Run Untrusted AI Agent Code Safely with Azure Container Apps Sandboxes

Source: InfoQ · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cloud Computing & IT Infrastructure, Cybersecurity & Data Privacy · Depth: Advanced, short

Summary

Microsoft announced the public preview of Azure Container Apps Sandboxes on June 12, 2026. This new ARM resource type, `Microsoft.App/SandboxGroups`, provides hardware-isolated microVMs designed to safely execute untrusted code generated by AI agents. Each sandbox starts from an OCI disk image in less than a second, can scale to thousands of instances, and incurs no cost when idle, making it ideal for short, bursty agentic workloads. The service offers multi-tenant isolation, manages the full lifecycle from startup to teardown, and supports snapshot-based suspend and resume for persistent sessions. Network egress defaults to deny, so traffic is allowed only to explicitly permitted hosts, and the service integrates with Entra managed identities for secure authentication to Azure services. This infrastructure is already used by GitHub Copilot, Foundry Hosted Agents, and Azure Container Apps Express.

Key takeaway

For AI Architects or MLOps Engineers building agentic applications on Azure, Azure Container Apps Sandboxes offer a critical security solution. You can now safely execute untrusted AI-generated code in hardware-isolated microVMs, mitigating prompt injection risks without custom isolation setups. This Azure-native integration simplifies secure deployment, allowing you to use existing Entra identities and ARM management. Consider adopting ACA Sandboxes to enhance security and reduce operational overhead for your agent workloads.

Key insights

Azure Container Apps Sandboxes provide hardware-isolated microVMs for securely executing untrusted AI agent code, preventing host compromise.

Method

ACA Sandboxes group microVMs into Sandbox Groups, managing shared settings like network egress, managed identity, and lifecycle rules for short-lived, bursty agent workloads.

Best for: CTO, VP of Engineering/Data, Director of AI/ML, AI Engineer, MLOps Engineer, AI Architect

Editorial summary, takeaway, and curation by AIssential. Original article published by InfoQ.