Microsoft Foundry Citadel Platform on Azure is a layered AI governance architecture that delivers production-ready agent deployments with unified governance, end-to-end observability, and centralized policy enforcement via Azure API Management. It is still in preview, and the documentation assumes a degree of familiarity with Azure infrastructure that not everyone has on day one. This post walks through what it actually takes to get a working hub-and-spoke running in Sweden Central, including the pitfalls, so you can decide whether it is a viable starting point for your own AI platform journey.
What Citadel Is (and Is Not)
Before touching the tooling, it helps to understand what Citadel actually deploys. The architecture has four layers:
The first layer — Governance Hub is the runtime enforcement plane: Azure API Management as a centralized AI gateway, Azure API Center as a model registry, and supporting services for content safety, PII detection, cost attribution, and usage telemetry.
Subsequent second layer 2 — AI Control Plane provides observability via the Foundry Control Plane: agent-level execution traces, AI evaluations in development and production, red-teaming, drift monitoring, and fleet dashboards.
The next third layer — Agent Identity transforms agents into managed enterprise assets via Microsoft Entra ID, with lifecycle management, sponsorship models for human accountability, and shadow AI discovery.
Finally, the last fourth layer, 4 — Security Fabric, weaves Defender, Purview, and Entra across the other three layers for real-time threat intelligence, data governance, and compliance automation.
For this guide, we deploy Layer 1 (the Governance Hub via the AI Hub Gateway Solution Accelerator) and a Layer 1/2 spoke (via the AI Landing Zone Bicep). Layers 3 and 4 reference existing Azure services (Entra ID, Defender, Purview) that you integrate separately.
Important: Citadel is currently in preview. The repos, parameter schemas, and CLI commands will change. Treat everything in this post as a starting point, not a stable reference.
Prerequisites
Before you start, make sure you have:
- An Azure subscription with Azure OpenAI access approved (aka.ms/oaiapply)
Microsoft.Authorization/roleAssignments/writeon the subscription (Owner or User Access Administrator role)- Azure CLI installed and authenticated (
az login) - Azure Developer CLI (
azd) installed - Node.js — use v20 LTS, not v24. Node 24 on Windows has a known issue where npm bundles are incomplete, causing
MODULE_NOT_FOUNDerrors onnpm-cli.jsandnpm-prefix.jswhenazdtries to package Logic App components
If you run into npm issues on Windows, the cleanest workaround is Azure Cloud Shell, where Node, npm, az, and azd are all pre-installed and healthy.
Part 1: Deploying the Microsoft Foundry Citadel Governance Hub
Clone the AI Hub Gateway Solution Accelerator:
git clone https://github.com/Azure-Samples/ai-hub-gateway-solution-accelerator.gitcd ai-hub-gateway-solution-accelerator
Create your azd environment:
azd auth loginazd env new ai-hub-gateway-devazd env set AZURE_LOCATION swedencentral
Create a parameters file at infra/main.parameters.json. The key decisions:
Model versions matter. At the time of writing, gpt-4o-mini versions 2024-07-18 and 2024-10-18 are retired. Use gpt-4o version 2024-11-20 with GlobalStandard SKU. Always verify current model availability at aka.ms/aoai-regions before deploying these changes frequently.
{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", "contentVersion": "1.0.0.0", "parameters": { "environmentName": { "value": "ai-hub-gateway-dev" }, "location": { "value": "swedencentral" }, "apimSku": { "value": "Developer" }, "openAiInstances": { "value": { "openAi1": { "name": "openai1", "location": "swedencentral", "deployments": [ { "name": "chat", "model": { "format": "OpenAI", "name": "gpt-4o", "version": "2024-11-20" }, "sku": { "name": "GlobalStandard", "capacity": 20 } }, { "name": "embedding", "model": { "format": "OpenAI", "name": "text-embedding-3-large", "version": "1" }, "sku": { "name": "Standard", "capacity": 20 } } ] } } }, "provisionFunctionApp": { "value": false }, "createAppInsightsDashboard": { "value": false }, "enableAIGatewayPiiRedaction": { "value": true }, "enableAIModelInference": { "value": true } }}
Deploy:
azd up
Expect 45–90 minutes. APIM Developer SKU is the slow component. If the deployment fails partway through, re-run azd up it is idempotent and will pick up where it left off.
Pitfall: Managed Identity Race Condition
You will likely see this error on first attempt:
BadRequest: The provided principal ID was not found in the AAD tenant(s)
This is a known race condition — the Managed Identity is created but has not yet propagated in Entra ID before the role assignment fires. Re-run azd up without any changes and it will succeed.
Validate the Hub
Once deployed, run:
azd env get-values | grep APIM
You will get your APIM gateway URL. Test it with a chat completion:
$headers = @{ "Content-Type" = "application/json" "api-key" = "<YOUR_APIM_SUBSCRIPTION_KEY>"}$body = '{"messages":[{"role":"user","content":"Hello from the AI Hub Gateway!"}],"max_tokens":100}'Invoke-RestMethod ` -Uri "https://<your-apim>.azure-api.net/openai/deployments/chat/chat/completions?api-version=2024-02-01" ` -Method POST -Headers $headers -Body $body
A successful response with content_filter_results and prompt_filter_results confirms Content Safety and PII redaction are active. Token usage in the response confirms Cosmos DB is logging for cost attribution.
