AI-103 Developing AI Apps and Agents on Azure Question and Answers

The solution does not fully meet the goal. Image moderation is appropriate for one part of the risk: blocking unsafe image content before the image is processed. Azure AI Content Safety provides image APIs that detect harmful content, and its harm categories and severity levels can be used to classify and block objectionable image content. This addresses unsafe photos, but it does not address hidden instructions embedded in images.

The second risk is prompt manipulation through extracted image text. After OCR extracts text from the uploaded image, that text becomes untrusted third-party content supplied to a generative model. Microsoft defines document attacks as malicious instructions embedded in third-party content, where the objective is to cause the model to execute unintended commands or alter intended behavior. Prompt Shields are the control designed to detect user prompt attacks and document attacks, including indirect attacks that come from uploaded or referenced content.

Therefore, image moderation alone is incomplete. A complete mitigation would combine image moderation for harmful visual content with Prompt Shields for document attacks, and optionally Spotlighting, so extracted or embedded text is treated as lower trust. Reference topics: Azure AI Content Safety, image moderation, Prompt Shields, document attacks, indirect prompt injection, and multimodal safety.

The solution does not meet the goal. Increasing temperature changes the sampling behavior of the generative model, not the completeness-checking logic of the application. Microsoft’s Azure OpenAI reference defines temperature as a sampling control where higher values make output more random, while lower values make output more focused and deterministic. Raising the value can increase variation and creativity, but it does not ensure that all required regulatory clauses from the retrieved policy documents are included.

The reported issue is a recall/completeness failure: relevant clauses are already present in retrieved content, but the generated summary omits them. Microsoft Foundry RAG evaluator guidance defines Response Completeness as whether a response covers critical information compared to expected information or ground truth, and distinguishes it from groundedness, which checks that responses do not go beyond grounding context.

A more suitable implementation would add a reflection, verification, or completeness review pass that compares the draft summary against the retrieved clauses and revises the response before returning it. Increasing temperature could make outputs less predictable and may worsen omission risk. Reference topics: model parameters, temperature, RAG response completeness, retrieved context, and model reflection.

To retain user preferences across conversations, use: Agent memory that uses persistent storage

To enable users to provide contextual grounding during chats, use the: file search tool

The correct capability for retaining user preferences is agent memory that uses persistent storage . Microsoft Foundry Agent Service memory is a managed long-term memory capability that enables continuity across sessions, devices, and workflows. It is specifically intended to let agents retain user preferences, maintain relevant historical context, and personalize responses across separate conversations. Memory stores provide the persistent storage layer, and scope can be used to segment memories for secure user-specific experiences.

The correct capability for contextual grounding from user-uploaded documents is the file search tool . Microsoft describes file search as the tool that enables Foundry agents to search through documents and retrieve relevant information from outside the base model, including proprietary product information and user-provided documents. The file search workflow supports uploading files, creating a vector store, enabling the tool on the agent, and querying those documents through the agent.

Conversation history alone supports continuity within a conversation, but it is not durable preference memory across multiple conversations. An Azure AI Search tool is better for preconfigured enterprise indexes, while file search is the direct document-upload grounding capability. Reference topics: Foundry Agent Service memory, memory stores, File Search tool, vector stores, and grounded agent responses.

The correct answer is A. Set the input_fidelity parameter to high . The scenario requires the generated image to preserve the identity and visual characteristics of the user-supplied product photo. In Azure OpenAI image editing and generation workflows, input_fidelity controls how strongly the model attempts to match the style and features of the input image. Microsoft’s documentation states that this parameter lets you make subtle edits without changing unrelated areas, and that high input fidelity preserves input-image features more accurately than standard mode.

Including a prompt and input image is necessary for image-guided generation, but it does not by itself maximize preservation of the product’s appearance. The explicit preservation control is input_fidelity, and the requirement specifically asks to maintain product identity and visual characteristics. A groundedness detection filter applies to validating generated text against source data, not preserving visual features in image generation. Lowering temperature may reduce randomness in text generation, but it is not the image-control parameter used to retain product-specific visual details. Reference topics: Azure OpenAI image generation, image edit API, input images, input_fidelity, image-to-image generation, and visual identity preservation.

