AZ-500 | Chapter 51 of 103 | Objective 2.5

Cognitive Services and AI Security

This chapter covers security for Azure Cognitive Services and AI services, a domain that appears on the AZ-500 exam under Objective 2.5 (Compute Security). You will learn how to secure AI endpoints, manage authentication (keys vs. Azure AD), implement network isolation with private endpoints, and configure data encryption and auditing. Approximately 5-10% of exam questions touch on AI security, often focusing on authentication methods, network security, and key management best practices. By the end, you will be able to design secure AI solutions that meet enterprise compliance requirements.

25 min read
Intermediate
Updated May 31, 2026

AI Service as a Secure Vending Machine

Imagine a high-security vending machine in a corporate lobby. The machine has a sealed internal mechanism that processes ingredients and dispenses drinks. You cannot open the machine to see how it works or tamper with its internal recipe. To use it, you insert a prepaid card (your subscription key) and select a drink (the API call). The machine checks your card's validity and balance (authentication and quota), then processes your request. If your card is stolen or expired, the machine rejects you. The machine also logs every transaction with your card ID, timestamp, and drink selected (audit logging). You can only access the machine via its front panel (the endpoint) using HTTPS; you cannot physically access the back or internal components. Now, suppose the company upgrades the machine to include a face scanner for VIP employees (Azure AD authentication). The machine now checks not just the card but also your face against a trusted list. This is exactly how Azure Cognitive Services work: you access a secure endpoint with a key or Azure AD token, the service authenticates you, authorizes based on role or key, processes your data inside a black box, and returns results. You never see the model or training data. The service also enforces rate limits (like a machine that only dispenses one drink per minute per card). If you exceed the limit, it rejects your request with a 429 error. If you try to send data that contains sensitive information without encryption in transit (non-HTTPS), the machine's security guard throws it out.

How It Actually Works

What Are Azure Cognitive Services and Why Security Matters

Azure Cognitive Services are cloud-based APIs that enable AI capabilities such as vision, speech, language, and decision-making. They are offered as managed services, meaning Microsoft handles the underlying infrastructure, model training, and scaling. From a security perspective, these services present unique challenges because they process potentially sensitive data (e.g., user images, text, audio) and are accessed over the internet. The AZ-500 exam tests your ability to secure these services using Azure's built-in security controls.

Authentication: Keys vs. Azure AD

Cognitive Services support two authentication methods: subscription keys and Azure Active Directory (Azure AD) tokens. Subscription keys are static strings generated when you create the service resource. They are passed in the HTTP header Ocp-Apim-Subscription-Key. Azure AD authentication uses managed identities or service principals to obtain an OAuth 2.0 token, which is passed in the Authorization header as Bearer <token>.

Key Points for the Exam:
- Subscription keys are simpler but less secure because they are long-lived and can be leaked. They are considered a shared secret.
- Azure AD authentication is recommended for production because it supports role-based access control (RBAC), conditional access, and token expiration.
- You can disable key-based authentication by setting the disableLocalAuth property to true on the Cognitive Services account. This forces all requests to use Azure AD.
- To use Azure AD, the caller must have the Cognitive Services User role (or a custom role with Microsoft.CognitiveServices/accounts/read and Microsoft.CognitiveServices/accounts/listKeys/action permissions).

Network Security: Private Endpoints and Service Endpoints

By default, Cognitive Services endpoints are publicly accessible over the internet. To restrict access, you can use Azure Private Link (private endpoints) or virtual network service endpoints. Private endpoints assign a private IP address from your virtual network to the Cognitive Services account, making it accessible only from within that VNet or peered networks. Service endpoints extend your VNet identity to the service over the Azure backbone, but the service still has a public endpoint.

Comparison for the Exam:
- Private endpoints are more secure because the traffic never leaves the Microsoft network and the service is not exposed to the internet. They also support network security groups (NSGs) and route tables.
- Service endpoints are simpler, but the service remains reachable from the internet if the firewall is misconfigured. They do not allow the service to be fully isolated.
- You can also configure IP firewall rules to allow only specific public IP ranges.

Data Encryption: At Rest and In Transit

All Cognitive Services data is encrypted at rest using Azure Storage Service Encryption (SSE) with Microsoft-managed keys by default. You can optionally use customer-managed keys (CMK) stored in Azure Key Vault. For data in transit, HTTPS is enforced (TLS 1.2 minimum). The exam may ask about compliance requirements such as HIPAA or FedRAMP, where CMK is often required.

CMK Configuration Steps:
1. Create an Azure Key Vault and generate or import a key.
2. Enable soft delete and purge protection on the Key Vault.
3. Assign the Cognitive Services account a system-assigned managed identity.
4. Grant the managed identity Get, Unwrap Key, and Wrap Key permissions on the key.
5. Update the Cognitive Services account to use the customer-managed key.

Auditing and Monitoring

Cognitive Services integrate with Azure Monitor and Azure Activity Log. You can log API calls, authentication failures, and quota usage. Diagnostic settings can stream logs to Log Analytics, Storage, or Event Hubs. The exam may ask about enabling diagnostic logs for security analysis.

Key Metrics:
- TotalCalls: Total number of API calls.
- TotalErrors: Number of calls that resulted in HTTP 4xx or 5xx errors.
- BlockedCalls: Calls blocked due to rate limiting or IP restrictions.

Managed Identities for Access to Other Azure Resources

Cognitive Services often need to access other resources like Storage Accounts or Key Vault. Using managed identities eliminates the need for credentials in code. For example, a Cognitive Services account can use its system-assigned managed identity to read images from a Storage Account for processing. The exam tests that you understand how to assign the managed identity and grant it the necessary RBAC role (e.g., Storage Blob Data Reader).

Responsible AI and Content Moderation

Azure Cognitive Services include content moderation APIs that can detect offensive or inappropriate content. Security teams can use these to enforce acceptable use policies. The exam may cover how to configure content moderation filters and review tools.

Configuration and Verification Commands

Using Azure CLI, you can manage Cognitive Services security settings. Example commands:

Disable local authentication (keys):

az cognitiveservices account update --name myAIService --resource-group myRG --disable-local-auth

Enable private endpoint:

az network private-endpoint create --name myPE --resource-group myRG --vnet-name myVNet --subnet mySubnet --private-connection-resource-id /subscriptions/.../providers/Microsoft.CognitiveServices/accounts/myAIService --group-id account --connection-name myPEConnection

Set IP firewall rules:

az cognitiveservices account network-rule add --name myAIService --resource-group myRG --ip-address 203.0.113.0/24

Enable customer-managed key:

az cognitiveservices account update --name myAIService --resource-group myRG --cmk-key-vault https://myvault.vault.azure.net/keys/mykey --cmk-key-name mykey
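One way to verify the settings these commands change, as an added example that is not part of the original chapter: the script audits the JSON that `az cognitiveservices account show` returns. The sample accounts are constructed, the field names assume the ARM resource shape (`properties.disableLocalAuth`, `publicNetworkAccess`, `networkAcls.defaultAction`, `privateEndpointConnections`, `encryption.keySource`), and the check IDs are hypothetical.

```python
import json

# Constructed samples shaped like `az cognitiveservices account show` output,
# trimmed to security-relevant fields. Names and URIs are made up.
DEFAULT_ACCOUNT = json.loads("""{
  "name": "myAIService", "identity": null,
  "properties": {"disableLocalAuth": false, "publicNetworkAccess": "Enabled",
    "networkAcls": null, "privateEndpointConnections": [], "encryption": null}}""")

# Keys disabled and CMK configured, but no managed identity and only a
# VNet (service endpoint) rule: the misconfigurations the chapter warns about.
CMK_NO_IDENTITY = json.loads("""{
  "name": "fraudAI", "identity": null,
  "properties": {"disableLocalAuth": true, "publicNetworkAccess": "Enabled",
    "networkAcls": {"defaultAction": "Deny",
                    "virtualNetworkRules": [{"id": "subnet-placeholder"}]},
    "privateEndpointConnections": [],
    "encryption": {"keySource": "Microsoft.KeyVault", "keyVaultProperties":
      {"keyVaultUri": "https://myvault.vault.azure.net/", "keyName": "mykey"}}}}""")

HARDENED = json.loads("""{
  "name": "imagingAI", "identity": {"type": "SystemAssigned"},
  "properties": {"disableLocalAuth": true, "publicNetworkAccess": "Disabled",
    "networkAcls": {"defaultAction": "Deny"},
    "privateEndpointConnections": [{"properties":
      {"privateLinkServiceConnectionState": {"status": "Approved"}}}],
    "encryption": {"keySource": "Microsoft.KeyVault", "keyVaultProperties":
      {"keyVaultUri": "https://myvault.vault.azure.net/", "keyName": "mykey"}}}}""")


def audit_account(account):
    """Return (check_id, message) findings for one account resource."""
    props = account.get("properties") or {}
    findings = []

    # Authentication: key-based ("local") auth must be off.
    if props.get("disableLocalAuth") is not True:
        findings.append(("AUTH-KEYS", "subscription keys are still accepted"))

    # Network: a missing value is treated as the public default.
    public = (props.get("publicNetworkAccess") or "Enabled").lower()
    acls = props.get("networkAcls") or {}
    default_action = (acls.get("defaultAction") or "Allow").lower()
    if public != "disabled":
        if default_action == "allow":
            findings.append(("NET-OPEN", "endpoint is open to all networks"))
        else:
            # Firewall and service-endpoint rules restrict callers, but the
            # public endpoint still exists.
            findings.append(("NET-PUBLIC", "public endpoint still exposed"))
    approved = [
        pe for pe in props.get("privateEndpointConnections") or []
        if ((pe.get("properties") or {})
            .get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    if not approved:
        findings.append(("NET-NO-PE", "no approved private endpoint connection"))

    # Encryption: Microsoft-managed keys are the default; CMK needs an identity.
    enc = props.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.KeyVault":
        findings.append(("ENC-MMK", "customer-managed key not configured"))
    else:
        identity_type = (account.get("identity") or {}).get("type") or "None"
        if "SystemAssigned" not in identity_type:  # the chapter's procedure
            findings.append(("ENC-NO-MI", "CMK set without a system-assigned identity"))
        if not (enc.get("keyVaultProperties") or {}).get("keyVaultUri"):
            findings.append(("ENC-NO-VAULT", "CMK set without a Key Vault URI"))
    return findings


def check_ids(account):
    return [check_id for check_id, _ in audit_account(account)]


if __name__ == "__main__":
    for acct in (DEFAULT_ACCOUNT, CMK_NO_IDENTITY, HARDENED):
        print(acct["name"], check_ids(acct) or "no findings")
```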

Interaction with Related Technologies

Cognitive Services security is closely tied to:
- Azure Key Vault: For storing customer-managed keys and secrets.
- Azure Private Link: For network isolation.
- Azure AD: For authentication and authorization.
- Azure Policy: To enforce security configurations (e.g., require private endpoints).
- Azure Monitor: For logging and alerting.

Default Values and Timers

Subscription key length: 32 characters (alphanumeric).

Rate limits: Vary by service; typically 20-30 calls per second per key. Check service-specific documentation.

Token expiration for Azure AD: 1 hour by default (configurable).

Diagnostic logs: Retained for 30 days in Log Analytics by default.

Trap Patterns on the Exam

Confusing service endpoints with private endpoints: Service endpoints do not provide a private IP; they only extend VNet identity. Private endpoints are required for complete isolation.

Thinking keys are the only authentication method: Azure AD is supported and often required for compliance.

Assuming CMK is enabled by default: It is not; you must explicitly configure it.

Overlooking managed identities: The exam expects you to know that managed identities can be used for accessing other Azure resources securely.

Walk-Through

1. Create Cognitive Services Resource

In the Azure portal, search for 'Cognitive Services' and select 'Create'. Choose the specific service (e.g., Computer Vision, Text Analytics) or a multi-service account. Provide a name, subscription, resource group, location, and pricing tier. The pricing tier determines throughput limits and features. For security, select a region that supports your compliance requirements (e.g., US Gov for FedRAMP). After creation, note the endpoint URL and the two subscription keys generated. These keys are shown only once; if lost, you must regenerate them from the 'Keys and Endpoint' blade.

2. Configure Authentication Method

Decide whether to use subscription keys or Azure AD. For production, disable local authentication by setting `disableLocalAuth=true` (via CLI or portal). Then assign the `Cognitive Services User` role to the security principal (user, group, or managed identity) that will call the API. If using Azure AD, the caller must obtain a token from Azure AD and pass it in the `Authorization` header. For managed identities, the token is obtained automatically by the Azure SDK. Test the connection by making a sample API call with the token.

3. Restrict Network Access

Navigate to the 'Networking' blade of the Cognitive Services account. You can choose 'All networks', 'Selected networks', or 'Disabled'. For 'Selected networks', add IP address ranges or enable virtual networks. To fully isolate the service, create a private endpoint: go to 'Private endpoint connections' and create a new private endpoint in your VNet. This assigns a private IP to the service. Ensure DNS resolution points to the private IP. Optionally, configure a network security group (NSG) on the subnet to further restrict traffic.

4. Enable Data Encryption with CMK

If required by compliance, enable customer-managed keys. First, create an Azure Key Vault with soft delete and purge protection enabled. Generate or import a key (RSA 2048 or higher). Then, assign a system-assigned managed identity to the Cognitive Services account. Grant this identity `Get`, `Unwrap Key`, and `Wrap Key` permissions on the key. Finally, update the Cognitive Services account to use the key via the 'Encryption' blade or CLI. Verify that the key vault is accessible and that the key version is active.

5. Set Up Diagnostic Logging and Monitoring

Go to 'Diagnostic settings' and add a diagnostic setting. Select the logs you want to collect (e.g., `AuditEvent`, `RequestResponse`). Choose a destination: Log Analytics workspace (for analysis), Storage account (for archiving), or Event Hubs (for streaming). Configure retention policies. Create alerts based on metrics like `TotalErrors` or `BlockedCalls` to detect potential attacks. For example, set an alert when `BlockedCalls` exceeds 100 in 5 minutes, which may indicate a brute-force attempt.
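The `BlockedCalls` rule from step 5, as an added example that is not part of the original chapter: the function evaluates "more than 100 in 5 minutes" over a trailing window and reports each time the condition starts to hold. The datapoints are constructed, and evaluating the window at every datapoint is an assumption of this sketch, not a statement about how Azure Monitor schedules its alert evaluations.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed one-minute BlockedCalls datapoints (timestamp, count); not real
# telemetry. 12:06 is deliberately missing to show gap handling.
SAMPLE = [
    ("2026-05-31T12:00:00", 3),
    ("2026-05-31T12:01:00", 5),
    ("2026-05-31T12:02:00", 40),
    ("2026-05-31T12:03:00", 35),
    ("2026-05-31T12:04:00", 30),
    ("2026-05-31T12:05:00", 20),
    ("2026-05-31T12:07:00", 2),
    ("2026-05-31T12:08:00", 1),
    ("2026-05-31T12:09:00", 0),
    ("2026-05-31T12:10:00", 90),
    ("2026-05-31T12:11:00", 15),
]


def blocked_call_alerts(points, threshold=100, window=timedelta(minutes=5)):
    """Return (timestamp, window_total) for each time the trailing-window sum
    of BlockedCalls rises above the threshold.

    Eviction is by timestamp, not by sample count, so missing datapoints do
    not stretch the window. While the sum stays above the threshold no
    further alert is emitted; a new one fires only after it has cleared.
    """
    recent = deque()      # datapoints currently inside the window
    total = 0             # running sum of counts in `recent`
    firing = False        # True while the condition already holds
    alerts = []

    ordered = sorted((datetime.fromisoformat(t), c) for t, c in points)
    for stamp, count in ordered:
        recent.append((stamp, count))
        total += count
        # Drop datapoints that are 5 minutes old or older relative to `stamp`.
        while recent[0][0] <= stamp - window:
            total -= recent.popleft()[1]
        exceeded = total > threshold   # "exceeds 100": strictly greater
        if exceeded and not firing:
            alerts.append((stamp.isoformat(), total))
        firing = exceeded
    return alerts


if __name__ == "__main__":
    for when, total in blocked_call_alerts(SAMPLE):
        print(f"{when}: {total} blocked calls in the last 5 minutes")
```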

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare Compliance with HIPAA

A hospital uses Azure Cognitive Services for medical image analysis (e.g., detecting tumors in X-rays). The solution must comply with HIPAA, which requires encryption of protected health information (PHI) at rest and in transit, and strict access controls. The security team configures the Cognitive Services account with customer-managed keys stored in Azure Key Vault with soft delete and purge protection. They disable local authentication and use Azure AD authentication with managed identities for the application. Network access is restricted using a private endpoint in a VNet that is peered with the hospital's on-premises network via ExpressRoute. All API calls are logged to a Log Analytics workspace, and alerts are set for any access from unexpected IPs. They also enable content moderation to ensure no offensive content is processed. A common mistake is forgetting to disable key-based authentication, which would leave a backdoor if a key is leaked. The team regularly rotates keys and reviews access logs.

Enterprise Scenario 2: Retail Chatbot with Conditional Access

A retail company deploys a chatbot using Azure Cognitive Services Language Understanding (LUIS) and QnA Maker. The chatbot is accessed by customers and employees. For employees, they want to enforce multi-factor authentication (MFA) and conditional access policies. They configure the Cognitive Services account to use Azure AD authentication and assign the Cognitive Services User role to the employee app's managed identity. A conditional access policy is created that requires MFA for all access to the Cognitive Services endpoint. For customer access, they continue using subscription keys but rotate them frequently. They also implement IP firewall rules to allow only the chatbot's backend IP. Performance considerations: The chatbot handles up to 1000 requests per minute, so they choose the S0 pricing tier (1000 calls per minute). They monitor TotalCalls and TotalErrors to ensure they don't hit rate limits.

Scenario 3: Financial Services with Azure Policy

A bank uses Cognitive Services for fraud detection. They have a strict policy that all Cognitive Services accounts must have private endpoints and CMK enabled. They enforce this using Azure Policy with built-in policies like 'Cognitive Services accounts should use customer-managed keys for encryption' and 'Cognitive Services accounts should use private link'. Any new account that violates these policies is automatically denied or flagged. They also use Azure Blueprints to standardize the deployment. A common issue is that developers forget to assign the managed identity to the Cognitive Services account when setting up CMK, causing the encryption to fail. The policy alerts them to this misconfiguration.

How AZ-500 Actually Tests This

AZ-500 Objective 2.5: Secure Cognitive Services

The exam focuses on three main areas: authentication, network security, and data protection. You will be asked to choose the correct method to restrict access, identify the most secure configuration, or troubleshoot a security issue.

Common Wrong Answers and Why Candidates Choose Them:
1. 'Use service endpoints instead of private endpoints for complete isolation.' Candidates see 'endpoint' and think they are similar. Reality: Service endpoints do not provide a private IP; the service remains publicly accessible. Private endpoints are required for full isolation.
2. 'Subscription keys are more secure because they are static.' Candidates think static means predictable, but static keys are easier to leak and cannot be rotated without disruption. Azure AD tokens are dynamic and support RBAC.
3. 'Customer-managed keys are enabled by default.' Candidates assume Microsoft's default is the most secure. Reality: Default is Microsoft-managed keys; CMK is optional and requires configuration.
4. 'Disabling local authentication also disables Azure AD authentication.' Candidates think 'local' means all authentication. Reality: 'Local' refers to keys; Azure AD is a separate method that remains active.

Specific Numbers and Terms That Appear on the Exam:
- The command to disable local auth: az cognitiveservices account update --disable-local-auth
- The role for calling Cognitive Services with Azure AD: Cognitive Services User
- The property for disabling keys: disableLocalAuth
- The default encryption: Microsoft-managed keys (SSE)
- Private endpoint group ID: account

Edge Cases and Exceptions:
- If you disable local authentication, you cannot use keys even for emergency access. Ensure Azure AD is working before disabling.
- Private endpoints require DNS configuration; if DNS is not updated, calls will fail with a connection error.
- CMK key vault must be in the same region as the Cognitive Services account.
- Rate limits are per key and per region; using multiple keys can increase throughput.

How to Eliminate Wrong Answers:
- If the question asks for 'most secure' or 'recommended', look for Azure AD, private endpoints, and CMK.
- If the question mentions 'compliance' like HIPAA, CMK is likely required.
- If the question involves 'network isolation', private endpoints are the answer, not service endpoints.
- If the question says 'keys are compromised', the solution is to disable local auth and use Azure AD, or regenerate keys.
- If the question involves 'managed identity', it is for accessing other resources, not for authenticating to the Cognitive Services API (though it can be used for that via Azure AD).

Key Takeaways

Cognitive Services support two authentication methods: subscription keys and Azure AD. Azure AD is recommended for production.

Disable local authentication (keys) by setting disableLocalAuth=true to force Azure AD-only access.

Use private endpoints for complete network isolation; service endpoints do not provide a private IP.

Customer-managed keys (CMK) are optional and require Azure Key Vault; they are not enabled by default.

The Cognitive Services User role is required for Azure AD authentication to call the API.

Rate limits vary by service and pricing tier; monitor TotalCalls and TotalErrors metrics.

Managed identities allow Cognitive Services to access other Azure resources without credentials.

Diagnostic logs can be sent to Log Analytics, Storage, or Event Hubs for auditing and alerting.

HTTPS is enforced for all Cognitive Services endpoints; TLS 1.2 minimum.

Content moderation APIs can be used to enforce acceptable use policies.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Subscription Keys

Static 32-character alphanumeric strings.

Passed in header Ocp-Apim-Subscription-Key.

No support for RBAC; any user with the key can call the API.

Cannot enforce conditional access or MFA.

Can be regenerated but requires updating all clients.

Azure AD Authentication

Dynamic OAuth 2.0 tokens with 1-hour default expiry.

Passed in header Authorization: Bearer <token>.

Supports RBAC via Cognitive Services User role.

Can enforce conditional access policies (e.g., MFA).

Tokens are obtained automatically by managed identities.

Service Endpoints

Extends VNet identity to the service over Azure backbone.

Service still has a public endpoint and public IP.

Traffic stays on Microsoft network but goes to public endpoint.

Configured via service endpoint policies.

No private IP assigned; DNS resolves to public IP.

Private Endpoints

Assigns a private IP from VNet to the service.

Service is fully isolated from the internet.

Traffic never leaves Microsoft network and goes to private IP.

Configured via Private Link and private endpoint.

DNS resolves to private IP; public endpoint can be disabled.

Watch Out for These

Mistake

Cognitive Services can only be authenticated using subscription keys.

Correct

Cognitive Services support both subscription keys and Azure AD authentication. Azure AD is recommended for production because it supports RBAC, conditional access, and token expiration.

Mistake

Service endpoints provide the same level of isolation as private endpoints.

Correct

Service endpoints only extend VNet identity; the service still has a public endpoint. Private endpoints assign a private IP and fully isolate the service from the internet.

Mistake

Customer-managed keys are enabled by default for Cognitive Services.

Correct

By default, Cognitive Services use Microsoft-managed keys. Customer-managed keys must be explicitly configured via Azure Key Vault.

Mistake

Disabling local authentication also disables Azure AD authentication.

Correct

Disabling local authentication only disables key-based access. Azure AD authentication remains unaffected and can still be used.

Mistake

Cognitive Services data is encrypted in transit only if you use HTTPS.

Correct

HTTPS is enforced by default for all Cognitive Services endpoints. Data is encrypted in transit using TLS 1.2 minimum. You cannot disable HTTPS.


Frequently Asked Questions

How do I disable subscription key authentication for Azure Cognitive Services?

Use the Azure CLI command `az cognitiveservices account update --name myAIService --resource-group myRG --disable-local-auth`. This sets the `disableLocalAuth` property to true, which blocks all requests that use subscription keys. After disabling, only Azure AD authentication is accepted. Ensure that the calling application has been updated to use Azure AD tokens before disabling keys, or you will lose access.

What is the difference between a service endpoint and a private endpoint for Cognitive Services?

A service endpoint extends your VNet identity to the Cognitive Services service over the Azure backbone, but the service still has a public endpoint. A private endpoint assigns a private IP address from your VNet to the service, making it accessible only from within that VNet or peered networks. Private endpoints provide full isolation from the internet, while service endpoints do not. For maximum security, use private endpoints.

Can I use Azure AD authentication with Cognitive Services without a managed identity?

Yes, you can use any Azure AD security principal (user, group, service principal) that has the `Cognitive Services User` role. The caller must obtain an OAuth 2.0 token from Azure AD and pass it in the `Authorization` header. Managed identities are just one way to obtain tokens automatically; you can also use the Azure Identity SDK or acquire tokens manually.

How do I enable customer-managed keys for Cognitive Services?

First, create an Azure Key Vault with soft delete and purge protection enabled. Generate or import a key. Then, assign a system-assigned managed identity to the Cognitive Services account. Grant the managed identity `Get`, `Unwrap Key`, and `Wrap Key` permissions on the key. Finally, update the Cognitive Services account to use the key via the Azure portal (Encryption blade) or CLI: `az cognitiveservices account update --name myAIService --resource-group myRG --cmk-key-vault https://myvault.vault.azure.net/keys/mykey --cmk-key-name mykey`.

What Azure RBAC role is needed to call Cognitive Services using Azure AD?

The `Cognitive Services User` role is required. This role grants permission to read the Cognitive Services account and use its API. Without this role, Azure AD authentication will fail with a 403 Forbidden error. Note that this role does not allow management of the account itself (e.g., changing settings); that requires the `Cognitive Services Contributor` role.

How do I monitor API calls to Cognitive Services for security auditing?

Enable diagnostic settings on the Cognitive Services account. Select the logs you want to collect, such as `AuditEvent` and `RequestResponse`. Choose a destination like Log Analytics workspace. You can then query logs using KQL, create alerts based on metrics (e.g., `TotalErrors`), and set up dashboards. All API calls are logged with caller IP, authentication method, and response status.

Can I use a Cognitive Services account without an internet connection?

No, Cognitive Services are cloud APIs and require internet connectivity (or Azure private connectivity) to function. However, you can use private endpoints to route traffic through your VNet without going over the public internet. For offline scenarios, consider using containers (Cognitive Services containers) that can be deployed on-premises or in a disconnected environment.
