Challenge 11: Azure AI Foundry Setup

Estimated Time

45-60 min | Cost: ~$2.00 (hub resources) | Domain: Generative AI Solutions (15-20%)

Exam skills covered

  • Plan and manage an Azure AI Foundry resource
  • Deploy hub and project resources with proper resource hierarchy
  • Configure connections to Azure OpenAI and Azure AI Search

Overview

Azure AI Foundry (formerly Azure AI Studio) provides a unified platform for building generative AI applications. The architecture follows a hub-and-project model where a hub acts as a top-level container that manages shared infrastructure—including Azure Storage, Key Vault, and Container Registry—while projects are workspaces within a hub where teams build and deploy AI solutions.

Understanding the resource hierarchy is critical for the AI-102 exam. A hub creates dependent resources automatically (Storage Account, Key Vault, and optionally Container Registry and Application Insights). Projects inherit the hub's connections and compute resources but maintain their own artifacts, deployments, and data. This separation enables enterprise governance while giving development teams autonomy.

Connections are the mechanism by which hubs and projects access external services like Azure OpenAI endpoints, Azure AI Search indexes, and custom APIs. Connections store credentials securely in the associated Key Vault and can be shared across all projects within a hub.

Architecture

The AI Foundry resource hierarchy follows a hub → project model with shared dependent resources and configurable connections to AI services.

[Figure: Challenge 11 topology]

Prerequisites

  • Azure subscription with Contributor access
  • Azure CLI installed (v2.60+) with ml extension
  • Resource providers registered: Microsoft.MachineLearningServices, Microsoft.CognitiveServices
  • An existing Azure OpenAI resource (or permission to create one)

Implementation

Task 1: Create a Resource Group and AI Foundry Hub

from azure.identity import DefaultAzureCredential
from azure.mgmt.machinelearningservices import MachineLearningServicesMgmtClient
from azure.mgmt.machinelearningservices.models import Workspace

credential = DefaultAzureCredential()
subscription_id = "YOUR_SUBSCRIPTION_ID"
resource_group = "rg-ai102-challenge11"
hub_name = "hub-ai102-foundry"
location = "eastus2"

ml_client = MachineLearningServicesMgmtClient(credential, subscription_id)

# Create AI Foundry Hub
# storage_account and key_vault are the ARM resource IDs of the hub's dependent
# resources; the storage account name must be globally unique.
hub = Workspace(
    location=location,
    kind="Hub",
    display_name="AI-102 Foundry Hub",
    description="Hub for AI-102 certification prep",
    storage_account=f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.Storage/storageAccounts/stai102hub",
    key_vault=f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.KeyVault/vaults/kv-ai102-hub",
)

# Long-running operation: result() blocks until provisioning finishes
poller = ml_client.workspaces.begin_create_or_update(
    resource_group_name=resource_group,
    workspace_name=hub_name,
    body=hub,
)
result = poller.result()
print(f"Hub created: {result.name} (State: {result.provisioning_state})")

Task 2: Create a Project Under the Hub

from azure.identity import DefaultAzureCredential
from azure.mgmt.machinelearningservices import MachineLearningServicesMgmtClient
from azure.mgmt.machinelearningservices.models import Workspace

credential = DefaultAzureCredential()
subscription_id = "YOUR_SUBSCRIPTION_ID"
resource_group = "rg-ai102-challenge11"
hub_name = "hub-ai102-foundry"
project_name = "proj-ai102-genai"

ml_client = MachineLearningServicesMgmtClient(credential, subscription_id)

# Full ARM resource ID of the parent hub created in Task 1
hub_id = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.MachineLearningServices/workspaces/{hub_name}"

# A project is a workspace of kind "Project" linked to its hub by hub_resource_id
project = Workspace(
    location="eastus2",
    kind="Project",
    display_name="GenAI Project",
    description="Project for generative AI challenges",
    hub_resource_id=hub_id,
)

poller = ml_client.workspaces.begin_create_or_update(
    resource_group_name=resource_group,
    workspace_name=project_name,
    body=project,
)
result = poller.result()
print(f"Project created: {result.name}")
print(f"Hub: {result.hub_resource_id}")

Task 3: Configure Connections

from azure.identity import DefaultAzureCredential
from azure.ai.ml import MLClient
from azure.ai.ml.entities import ApiKeyConfiguration, WorkspaceConnection

credential = DefaultAzureCredential()
ml_client = MLClient(
    credential=credential,
    subscription_id="YOUR_SUBSCRIPTION_ID",
    resource_group_name="rg-ai102-challenge11",
    workspace_name="hub-ai102-foundry",
)

# Create Azure OpenAI connection
# The key strings in this task are placeholders: supply the real values at run
# time rather than saving them in the script.
aoai_connection = WorkspaceConnection(
    name="aoai-connection",
    type="azure_open_ai",
    target="https://your-openai.openai.azure.com/",
    # Credentials are passed as a configuration object, not a plain dict
    credentials=ApiKeyConfiguration(key="YOUR_AZURE_OPENAI_KEY"),
)
ml_client.connections.create_or_update(aoai_connection)
print("Azure OpenAI connection created")

# Create Azure AI Search connection
search_connection = WorkspaceConnection(
    name="search-connection",
    type="cognitive_search",
    target="https://your-search.search.windows.net",
    credentials=ApiKeyConfiguration(key="YOUR_AZURE_SEARCH_KEY"),
)
ml_client.connections.create_or_update(search_connection)
print("Azure AI Search connection created")

# List all connections
connections = ml_client.connections.list()
for conn in connections:
    print(f" {conn.name} ({conn.type})")
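
Because hub connections can be shared with every project, it is worth reviewing which ones carry static keys and where they point. The following is an added example, not part of the original lab: it audits a constructed connection inventory, and the record fields `auth_type` and `is_shared` and the sample entries are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Expected endpoint host suffix per connection type, taken from the targets
# used in Task 3. Extend the map for other connection types.
EXPECTED_SUFFIX = {
    "azure_open_ai": ".openai.azure.com",
    "cognitive_search": ".search.windows.net",
}


def audit_connection(conn):
    """Return a list of findings for one connection record (a dict)."""
    findings = []
    url = urlsplit(conn["target"])
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append("target is not https")
    suffix = EXPECTED_SUFFIX.get(conn["type"])
    if suffix is None:
        findings.append("unknown connection type")
    elif not host.endswith(suffix):
        findings.append(f"host {host!r} does not end with {suffix}")
    if conn["auth_type"] == "api_key":
        note = "static API key"
        # Assumption: a record without is_shared is treated as shared.
        if conn.get("is_shared", True):
            note += ", usable from every project in the hub"
        findings.append(note)
    return findings


def audit(connections):
    """Map connection name -> findings, omitting clean connections."""
    report = {c["name"]: audit_connection(c) for c in connections}
    return {name: found for name, found in report.items() if found}


# Constructed sample inventory (hypothetical records, not SDK output).
SAMPLE = [
    {"name": "aoai-connection", "type": "azure_open_ai", "auth_type": "api_key",
     "target": "https://your-openai.openai.azure.com/", "is_shared": True},
    {"name": "search-connection", "type": "cognitive_search", "auth_type": "aad",
     "target": "https://your-search.search.windows.net", "is_shared": False},
    {"name": "lookalike", "type": "azure_open_ai", "auth_type": "aad",
     "target": "http://your-openai.openai.azure.com.example.net/", "is_shared": False},
]

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        print(name, found)
```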

Task 4: Explore the Resource Hierarchy

from azure.identity import DefaultAzureCredential
from azure.ai.ml import MLClient

credential = DefaultAzureCredential()

# Connect to hub
hub_client = MLClient(
    credential=credential,
    subscription_id="YOUR_SUBSCRIPTION_ID",
    resource_group_name="rg-ai102-challenge11",
    workspace_name="hub-ai102-foundry",
)

# Get hub details
hub = hub_client.workspaces.get("hub-ai102-foundry")
print(f"Hub: {hub.name}")
print(f" Storage: {hub.storage_account}")
print(f" Key Vault: {hub.key_vault}")
print(f" Container Registry: {hub.container_registry}")

# Connect to project
project_client = MLClient(
    credential=credential,
    subscription_id="YOUR_SUBSCRIPTION_ID",
    resource_group_name="rg-ai102-challenge11",
    workspace_name="proj-ai102-genai",
)

# Verify project inherits hub connections
project_connections = project_client.connections.list()
print("\nProject connections (inherited from hub):")
for conn in project_connections:
    print(f" {conn.name} -> {conn.type}")

Expected Output

After completing all tasks, you should have:

  1. Resource group rg-ai102-challenge11 containing:
    • AI Foundry Hub (hub-ai102-foundry) with kind=Hub
    • AI Foundry Project (proj-ai102-genai) with kind=Project
    • Storage Account (auto-created by hub)
    • Key Vault (auto-created by hub)
  2. Connections configured on the hub:
    • aoai-connection → Azure OpenAI endpoint
    • search-connection → Azure AI Search endpoint
  3. Project inherits all hub connections automatically

Break & fix

Scenario | Symptom | Root Cause | Fix
Hub creation fails | ResourceProviderNotRegistered error | Microsoft.MachineLearningServices not registered | az provider register --namespace Microsoft.MachineLearningServices
Project can't see connections | Empty connection list in project | Project created in different hub or wrong workspace context | Verify hub_resource_id points to correct hub
Connection test fails | 401 Unauthorized on connection | API key rotated or expired | Update connection credentials in hub settings
Storage account conflict | StorageAccountAlreadyTaken | Storage name not globally unique | Use unique prefix in storage account name
Project creation timeout | Operation takes >10 minutes | Region capacity constraints | Try a different region or wait and retry
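
The "Verify hub_resource_id points to correct hub" fix can be checked mechanically. The following is an added example, not part of the original lab: it parses the workspace resource ID format built in Task 2 and compares a project's parent against the expected hub, case-insensitively because ARM resource IDs are not case-sensitive. The project records are constructed dicts and the subscription ID is a placeholder.

```python
import re

# ARM workspace ID layout, as built for hub_id in Task 2.
_WORKSPACE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.MachineLearningServices/workspaces/(?P<name>[^/]+)/?$",
    re.IGNORECASE,
)


def parse_workspace_id(resource_id):
    """Split a workspace resource ID into lower-cased parts, or raise ValueError."""
    match = _WORKSPACE_ID.match(resource_id or "")
    if not match:
        raise ValueError(f"not a workspace resource ID: {resource_id!r}")
    return {key: value.lower() for key, value in match.groupdict().items()}


def check_project_parent(project, expected_hub_id):
    """Return a list of problems with a project's hub link (empty list = OK).

    `project` is a dict with `kind` and `hub_resource_id`, mirroring the
    workspace attributes used in Task 2.
    """
    problems = []
    if (project.get("kind") or "").lower() != "project":
        problems.append(f"kind is {project.get('kind')!r}, expected 'Project'")
    try:
        actual = parse_workspace_id(project.get("hub_resource_id"))
    except ValueError as exc:
        return problems + [str(exc)]
    expected = parse_workspace_id(expected_hub_id)
    for part in ("sub", "rg", "name"):
        if actual[part] != expected[part]:
            problems.append(f"{part} is {actual[part]!r}, expected {expected[part]!r}")
    return problems


# Constructed values: the subscription ID is a placeholder.
SUB = "00000000-0000-0000-0000-000000000000"
HUB_ID = (f"/subscriptions/{SUB}/resourceGroups/rg-ai102-challenge11/providers/"
          "Microsoft.MachineLearningServices/workspaces/hub-ai102-foundry")

if __name__ == "__main__":
    drifted = {"kind": "Project", "hub_resource_id": HUB_ID.replace("foundry", "other")}
    print(check_project_parent(drifted, HUB_ID))
```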

Knowledge Check

1. What is the relationship between an AI Foundry Hub and a Project?

2. Which Azure CLI command creates an AI Foundry Hub?

3. Which dependent resources are automatically created when provisioning an AI Foundry Hub?

4. How do Projects access connections configured on the Hub?

5. What resource provider must be registered to create AI Foundry resources?

Cleanup

az group delete --name rg-ai102-challenge11 --yes --no-wait
