpenAI Attack Surface.

Azure Machine Learning

Azure ML is Microsoft's end-to-end ML platform, comparable to SageMaker. It covers the full lifecycle from data preparation through model training, deployment, and monitoring.

Component	Function	Attack Surface
Workspaces	Organizational unit containing all ML assets	Workspace access, cross-workspace pivoting
Compute instances	Development VMs with Jupyter	Credential theft, lateral movement
Compute clusters	Training infrastructure	Compute abuse, training data access
Online endpoints	Model serving (managed and Kubernetes)	Endpoint exposure, model extraction
Pipelines	MLOps automation	Pipeline poisoning, step manipulation
Data stores	Connections to Azure storage	Data access, credential exposure
Model registry	Model version management	Model tampering, supply chain attacks

For detailed Azure ML exploitation, see Azure ML Exploitation.

Azure AI Studio

AI Studio is Microsoft's unified development environment for building AI applications. It integrates Azure OpenAI, Azure ML, and other AI services into a single experience. Red team relevance:

Project-level permissions: AI Studio projects aggregate access to multiple AI services; compromising a project may grant access to OpenAI deployments, ML workspaces, and connected data sources simultaneously
Hub and project model: AI Studio uses a hub-and-spoke architecture where a hub provides shared resources (compute, connections, deployments) to multiple projects
Connection management: AI Studio stores connections to external services (API keys, connection strings) that are accessible to anyone with project-level access

Cognitive Services (Legacy and Current)

Azure Cognitive Services (now largely rebranded as Azure AI Services) includes:

Service	Red Team Relevance
Azure AI Search	RAG backend; index poisoning affects retrieval
Azure AI Content Safety	Content moderation; bypass enables harmful content
Azure AI Document Intelligence	Document processing; adversarial document attacks
Azure AI Speech	Audio processing; adversarial audio, voice cloning
Azure AI Vision	Image analysis; adversarial image attacks
Azure AI Language	NLP tasks; PII detection bypass
Azure AI Translator	Translation; filter bypass through language switching

Authentication and Identity

Managed Identity Architecture

Azure AI services commonly authenticate using managed identities. Understanding this architecture is critical for red teamers because managed identity compromise grants access to all resources the identity can reach.

# Enumerate managed identities on AI resources
az ml compute show --name <compute-name> --workspace-name <ws> --resource-group <rg>
 
# Check managed identity assignments
az role assignment list --assignee <managed-identity-object-id> --all
 
# From a compromised compute instance, get the managed identity token
curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

API Key vs. Entra ID Authentication

Azure OpenAI supports both API key and Entra ID (token-based) authentication. Key-based authentication is simpler but less secure:

Authentication	Security Posture	Red Team Approach
API key	Static credential, shared across users	Key extraction from config, environment variables, key vaults
Entra ID token	Dynamic, scoped, auditable	Token theft from managed identity, service principal compromise

Enumeration and Reconnaissance

Discovering Azure AI Resources

# List Azure OpenAI accounts
az cognitiveservices account list --query "[?kind=='OpenAI']" -o table
 
# List deployments within an Azure OpenAI account
az cognitiveservices account deployment list \
  --name <account-name> --resource-group <rg> -o table
 
# List Azure ML workspaces
az ml workspace list -o table
 
# List compute instances in a workspace
az ml compute list --workspace-name <ws> --resource-group <rg> --type ComputeInstance
 
# List online endpoints
az ml online-endpoint list --workspace-name <ws> --resource-group <rg>
 
# List AI Studio hubs and projects
az ml workspace list --query "[?kind=='Hub' || kind=='Project']" -o table
 
# Check for Cognitive Services accounts
az cognitiveservices account list -o table

RBAC Analysis

Azure RBAC roles for AI services:

Role	Scope	Risk
`Cognitive Services OpenAI User`	Can invoke models	Prompt injection, cost abuse
`Cognitive Services OpenAI Contributor`	Can manage deployments	Model configuration changes
`Cognitive Services Contributor`	Full Cognitive Services management	All AI service management
`AzureML Compute Operator`	Manage ML compute	Compute instance access
`AzureML Data Scientist`	Run experiments, manage models	Training and deployment access
`Owner` / `Contributor` on resource group	Full resource management	Everything including identity management

# List role assignments for AI resources
az role assignment list --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<name>
 
# Check who has OpenAI access
az role assignment list --role "Cognitive Services OpenAI User" --all -o table

Common Misconfigurations

Network Exposure

Azure AI services support private endpoints and virtual network integration, but many deployments remain publicly accessible:

Public network access enabled: Azure OpenAI accounts accessible from the internet without IP restrictions
Missing private endpoints: AI services without private endpoint connections in VNet-connected architectures
Overpermissive network ACLs: IP allowlists that include broad CIDR ranges or 0.0.0.0/0

# Check network configuration
az cognitiveservices account show --name <name> --resource-group <rg> \
  --query "{publicAccess:properties.publicNetworkAccess, networkRules:properties.networkAcls}"

Data Residency Violations

Azure OpenAI deployments process data in the region where the resource is deployed. However:

Content filtering may process data in different regions (check the abuse monitoring configuration)
"On Your Data" features may access data sources in other regions
Azure AI Search indexes backing RAG may be in different regions than the OpenAI resource

Diagnostic Settings Gaps

Azure diagnostic settings control logging for AI services. Missing or incomplete diagnostic settings mean:

Model invocations are not logged (no prompt/response audit trail)
Content filter triggers are not recorded
Authentication failures are not captured

Azure OpenAI Attack Surface -- Detailed Azure OpenAI exploitation
Azure ML Exploitation -- Azure ML attack methodology
Defender for AI Bypass -- Evading Microsoft's AI security monitoring
Cloud AI Security Overview -- Cross-provider comparison

Knowledge Check

An Azure OpenAI deployment uses API key authentication. Where should a red teamer look first for the API key?

Knowledge Check

What makes Azure AI particularly interesting for lateral movement compared to other cloud AI platforms?

References

Azure OpenAI Security Documentation -- Authentication and security
Azure ML Security -- Enterprise security overview
Azure RBAC for Cognitive Services -- Role-based access control

Azure AI Services Security Overview

Intermediate9 min readUpdated 2026-03-15

Red team methodology for Azure AI services including Azure OpenAI, Azure ML, AI Studio, and Cognitive Services: service enumeration, managed identity abuse, and attack surface mapping.

azure azure-openai azure-ml ai-studio cognitive-services managed-identity red-team

Azure AI Services Security Overview

Service Landscape

Azure OpenAI Service

Key components for red team assessment:

Component	Function	Attack Surface
Deployments	Model instances with specific configurations	Model switching, configuration enumeration
Content filtering	Input/output safety classification	Filter bypass, threshold probing
System messages	Application-defined model behavior	System prompt extraction
Provisioned Throughput (PTU)	Dedicated model capacity	Cost abuse, denial-of-wallet
On Your Data	RAG with Azure data sources	Data source poisoning, access control bypass
Prompt Flow	Orchestration and chaining	Flow manipulation, tool abuse

For detailed Azure OpenAI exploitation, see Azure OpenAI Attack Surface.

Azure Machine Learning

Azure ML is Microsoft's end-to-end ML platform, comparable to SageMaker. It covers the full lifecycle from data preparation through model training, deployment, and monitoring.

Component	Function	Attack Surface
Workspaces	Organizational unit containing all ML assets	Workspace access, cross-workspace pivoting
Compute instances	Development VMs with Jupyter	Credential theft, lateral movement
Compute clusters	Training infrastructure	Compute abuse, training data access
Online endpoints	Model serving (managed and Kubernetes)	Endpoint exposure, model extraction
Pipelines	MLOps automation	Pipeline poisoning, step manipulation
Data stores	Connections to Azure storage	Data access, credential exposure
Model registry	Model version management	Model tampering, supply chain attacks

For detailed Azure ML exploitation, see Azure ML Exploitation.

Azure AI Studio

AI Studio is Microsoft's unified development environment for building AI applications. It integrates Azure OpenAI, Azure ML, and other AI services into a single experience. Red team relevance:

Project-level permissions: AI Studio projects aggregate access to multiple AI services; compromising a project may grant access to OpenAI deployments, ML workspaces, and connected data sources simultaneously
Hub and project model: AI Studio uses a hub-and-spoke architecture where a hub provides shared resources (compute, connections, deployments) to multiple projects
Connection management: AI Studio stores connections to external services (API keys, connection strings) that are accessible to anyone with project-level access

Cognitive Services (Legacy and Current)

Azure Cognitive Services (now largely rebranded as Azure AI Services) includes:

Service	Red Team Relevance
Azure AI Search	RAG backend; index poisoning affects retrieval
Azure AI Content Safety	Content moderation; bypass enables harmful content
Azure AI Document Intelligence	Document processing; adversarial document attacks
Azure AI Speech	Audio processing; adversarial audio, voice cloning
Azure AI Vision	Image analysis; adversarial image attacks
Azure AI Language	NLP tasks; PII detection bypass
Azure AI Translator	Translation; filter bypass through language switching

Authentication and Identity

Managed Identity Architecture

# Enumerate managed identities on AI resources
az ml compute show --name <compute-name> --workspace-name <ws> --resource-group <rg>
 
# Check managed identity assignments
az role assignment list --assignee <managed-identity-object-id> --all
 
# From a compromised compute instance, get the managed identity token
curl -H "Metadata: true" \
  "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"

API Key vs. Entra ID Authentication

Azure OpenAI supports both API key and Entra ID (token-based) authentication. Key-based authentication is simpler but less secure:

Authentication	Security Posture	Red Team Approach
API key	Static credential, shared across users	Key extraction from config, environment variables, key vaults
Entra ID token	Dynamic, scoped, auditable	Token theft from managed identity, service principal compromise

Enumeration and Reconnaissance

Discovering Azure AI Resources

# List Azure OpenAI accounts
az cognitiveservices account list --query "[?kind=='OpenAI']" -o table
 
# List deployments within an Azure OpenAI account
az cognitiveservices account deployment list \
  --name <account-name> --resource-group <rg> -o table
 
# List Azure ML workspaces
az ml workspace list -o table
 
# List compute instances in a workspace
az ml compute list --workspace-name <ws> --resource-group <rg> --type ComputeInstance
 
# List online endpoints
az ml online-endpoint list --workspace-name <ws> --resource-group <rg>
 
# List AI Studio hubs and projects
az ml workspace list --query "[?kind=='Hub' || kind=='Project']" -o table
 
# Check for Cognitive Services accounts
az cognitiveservices account list -o table

RBAC Analysis

Azure RBAC roles for AI services:

Role	Scope	Risk
`Cognitive Services OpenAI User`	Can invoke models	Prompt injection, cost abuse
`Cognitive Services OpenAI Contributor`	Can manage deployments	Model configuration changes
`Cognitive Services Contributor`	Full Cognitive Services management	All AI service management
`AzureML Compute Operator`	Manage ML compute	Compute instance access
`AzureML Data Scientist`	Run experiments, manage models	Training and deployment access
`Owner` / `Contributor` on resource group	Full resource management	Everything including identity management

# List role assignments for AI resources
az role assignment list --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<name>
 
# Check who has OpenAI access
az role assignment list --role "Cognitive Services OpenAI User" --all -o table

Common Misconfigurations

Network Exposure

Azure AI services support private endpoints and virtual network integration, but many deployments remain publicly accessible:

Public network access enabled: Azure OpenAI accounts accessible from the internet without IP restrictions
Missing private endpoints: AI services without private endpoint connections in VNet-connected architectures
Overpermissive network ACLs: IP allowlists that include broad CIDR ranges or 0.0.0.0/0

# Check network configuration
az cognitiveservices account show --name <name> --resource-group <rg> \
  --query "{publicAccess:properties.publicNetworkAccess, networkRules:properties.networkAcls}"

Data Residency Violations

Azure OpenAI deployments process data in the region where the resource is deployed. However:

Content filtering may process data in different regions (check the abuse monitoring configuration)
"On Your Data" features may access data sources in other regions
Azure AI Search indexes backing RAG may be in different regions than the OpenAI resource

Diagnostic Settings Gaps

Azure diagnostic settings control logging for AI services. Missing or incomplete diagnostic settings mean:

Model invocations are not logged (no prompt/response audit trail)
Content filter triggers are not recorded
Authentication failures are not captured

Azure OpenAI Attack Surface -- Detailed Azure OpenAI exploitation
Azure ML Exploitation -- Azure ML attack methodology
Defender for AI Bypass -- Evading Microsoft's AI security monitoring
Cloud AI Security Overview -- Cross-provider comparison

Knowledge Check

An Azure OpenAI deployment uses API key authentication. Where should a red teamer look first for the API key?

Knowledge Check

What makes Azure AI particularly interesting for lateral movement compared to other cloud AI platforms?

References

Azure OpenAI Security Documentation -- Authentication and security
Azure ML Security -- Enterprise security overview
Azure RBAC for Cognitive Services -- Role-based access control

Azure AI Services Security Overview

Learning Path

Related Articles

Azure OpenAI Attack Surface

Cloud AI Forensics: Azure

Azure OpenAI Red Team Walkthrough

Azure AI Services Security Overview

Learning Path

Related Articles

Azure OpenAI Attack Surface

Cloud AI Forensics: Azure

Azure OpenAI Red Team Walkthrough