What it is
An Azure AI services account, including Azure OpenAI, whose publicNetworkAccess property is Enabled. The account's inference endpoint resolves and accepts connections from any address on the internet, so authentication is the entire security boundary. And the common authentication is an API key: a bearer credential that identifies nobody, sits in app settings and notebooks, and works from anywhere.
Why it happens
Public network access is the path of least resistance for AI workloads. The quickstarts authenticate with a key, the account works immediately from a laptop, and Azure OpenAI accounts routinely get stood up mid-pilot by a team racing to ship an AI feature, not by the platform team that would normally insist on Private Link. Once the demo works, nobody circles back to the networking tab.
The property is also independent of everything that feels like it should close the hole. Adding a private endpoint does not disable the public path; the two settings coexist, so an account can be "on Private Link" and still answer the whole internet. Azure treats Enabled as a perfectly valid state, nothing warns, and the account keeps serving traffic exactly as before, which is why it survives reviews.
What it costs / blast radius
The blast radius has three layers. First, the data: every prompt, completion, and embedding call crosses that endpoint, and with features like On Your Data the account is wired to your grounding sources, so a leaked key can interrogate an assistant that knows your internal content. Second, the spend: inference bills per token on your account, so a stolen key is quota theft; someone else's traffic lands on your bill and consumes the capacity your app needs (magnitude depends entirely on your deployments and limits, so no dollar figure is honest here). Third, the surface: a public endpoint can be probed by anyone and abused the moment a key escapes through a repo, a notebook, or a client bundle. This is an exposure assessment of Azure's behavior, not a measured breach probability.
See it
resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' = {
name: 'corp-openai'
location: location
kind: 'OpenAI'
sku: { name: 'S0' }
properties: {
customSubDomainName: 'corp-openai'
publicNetworkAccess: 'Enabled' // any internet address can reach the endpoint
}
}resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' = {
name: 'corp-openai'
location: location
kind: 'OpenAI'
sku: { name: 'S0' }
properties: {
customSubDomainName: 'corp-openai' // required for private endpoints + Entra auth
publicNetworkAccess: 'Disabled' // private endpoints become the only way in
networkAcls: {
defaultAction: 'Deny' // deny by default if the switch flips back later
}
disableLocalAuth: true // optional but wise: retire keys, use Entra ID
}
}How StratoLens helps
StratoLens checks the public-network-access posture of every AI services and Azure OpenAI account across every subscription and flags the ones answering the open internet, continuously and inside your own tenant. The account a pilot team created eight months ago shows up on the same list as the ones the platform team hardened, so the review actually covers all of them.