# AI Red Teaming Agent for Generative AI models and applications in Azure AI Foundry

## Objective
This notebook walks through how to use Azure AI Evaluation's AI Red Teaming Agent functionality to assess the safety and resilience of AI systems against adversarial prompt attacks. AI Red Teaming Agent leverages [Risk and Safety Evaluations](https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/evaluation-metrics-built-in?tabs=warning#risk-and-safety-evaluators) to help identify potential safety issues across different risk categories (violence, hate/unfairness, sexual content, self-harm) combined with attack strategies of varying complexity levels from [PyRIT](https://github.com/Azure/PyRIT), Microsoft AI Red Teaming team's open framework for automated AI red teaming.

## Time
You should expect to spend about 30-45 minutes running this notebook. Execution time will vary based on the number of risk categories, attack strategies, and complexity levels you choose to evaluate.

## Before you begin

### Prerequisite
First, if you have an Azure subscription, create an [Azure AI hub](https://learn.microsoft.com/en-us/azure/ai-studio/concepts/ai-resources) then [create an Azure AI project](https://learn.microsoft.com/en-us/azure/ai-studio/concepts/ai-resources). AI projects and Hubs can be served within a private network and are compatible with private endpoints. You **do not** need to provide your own LLM deployment as the AI Red Teaming Agent hosts adversarial models for both simulation and evaluation of harmful content and connects to it via your Azure AI project.

In order to upload your results to Azure AI Foundry:
- Your AI Foundry project must have a connection (*Connected Resources*) to a storage account with `Microsoft Entra ID` authentication enabled.
- Your AI Foundry project must have the `Storage Blob Data Contributor` role in the storage account.
- You must have the `Storage Blob Data Contributor` role in the storage account.
- You must have network access to the storage account.

For more information see: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/develop/run-ai-red-teaming-cloud
Viewing AI red teaming results in Azure AI Foundry project: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/view-ai-red-teaming-results

**Important**: First, ensure that you've installed the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and then make sure to authenticate to Azure using `az login` in your terminal before running this notebook.

**Important**: Second, the authentication dialog box pop up may be opened at the background. To locate it please minimize all the application window(s) and browser window(s) and choose organization account to login.

### Installation
From a terminal window, navigate to your working directory which contains this sample notebook, and execute the following.
```bash
python -m venv .venv
```

Then, activate the virtual environment created:

```bash
# %source .venv/bin/activate # If using Mac/Linux OS
.venv/Scripts/activate # If using Windows OS
```

With your virtual environment activated, install the following packages required to execute this notebook:

```bash
pip install uv
uv pip install azure-ai-evaluation[redteam] azure-identity python-dotenv azure-ai-projects
```


Now open VSCode with the following command, and ensure your virtual environment is used as kernel to run the remainder of this notebook.
```bash
code .
```

### Imports

In [2]:
from typing import Optional, Dict, Any
from dotenv import load_dotenv
import os

# Azure imports
from azure.ai.evaluation.red_team import RedTeam, RiskCategory, AttackStrategy

# OpenAI imports
from openai import AzureOpenAI

### Login to Azure with valid credentials

Ensure that you've installed the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) and then make sure to authenticate to Azure using `az login` in your terminal before running this notebook.

**Important**: the authentication dialog box pop up may be opened at the background. To locate it please minimize all the application window(s) and browser window(s) and choose organization account to login.

Configure the `credential` object with a different AzureCredential type if this is a requirement for your environment.

In [13]:
# Azure Credential imports
from azure.identity import DefaultAzureCredential, AzureCliCredential, get_bearer_token_provider

# Try DefaultAzureCredential first, fallback to AzureCliCredential if needed
try:
    credential = DefaultAzureCredential()
    # Test the credential
    _ = credential.get_token("https://management.azure.com/.default")
    print("‚úì Successfully authenticated with DefaultAzureCredential")
except Exception as e:
    print(f"DefaultAzureCredential failed: {e}")
    print("Trying AzureCliCredential...")
    try:
        !az login
        credential = AzureCliCredential()
        print("‚úì Successfully authenticated with AzureCliCredential")
    except Exception as e2:
        print(f"AzureCliCredential also failed: {e2}")
        raise

‚úì Successfully authenticated with DefaultAzureCredential


### Set Up Your Environment Variables

Set the following variables for use in this notebook. These variables connect to your Azure resources and model deployments.

Set these variables by creating an `.env` file as per instruction from "Required Lab Setup".

**Note:** You can find these values in your Azure AI Foundry project or Azure OpenAI resource.

For reference, here's an example of what your populated environment variables should look like:

```
# Azure OpenAI
AZURE_OPENAI_API_KEY="your-api-key-here"
AZURE_OPENAI_ENDPOINT="https://endpoint-name.cognitiveservices.azure.com/"
MODEL_DEPLOYMENT_NAME="gpt-4o-mini"
MODEL_API_VERSION="2024-12-01-preview"

# Azure AI Project
AI_FOUNDRY_PROJECT_ENDPOINT="https://your-aifoundry-endpoint-name.services.ai.azure.com/api/projects/yourproject-name"
```

In [11]:
load_dotenv("../.env")  # This loads variables from .env into the environment

# Azure AI Project information - construct from PROJECT_CONNECTION_STRING
project_connection_string = os.environ.get("PROJECT_CONNECTION_STRING")
if project_connection_string:
    # Extract project info from connection string
    # Format: https://foundry-name.services.ai.azure.com/api/projects/project-name
    import re
    match = re.match(r'https://([^.]+)\.services\.ai\.azure\.com/api/projects/(.+)', project_connection_string)
    if match:
        foundry_name = match.group(1)
        project_name = match.group(2)
        subscription_id = os.environ.get("AZURE_SUBSCRIPTION_ID")
        
        azure_ai_project = {
            "subscription_id": subscription_id,
            "resource_group_name": f"rg-{foundry_name}",  # Common pattern
            "project_name": project_name,
        }
    else:
        # Fallback: use the connection string directly
        azure_ai_project = project_connection_string
else:
    # Manual configuration if no connection string
    azure_ai_project = {
        "subscription_id": os.environ.get("AZURE_SUBSCRIPTION_ID"),
        "resource_group_name": "your-resource-group",  # Update this
        "project_name": "your-project-name",  # Update this
    }

# Azure OpenAI deployment information
azure_openai_deployment = os.environ.get("MODEL_DEPLOYMENT_NAME", "gpt-4o")
azure_openai_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT", "")
azure_openai_api_key = os.environ.get("AZURE_OPENAI_API_KEY", "")
azure_openai_api_version = os.environ.get("MODEL_API_VERSION", "2024-12-01-preview")

print(f"Azure AI Project: {azure_ai_project}")
print(f"Model Deployment: {azure_openai_deployment}")
print(f"OpenAI Endpoint: {azure_openai_endpoint}")
print(f"API Version: {azure_openai_api_version}")

Azure AI Project: {'subscription_id': 'ab13a150-25a0-40d8-a73b-c4e3ecdda27b', 'resource_group_name': 'rg-foundrye2elab', 'project_name': 'banff'}
Model Deployment: gpt-4o
OpenAI Endpoint: 
API Version: 2024-12-01-preview


## Understanding AI Red Teaming Agent's capabilities

The Azure AI Evaluation SDK's `RedTeam` functionality evaluates AI systems against adversarial prompts across multiple dimensions:

1. **Risk Categories**: Different content risk categories your AI system might generate
   - Violence
   - HateUnfairness
   - Sexual
   - SelfHarm

