Azure OpenAI
Same OpenAI models, hosted in your Azure tenant. Use this when corporate policy requires prompts stay in your Azure subscription (data residency, compliance, VPN-locked endpoints).
Configuration
~/.insightworker/.env:
LLM_PROVIDER=azure
AZURE_OPENAI_ENDPOINT=https://my-resource.openai.azure.com
AZURE_OPENAI_API_KEY=<from your Azure OpenAI resource>
AZURE_OPENAI_DEPLOYMENT=my-gpt-4o
AZURE_OPENAI_API_VERSION=2024-08-01-previewStep 1 — Create the Azure OpenAI resource
- Azure Portal → Create a resource → Azure OpenAI
- Pick a region with the model you want (US East, EU West, etc.)
- Set pricing tier (Standard is fine for testing)
- Create
After provisioning, find on the resource overview:
- Endpoint →
AZURE_OPENAI_ENDPOINT - Keys and Endpoint tab → copy Key 1 →
AZURE_OPENAI_API_KEY
Step 2 — Deploy a model
In your Azure OpenAI resource:
- Model deployments → Manage Deployments
- Create new deployment
- Pick the model (gpt-4o, gpt-5, etc.) — availability depends on region and your subscription tier
- Give it a deployment name (e.g.
my-gpt-4o) → this goes intoAZURE_OPENAI_DEPLOYMENT
The deployment name is what InsightWorker uses as the "model" — Azure routes by deployment name, not by underlying model id.
Step 3 — API version
AZURE_OPENAI_API_VERSION controls which API contract the SDK uses. Default 2024-08-01-preview works for most current models.
When you upgrade Azure resources or want newer features (e.g. Responses API support), bump the API version per Microsoft's docs.
Verify
curl https://my-resource.openai.azure.com/openai/deployments/my-gpt-4o/chat/completions?api-version=2024-08-01-preview \
-H "api-key: $AZURE_OPENAI_API_KEY" \
-H "Content-Type: application/json" \
-d '{"messages":[{"role":"user","content":"Reply: pong"}],"max_tokens":10}'If you get {"choices":[{"message":{"role":"assistant","content":"pong"}}]} — you're ready.
Where data goes
Azure OpenAI: prompts and responses stay in your Azure subscription, governed by your Azure tenant's data policies. Microsoft does not use API data to train the underlying OpenAI models. This is the regulated-customer-acceptable path.
Private endpoints
For zero internet egress, set up an Azure Private Endpoint for your Azure OpenAI resource. With a private DNS zone wired up, the standard endpoint hostname resolves to a private IP inside your VNet — InsightWorker requires no code change.
Common gotchas
| Symptom | Cause | Fix |
|---|---|---|
| 404 on the deployment | Wrong deployment name | Use the deployment name, not the underlying model ID |
| 401 Unauthorized | Wrong key | Check Key 1 vs. Key 2; both work |
| API version errors | Older API version doesn't support the model | Bump AZURE_OPENAI_API_VERSION to latest |
| Rate limited | Default Azure quota is low | Request quota increase in Azure portal |
| Some GPT-5 features missing | Azure rolls out features after OpenAI | If you need the latest GPT-5-pro, use OpenAI direct or Bedrock; Azure typically lags by weeks |
See also
- openai.md — same model family, OpenAI direct
- overview.md — full provider matrix
Source: docs/providers/azure-openai.md in the public repo. Open a PR with corrections.