Guardrails: Select User input, Output, Tool response, and Tool call and set Action to Block.

Storage access: A system-assigned managed identity that is assigned the Storage Blob Data Contributor role

The guardrail must be applied to User input, Output, Tool response, and Tool call with the action set to Block . Microsoft Foundry guardrails support four intervention points: user input, tool call, tool response, and output. This scenario includes user-provided screenshots, a ticketing tool that uploads images and returns blob URLs, and final agent responses. Applying blocking controls at all four points ensures harmful image-related content is inspected throughout the agent run and prevented from continuing or being returned to the user. Microsoft’s guardrails guidance also states that tool call and tool response controls are specifically required when harmful content can pass through agent tools.

For storage, configure the Azure AI Content Safety resource with a system-assigned managed identity and grant it Storage Blob Data Contributor on the storage account or container. The Content Safety image moderation quickstart states that images can be supplied by blob storage URL and that the Content Safety resource must be given storage access by enabling its system-assigned managed identity and assigning Storage Blob Data Contributor or Owner; Contributor is the least-privileged valid option shown. Reference topics: Foundry guardrails, agent intervention points, image moderation, managed identity, and Azure Storage RBAC.

The correct capability is tracing because the requirement is to inspect the execution path of an individual agent run. Microsoft Foundry tracing captures detailed telemetry for agent behavior, including LLM calls, tool invocations, agent decision flows, inputs, outputs, tool results, token consumption, duration, and latency. This is the appropriate observability mechanism when you need to determine which step introduced a delay, whether the agent called the internal knowledge API, what data the tool returned, and how the model used that data before producing the final response. Microsoft’s Foundry observability guidance describes distributed tracing as the mechanism that provides visibility into LLM calls, tool invocations, agent decisions, and inter-service dependencies.

Token usage is useful for cost analysis and prompt optimization, but it does not show ordered run steps or tool-call sequencing. Safety metrics evaluate risk-related output behavior, not latency or tool execution. General monitoring provides aggregate health, latency, success-rate, and dashboard views, but the question asks for per-run sequence inspection and timing breakdowns. Foundry agent tracing specifically supports debugging unexpected behavior and monitoring latency across requests. Reference topics: Microsoft Foundry observability, agent tracing, OpenTelemetry-based traces, tool invocations, LLM call inspection, and latency diagnostics.

The correct answer is a workflow . Microsoft Foundry workflows are designed to orchestrate agents and business logic as declarative, predefined sequences of actions. The official workflow guidance states that workflows are ideal when you need to orchestrate multiple agents in a repeatable process, add branching logic such as if/else, and handle variables without writing application orchestration code. This directly matches the requirement for a deterministic, step-based process with conditional branching and shared state.

In this scenario, TriageAgent can classify the request first, the workflow can store the triage result, and conditional logic can determine whether to invoke PolicyAgent, ActionAgent, or both. The ticket action is optional, so it should be triggered through a workflow condition based on the triage output. This minimizes development effort because the branching, sequencing, and variable handling are managed in the Foundry workflow rather than being manually implemented across separate runs in application code.

A group chat session is better for dynamic agent handoff, not a strict deterministic process. Threads and runs or separate app-coordinated calls require more custom orchestration. Reference topics: Microsoft Foundry workflows, multi-agent orchestration, conditional branching, variable handling, and agent-driven workflows.

The correct answer is B. Modify the system message instructions . The case study states that Agent1 answers general questions about Contoso products and that the business requirement is for Agent1 to answer questions only about the products sold by Contoso . This is a behavioral boundary for the agent, so it should be implemented in the highest-priority instructions that define the agent’s role, allowed scope, and refusal behavior.

Microsoft Foundry guidance states that a system message is used to steer model behavior, define the assistant’s role and boundaries, and add safety or quality constraints for the scenario. The system message should instruct Agent1 to answer only when the question concerns Contoso products, use the configured Contoso product documentation as grounding, and politely refuse or redirect questions about non-Contoso products.