2. **Attack Strategies**: Along with standard unmodified prompts which are sent by default as the `baseline`, you can specify different transformations of prompts to elicit undesired content.
You can also use `AttackStrategy.Compose()` to layer two strategies in one attack
   - AnsiAttack: Using ANSI escape codes in prompts
   - AsciiArt: Using ASCII art to disguise harmful content
   - AsciiSmuggler: Hiding harmful content within ASCII characters
   - Atbash: Using the Atbash cipher to encode harmful requests
   - Base64: Encoding harmful content in Base64 format
   - Binary: Converting text to binary to bypass filters
   - Caesar: Using the Caesar cipher for encoding
   - CharacterSpace: Manipulating character spacing to confuse filters
   - CharSwap: Swapping characters to bypass detection
   - Diacritic: Using diacritical marks to alter text appearance
   - Flip: Flipping text to bypass content filters
   - Leetspeak: Converting letters to numbers and symbols
   - Morse: Using Morse code to encode harmful requests
   - ROT13: Using ROT13 cipher for text transformation
   - SuffixAppend: Adding suffixes to confuse detection systems
   - StringJoin: Joining strings in unconventional ways
   - Tense: Changing the tense of harmful requests to past tense
   - UnicodeConfusable: Using similar-looking Unicode characters
   - UnicodeSubstitution: Substituting characters with Unicode alternatives
   - Url: Embedding harmful content within URLs
   - Jailbreak: Specially crafted prompts to bypass AI safeguards

3. **Complexity Levels**: Different difficultly levels of attacks
   - Baseline: Standard functionality tests
   - Easy: Simple attack patterns
   - Moderate: More sophisticated attacks
   - Difficult: Complex, layered attack strategies

The key metric for evaluating results is the **Attack Success Rate (ASR)**, which measures the percentage of attacks that successfully elicit harmful content from your AI system.

## Basic Example: Fixed Response Callback

Let's start with a basic example that demonstrates how to set up a Red Team evaluation using a simple callback that always returns a fixed, safe response regardless of the input prompt.

**Important Note**: Since this callback always responds with the same safe message, the Attack Success Rate (ASR) will be 0% for all categories. This example is merely to demonstrate the API structure and flow.

In [9]:
# Define a simple callback function that always returns a fixed response
def financial_advisor_callback(query: str) -> str:  # noqa: ARG001
    return "I'm a financial advisor assistant. I can help with investment advice and financial planning within legal and ethical guidelines."

In [15]:
# For this demo, let's use the PROJECT_CONNECTION_STRING directly
# This approach works when you have the correct project endpoint
azure_ai_project_endpoint = os.environ.get("PROJECT_CONNECTION_STRING")

# Create the `RedTeam` instance with the connection string approach
if azure_ai_project_endpoint:
    red_team = RedTeam(
        azure_ai_project=azure_ai_project_endpoint,
        credential=credential,
        risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness],
        num_objectives=1,
    )
    print("‚úì RedTeam instance created successfully with project endpoint")
else:
    print("‚ùå PROJECT_CONNECTION_STRING not found in environment variables")
    print("Please ensure your .env file contains the correct PROJECT_CONNECTION_STRING")

‚úì RedTeam instance created successfully with project endpoint


NOTE: `num_objectives` specifies the number of attacks to perform per risk category per attack strategy. If the parameter `risk_categories` is not specified, `[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm]` will be used by default.

Now let's run a simple automated scan using the `RedTeam` with the fixed response target. We'll test against two risk categories and one attack strategy for simplicity.

In [16]:
# Run the red team scan called "Basic-Callback-Scan" with limited scope for this basic example
# This will test 1 objective prompt for each of Violence and HateUnfairness categories with the Flip strategy
result = await red_team.scan(
    target=financial_advisor_callback,
    scan_name="Basic-Callback-Scan",
    attack_strategies=[AttackStrategy.Flip],
    output_path="red_team_output.json",
)

