Quickstart: Get started with Microsoft Discovery Infrastructure

In this quickstart, you set up your Microsoft Discovery environment to run your first AI-powered scientific investigation. You complete the following tasks:

  • Set up networking, identity, and storage
  • Create a supercomputer
  • Create a workspace
  • Assign the Foundry User role on the managed resource group
  • Sign in to Microsoft Discovery Studio
  • Create a project

Prerequisites

  • An active Azure subscription that is enabled for Microsoft Discovery access.

  • Sufficient permissions in your Azure subscription to register resource providers and create resources:

    • The Owner, Role Based Access Control Administrator, or User Access Administrator role is required to assign roles to administrators (Platform Admins, Scientists, and Engineers) who manage and use Discovery resources. For more information, see Assign roles to administrators.
  • Register resource providers in your Azure subscription: You need to have a Contributor or higher privileged role (for example, Owner) and follow these steps:

    1. Sign in to the Azure portal.
    2. Navigate to Subscriptions and select your subscription.
    3. In the left-hand menu, select Resource Providers.
    4. Search for Microsoft.Discovery.
    5. Select the provider name and select Register.

    Note

    Ensure that the following resource providers are also registered on your subscription. If not, register them: Microsoft.Network, Microsoft.Compute, Microsoft.Storage, Microsoft.ManagedIdentity, Microsoft.AlertsManagement, Microsoft.Authorization, Microsoft.CognitiveServices, Microsoft.ContainerInstance, Microsoft.ContainerRegistry, Microsoft.ContainerService, Microsoft.DocumentDB, Microsoft.Features, Microsoft.KeyVault, Microsoft.MachineLearningServices, Microsoft.OperationalInsights, Microsoft.ResourceGraph, Microsoft.Search, Microsoft.Web, Microsoft.Insights, Microsoft.Resources, Microsoft.Sql, Microsoft.App, Microsoft.Bing

  • Microsoft Foundry, Azure OpenAI quotas, and VM SKU/quotas available in your chosen region. See Quota reservations.

  • An existing resource group, or permissions to create a new one. Creating a resource group requires Contributor role on the subscription.

  • A virtual network and subnets for your workspace and supercomputer. See Create a virtual network and subnets.

  • User Assigned Managed Identities (UAMI) with the required Azure role assignments for your supercomputer, workspace, and Azure Blob Storage. See Create a User Assigned Managed Identity (UAMI).

Important

Microsoft Discovery resources are supported in three production regions: East US, Sweden Central, and UK South. Create all resources for a single deployment in the same region, subscription, and resource group for simplicity.

1. Set up networking, identity, and storage

Before proceeding with the deployment of Microsoft Discovery infrastructure components, use an existing resource group or create a new one.

a. Assign roles to administrators

Assign the following built-in roles to users at the desired scope (subscription or resource group):

  • Microsoft Discovery Platform Administrator (Preview)
  • Managed Identity Contributor
  • Managed Identity Operator
  • Storage Account Contributor
  • Storage Blob Data Contributor
  • Network Contributor
  • ACRPush
  • Foundry User
  • Microsoft Discovery Bookshelf Index Data Reader (Preview)

Note

If you're assigning all roles at the subscription level, you can skip this note. If you're assigning roles at the resource group level, skip the Foundry User role for now. Continue with the next steps and revisit this role assignment after the workspace resource is created. This role must be assigned to each Platform Admin or Scientist user at the workspace managed resource group level.

Steps to assign roles:

  1. Sign in to the Azure portal.
  2. Navigate to Subscriptions and select your subscription.
  3. In the left-hand menu, select Access control (IAM).
  4. Select Add, then select Add role assignment.
  5. On the Add role assignment pane, search for each role one at a time, then select Next.
  6. On the Members tab, ensure Assign access to is set to User, group, or service principal.
  7. Select + Select members, choose the members to assign this permission to, then select Next.
  8. On the Conditions tab, select Allow user to assign all roles except privileged administrator roles Owner, UAA, RBAC (Recommended), then select Next.
  9. On the Assignment Type tab, select the configuration that best suits your organization, then select Next.
  10. On the Review + assign tab, verify the information, and select Review + assign.

Repeat this process for all the required roles.

b. Assign required roles to Discovery control-plane service App

Microsoft Discovery workspaces, bookshelves, and supercomputers are network-hardened by default using Network Security Perimeter (NSP) rules. Before you create your first workspace, bookshelf, or supercomputer, you must create the Discovery NSP Perimeter Joiner custom role. Once it is created, assign the Discovery NSP Perimeter Joiner custom role and the Reader role to the Discovery first-party service principal so the control plane can configure Network Security Perimeters in your subscription. For step-by-step instructions, see Assign the NSP Perimeter Joiner role.

c. Create a virtual network and subnets

Note

A virtual network can only be associated with one Microsoft Discovery workspace. If you need multiple workspaces, create a separate virtual network and subnets for each one.

  1. Sign in to the Azure portal.
  2. Search for Virtual networks and select it from the results.
  3. Select Create to start creating a new virtual network.
  4. Enter details such as Subscription, Resource Group, Name, and Region, then select Next.
  5. Configure IP addresses:
    • IPv4 address space: Enter your chosen CIDR (Classless Inter-Domain Routing) block (for example, 10.0.0.0/16).
    • Add the following subnets:
      • supercomputerNodepoolSubnet: 10.0.1.0/24
      • aksSubnet: 10.0.2.0/24
      • workspaceSubnet: 10.0.3.0/24
      • privateEndpointSubnet: 10.0.4.0/24
      • agentSubnet: 10.0.5.0/24
      • searchSubnet: 10.0.6.0/24
  6. For workspaceSubnet, agentSubnet and searchSubnet, under SubnetDelegation, select Microsoft.App/environments.
  7. For workspaceSubnet, agentSubnet, supercomputerNodepoolSubnet, and aksSubnet, under Service Endpoints, add Microsoft.Storage.
  8. Optionally, you can remove the default subnet from the list.
  9. Review and create the virtual network.
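
The subnet plan above can be checked before the virtual network is created. The following Python sketch is an added example, not part of the original quickstart; the dict layout and the `validate_plan` function are assumptions made for illustration. It verifies that each subnet lies inside the address space, that no prefixes overlap, and that the delegation and service endpoint requirements from steps 6 and 7 are met.

```python
import copy
import ipaddress

APP_ENV = "Microsoft.App/environments"
STORAGE = "Microsoft.Storage"

# Requirements from the steps above: name -> (required delegation, required service endpoints).
REQUIRED = {
    "supercomputerNodepoolSubnet": (None, {STORAGE}),
    "aksSubnet": (None, {STORAGE}),
    "workspaceSubnet": (APP_ENV, {STORAGE}),
    "privateEndpointSubnet": (None, set()),
    "agentSubnet": (APP_ENV, {STORAGE}),
    "searchSubnet": (APP_ENV, set()),
}

# The example plan from the steps above, in a hypothetical dict layout.
PAGE_PLAN = {
    "supercomputerNodepoolSubnet": {"prefix": "10.0.1.0/24", "service_endpoints": [STORAGE]},
    "aksSubnet": {"prefix": "10.0.2.0/24", "service_endpoints": [STORAGE]},
    "workspaceSubnet": {"prefix": "10.0.3.0/24", "delegation": APP_ENV, "service_endpoints": [STORAGE]},
    "privateEndpointSubnet": {"prefix": "10.0.4.0/24"},
    "agentSubnet": {"prefix": "10.0.5.0/24", "delegation": APP_ENV, "service_endpoints": [STORAGE]},
    "searchSubnet": {"prefix": "10.0.6.0/24", "delegation": APP_ENV},
}

# Constructed faulty variant: overlapping prefix, missing delegation, missing endpoint.
BROKEN_PLAN = copy.deepcopy(PAGE_PLAN)
BROKEN_PLAN["agentSubnet"]["prefix"] = "10.0.3.128/25"
del BROKEN_PLAN["searchSubnet"]["delegation"]
BROKEN_PLAN["aksSubnet"]["service_endpoints"] = []


def validate_plan(address_space, subnets):
    """Return a list of findings; an empty list means the plan meets the requirements."""
    findings = []
    vnet = ipaddress.ip_network(address_space)
    parsed = {}
    for name, (delegation, endpoints) in REQUIRED.items():
        spec = subnets.get(name)
        if spec is None:
            findings.append(f"{name}: missing")
            continue
        try:
            # strict parsing rejects prefixes with host bits set, such as 10.0.1.5/24
            net = ipaddress.ip_network(spec["prefix"])
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix ({exc})")
            continue
        parsed[name] = net
        if net.version != vnet.version or not net.subnet_of(vnet):
            findings.append(f"{name}: {net} is outside {vnet}")
        if delegation and spec.get("delegation") != delegation:
            findings.append(f"{name}: delegation should be {delegation}")
        missing = endpoints - set(spec.get("service_endpoints", ()))
        if missing:
            findings.append(f"{name}: missing service endpoint {sorted(missing)}")
    # Pairwise overlap check across every subnet that parsed cleanly.
    names = sorted(parsed)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            if parsed[first].overlaps(parsed[second]):
                findings.append(f"{first} overlaps {second}")
    return findings


if __name__ == "__main__":
    for finding in validate_plan("10.0.0.0/16", BROKEN_PLAN) or ["plan matches"]:
        print(finding)
```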

Note

Network Security Groups (NSGs) aren't mentioned in this step, but it's a general best practice to implement NSGs for each subnet in a virtual network, depending on your organization's policies.

d. Create a user assigned managed identity (UAMI)

You can create different UAMIs each with their own required permissions for specific resource access, or you can create a single UAMI with all necessary permissions for the platform. For this exercise, create a single UAMI by following these steps:

  1. Sign in to the Azure portal.
  2. Search for Managed Identities and select it from the list.
  3. Select Create.
  4. Fill in the required details such as subscription, resource group, region, and name.
  5. Select Review + Create, then select Create.

e. Assign Azure Role Based Access Control (RBAC) roles to UAMI

Assign the following built-in roles to the new User Assigned Managed Identity at Resource Group level:

  • Microsoft Discovery Platform Contributor (Preview)
  • Storage Blob Data Contributor
  • ACRPull

  1. Navigate to Subscriptions and select your subscription.
  2. Select the resource group that you're using for this exercise.
  3. In the left-hand menu, select Access control (IAM).
  4. Select Add, then select Add role assignment.
  5. On the Add role assignment pane, search for each role one at a time, then select Next.
  6. On the Members tab, ensure Assign access to is set to Managed Identity.
  7. Select + Select members. In the Select managed identities pane, select your subscription, select User-assigned managed identity type, select the managed identity you created in the previous step, then select Select.
  8. On the Review + assign tab, verify all the information, and select Review + assign.

Screenshot of the Azure portal showing UAMI role assignment.

f. Create an Azure Blob Storage account

To store input and output data for your investigations, create an Azure blob storage account to associate with your storage container or use an existing one with the following requirements:

  • Create a container within the storage account named discoveryoutputs where the output files are stored.
  • The storage account must allow access from the Virtual Network used to create the supercomputer and workspace.
  • The storage account must allow access from your client public IP or local network so you can access the output data.
  • The storage account must have the correct CORS settings. You must allow these origins: https://studio.discovery.microsoft.com, https://vscode.dev, and https://*.vscode-cdn.net. Set the allowed operations to include GET, HEAD, DELETE, and PUT and set Allowed Headers and Exposed Headers to *, and Max Age to 200. This setting is found under the Resource sharing (CORS) page under the Settings tab.
  • Ensure that the UAMI created in the previous step has Storage Blob Data Contributor access to the storage account.

To create an Azure blob storage account:

  1. Sign in to the Azure portal.
  2. Search for Storage accounts and select it from the results.
  3. Select Create to start creating a new storage account.
  4. Enter details such as Subscription, Resource Group, Name, and Region.
  5. Select Azure Blob Storage as the primary service, then select the Networking tab.
  6. Under public network access, select Enable public access from selected virtual networks and IP addresses.
  7. Select the Virtual Network and all subnets created in step 1.
  8. Select Add your client IP address if you're accessing data over the internet, or ensure your client can access the storage account and virtual network via private link, Site-to-Site VPN, or ExpressRoute.
  9. Select Review + create, then select Create.

Note

To view and download output files, your client or browser needs network access to the blob storage. You can allow public internet access by opening public access to all networks. You can also allow your client's public IP address in the storage networking and firewall settings. Alternatively, configure private access via Azure VPN or ExpressRoute.

Create a blob container

  1. After the storage account is created, navigate to the storage account overview page.
  2. In the left navigation pane, under Data storage, select Containers.
  3. Select Add container.
  4. Enter discoveryoutputs as the name and select Create.

Enable CORS and UAMI access

  1. Open the storage account we created in the previous step.
  2. Under the Settings tab, select Resource sharing (CORS).
  3. Under Blob service in the Allowed origins column, enter https://studio.discovery.microsoft.com, https://vscode.dev, and https://*.vscode-cdn.net. For all three, set the allowed operations to include GET, HEAD, DELETE, OPTIONS, and PUT. Set Allowed Headers and Exposed Headers to *, and Max Age to 200.
  4. Select Save.
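
To confirm that the saved CORS rules match step 3 and allow nothing broader, the rules can be audited after export. The following Python sketch is an added example, not part of the original quickstart; the rule dicts use the property names of the blob service `corsRules` resource schema, the sample rules are constructed, and `audit_cors` is a hypothetical helper. It treats an origin as satisfied when at least one rule that lists it is complete, and it also reports any origin outside the three required ones.

```python
REQUIRED_ORIGINS = (
    "https://studio.discovery.microsoft.com",
    "https://vscode.dev",
    "https://*.vscode-cdn.net",
)
REQUIRED_METHODS = {"GET", "HEAD", "DELETE", "OPTIONS", "PUT"}  # list from step 3
MAX_AGE = 200

# Constructed sample: one rule that matches step 3 exactly.
GOOD_RULES = [{
    "allowedOrigins": list(REQUIRED_ORIGINS),
    "allowedMethods": ["GET", "HEAD", "DELETE", "OPTIONS", "PUT"],
    "allowedHeaders": ["*"], "exposedHeaders": ["*"], "maxAgeInSeconds": 200,
}]

# Constructed sample: PUT missing, one origin missing, plus a wildcard origin.
BAD_RULES = [
    {"allowedOrigins": ["https://studio.discovery.microsoft.com", "https://vscode.dev"],
     "allowedMethods": ["GET", "HEAD", "DELETE", "OPTIONS"],
     "allowedHeaders": ["*"], "exposedHeaders": ["*"], "maxAgeInSeconds": 200},
    {"allowedOrigins": ["*"], "allowedMethods": ["GET"],
     "allowedHeaders": ["*"], "exposedHeaders": ["*"], "maxAgeInSeconds": 0},
]


def rule_problems(rule):
    """List the ways a single rule deviates from the settings in step 3."""
    problems = []
    methods = {m.upper() for m in rule.get("allowedMethods", [])}
    missing = REQUIRED_METHODS - methods
    if missing:
        problems.append("missing methods " + ", ".join(sorted(missing)))
    for key in ("allowedHeaders", "exposedHeaders"):
        if "*" not in rule.get(key, []):
            problems.append(f"{key} is not *")
    if rule.get("maxAgeInSeconds") != MAX_AGE:
        problems.append(f"maxAgeInSeconds is not {MAX_AGE}")
    return problems


def audit_cors(rules):
    """Return findings for a list of CORS rules; an empty list means they match."""
    findings = []
    for origin in REQUIRED_ORIGINS:
        listed = [r for r in rules if origin in r.get("allowedOrigins", [])]
        if not listed:
            findings.append(f"{origin}: not listed in any rule")
            continue
        per_rule = [rule_problems(r) for r in listed]
        if all(per_rule):  # every rule that lists this origin is incomplete
            findings.append(f"{origin}: " + "; ".join(per_rule[0]))
    # Added least-privilege check: report origins the quickstart does not call for.
    for rule in rules:
        for origin in rule.get("allowedOrigins", []):
            if origin not in REQUIRED_ORIGINS:
                findings.append(f"{origin}: origin is not one of the three required")
    return findings


if __name__ == "__main__":
    for finding in audit_cors(BAD_RULES) or ["CORS rules match"]:
        print(finding)
```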

2. Create a supercomputer

You need a supercomputer with associated node pools to deploy and run scientific tools, and to index your data in Bookshelf knowledge bases. The supercomputer also executes GPU and CPU intensive workloads for simulation and modeling. It provides the compute resources on a specific virtual network within your subscription.

  1. Sign in to the Azure portal.
  2. Search for Microsoft Discovery Supercomputers.
  3. Select Create and enter details such as Subscription ID, Resource Group name, Location, and Name, then select Next.
  4. In the Networking tab, select the Virtual Network and aksSubnet created in step 1, then select Next.
  5. In the System SKU tab, select Standard_D4s_v6 as the System SKU for this deployment and select Next.
  6. In the Identities tab, add the User Assigned Managed Identity (UAMI) created in step 1 for the cluster identity, kubelet identity, and workload identity. Supercomputer instances use this managed identity to access data from your Azure resources. Once done, select Next.
  7. In the Encryption tab, since we're using Microsoft-managed keys for this exercise, uncheck the "Enable Customer Managed Keys" option and select Next.
  8. Add tags as needed, and move to the next tab.
  9. Review the Terms and Conditions and select Next.
  10. Once validation is successful, select Create.

3. Create node pools

After your supercomputer is created, follow these steps to create a node pool:

  1. Open the Supercomputer that we created in the previous step.
  2. In the left pane, select Node pool under Settings, then select Create.
  3. Enter the name and location for the node pool, then select Next.

    Note

    Node pool names must be all lowercase, a maximum of 12 characters, must start with a letter, and can only contain letters and numbers.

  4. On the Networking tab, select the Virtual Network and supercomputerNodepoolSubnet created in step 1 and select Next. Note: Use the same virtual network selected for the supercomputer in step 2.
  5. On the VM configuration tab, select the Virtual Machine (VM) SKU to use for the node pool, then select Next. The selected SKU and quota must be available in the region where you deploy the node pool.
  6. In the Scaling section, enter the maximum node count that your node pool can scale to (for example, 5), then select Next.
  7. Select Review + Create, then select Create.

4. Create a workspace

A workspace is a collaborative environment where teams manage large-scale scientific initiatives. Workspaces bring together the infrastructure resources such as supercomputers, agents, tools, and knowledge bases (Bookshelves) into a single secure boundary. You can create projects under workspaces, allowing researchers to organize experiments, analyze data, and use AI agents within a shared space.

Important

Make sure your workspace name is globally unique and uses only lowercase letters.

  1. Sign in to the Azure portal.
  2. Search for Microsoft Discovery Workspaces.
  3. Select + Create and enter details such as Subscription, Resource Group, Name, and Region, then select Next.
  4. On the Networking tab, set Public network access to Enable for this exercise. Then populate the details for Private Endpoint subnet, Agent subnet, and Workspace subnet with the subnets created earlier in step 1, and select Next.
  5. On the Encryption tab, leave Enable customer-managed keys (CMK) unchecked. For this exercise, we use Microsoft-Managed Keys (MMK), so select Next to go to the next tab.
  6. On the Supercomputer tab, select Add Supercomputer and select your subscription, resource group, and the supercomputer created in step 2, then select Next.
  7. On the Workspace Identity tab, select Add under User Assigned Managed Identity (UAMI) and select the identity created in step 1 to provide access to the workspace.
  8. Add tags as needed, and move to the next tab.
  9. Review the Terms and Conditions, then select Review + Create.
  10. Once validation is successful, select Create.

5. Assign Foundry User role on the managed resource group

When a workspace is created, a managed resource group is automatically provisioned alongside it. To allow users to modify agents and workflows within a project directly in the Foundry portal for advanced settings, you must assign them the Foundry User role on this managed resource group.

  1. Sign in to the Azure portal.
  2. Navigate to the workspace created in step 3 and locate the Managed Resource Group name on the workspace overview page.
  3. Navigate to that managed resource group.
  4. In the left-hand menu, select Access control (IAM).
  5. Select Add, then select Add role assignment.
  6. On the Add role assignment pane, search for Foundry User and select it, then select Next.
  7. On the Members tab, ensure Assign access to is set to User, group, or service principal.
  8. Select + Select members, choose the users who need to modify agents and workflows, then select Select.
  9. Select Review + assign, verify the information, and select Review + assign.

Repeat this process for all users who require access to agents and workflows in the workspace. Any changes made directly in the Foundry portal are reflected in the Discovery agent configuration automatically.

6. Create Chat Model Deployment

Chat model deployments provision foundational language models such as GPT-4o or GPT-5 for use within the Microsoft Discovery Workspace. Agents created within projects can use these chat model deployments.

  1. Go to the overview page of the Microsoft Discovery workspace created in the previous step.

  2. Under the Settings tab on the left navigation pane, select Chat Model Deployments.

  3. Select the + Create option at the top.

  4. Provide the Model format (only option available today is OpenAI) and Model Name in the drop-down. Use "gpt-4o" for this exercise.

  5. Select the Review + create button at the bottom, then select Create.

    Screenshot of the Chat Model Deployment creation page.

Important

If you plan to use the Discovery Engine, you must also create a chat model deployment named gpt-5-2 using model gpt-5.2. The Discovery Engine requires this specific deployment for task validation. Repeat the steps with the model name gpt-5.2 and deployment name gpt-5-2.

You can provide access to users via Role Based Access Control (RBAC) at the resource group level. The Microsoft Discovery Administrator (Preview) role is required to create projects within a workspace.

7. Sign in to Microsoft Discovery Studio

Microsoft Discovery Studio is a secure, AI-powered research environment. It enables scientists and engineers to accelerate innovation through autonomous agents, simulation workflows, and integrated data tools within a unified interface.

After your infrastructure is set up, you can sign in to Microsoft Discovery Studio directly via the URL, or find the URL in the Workspace overview page in the Azure portal.

Screenshot of the Microsoft Discovery Studio homepage after signing in.

You must sign in with your Entra ID credentials for your work or school account. Studio supports single sign-on with Entra ID. You don't have to explicitly provide credentials if you're already signed in to another service with your Entra ID in the same browser.

Note

If you have access to multiple Microsoft Entra tenants, select the right tenant by selecting your profile icon on the top right corner of the page.

8. Create storage containers

After you sign in to the studio, create storage containers to organize and manage your storage assets used in your projects.

Storage containers store both input and output data as storage assets. Both inputs and outputs use a storage container of type Azure Storage Blob, backed by the storage account created in step 1.

  1. In Microsoft Discovery Studio, on the left navigation pane, select the Data tab.
  2. The Storage Containers (new) tab is selected by default.
  3. Select Create Container.
  4. Enter details such as name, subscription, resource group, and location.
  5. Select the storage account created in step 1.
  6. Select Create.

Note

After you select Create, the resource is initially in the Accepted state. Refresh the page and wait until the Provisioning State changes to Succeeded before proceeding. This operation typically takes a few minutes.

9. Create a project

Projects help you organize and manage scientific investigations within a workspace. Each project defines the functional boundary for access to your agents, tools, and storage containers. Within a project, you can run experiments, analyze data, apply AI models, and track research progress in a collaborative environment.

Important

Your project name must be all lowercase and no more than 12 characters long. Also, ensure you refresh your studio UI before you create a project.

  1. In Microsoft Discovery Studio, on the left navigation pane, select Projects. This lists all existing projects across your Azure subscriptions.

  2. Select Create Project.

  3. Enter the name of the project and select the workspace we created in step 3.

  4. For this exercise, uncheck the "Create storage container for me" option.

  5. Select the storage container created in step 7.

  6. Select Create.

    Screenshot showing the Project list page after project creation in Microsoft Discovery Studio.

Note

After you select Create, the project is initially in the Accepted state. Refresh the page and wait until the Provisioning State changes to Succeeded before proceeding.

Next step

After you create your project, continue with the following next step: