What is Azure Agentic AI

Azure Agentic AI is an autonomous cloud security agent that audits Azure infrastructure using a multi-phase agentic AI workflow. Unlike a simple chatbot that answers one question at a time, this agent plans, executes, reasons, and generates structured reports entirely on its own.

It connects to your Azure subscription via read-only SDK calls, runs security checks across storage, compute, and network resources, and produces actionable findings ranked by severity.

How the Agentic Workflow Works

The core of the project is a four-phase autonomous loop:

[Diagram: PLANNER -> EXECUTOR -> (reasoning loop) -> REPORTER]

Phase 1 - Planning: The LLM receives your goal and creates a task list with dependencies. Each task maps to a specific Azure tool.

Phase 2 - Execution: Tasks run sequentially, respecting dependency order. Each task calls a read-only Azure SDK operation and captures the result.

Phase 3 - Reasoning: After each task the LLM analyzes the output, flags security risks (CRITICAL/HIGH/MEDIUM/LOW), and can dynamically add new tasks based on what it discovers.

Phase 4 - Reporting: Once all tasks complete, the LLM synthesizes every finding into a structured markdown report with an executive summary, categorized insights, and prioritized recommendations.

The key differentiator is Phase 3. The agent does not follow a static checklist. If it finds a storage account with public blob access, it proposes a follow-up task to inspect that account’s network rules. This makes it genuinely agentic.
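As an added illustration, not code from the project, here is a minimal Python model of the four-phase loop: a constructed two-task plan stands in for the LLM's output, the tools are stand-ins returning canned data, and a deliberately failing key-info tool shows a failure being recorded without stopping the run. The names Task, run, reason and report, and the finding texts, are this example's own.

```python
from dataclasses import dataclass, field
def _keys(_):  # constructed: always fails, to show that failures do not stop the run
    raise PermissionError("constructed: insufficient RBAC for key info")

# Constructed stand-ins for read-only tools; the real ones call the Azure SDK.
TOOLS = {
    "azure_list_storage_accounts": lambda _: {"accounts": ["logs01", "web01"]},
    "azure_check_storage_public_access": lambda a: {"account": a, "public_blob": a == "web01"},
    "azure_check_storage_network_rules": lambda a: {"account": a, "default_action": "Allow" if a == "web01" else "Deny"},
    "azure_storage_key_info": _keys,
}

@dataclass
class Task:
    id: str
    tool: str
    arg: str = None
    depends_on: list = field(default_factory=list)
    status: str = "pending"
    result: dict = None

def reason(task, findings, tasks):
    """Phase 3: flag risks in one result and append follow-up tasks dynamically."""
    r = task.result
    if task.tool == "azure_list_storage_accounts":
        for a in r["accounts"]:  # one public-access check per discovered account
            tasks.append(Task(f"pub-{a}", "azure_check_storage_public_access", a, [task.id]))
    elif task.tool == "azure_check_storage_public_access" and r["public_blob"]:
        findings.append(("HIGH", f"{r['account']}: public blob access enabled"))
        tasks.append(Task(f"net-{r['account']}", "azure_check_storage_network_rules", r["account"], [task.id]))
    elif task.tool == "azure_check_storage_network_rules" and r["default_action"] == "Allow":
        findings.append(("CRITICAL", f"{r['account']}: public blobs reachable from any network"))

def run(plan):
    """Phase 2: run ready tasks in dependency order; a failure is recorded, not fatal."""
    tasks, findings, done = list(plan), [], set()
    while ready := [t for t in tasks if t.status == "pending" and set(t.depends_on) <= done]:
        task = ready[0]
        try:
            task.result, task.status = TOOLS[task.tool](task.arg), "done"
            done.add(task.id)
            reason(task, findings, tasks)
        except Exception as exc:
            task.status, task.result = "failed", {"error": str(exc)}
            findings.append(("LOW", f"task {task.id} failed: {exc}"))
    return tasks, findings

def report(findings):  # Phase 4: order findings by severity for the markdown report
    return sorted(findings, key=lambda f: ["CRITICAL", "HIGH", "MEDIUM", "LOW"].index(f[0]))
```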

Setup

Prerequisites

  • Python 3.8+
  • An Azure subscription
  • Codex CLI installed and authenticated

Installation

cd ~/azure-agentic-ai
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Configuration

Copy the example environment file and fill in your credentials:

cp .env.example .env

Required variables:

AZURE_SUBSCRIPTION_ID=your-subscription-id

# Option A: Service principal
AZURE_CLIENT_ID=your-client-id
AZURE_CLIENT_SECRET=your-secret
AZURE_TENANT_ID=your-tenant-id

# Option B: Use az login (uses cached tokens)

The Codex CLI settings live in config/settings.yaml:

agent:
  model: "gpt-5.1-codex"
  max_iterations: 10
  temperature: 0.1

codex:
  command: "codex"
  model: null
  args: []

llm_provider: "codex_cli"

Environment variables override the YAML file. Set CODEX_MODEL to switch models without editing config.

CLI Commands

# Run the agentic workflow (recommended)
python main.py run
python main.py run "Check storage accounts for public access"
python main.py run --output report.md

# Single query mode
python main.py scan "List all VMs with public IPs"

# Interactive chat
python main.py chat

# Multi-agent assessment
python main.py assess --services storage,network --report

# Quick predefined scan
python main.py quick-scan

# Standalone scanner (no LLM, free)
python main.py scan-only

# List available tools
python main.py list-tools

# Test Codex connectivity
python main.py codex-check

Available Tools

The agent has 12 read-only Azure tools at its disposal:

Tool                                Purpose
azure_list_storage_accounts         List all storage accounts
azure_check_storage_public_access   Detect public blob access
azure_check_storage_network_rules   Review firewall rules
azure_storage_security_check        Full storage security posture
azure_storage_key_info              Key rotation details
azure_list_virtual_machines         List all VMs
azure_list_public_ip_vms            Find VMs with public IPs
azure_vm_metrics_summary            CPU and memory metrics
azure_check_nsg_open_ports          Risky NSG rules (SSH, RDP, DB ports)
az_cli_readonly                     Generic read-only az CLI wrapper
azure_cost_query                    Cost Management queries
azure_cost_analysis                 Cost analysis with forecasting

All tools enforce is_read_only = True. No resource modifications are possible.

Expected Output

Running a full security assessment:

python main.py run "Perform comprehensive Azure security assessment"

[Sample terminal output did not survive extraction.]

Project Structure

[Project tree did not survive extraction. Files named elsewhere on this page: main.py, config/settings.yaml, requirements.txt, .env.example.]

Safety Guarantees

Every tool enforces is_read_only = True. The agent cannot create, modify, or delete any Azure resource. The az_cli_readonly wrapper only allows operations like list, show, get, and query, rejecting any write command. This guard lives in the agent's tool layer, so the identity the agent runs as should still be granted only a read-only role (such as Azure's built-in Reader) rather than relying on the agent code alone.
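An added example, not the project's own az_cli_readonly implementation, of how such a gate can be written: it parses the command with shlex (so it can be run without a shell), requires the verb at the end of the command path to be one of list, show, get or query, and rejects extra positionals after the options so a second command cannot ride along. The function name, the "az <group...> <verb> [options]" grammar assumption and the deliberately conservative rejection of multi-value options are this example's assumptions.

```python
import shlex

# Verbs the wrapper accepts, as listed on this page; anything else is rejected.
READ_VERBS = {"list", "show", "get", "query"}

def check_az_readonly(cmd: str):
    """Return (allowed, reason, argv) for an az CLI command string.

    argv is meant for subprocess.run(argv) without shell=True, so the string
    never reaches a shell and characters like ';' or '&&' are plain words.
    """
    try:
        argv = shlex.split(cmd)
    except ValueError as exc:
        return False, f"unparseable: {exc}", []
    if len(argv) < 3 or argv[0] != "az":
        return False, "expected 'az <group> <verb> ...'", argv
    # Assumed az grammar: a positional command path, then options. The verb is
    # the last positional before the first option (az storage account SHOW --name x).
    path, rest = [], []
    for i, word in enumerate(argv[1:], start=1):
        if word.startswith("-"):
            rest = argv[i:]
            break
        path.append(word)
    if len(path) < 2 or path[-1] not in READ_VERBS:
        return False, f"verb '{path[-1] if path else ''}' is not read-only", argv
    # After the first option only option/value pairs are allowed: two consecutive
    # non-option words would mean a smuggled extra command ('; az vm delete').
    # Assumption: multi-value options such as '--ids a b' are rejected as well.
    prev_was_value = False
    for word in rest:
        if word.startswith("-"):
            prev_was_value = False
        elif prev_was_value:
            return False, f"unexpected positional '{word}' after options", argv
        else:
            prev_was_value = True
    return True, "ok", argv
```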

Credentials are loaded through DefaultAzureCredential which supports service principals, managed identities, and az login tokens. Secrets are never logged.

Task failures do not stop the workflow. The agent marks the task as failed, reasons about the error, and continues with the remaining plan.

Quick Validation

# 1. Verify Codex works
python main.py codex-check
# Expected: "ok"

# 2. Run a targeted scan
python main.py run "List all storage accounts and check for public access"

# 3. Save report to file
python main.py run --output security-report.md