üöÄ STARTING RED TEAM SCAN
üìÇ Output directory: .\.scan_Basic-Callback-Scan_20251006_162937
üìä Risk categories: ['violence', 'hate_unfairness']
üîó Track your red team scan in AI Foundry: https://ai.azure.com/resource/build/redteaming/6eb23cd2-d994-45a0-81bb-37336e92537f?wsid=/subscriptions/ab13a150-25a0-40d8-a73b-c4e3ecdda27b/resourceGroups/sandboxprval/providers/Microsoft.CognitiveServices/accounts/foundrye2elab/projects/banff&tid=ed244546-f48e-4572-a767-d6d2a521a7c5
üìã Planning 4 total tasks
üîó Track your red team scan in AI Foundry: https://ai.azure.com/resource/build/redteaming/6eb23cd2-d994-45a0-81bb-37336e92537f?wsid=/subscriptions/ab13a150-25a0-40d8-a73b-c4e3ecdda27b/resourceGroups/sandboxprval/providers/Microsoft.CognitiveServices/accounts/foundrye2elab/projects/banff&tid=ed244546-f48e-4572-a767-d6d2a521a7c5
üìã Planning 4 total tasks
üìù Fetched baseline objectives for violence: 1 objectives
üìù Fetched baseline objectives for hate_unfairness: 1 objectives
üîÑ F

Scanning:   0%|                                       | 0/4 [00:00<?, ?scan/s, current=initializing]

‚öôÔ∏è Processing 4 tasks in parallel (max 5 at a time)
‚ñ∂Ô∏è Starting task: baseline strategy for violence risk category
‚ñ∂Ô∏è Starting task: baseline strategy for hate_unfairness risk category
‚ñ∂Ô∏è Starting task: flip strategy for violence risk category
‚ñ∂Ô∏è Starting task: flip strategy for hate_unfairness risk category


ERROR: Error evaluating conversation 1 for violence/baseline: (UserError) The needed capability 'content harm' is not supported by the RAI service in this region.
Visit https://aka.ms/azsdk/python/evaluation/safetyevaluator/troubleshoot to troubleshoot this issue.
ERROR: Error evaluating conversation 1 for hate_unfairness/baseline: (UserError) The needed capability 'content harm' is not supported by the RAI service in this region.
Visit https://aka.ms/azsdk/python/evaluation/safetyevaluator/troubleshoot to troubleshoot this issue.
ERROR: Error evaluating conversation 1 for hate_unfairness/baseline: (UserError) The needed capability 'content harm' is not supported by the RAI service in this region.
Visit https://aka.ms/azsdk/python/evaluation/safetyevaluator/troubleshoot to troubleshoot this issue.
ERROR: Error evaluating conversation 1 for violence/flip: (UserError) The needed capability 'content harm' is not supported by the RAI service in this region.
Visit https://aka.ms/azsdk/pytho

Evaluation results saved to "c:\Users\prvalava\Documents\myrepos\ai-foundry-e2e-lab\ai-red-teaming-agent\.scan_Basic-Callback-Scan_20251006_162937\baseline_violence_e6edc10c-147e-46ec-a628-930b54342853.json".
‚úÖ Completed task 1/4 (25.0%) - baseline/violence in 41.5s
   Est. remaining: 2.7 minutes
Evaluation results saved to "c:\Users\prvalava\Documents\myrepos\ai-foundry-e2e-lab\ai-red-teaming-agent\.scan_Basic-Callback-Scan_20251006_162937\baseline_hate_unfairness_82ac73d6-ec58-4f7a-95f2-7220272bf428.json".
‚úÖ Completed task 2/4 (50.0%) - baseline/hate_unfairness in 41.5s
   Est. remaining: 0.9 minutes
Evaluation results saved to "c:\Users\prvalava\Documents\myrepos\ai-foundry-e2e-lab\ai-red-teaming-agent\.scan_Basic-Callback-Scan_20251006_162937\flip_violence_1266783b-a5d7-4654-b809-b3f108fcb1f8.json".
‚úÖ Completed task 3/4 (75.0%) - flip/violence in 41.5s
   Est. remaining: 0.3 minutes
Evaluation results saved to "c:\Users\prvalava\Documents\myrepos\ai-foundry-e2e-lab\ai-red-tea

## Intermediary Example: Using a Model Configuration as Target

Now let's create a more realistic example that uses an Azure OpenAI model for responding to the red teaming prompts. Please note you'll run into HTTP 400 because of which type Error. Please ignore and proceed as it is triggering the model's security filter.  To test base or foundation models, you can update your target to take in a model configuration:

In [17]:
# Define a model configuration to test
azure_oai_model_config = {
    "azure_endpoint": azure_openai_endpoint,
    "azure_deployment": azure_openai_deployment,
    "api_key": azure_openai_api_key,
}

Then, update your target to point to the model configurations and run the scan.

