Microsoft Foundry in Practice

Building Custom Content Filter Policies for Foundry

Foundry ships no configurable filter layer for Claude, so industry-specific screening is something you design and run yourself. Here is a practical, defensive blueprint.

Claude 3P 101 · Updated July 2026 · Unofficial guide

A "custom content filter policy" usually means a written set of categories — what your organization considers sensitive, in which contexts, at what severity — plus the technical controls that enforce it. On Microsoft Foundry, Claude deployments come with Anthropic's safety systems built into the service, but Microsoft is explicit that Foundry provides no built-in content filtering for Claude at deployment time: customers should configure AI content safety during model inference themselves. So for anything beyond Anthropic's baseline safeguards — a bank's rules about financial advice, a hospital's rules about clinical claims — the filter policy is yours to build. This article covers how to structure it defensively; it is not a guide to weakening any safeguard, which is not a customer option anyway.

Start with the policy document, not the code

Before writing a line of Python, write the annotated policy. For each category your industry cares about, record four things: a name, a plain-language definition with examples, the action to take (block, redact, flag for review, or allow with logging), and the rationale. The annotations matter — six months from now, an auditor or a new engineer needs to know why "unlicensed investment advice" is a block category while "general market commentary" is flag-only. Keep the document versioned alongside your application code so policy changes are reviewable like any other change.

Anthropic's Acceptable Use Policy is your floor: applications on Foundry must comply with it regardless of what your own policy says. Your custom categories sit on top, narrowing further for your industry.

The three enforcement layers

Layer 1 — input screening. Before a prompt reaches the Messages endpoint, run it through your checks: pattern matching for identifiers you never want sent (account numbers, patient IDs), a classifier for your block categories, and size or format validation. Rejecting a request here costs nothing in tokens.

Layer 2 — the system prompt. Encode your policy's behavioral rules directly in the system prompt: what topics to decline, what disclaimers to attach, what tone to hold. This is not a security boundary on its own — treat it as guidance that improves outcomes, backed by the layers around it.

Layer 3 — output review. After the response returns, screen it before display: check for your sensitive categories, apply redaction where your policy says redact, and route flagged responses to human review where it says flag. Also inspect stop_reason on every response — Anthropic's own classifiers (for example, the dual-use safeguards on Claude Fable 5) return an HTTP 200 with stop_reason: "refusal" rather than an error, and refused input tokens are not billed. Your handler should treat that as a first-class outcome, not an exception.

from anthropic import AnthropicFoundry

client = AnthropicFoundry(api_key="...", resource="example-resource")

def screened_call(user_text: str) -> str:
    if violates_input_policy(user_text):      # Layer 1: your classifier
        return POLICY_DECLINE_MESSAGE
    msg = client.messages.create(
        model="claude-sonnet-5", max_tokens=1024,
        system=POLICY_SYSTEM_PROMPT,           # Layer 2
        messages=[{"role": "user", "content": user_text}],
    )
    if msg.stop_reason == "refusal":           # Anthropic-side safeguard
        return POLICY_DECLINE_MESSAGE
    return apply_output_policy(msg)            # Layer 3: redact / flag / allow

Testing and operating the policy

A filter policy you have never tested is a wish. Build a labeled test set from your policy document — several examples per category, including borderline cases annotated with the expected action — and run it in CI whenever the policy, the system prompt, or the model version changes. Log every block, redaction, and flag with the category that triggered it, so you can see false-positive rates per category and tune definitions rather than guessing.

Two operational notes specific to Foundry. First, Microsoft points to Anthropic's documentation and system cards for how the built-in screening behaves; review those when you adopt a new model so your custom layers complement rather than duplicate them. Second, if your policy exists to satisfy a regulator, remember that running Claude on Azure inherits your cloud provider's compliance posture — confirm specifics with your provider and your own counsel rather than treating any filter design, including this one, as a compliance conclusion.

Where to go next

Read how content filtering actually works for Claude on Foundry if you skipped it, then see diagnostic logging for capturing filter events, or browse all articles.

Sources