Part 2: Deploying a Citadel Platform Agent Spoke on Azure
The spoke is deployed from the AI Landing Zone Bicep repo. Download it as a ZIP (no GitHub account required):
https://github.com/Azure/bicep-ptn-aiml-landing-zone/archive/refs/heads/main.zip
Extract and navigate to the folder. Create a resource group for the spoke:
az group create --name rg-ai-spoke-dev --location swedencentral
Create a spoke.parameters.json file. Several things to know upfront:
The parameter schema is not the same as the Citadel README suggests. The actual template parameters differ from the example file. Key differences discovered in practice: aiFoundryLocation does not exist as a separate parameter; deployMcp, greenFieldDeployment, deployPostgres, and useCMK are not in this version of the template; and solutionStorageAccountName is simply storageAccountName.
The modelDeploymentList uses nested objects, not flat properties:
"modelDeploymentList": { "value": [ { "name": "chat", "model": { "format": "OpenAI", "name": "gpt-4o", "version": "2024-11-20" }, "sku": { "name": "GlobalStandard", "capacity": 20 }, "canonical_name": "CHAT_DEPLOYMENT_NAME", "apiVersion": "2025-04-01-preview" }, { "name": "text-embedding", "model": { "format": "OpenAI", "name": "text-embedding-3-large", "version": "1" }, "sku": { "name": "Standard", "capacity": 10 }, "canonical_name": "EMBEDDING_DEPLOYMENT_NAME", "apiVersion": "2025-04-01-preview" } ]}
containerAppsList cannot be an empty array. The template references containerApps[0] internally and will fail validation if the array is empty. Pass at least one placeholder entry.
Deploy:
az deployment group create ` --resource-group rg-ai-spoke-dev ` --template-file main.bicep ` --parameters @spoke.parameters.json
Pitfalls in the Spoke Deployment
AI Search Standard SKU capacity exhaustion. Sweden Central frequently runs out of AI Search Standard SKU capacity. You will see ResourcesForSkuUnavailable. This affects both the standalone Search Service and the AI Foundry Agent Service’s internal Search instance. Disable both:
"deploySearchService": { "value": false },"deployAAfAgentSvc": { "value": false }
You can re-enable them later once capacity is available, or deploy Search in a different region.
Soft-deleted resources block redeployment. Azure retains soft-deleted Cognitive Services accounts, Key Vaults, and App Configuration stores for up to 90 days. If you delete a resource group and redeploy, the deployment will fail with FlagMustBeSetForRestore or NameUnavailable. Purge them explicitly before redeploying:
# List and purge soft-deleted resourcesaz keyvault list-deleted --subscription <sub-id> -o tableaz keyvault purge --name <name> --location swedencentralaz appconfig list-deleted --subscription <sub-id> -o tableaz appconfig purge --name <name> --location swedencentral --yesaz cognitiveservices account list-deleted --subscription <sub-id> -o tableaz cognitiveservices account purge --name <name> --location swedencentral
Key Vault purges are slow — allow 2–5 minutes per vault.
Bastion subnet ID resolution fails with networkIsolation=false. When you disable network isolation, the template passes a relative subnet ID to Bastion instead of a fully qualified resource ID. Disable Bastion, Jump VM, and NAT Gateway for the dev spoke:
"deployBastion": { "value": false },"deployJumpbox": { "value": false },"deployVM": { "value": false },"deployNatGateway": { "value": false }
Write parameters files without BOM. On Windows, Out-File -Encoding utf8 adds a Byte Order Mark that causes az deployment to fail with Unable to parse parameter. Use either:
$content | Out-File -FilePath "spoke.parameters.json" -Encoding utf8NoBOM# or[System.IO.File]::WriteAllText("spoke.parameters.json", $content, [System.Text.UTF8Encoding]::new($false))
Part 3: Wiring the Citadel Spoke to the Azure APIM Hub
Add the hub’s APIM gateway URL and subscription key to the spoke’s App Configuration:
az appconfig kv set ` --name <spoke-appconfig-name> ` --key "APIM_GATEWAY_URL" ` --label "ai-lz" ` --value "https://<your-apim>.azure-api.net/openai" ` --yesaz appconfig kv set ` --name <spoke-appconfig-name> ` --key "APIM_SUBSCRIPTION_KEY" ` --label "ai-lz" ` --value "<YOUR_APIM_KEY>" ` --yes
Note: az cognitiveservices account connection create with a YAML file for creating an APIM connection in AI Foundry has known bugs in the current CLI version and will throw NoneType or codec errors. Create this connection via the Azure AI Foundry portal UI instead.