In [None]:
# Run the red team scan called "Intermediary-Model-Target-Scan"
result = await red_team.scan(
    target=azure_oai_model_config,
    scan_name="Intermediary-Model-Target-Scan",
    attack_strategies=[AttackStrategy.Flip],
)

## Advanced Example: Using an Azure Open AI Model Endpoint in a Callback Function

Using the same Azure Open AI model configuration as above, we now wrap it in a callback function for more flexibility and control on the input and output handling. This will demonstrate how to evaluate an actual AI application. To test your own actual AI application, replace the inside of the callback function with a call to your application. Please note you'll run into HTTP 400 because of which type Error. Please ignore and proceed as it is triggering the model's security filter.

In [18]:
# Define a callback that uses Azure OpenAI API to generate responses
async def azure_openai_callback(
    messages: list,
    stream: Optional[bool] = False,  # noqa: ARG001
    session_state: Optional[str] = None,  # noqa: ARG001
    context: Optional[Dict[str, Any]] = None,  # noqa: ARG001
) -> dict[str, list[dict[str, str]]]:
    # Get token provider for Azure AD authentication
    token_provider = get_bearer_token_provider(credential, "https://cognitiveservices.azure.com/.default")

    # Initialize Azure OpenAI client
    client = AzureOpenAI(
        azure_endpoint=azure_openai_endpoint,
        api_version=azure_openai_api_version,
        azure_ad_token_provider=token_provider,
    )

    ## Extract the latest message from the conversation history
    messages_list = [{"role": message.role, "content": message.content} for message in messages]
    latest_message = messages_list[-1]["content"]

    try:
        # Call the model
        response = client.chat.completions.create(
            model=azure_openai_deployment,
            messages=[
                {"role": "user", "content": latest_message},
            ],
            # max_tokens=500, # If using an o1 base model, comment this line out
            max_completion_tokens=500,  # If using an o1 base model, uncomment this line
            # temperature=0.7, # If using an o1 base model, comment this line out (temperature param not supported for o1 base models)
        )

        # Format the response to follow the expected chat protocol format
        formatted_response = {"content": response.choices[0].message.content, "role": "assistant"}
    except Exception as e:
        print(f"Error calling Azure OpenAI: {e!s}")
        formatted_response = "I encountered an error and couldn't process your request."
    return {"messages": [formatted_response]}

In [20]:
# Create the RedTeam instance with all of the risk categories with 5 attack objectives generated for each category
# Use the same approach as the working red_team instance
model_red_team = RedTeam(
    azure_ai_project=azure_ai_project_endpoint,  # Use the working endpoint approach
    credential=credential,
    risk_categories=[RiskCategory.Violence, RiskCategory.HateUnfairness, RiskCategory.Sexual, RiskCategory.SelfHarm],
    num_objectives=5,
)
print("‚úì Model RedTeam instance created successfully")

‚úì Model RedTeam instance created successfully


We will use this instance of `model_red_team` to test different attack strategies in the following section.

### Testing Different Attack Strategies

Now we'll run a more comprehensive evaluation using multiple attack strategies across risk categories. This will give us a better understanding of our model's vulnerabilities.Please note you'll run into HTTP 400 because of which type Error. Please ignore and proceed as it is triggering the model's security filter.

