Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Code in this article uses packages that are currently in preview. This preview is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
In this article, you configure safety and security guardrails for an agent using Microsoft Foundry. Instead of selecting controls manually, you answer a short set of questions about your agent's intended users, data handling, and tool usage. Foundry maps your responses to relevant risk categories and applies targeted controls at the correct intervention points: user input, tool calls, tool responses, and output.
Each agent is purpose-built for a specific scenario, so guardrails should be tailored accordingly—not applied as a single default. Guided set-up ensures that protections are scoped to where they're needed and that the agent stays both safe and usable. Follow this link for more information about guardrails concepts.
Prerequisites
- An active agent in Microsoft Foundry. To create one, see create a prompt agent quickstart.
Open guided guardrail setup
- In Microsoft Foundry, open a project.
- Navigate to the Build tab in the top bar. In the left navigation, select Agents, then select the agent you want to configure.
- On the agent detail page, expand the Guardrails section on the left pane within the agent playground.
- Select Manage guardrail, then select Guided guardrails setup to start the guided configuration experience.
Specify who the agent is for
The first set of questions identifies who uses the agent and the level of trust to apply to their inputs.
- For Who will use this agent?, select whether the agent is accessed by public users or internal teams. Examples include:
- Public users: applies stricter content safety filtering and jailbreak protections, because broader access increases exposure to unexpected or adversarial inputs.
- Internal teams: applies lighter controls appropriate for trusted, authenticated users.
- Select Next to continue.
Define input and data handling
The second set of questions determines how the agent receives information and what data it processes. External or untrusted inputs increase the risk of prompt injection. Sensitive data increases the risk of unintended exposure.
- For Where does the agent receive inputs from?, select all sources that apply—for example, user messages, uploaded files, or external APIs.
- For Will the agent access, process, or return sensitive data?, select yes or no.
- If yes, select whether the data includes personally identifiable information (PII). Selecting yes enables PII detection and data protection controls.
- Select Next to continue.
Configure tool and action usage
The third set of questions covers the agent's tool integrations and action capabilities. Tool usage and real-world actions introduce additional risks that require targeted controls.
- For Does the agent call external tools?, select yes or No.
- If yes, Foundry enables tool response validation and spotlighting to guard against prompt injection via tool outputs.
- For Can the agent take real-world or consequential actions? (for example, send emails, modify records, or call external services), select yes or No.
- If yes, task adherence controls and action validation are added to reduce the risk of misaligned or unintended actions.
- For Does the agent generate, modify, or execute code?, select yes or No.
- If yes, protected material detection and code safety controls are enabled.
- Select Next to review your recommendations.
Review and apply guardrail recommendations
Foundry displays a summary of the recommended guardrails based on your answers, along with the intervention points where each control is applied.
| Intervention point | Description |
|---|---|
| User input | Controls applied before the agent processes a message |
| Tool calls | Controls applied before the agent invokes a tool |
| Tool responses | Controls applied to content returned by tools |
| Output | Controls applied to the agent's final response |
- Review the recommended controls. To adjust a recommendation, select Edit next to the control and modify the configuration.
- When you're satisfied with the configuration, select Create guardrails.
- Confirm the changes when prompted.
The guardrails are now active for your agent. You can return to the Guardrails tab at any time to update the configuration as your agent's scenario evolves.
Note
Agents built on the same model can require different guardrails depending on their scenario. If you deploy multiple agents, run guided setup independently for each one.