Microsoft Foundry in Practice

Role-Based Access Control for Foundry Resources

"Who can deploy Claude?" and "who can call Claude?" are different questions with different Azure roles as answers. Getting the split right is most of Foundry access governance.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Azure role-based access control (RBAC) is the permission system that decides what each identity — a person, a group, an application, or a managed identity — may do with each Azure resource. For Claude on Microsoft Foundry, RBAC governs two distinct planes. The management plane covers creating Foundry resources, deploying models, and changing settings like networking. The data plane covers actually calling the deployed model — sending requests to /anthropic/v1/messages. A sound setup gives most identities exactly one of the two.

Management plane: who can deploy and configure

Microsoft's prerequisites for deploying Claude are explicit: you need the Contributor or Owner role on the resource group (alongside a paid Azure subscription, Foundry portal access, and Azure Marketplace access — Claude models are third-party Marketplace offerings from Anthropic that require accepting Marketplace terms). Contributor/Owner is what lets someone create the Foundry resource, click through Deploy for claude-opus-4-8 or claude-sonnet-5, and manage deployments afterwards.

Networking changes bring in one more role: creating a private endpoint requires Network Contributor on the virtual network, while approving the endpoint connection again takes Contributor or Owner on the Foundry resource. In practice, management-plane roles belong to a small platform team, assigned at the resource group scope — broad-scope Owner grants are the classic over-permission to avoid.

Data plane: who can call the model

Calling Claude requires no management role at all — and that is the point. When applications authenticate with Microsoft Entra ID tokens (rather than API keys), the documented inference role is Cognitive Services User in Microsoft's guide; Anthropic's documentation names Foundry User or Cognitive Services User. Both docs agree on the symptom of getting it wrong: a 403 from the endpoint usually means the calling identity is missing this role assignment.

Entra ID authentication is what makes the data plane RBAC-governed at all. The alternative — the resource's API key from the deployment's Details tab — grants access to anyone holding the string, with no per-identity distinction. Both methods are documented and hit the same endpoint, but centralized identity management and RBAC are explicitly the benefits Entra auth adds. Some models force the issue: Claude Mythos 5 and Mythos Preview support Entra ID authentication only, with no API keys. For the key-based path and its handling, see storing Foundry keys in Key Vault; to remove keys entirely, see managed identity.

TaskRoleScope
Create resource, deploy Claude modelsContributor or OwnerResource group
Create a private endpointNetwork ContributorVirtual network
Approve private endpoint connectionsContributor or OwnerFoundry resource
Call deployed models (inference)Cognitive Services User / Foundry UserFoundry resource

Assigning the roles

Assignment is standard Azure IAM: open the target scope (resource group or Foundry resource) in the portal, go to Access control (IAM), and add a role assignment for the user, group, service principal, or managed identity — or script the same with the Azure CLI or infrastructure-as-code. Two habits pay off. Assign to groups for humans (a "claude-developers" group with the inference role beats twenty individual assignments), and assign to managed identities for workloads, so production apps never hold standing credentials. Keep scopes as narrow as the task allows: inference roles on the specific Foundry resource, not the subscription.

Rule of thumb: developers and applications get the inference role only; a small platform team gets Contributor on the resource group; Owner stays rare. If an app's identity could deploy models, it has the wrong role.

Verifying the setup

Test both directions. An identity with only Cognitive Services User should successfully call the Messages endpoint with an Entra token and fail to modify the deployment. An identity with neither role should get 403 on inference — seeing that expected failure confirms RBAC, not the API key, is doing the guarding. Fold these checks into your go-live checklist alongside network tests.

Where to go next

Continue with managed identity for Azure services, add conditional rules in Conditional Access for Foundry, or review Entra ID authentication end to end.

Sources