Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0087

An Azure AI Search service with public network access enabled puts your whole RAG corpus behind one query key

The search index is usually the retrieval layer of a RAG pipeline, holding full copies of the documents it ingested. A public endpoint makes one leaked key equal to the whole corpus.

Footgun ID
AZF-0087 (Azure Footgun No. 87)
Azure service
Azure AI Search
Resource type
Microsoft.Search/searchServices
Updated
July 9, 2026

What it is

An Azure AI Search service whose publicNetworkAccess is enabled, so its endpoint accepts connections from any address on the internet. The part people underestimate: a search index does not hold pointers to your documents, it holds the content. Whatever your indexers and RAG ingestion pipelines pulled in, from SharePoint exports to support tickets to contracts, is sitting in that index as retrievable text.

Impact (security)
Every indexed document reachable from any network, gated only by API keys and optional IP rules
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

AI Search services get created as a supporting resource, one step in a copilot or RAG tutorial, and every quickstart authenticates with an API key against the public endpoint because that works instantly. The service then inherits the security attention of a side component even though it holds a concentrated copy of the data from every source it indexed.

The knobs also mislead. The IP firewall (networkRuleSet.ipRules) only applies while public access is enabled, so an empty rule list means an open front door, and adding a private endpoint does not close the public path: publicNetworkAccess is a separate switch that stays enabled until someone explicitly turns it off. The admin key compounds it, because that single key grants full read and write across every index on the service.

What it costs / blast radius

The blast radius is the union of everything the service ever indexed. A query key leaking from a client app, a repo, or a browser bundle lets anyone run searches against the corpus from anywhere; an admin key leaking hands over read, write, and delete on all of it. Because RAG pipelines deliberately funnel an organization's most useful internal content into the index, the index is often more sensitive than any single source system that fed it. There is little direct cost here; the harm is data exposure. (This is an assessment of Azure's exposure behavior, not a measured breach statistic.)

See it

Footgun: the index answers on a public endpoint with no IP restrictions
resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: 'corp-search'
  location: location
  sku: { name: 'standard' }
  properties: {
    publicNetworkAccess: 'enabled'   // note: this provider wants lowercase
    networkRuleSet: {
      ipRules: []                    // no firewall rules narrowing the open door
    }
  }
}
Fix: disable public access; private endpoint connections become the only path
resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: 'corp-search'
  location: location
  sku: { name: 'standard' }
  properties: {
    publicNetworkAccess: 'disabled'  // ipRules stop mattering; Private Link only
    disableLocalAuth: true           // optional but wise: Entra ID instead of keys
  }
}

How StratoLens helps

StratoLens flags every AI Search service in every subscription that still answers on a public endpoint, automatically and continuously, inside your own tenant. The search service that shipped with a long-forgotten copilot experiment gets the same scrutiny as your production retrieval layer, without anyone having to remember it exists.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.