Intermediate
Plan & Manage Azure AI Services (15-20%)
This domain tests your ability to select, provision, configure, secure, and monitor Azure AI resources. Understanding resource management is foundational to every other exam domain.
Azure AI Services Overview
Azure AI Services (formerly Cognitive Services) is an umbrella term for pre-built AI APIs and models hosted on Azure. For the exam, you need to understand the service hierarchy:
- Multi-service resource — A single Azure resource that provides access to multiple AI services (Vision, Language, Speech, etc.) under one endpoint and key.
- Single-service resource — A dedicated resource for one specific service (e.g., Computer Vision only). Offers separate billing and access control.
- Azure OpenAI Service — A separate resource type for deploying OpenAI models (GPT-4, GPT-3.5, DALL-E, Whisper) on Azure infrastructure.
Exam Tip: Know when to use a multi-service vs. single-service resource. Multi-service is simpler (one key for everything), but single-service provides granular access control and separate billing per service.
Provisioning and Configuration
Creating AI Resources
You can create Azure AI resources using:
- Azure Portal — GUI-based, good for one-time setup
- Azure CLI — `az cognitiveservices account create`
- Azure PowerShell — `New-AzCognitiveServicesAccount`
- ARM/Bicep templates — Infrastructure as code for repeatable deployments
- Terraform — `azurerm_cognitive_account` resource
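The script below is an added example, not code from the original page, showing how a production-grade multi-service resource is provisioned with the `New-AzCognitiveServicesAccount` cmdlet the page names: custom subdomain (required for Entra ID tokens and private endpoints), system-assigned identity, local key authentication disabled, public network access off, and a least-privilege data-plane role for the consuming app. The resource group, resource name, region and the `app-doc-classifier` web app are assumptions for illustration; cmdlets come from the Az.CognitiveServices, Az.Websites and Az.Resources modules and assume `Connect-AzAccount` has already run.

```powershell
# Added example, not from the original page. Assumed names: rg-ai-prod, ai-prod-multi-001,
# app-doc-classifier. Requires an existing Az session (Connect-AzAccount).
$rg       = 'rg-ai-prod'
$location = 'eastus'
$name     = 'ai-prod-multi-001'     # must be globally unique; doubles as the custom subdomain

$params = @{
    ResourceGroupName   = $rg
    Name                = $name
    Type                = 'CognitiveServices'  # multi-service kind; 'TextAnalytics', 'ComputerVision', ... for single-service
    SkuName             = 'S0'                 # F0 carries no SLA and is not meant for production
    Location            = $location
    CustomSubdomainName = $name                # endpoint becomes https://ai-prod-multi-001.cognitiveservices.azure.com
    AssignIdentity      = $true
    IdentityType        = 'SystemAssigned'     # lets the resource reach Key Vault/Storage without stored secrets
    DisableLocalAuth    = $true                # subscription keys are refused; only Entra ID tokens work
    PublicNetworkAccess = 'Disabled'           # unreachable until a private endpoint is attached
    Force               = $true
}
$account = New-AzCognitiveServicesAccount @params
Write-Host "Created $($account.Id)"
Write-Host "Endpoint: $($account.Endpoint)"

# Data-plane access for the consuming app: bind its system-assigned managed identity to the
# least-privileged built-in role, scoped to this single resource rather than the resource group.
$app = Get-AzWebApp -ResourceGroupName $rg -Name 'app-doc-classifier'
New-AzRoleAssignment -ObjectId $app.Identity.PrincipalId `
                     -RoleDefinitionName 'Cognitive Services User' `
                     -Scope $account.Id | Out-Null

# Verify the hardening actually landed: DisableLocalAuth should be True, PublicNetworkAccess Disabled.
$check = Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $name
[pscustomobject]@{
    Endpoint            = $check.Endpoint
    DisableLocalAuth    = $check.Properties.DisableLocalAuth
    PublicNetworkAccess = $check.Properties.PublicNetworkAccess
    Identity            = $check.Identity.Type
}
```

Operators who need to manage the resource but never call the API should get a control-plane role (Contributor on the resource) rather than Cognitive Services User; the two sides stay separable only because keys are disabled.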
Pricing Tiers
| Tier | Use Case | Key Features |
|---|---|---|
| Free (F0) | Development and testing | Limited transactions per month, no SLA |
| Standard (S0) | Production workloads | Pay-per-transaction, SLA guaranteed, higher rate limits |
| Commitment tier | High-volume production | Discounted rate for committed usage, available for some services |
Security and Authentication
The exam heavily tests security best practices:
Authentication Methods
- Subscription keys — Two keys per resource (primary and secondary) so that one can be regenerated while clients keep using the other. Passed in the `Ocp-Apim-Subscription-Key` header. A key grants full data-plane access with no identity attached, so it must be handled as a secret; once every caller can use Entra ID, set `disableLocalAuth` on the resource so keys are refused outright.
- Microsoft Entra ID (formerly Azure Active Directory) — Token-based authentication: the caller (a managed identity or service principal) acquires an access token for the `https://cognitiveservices.azure.com` resource and sends it as `Authorization: Bearer <token>`; what it may do is governed by Azure RBAC roles such as Cognitive Services User. The resource needs a custom subdomain for this to work. Preferred for production.
- Managed Identity — System-assigned (lifecycle tied to one Azure resource) or user-assigned (shared by several). No credentials stored in code or configuration; the platform issues the token. Best practice for Azure-to-Azure communication.
Key Exam Concept: Always recommend Managed Identity over subscription keys for production scenarios. Keys should be stored in Azure Key Vault if they must be used.
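To make the difference between the three methods concrete, here is an added example (not from the original page) that issues the same Language API sentiment request with an Entra ID bearer token, with a managed-identity token fetched from the VM instance metadata endpoint, and with a subscription key pulled from Key Vault. The resource name, the Key Vault `kv-ai-prod` and its secret `ai-prod-multi-001-key` are assumptions; the `/language/:analyze-text` route, the token audience and the header names are the real ones.

```powershell
# Added example, not from the original page. Assumed: resource ai-prod-multi-001,
# Key Vault kv-ai-prod holding the key as secret ai-prod-multi-001-key.
$endpoint = 'https://ai-prod-multi-001.cognitiveservices.azure.com'   # custom-subdomain endpoint
$uri      = "$endpoint/language/:analyze-text?api-version=2023-04-01"
$body     = @{
    kind          = 'SentimentAnalysis'
    analysisInput = @{ documents = @(@{ id = '1'; language = 'en'; text = 'Setup was painless.' }) }
} | ConvertTo-Json -Depth 6

function Invoke-Analyze([hashtable]$AuthHeader) {
    # One helper for every auth style: only the header differs, the request is identical.
    Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json' -Body $body -Headers $AuthHeader
}

# 1) Entra ID from an interactive user or service principal: token for the Cognitive Services
#    audience, sent as a bearer token. The principal needs 'Cognitive Services User' on the resource.
$tok   = Get-AzAccessToken -ResourceUrl 'https://cognitiveservices.azure.com'
$token = if ($tok.Token -is [securestring]) { ConvertFrom-SecureString $tok.Token -AsPlainText } else { $tok.Token }  # newer Az returns a SecureString
$r = Invoke-Analyze @{ Authorization = "Bearer $token" }
$r.results.documents[0].sentiment          # e.g. positive

# 2) Same call from code on an Azure VM with a managed identity: no secret exists anywhere,
#    the token is minted by the instance metadata service for this VM's identity.
$imds = 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01' +
        '&resource=https%3A%2F%2Fcognitiveservices.azure.com'
$miToken = (Invoke-RestMethod -Uri $imds -Headers @{ Metadata = 'true' }).access_token
# $r = Invoke-Analyze @{ Authorization = "Bearer $miToken" }   # only works on the VM itself

# 3) Key fallback: fetched from Key Vault at run time, never stored in code or config files.
#    Returns HTTP 401 once DisableLocalAuth is set on the resource.
$key = Get-AzKeyVaultSecret -VaultName 'kv-ai-prod' -Name 'ai-prod-multi-001-key' -AsPlainText
$r = Invoke-Analyze @{ 'Ocp-Apim-Subscription-Key' = $key }
```

The bearer token carries the caller's identity, so the request shows up in the resource's audit logs attributed to a principal; the key does not, which is the practical reason the exam (and real reviews) prefer the first two paths.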
Network Security
- Virtual Network (VNet) service endpoints — Restrict access to traffic from selected subnets (identified by subnet resource ID) with the resource firewall's default action set to Deny. The resource keeps its public endpoint and public IP; only the source is filtered.
- Private endpoints — Assign a private IP address from your VNet to the AI service through Azure Private Link, so traffic never leaves the Microsoft backbone network. Pair it with public network access disabled (otherwise the public endpoint still answers) and a `privatelink.cognitiveservices.azure.com` private DNS zone so the custom subdomain resolves to the private IP.
- IP firewall rules — Allow only specified public IP addresses or CIDR ranges (a client inside a VNet without a service endpoint is seen with its outbound/NAT public IP)
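The following added example (not from the original page) applies both network models to an existing resource: first the firewall variant (service-endpoint rule for one subnet, one corporate IP range, default Deny), then the private endpoint with its private DNS zone followed by switching public access off. Resource, VNet and subnet names and the `203.0.113.0/24` egress range are assumptions; the cmdlets are from Az.CognitiveServices, Az.Network and Az.PrivateDns.

```powershell
# Added example, not from the original page. Assumed names: rg-ai-prod/ai-prod-multi-001,
# rg-network/vnet-corp with subnets snet-app (service endpoint enabled) and snet-privatelink.
$rg = 'rg-ai-prod'; $name = 'ai-prod-multi-001'
$account = Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $name
$vnet    = Get-AzVirtualNetwork -ResourceGroupName 'rg-network' -Name 'vnet-corp'

# --- Option A: keep the public endpoint but firewall it (service endpoint + IP rules) ---
# snet-app must have the Microsoft.CognitiveServices service endpoint enabled; otherwise the
# rule is accepted but traffic from that subnet still arrives from a public IP and is denied.
$appSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-app'
Add-AzCognitiveServicesAccountNetworkRule -ResourceGroupName $rg -Name $name -VirtualNetworkResourceId $appSubnet.Id
Add-AzCognitiveServicesAccountNetworkRule -ResourceGroupName $rg -Name $name -IpAddressOrRange '203.0.113.0/24'  # corporate egress (assumed)
# Rules do nothing while the default action is Allow; flip it to Deny last.
Update-AzCognitiveServicesAccountNetworkRuleSet -ResourceGroupName $rg -Name $name -DefaultAction Deny

# --- Option B: private endpoint, then remove the public endpoint entirely ---
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-privatelink'
$conn = New-AzPrivateLinkServiceConnection -Name "$name-plsc" -PrivateLinkServiceId $account.Id -GroupId 'account'
$pe = New-AzPrivateEndpoint -ResourceGroupName 'rg-network' -Name "pe-$name" -Location $account.Location `
        -Subnet $peSubnet -PrivateLinkServiceConnection $conn

# DNS: without this zone, clients in the VNet keep resolving the custom subdomain to the
# public IP and start failing the moment public access is disabled.
$zoneName = 'privatelink.cognitiveservices.azure.com'
$zone = New-AzPrivateDnsZone -ResourceGroupName 'rg-network' -Name $zoneName
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName 'rg-network' -ZoneName $zoneName `
        -Name 'link-vnet-corp' -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'cognitiveservices' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName 'rg-network' -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Only now close the public door; the private path already works.
Set-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $name -PublicNetworkAccess Disabled

# Check: Resolve-DnsName from a VM in vnet-corp should return a private address for
# ai-prod-multi-001.cognitiveservices.azure.com; from the internet the endpoint now answers 403.
Get-AzCognitiveServicesAccountNetworkRuleSet -ResourceGroupName $rg -Name $name
```

Option A is what the VNet service endpoint bullet describes and is enough for "only from our subnets"; Option B is what the exam means by strongest isolation, and the DNS zone group is the step most often forgotten.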
Deploying with Containers
Some Azure AI services can run in Docker containers for on-premises or edge deployments:
- Containers still require an Azure billing endpoint (they phone home for metering)
- Supported services: Language detection, sentiment analysis, key phrase extraction, OCR, Speech-to-text, and more
- Use cases: data sovereignty requirements, low-latency edge scenarios, air-gapped environments (with disconnected containers, which are licensed through a commitment plan and a downloaded license file instead of a live billing endpoint)

```bash
# Pull and run the Language (Text Analytics) sentiment container. Billing/ApiKey identify the
# Azure resource that meters usage; documents are processed locally, only metering data leaves.
ENDPOINT_URI="https://<your-resource>.cognitiveservices.azure.com/"   # resource endpoint, not a region URL
API_KEY="<key fetched from Key Vault, never hard-coded>"

docker pull mcr.microsoft.com/azure-cognitive-services/textanalytics/sentiment:latest
docker run --rm -it -p 5000:5000 \
  --memory 4g --cpus 1 \
  mcr.microsoft.com/azure-cognitive-services/textanalytics/sentiment:latest \
  Eula=accept \
  Billing="$ENDPOINT_URI" \
  ApiKey="$API_KEY"

# From another shell: /ready returns 200 once the model is loaded; /status also validates the billing key.
curl -s -o /dev/null -w '%{http_code}\n' http://localhost:5000/ready
```
Monitoring and Diagnostics
- Azure Monitor — Metrics (request count, latency, errors) and diagnostic logs
- Diagnostic settings — Send logs to Log Analytics, Storage Account, or Event Hub
- Alerts — Configure alerts on metrics (e.g., error rate exceeds 5%)
- Cost management — Set budgets and cost alerts per resource or resource group
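As an added example (not from the original page), the script below wires the monitoring bullets together for one resource: a diagnostic setting that ships all log categories and platform metrics to Log Analytics, and a metric alert on client (4xx) errors, which is the first signal that a consumer was left behind by a key rotation or a network-ACL change. The workspace `law-prod`, action group `ag-secops`, resource group `rg-monitor` and the threshold of 50 are assumptions; `ClientErrors` is one of the resource's built-in metric names, and the cmdlets are from Az.Monitor and Az.OperationalInsights.

```powershell
# Added example, not from the original page. Assumed: workspace law-prod and action group
# ag-secops in rg-monitor; alert threshold is a placeholder to tune from your baseline.
$rg = 'rg-ai-prod'; $name = 'ai-prod-multi-001'
$account   = Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $name
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'rg-monitor' -Name 'law-prod'

# Diagnostic setting: every log category (Audit, RequestResponse, Trace) plus all platform
# metrics to Log Analytics. Audit/RequestResponse are what an IR team needs to answer
# "which identity called this resource, from where, and did it get 401/403".
$logs    = New-AzDiagnosticSettingLogSettingsObject -Enabled $true -CategoryGroup allLogs
$metrics = New-AzDiagnosticSettingMetricSettingsObject -Enabled $true -Category AllMetrics
New-AzDiagnosticSetting -Name 'diag-to-law' -ResourceId $account.Id `
    -WorkspaceId $workspace.ResourceId -Log $logs -Metric $metrics | Out-Null

# Metric alert: burst of 4xx client errors in a 5-minute window, evaluated every minute.
# After a rotation or ACL change it catches stragglers; on a quiet day it can mean key guessing.
$criteria = New-AzMetricAlertRuleV2Criteria -MetricName 'ClientErrors' -TimeAggregation Total `
                -Operator GreaterThan -Threshold 50
$ag = Get-AzActionGroup -ResourceGroupName 'rg-monitor' -Name 'ag-secops'
Add-AzMetricAlertRuleV2 -Name "alert-$name-client-errors" -ResourceGroupName $rg `
    -TargetResourceId $account.Id -Condition $criteria -ActionGroupId $ag.Id `
    -WindowSize ([TimeSpan]::FromMinutes(5)) -Frequency ([TimeSpan]::FromMinutes(1)) `
    -Severity 2 | Out-Null

# Confirm the setting exists and points at the right workspace.
Get-AzDiagnosticSetting -ResourceId $account.Id | Select-Object Name, WorkspaceId
```

Budgets and cost alerts live in Cost Management rather than Azure Monitor and are scoped to a subscription or resource group, so they are configured separately from the per-resource diagnostics above.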
Practice Questions
Question 1: Your company needs to use multiple Azure AI services (Vision, Language, Speech) from a single application. You want to minimize the number of keys to manage. What should you create?
A. A separate single-service resource for each AI service
B. A multi-service Azure AI Services resource
C. An Azure OpenAI resource
D. An Azure Machine Learning workspace
Answer: B. A multi-service Azure AI Services resource provides a single endpoint and key for multiple services including Vision, Language, and Speech. This minimizes key management overhead while providing access to all required services.
Question 2: You are deploying an Azure AI Services solution to production. Which authentication method should you recommend for an Azure-hosted application?
A. Embed the subscription key in the application code
B. Store the subscription key in an environment variable
C. Use a system-assigned managed identity
D. Use a shared access signature (SAS) token
Answer: C. System-assigned managed identity is the recommended authentication method for Azure-hosted applications. It eliminates the need to manage credentials in code or configuration. Keys should be stored in Key Vault if managed identity is not possible, never embedded in code.
Question 3: Your organization has data sovereignty requirements that prevent sending data to the cloud. You need to use Azure AI text analytics. What should you do?
A. Use Azure Government cloud
B. Deploy a Text Analytics container on-premises
C. Use a VPN connection to Azure
D. Request a private Azure region
Answer: B. Azure AI Services containers allow you to run AI capabilities on-premises while still using Azure for billing. The container processes data locally and only sends billing/metering data to Azure. For fully air-gapped environments, disconnected containers are available.
Question 4: You need to restrict access to your Azure Cognitive Services resource to only allow traffic from your corporate virtual network. What should you configure?
A. Azure Active Directory Conditional Access
B. Network security group (NSG) rules
C. Private endpoint for the Cognitive Services resource
D. Azure Application Gateway
Answer: C. A private endpoint assigns a private IP from your VNet to the Cognitive Services resource, and all traffic stays on the Microsoft backbone network; disable public network access on the resource as well so the public endpoint no longer answers. VNet service endpoints (not offered here) would also limit access to selected subnets, but they keep the public endpoint, so private endpoints provide the strongest isolation. NSG rules and Application Gateway govern traffic inside your VNet, not who may reach the PaaS resource, and Conditional Access controls identity sign-ins, not network paths.
Question 5: You have two applications using the same Azure AI Services resource. You need to rotate the primary subscription key without causing downtime. What is the correct procedure?
A. Regenerate both keys simultaneously
B. Switch applications to the secondary key, then regenerate the primary key
C. Delete the resource and create a new one
D. Disable key authentication and use only managed identity
Answer: B. Azure provides two keys so that rotation never leaves clients without a valid key. Update all applications to use the secondary key first, verify they work, then regenerate the primary key; regeneration invalidates the old value immediately, so the key in use must never be the one regenerated. You can then switch back to the new primary key and regenerate the secondary, so that no pre-rotation key remains valid. Regenerating both at once (A) breaks every client, and D changes the authentication model rather than rotating a key.
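The procedure in the answer, as an added example (not from the original page): consumers are assumed to read the key from a Key Vault secret rather than from their own configuration, so "switch applications to the secondary key" is a single secret update, and each key is probed against the API before anything is regenerated. The resource, vault and secret names are assumptions; `Get-AzCognitiveServicesAccountKey`, `New-AzCognitiveServicesAccountKey` and the `Key1`/`Key2` names are the real cmdlets and values.

```powershell
# Added example, not from the original page. Assumed: resource ai-prod-multi-001 in rg-ai-prod,
# consumers resolve the key via Key Vault secret ai-prod-multi-001-key in kv-ai-prod.
$rg = 'rg-ai-prod'; $name = 'ai-prod-multi-001'
$vault = 'kv-ai-prod'; $secret = 'ai-prod-multi-001-key'
$endpoint = (Get-AzCognitiveServicesAccount -ResourceGroupName $rg -Name $name).Endpoint.TrimEnd('/')

function Test-Key([string]$Key) {
    # Cheap probe: one-document language detection. Success = key accepted; 401 = rejected.
    $body = @{ kind = 'LanguageDetection'
               analysisInput = @{ documents = @(@{ id = '1'; text = 'probe' }) } } | ConvertTo-Json -Depth 5
    try {
        Invoke-RestMethod -Method Post -Uri "$endpoint/language/:analyze-text?api-version=2023-04-01" `
            -ContentType 'application/json' -Body $body `
            -Headers @{ 'Ocp-Apim-Subscription-Key' = $Key } | Out-Null
        return $true
    } catch { return $false }
}

function Publish-Key([string]$Key) {
    # Consumers read this secret; a new version becomes the current value immediately.
    Set-AzKeyVaultSecret -VaultName $vault -Name $secret `
        -SecretValue (ConvertTo-SecureString $Key -AsPlainText -Force) | Out-Null
}

$keys = Get-AzCognitiveServicesAccountKey -ResourceGroupName $rg -Name $name

# Step 1: move consumers to Key2, but only after proving Key2 is accepted.
if (-not (Test-Key $keys.Key2)) { throw 'Key2 rejected; aborting before anything is regenerated.' }
Publish-Key $keys.Key2
# ... wait until every consumer has picked up the new secret version (restart, cache TTL), then:

# Step 2: regenerate Key1. The old Key1 stops working at once; consumers are safely on Key2.
$keys = New-AzCognitiveServicesAccountKey -ResourceGroupName $rg -Name $name -KeyName Key1

# Step 3: move consumers to the fresh Key1, then regenerate Key2 so no pre-rotation key survives.
if (-not (Test-Key $keys.Key1)) { throw 'New Key1 rejected; consumers stay on Key2.' }
Publish-Key $keys.Key1
# ... wait for consumers again, then:
$keys = New-AzCognitiveServicesAccountKey -ResourceGroupName $rg -Name $name -KeyName Key2
Write-Host 'Rotation complete: both keys are new and consumers use Key1.'
```

The two waits are the part no script can shortcut: a consumer that caches the secret past the regeneration in Step 2 will start failing with 401, which is exactly what a client-error alert on the resource should surface.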
Key Takeaways
- Know the difference between multi-service and single-service resources and when to use each.
- Managed identity is the preferred authentication method for Azure-hosted applications.
- Private endpoints provide the strongest network isolation for AI services.
- Containers enable on-premises deployment but still require Azure for billing.
- Two subscription keys exist for zero-downtime key rotation.
Lilly Tech Systems