Top-p sampling and temperature control randomness, not business-domain scope. Increasing temperature would make responses less deterministic. Few-shot examples can support desired behavior, but examples alone are weaker than explicit system-level instructions for defining operating boundaries. Reference topics: system message design, prompt engineering, agent instructions, response constraints, and grounded generative AI behavior.

The correct built-in skills are Azure OpenAI Embedding and Text Split. The case study requires an indexing pipeline that enables semantic and vector search over the product sheets stored in Azure Blob Storage, so Agent1 can retrieve relevant product information for natural language customer questions. For a RAG pipeline, long PDF content must first be broken into retrievable chunks, and each chunk must then be vectorized for semantic similarity retrieval.

Microsoft’s Azure AI Search integrated vectorization guidance states that you create a skillset that calls the Text Split skill for chunking and the Azure OpenAI Embedding skill to vectorize the chunks. The Text Split skill breaks text into chunks and provides positional metadata, making it suitable when downstream embedding skills have input-length limits. The Azure OpenAI Embedding skill connects to an embedding model deployed in Azure OpenAI or a Microsoft Foundry project and generates embeddings during indexing.

Language Detection, Entity Recognition, and key phrase extraction can enrich text, but they do not create vector embeddings. Merge is useful for combining OCR text with document text, but it does not satisfy the core vector-search requirement. Reference topics: Azure AI Search skillsets, Text Split skill, Azure OpenAI Embedding skill, integrated vectorization, and RAG indexing.

The correct answer is B. Personally Identifiable Information (PII) Detection . The case study states that Agent1 must never reveal customer information , even if a document containing customer data is added accidentally to the product sheet repository in storage1. This is a privacy and compliance control requirement, so the appropriate capability is PII Detection.

Azure Language PII Detection is a Foundry Tools capability that identifies, classifies, and redacts sensitive information across text, conversations, and native documents. Microsoft states that PII Detection can be used to implement privacy controls, reduce sensitive data exposure, and support compliance requirements. In this scenario, PII Detection should be applied to retrieved product-sheet content and generated responses so customer names, contact details, identifiers, and other sensitive values are not exposed to users.

Prompt Shields are important for a separate requirement: protecting Agent1 from malicious instructions hidden in documents or embedded text. Microsoft describes Prompt Shields for documents as protection against hidden instructions embedded in external content. However, the option that directly satisfies the requirement to prevent disclosure of customer information is PII Detection. Self-harm and violence filters address harmful-content categories, not privacy leakage.

The correct recommendation is Azure Content Understanding in Foundry Tools . The case study states that Contoso’s finance department must manually review vendor invoices to verify that invoice details match vendor contract terms, and that the invoices contain tables, logos, and varied layouts that make consistent processing difficult. It also states that the planned solution must evaluate both the visual layout and textual content of the invoices.

Azure Content Understanding is designed for this type of multimodal document-processing workload. Microsoft describes Content Understanding as a Foundry Tool that processes unstructured and multimodal content, including documents and images, and transforms it into structured output for AI applications. It can use document analyzers to extract text, layout, tables, fields, and relationships from diverse document types.

Chat completions alone would not reliably extract structured invoice fields from complex layouts. Azure Document Intelligence can extract OCR, layout, and tables, but Content Understanding is the better end-to-end Foundry capability for combining visual and textual understanding with structured extraction for downstream verification. Image Analysis focuses on image-level visual features and is insufficient for invoice field and table review. Reference topics: Content Understanding, document analyzers, multimodal extraction, invoice processing, tables, layout, and structured JSON output.

The correct answer is B. Modify the system message instructions . The case study states that Agent1 answers general questions about Contoso products and that a business requirement is for Agent1 to answer questions only about products sold by Contoso. This requirement defines the agent’s allowed domain and refusal boundary, so it must be expressed in the agent’s system-level instructions. Microsoft Foundry guidance states that system messages steer Azure OpenAI chat model behavior and are used to define the assistant’s role, boundaries, output format, and safety or quality constraints.