Validate End-to-End
$headers = @{ "Content-Type" = "application/json" "api-key" = "<YOUR_APIM_KEY>"}$body = '{"messages":[{"role":"user","content":"Hello from the Citadel spoke!"}],"max_tokens":50}'Invoke-RestMethod ` -Uri "https://<your-apim>.azure-api.net/openai/deployments/chat/chat/completions?api-version=2024-02-01" ` -Method POST -Headers $headers -Body $body
A successful response with content_filter_results, prompt_filter_results, and usage confirms the full Citadel loop: spoke → APIM gateway → Azure OpenAI → governance telemetry.
What the Microsoft Foundry Citadel Platform Deploys
After following this guide, your rg-ai-hub-gateway-dev resource group contains:
- APIM gateway with content safety, PII redaction, token rate limiting, and cost attribution policies
- Azure OpenAI with
gpt-4oandtext-embedding-3-large - Cosmos DB for usage event logging
- Logic App for usage processing
- Application Insights for gateway telemetry
Your rg-ai-spoke-dev resource group contains:
- AI Foundry account and project
gpt-4oandtext-embedding-3-largedeployments- Cosmos DB with a
conversationscontainer - Key Vault, App Configuration, Storage Account, Application Insights, Log Analytics
App Configuration is fully populated with canonical keys (CHAT_DEPLOYMENT_NAME, AI_FOUNDRY_PROJECT_ENDPOINT, COSMOS_DB_ENDPOINT, and more) ready for agent applications to consume.
This Is a Dev Setup — Here Is What Changes for Non-Prod and Production
The configuration above is a starting point, not a production blueprint. Key differences when moving up the environment stack:
APIM SKU. Developer SKU has no SLA and no VNet support. Switch to Premium SKU for non-prod and production. This significantly increases cost and deployment time but enables private networking, multi-region, and availability zones.
Network isolation. For production, set networkIsolation=true and wire the spoke VNet to your hub VNet via peering (hubIntegrationHubVnetResourceId). This requires coordinating private DNS zones across the hub and spoke. The template supports bringing existing DNS zones via the existingPrivateDnsZone* parameters.
AI Search. Re-enable deploySearchService and deployAAfAgentSvc for non-prod and production. If Sweden Central remains capacity-constrained on Standard SKU, deploy Search to a paired region (East US 2 works well) using the searchServiceLocation parameter.
Bastion and Jump VM. For production with networkIsolation=true, re-enable deployBastion and deployJumpbox so operators can access resources inside the private VNet without public endpoints.
Separate parameter files per environment. Maintain spoke.parameters.dev.json, spoke.parameters.nonprod.json, and spoke.parameters.prod.json with environment-specific values. Use a deployment pipeline (GitHub Actions or Azure DevOps) to apply them consistently.
Model versions. Pin specific model versions in parameters files and validate availability in your target region before each deployment. Azure OpenAI model lifecycle moves fast; versions retire on 18-month cycles, and regional availability varies.
Preview Caveats
Citadel is in active development. Several things you should expect to change:
The parameter schemas for both the hub and spoke accelerators will evolve. Parameters discovered missing or renamed in this guide will likely be reorganized again as the repos mature. Always check the actual main.bicep parameter definitions rather than relying on example files.
The az cognitiveservices account connection create CLI command for AI Foundry connections is incomplete at the time of writing. This will improve as the Foundry CLI surface area matures.
The citadel-v1 branch in the AI Hub Gateway repo is flagged as the recommended path for new deployments. By the time you read this, it may have become the default branch with a cleaner deployment experience.
Regional capacity for AI Search Standard SKU fluctuates. Sweden Central is a high-demand region for AI workloads plan for capacity constraints in any SKU beyond Basic for dev scenarios.
Conclusion
Citadel gives you a credible, opinionated starting point for enterprise AI governance on Azure APIM as the AI gateway, AI Foundry as the agent runtime, Cosmos DB for conversation state, and App Configuration as the configuration backbone. Getting it running today requires navigating several rough edges: parameter schema inconsistencies, soft-delete cascades, model version deprecations, regional capacity constraints, and Windows-specific tooling issues.
None of these are blockers. They are the expected friction of working with a platform in active preview. The underlying architecture is sound, and the pieces that do work, APIM governance policies, Content Safety integration, App Config population, and AI Foundry project wiring deliver real value immediately.
If you are building an AI platform for your organization, a Citadel dev setup is a reasonable first step. Treat it as a learning environment to understand the architecture, validate the tooling, and build the parameter files you will need for non-prod and production. Then evolve it deliberately: add network isolation, re-enable Search and Agent Services as capacity allows, and adopt the Citadel contracts (AI Access Contract, AI Publish Contract) to formalize the hub-spoke integration as your agent portfolio grows.
The governance-velocity paradox Citadel sets out to solve is real. Getting the foundation right now, while it is still in preview and the patterns are malleable, is the right time to start.
Final note: This post reflects a hands-on deployment performed in June 2026. Given the pace of change in this space, verify all CLI commands, parameter schemas, and model versions against current documentation before applying them in your own environment.