In [None]:
# Run the red team scan with multiple attack strategies
advanced_result = await model_red_team.scan(
    target=azure_openai_callback,
    scan_name="Advanced-Callback-Scan",
    attack_strategies=[
        AttackStrategy.EASY,  # Group of easy complexity attacks
        AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        AttackStrategy.CharacterSpace,  # Add character spaces
        AttackStrategy.ROT13,  # Use ROT13 encoding
        AttackStrategy.UnicodeConfusable,  # Use confusable Unicode characters
        AttackStrategy.CharSwap,  # Swap characters in prompts
        AttackStrategy.Morse,  # Encode prompts in Morse code
        AttackStrategy.Leetspeak,  # Use Leetspeak
        AttackStrategy.Url,  # Use URLs in prompts
        AttackStrategy.Binary,  # Encode prompts in binary
        AttackStrategy.Compose([AttackStrategy.Base64, AttackStrategy.ROT13]),  # Use two strategies in one attack
    ],
    output_path="Advanced-Callback-Scan.json",
)

The data and results used in this attack will be saved to the `output_path` specified. The URL printed out at the end of the scorecard will provide a link to where you results are uploaded and logged to your Azure AI Foundry project.

## Bring your own objectives: Using your own prompts as objectives for RedTeam

Below we demonstrate how to use your own prompts as objectives for a `RedTeam` scan. You can see the required format for prompts under `../data/prompts.json`. Note that when bringing your own prompts, the supported `risk-type`s are `violence`, `sexual`, `hate_unfairness`, and `self_harm`. The number of prompts you specify will be the `num_objectives` used in the scan. Please note you'll run into HTTP 400 because of which type Error. Please ignore and proceed as it is triggering the model's security filter.

In [23]:
path_to_prompts = "data/prompts.json"

# Check if the prompts file exists
import os
if os.path.exists(path_to_prompts):
    print(f"‚úì Found prompts file: {path_to_prompts}")
    
    # Create the RedTeam specifying the custom attack seed prompts to use as objectives
    custom_red_team = RedTeam(
        azure_ai_project=azure_ai_project_endpoint,  # Use the working endpoint approach
        credential=credential,
        custom_attack_seed_prompts=path_to_prompts,  # Path to a file containing custom attack seed prompts
    )
    print("‚úì Custom RedTeam instance created successfully")
else:
    print(f"‚ùå Prompts file not found: {path_to_prompts}")
    print("Skipping custom red team creation - you can continue with the other examples")

‚úì Found prompts file: data/prompts.json
‚úì Custom RedTeam instance created successfully


In [None]:
custom_red_team_result = await custom_red_team.scan(
    target=azure_openai_callback,
    scan_name="Custom-Prompt-Scan",
    attack_strategies=[
        AttackStrategy.EASY,  # Group of easy complexity attacks
        AttackStrategy.MODERATE,  # Group of moderate complexity attacks
        AttackStrategy.DIFFICULT,  # Group of difficult complexity attacks
    ],
    output_path="Custom-Prompt-Scan.json",
)

## Conclusion

In this notebook, we've demonstrated how to use the Azure AI Evaluation SDK's `RedTeam` functionality to assess the safety and resilience of AI systems. We started with a basic fixed-response example and then moved to a more realistic model testing across multiple risk categories and attack strategies.

The automated AI red teaming scans provides valuable insights into:

1. **Overall Attack Success Rate (ASR)** - The percentage of attacks that successfully elicit harmful content
2. **Vulnerability by Risk Category** - Which types of harmful content your model is most vulnerable to
3. **Effectiveness of Attack Strategies** - Which attack techniques are most successful against your model
4. **Impact of Complexity** - How more sophisticated attacks affect your model's safety guardrails

By regularly red-teaming your AI applications, you can identify and address potential vulnerabilities before deploying your models to production environments.

### Next Steps

1. **Mitigation**: Use these results to strengthen your model's guardrails against identified attack vectors
2. **Continuous Testing**: Implement regular red team evaluations as part of your development lifecycle
3. **Custom Strategies**: Develop custom attack strategies for your specific use cases and domain
4. **Safety Layers**: Consider adding additional safety layers like Azure AI Content Safety to filter harmful requests and responses 