The system message should instruct Agent1 to answer only Contoso-product questions, use Contoso product documentation when available, and decline questions about non-Contoso products. This directly enforces the intended business scope at the highest instruction level. Few-shot examples can reinforce desired behavior but are not the primary control for defining mandatory operating boundaries. Top-p sampling and temperature are decoding controls; they influence randomness and diversity, not whether the agent restricts answers to a specific product domain. Increasing temperature would likely reduce consistency. Reference topics: Microsoft Foundry agent instructions, system message design, prompt engineering, response boundaries, and grounded generative AI behavior.

The correct recommendation is Azure AI Search. The case study states that the product detail sheets are stored as PDFs in storage1, and that Agent1 must be enabled to retrieve and use detailed product information from those sheets. It also specifies that the indexing pipeline must enable semantic and vector search, and that Agent1 must answer natural language questions about product details by using the product sheet information. Azure AI Search is the Azure service designed to ingest content from sources such as Azure Blob Storage, create searchable indexes, and support keyword, semantic, hybrid, and vector retrieval for Retrieval Augmented Generation (RAG) solutions.

Microsoft’s Azure AI Search guidance states that integrated vectorization can chunk content and generate embeddings during indexing, enabling vector search over source documents. It also states that Azure AI Search supports text and vector queries and can improve raw content for search-related scenarios through enrichment pipelines. Azure Translator is unrelated to retrieval. Document Intelligence can extract document structure, but it is not the retrieval index for Agent1. Grounding with Bing Search retrieves public web content, not Contoso’s private PDFs in storage1. Reference topics: Azure AI Search, RAG, semantic search, vector search, Azure Blob Storage indexing, and agent grounding.

credential = DefaultAzureCredential()

agent = project_client.agents.get(agent_name=myAgent)

The correct authentication option is DefaultAzureCredential() because the case study states that API keys must not be used to access Foundry-deployed models and that Contoso developers must authenticate to Microsoft Foundry resources by using Microsoft Entra authentication. It also states that access to Project1 must be assigned to Agent1Dev Team by using the security group SC_Agent1_Dev . Microsoft Foundry authentication guidance recommends Microsoft Entra ID for production workloads because it supports least-privilege RBAC, per-principal auditing, and keyless authentication. AzureKeyCredential() would violate the no-API-key requirement, and None would not provide a valid credential.

The correct agent operation is get because the task is to access an existing agent named Agent1, not create a new version or retrieve a specific published version. Microsoft Foundry SDK examples show AIProjectClient created with DefaultAzureCredential() and then using project agent operations to create, retrieve, or interact with agents by name. To meet the compliance requirement, the group SC_Agent1_Dev must also be granted the appropriate project-scoped Foundry role, such as Foundry User, for Project1. Reference topics: Microsoft Entra authentication, Foundry RBAC, AIProjectClient, and project agent access.

Deployment type: Standard

Version update policy: Once the current version expires

The correct deployment type is Standard . The case study specifies that Project1 is deployed in an EU Azure region and that model-processed data must remain within the EU. It also requires scalable, high-throughput generative AI workloads that dynamically handle variable customer support traffic without reserved throughput capacity. In Microsoft Foundry Models, Standard is a pay-per-token deployment type that processes data in a single Azure region, while Global Standard can process requests across regions and Global Provisioned uses reserved provisioned throughput. Microsoft’s deployment-type guidance identifies Standard as single-region, pay-per-token, whereas Global Provisioned is cross-region with reserved capacity.

The correct version update policy is Once the current version expires . This keeps Agent1 on the selected model version during its supported lifecycle, which supports stable and consistent responses, but still preserves continuity by automatically moving to a supported replacement when the current version is retired. Microsoft’s model versioning guidance states that this policy updates only when the current model version expires, while upgrading when a new default is available changes the deployment sooner and opting out can cause the deployment to stop working after retirement. Reference topics: deployment types, regional data processing, model versioning, throughput capacity, and stable production deployments.