Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0086

An Azure OpenAI account with public network access enabled leaves API keys as the only lock on your models and data

Your Azure OpenAI or AI services account is reachable from the internet, so an API key is the only thing standing between the world and your models, your quota, and any data your prompts carry.

Footgun ID
AZF-0086 (Azure Footgun No. 86)
Azure service
Azure AI services (incl. Azure OpenAI)
Resource type
Microsoft.CognitiveServices/accounts
Updated
July 9, 2026

What it is

An Azure AI services account, including Azure OpenAI, whose publicNetworkAccess property is Enabled. The account's inference endpoint resolves and accepts connections from any address on the internet, so authentication is the entire security boundary. And the common authentication is an API key: a bearer credential that identifies nobody, sits in app settings and notebooks, and works from anywhere.

Impact (security)
Model endpoints, quota, and any data sent in prompts reachable from any network on the internet
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Public network access is the path of least resistance for AI workloads. The quickstarts authenticate with a key, the account works immediately from a laptop, and Azure OpenAI accounts routinely get stood up mid-pilot by a team racing to ship an AI feature, not by the platform team that would normally insist on Private Link. Once the demo works, nobody circles back to the networking tab.

The property is also independent of everything that feels like it should close the hole. Adding a private endpoint does not disable the public path; the two settings coexist, so an account can be "on Private Link" and still answer the whole internet. Azure treats Enabled as a perfectly valid state, nothing warns, and the account keeps serving traffic exactly as before, which is why it survives reviews.

What it costs / blast radius

The blast radius has three layers. First, the data: every prompt, completion, and embedding call crosses that endpoint, and with features like On Your Data the account is wired to your grounding sources, so a leaked key can interrogate an assistant that knows your internal content. Second, the spend: inference bills per token on your account, so a stolen key is quota theft; someone else's traffic lands on your bill and consumes the capacity your app needs (magnitude depends entirely on your deployments and limits, so no dollar figure is honest here). Third, the surface: a public endpoint can be probed by anyone and abused the moment a key escapes through a repo, a notebook, or a client bundle. This is an exposure assessment of Azure's behavior, not a measured breach probability.

See it

Footgun: the account answers on a public endpoint, gated only by keys
resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' = {
  name: 'corp-openai'
  location: location
  kind: 'OpenAI'
  sku: { name: 'S0' }
  properties: {
    customSubDomainName: 'corp-openai'
    publicNetworkAccess: 'Enabled'   // any internet address can reach the endpoint
  }
}
Fix: disable public access and reach the account over a private endpoint
resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' = {
  name: 'corp-openai'
  location: location
  kind: 'OpenAI'
  sku: { name: 'S0' }
  properties: {
    customSubDomainName: 'corp-openai'  // required for private endpoints + Entra auth
    publicNetworkAccess: 'Disabled'     // private endpoints become the only way in
    networkAcls: {
      defaultAction: 'Deny'             // deny by default if the switch flips back later
    }
    disableLocalAuth: true              // optional but wise: retire keys, use Entra ID
  }
}

How StratoLens helps

StratoLens checks the public-network-access posture of every AI services and Azure OpenAI account across every subscription and flags the ones answering the open internet, continuously and inside your own tenant. The account a pilot team created eight months ago shows up on the same list as the ones the platform team hardened, so the review actually covers all of them.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.