A Foundry resource is the Azure object that represents your Claude capability: it lives in a subscription and resource group, sits in a region, issues the API keys your code will use, and is the unit at which usage is metered and access is administered. Creating one takes minutes; configuring it so that it still looks sensible a year later takes a little forethought. This guide covers the decisions in order.
Step 1: decide where the resource lives
Before creating anything, answer three placement questions with your platform team. Subscription and resource group: put the resource where its costs and ownership are unambiguous — typically the subscription of the team that owns the workload, in a resource group dedicated to that application. Region: choose based on where your users and data are; region affects latency and the data-location answers your legal team will eventually ask for (see Regions and Data Location Basics). How many resources: the pattern that ages best is one resource per environment — dev, staging, production — so credentials, quotas, and spend never blur across environments. A single shared resource "to keep things simple" is the choice teams most often regret.
Step 2: create the resource and enable Claude
Creation itself follows the standard Azure flow: pick the subscription, resource group, region, and a name. Choose names that encode team, purpose, and environment — future-you reading a bill or an audit log will be grateful. Once the resource exists, enable or deploy the Claude models your team will use through the resource's model configuration. Enable only what you need: if the workload runs on Claude Sonnet 5, there is no reason for the production resource to expose Claude Opus 4.8 as well. You can always add a model later, deliberately.
Step 3: handle the keys like the secrets they are
Unlike Bedrock (AWS credentials) and Vertex AI (Application Default Credentials), Foundry authenticates with API keys issued by the resource. Keys are convenient and dangerous in exactly the usual ways, so apply the standard discipline from day one: store them in a secret manager, inject them into workloads at runtime, never write them into code, configuration files, or repositories, and assign an owner for rotation. Because each environment has its own resource, each environment has its own keys — which means rotating staging never risks production, and a leaked dev key cannot touch production traffic.
.env file that reaches version control, treat it as compromised and rotate it. Key hygiene failures are rarely dramatic on day one — they surface months later, in an environment nobody remembers configuring.Step 4: wire it into code
The official Python SDK's Foundry client takes the resource name and the key. Model IDs on Foundry are the bare first-party form — claude-sonnet-5, not the anthropic.-prefixed form Bedrock uses.
import os
from anthropic import AnthropicFoundry
client = AnthropicFoundry(
api_key=os.environ["FOUNDRY_API_KEY"], # injected, never hard-coded
resource="acme-support-prod",
)
message = client.messages.create(
model="claude-sonnet-5",
max_tokens=1024,
messages=[{"role": "user", "content": "Confirm the resource is live."}],
)
print(message.content)
A successful response confirms the whole chain: resource exists, model is enabled, key is valid, and your code can reach the endpoint.
Step 5: production settings worth checking before launch
Three items separate a demo resource from a production one. Access: restrict who in your organization can read keys or administer the resource, using your normal Azure role assignments. Monitoring and spend: point your cost views and alerts at the resource so usage is visible from the first week — surprises compound. Feature status: Foundry's feature coverage is broad, though some features are still in beta as of July 2026; before a production dependency on anything beyond the core Messages API, streaming, tool use, vision, adaptive thinking, and prompt caching, check the current status of that specific feature, as covered in the Foundry primer.
Where to go next
With the resource configured, Your First Claude Call on Microsoft Foundry walks the request path end to end, and Microsoft Foundry: The Complete Enterprise Primer puts the resource in its wider Azure context. For key handling patterns across all platforms, see Keeping API Keys and Credentials Out of Your Code.