So Microsoft quietly dropped this thing called Foundry IQ and honestly I don't think enough people are paying attention. The short version, it's a managed knowledge layer that sits inside the Microsoft Foundry ecosystem and gives your AI agents access to your actual enterprise data. Not toy data. Not demo data. Your SharePoint files, your Azure Blob Storage, your OneLake stuff, even public web content. All of it, stitched together into what they call a "knowledge base" that agents can query.
I have been building RAG systems for clients at OZ for a while now and the one thing that always kills us is the plumbing. The chunking, the embeddings, the retrieval pipeline, the permissions, oh God the permissions. Foundry IQ handles all of that. Automatic document chunking, vector embedding generation, metadata extraction, scheduled indexer runs for incremental refresh. This is the stuff that takes weeks to build properly and Microsoft is just... giving it to you as a managed service.
The part that got my attention? It runs queries under the caller's Microsoft Entra identity. End-to-end permission enforcement. It syncs access control lists from supported sources and honors Microsoft Purview sensitivity labels. So if someone shouldn't see a document, the agent won't serve it up. I mean, we built something similar for a client last year and it took us nearly two months. Two months of our lives we won't get back.
How the retrieval actually works
Under the hood, Foundry IQ uses something called "agentic retrieval" which is basically a multi-query pipeline. You throw a complex question at it and it breaks that question into subqueries, runs them in parallel across your knowledge sources, does semantic reranking, and returns a unified response with citations. The citations part matters, it gives you extractive data traced back to source documents so you are not just trusting a black box.
Azure AI Search provides the underlying infrastructure. You get keyword search, vector search, hybrid search, all across both indexed and remote knowledge sources. There is also an optional LLM from Azure OpenAI that handles query planning, and you can configure the "retrieval reasoning effort" with three levels: minimal, low, or medium. No high option, which I find interesting. Maybe they are being careful about cost and latency there.
One knowledge base can connect to multiple agents. Multiple agents sharing one knowledge base. That is actually smart design because in most enterprise setups you don't want five different agents each maintaining their own copy of the same documents. You build the knowledge base once and point your agents at it.
The three IQs nobody is talking about
Here is where it gets interesting and a little confusing. Microsoft now has three "IQ" workloads and they are all separate things:
Fabric IQ: For analytics, it sits on top of Microsoft Fabric and models your business data, ontologies, semantic models, and Power BI stuff.
Work IQ: For Microsoft 365 collaboration signals, documents, meetings, chats, and workflows.
Foundry IQ: The one we are talking about, the knowledge layer for structured and unstructured enterprise data.
They are standalone but you can combine them. On paper this sounds great. In practice I am guessing the integration story is going to be messy for at least another year. That is just how Microsoft rolls with new platform features, the vision is always ahead of the reality by about 12 to 18 months.
Setting it up is not terrible though. You can do it through the Foundry portal or programmatically. Portal gives you a playground for proof-of-concept testing. There is a free tier for Azure AI Search and a free token allocation for agentic retrieval, so you can at least try it without finance team sending you angry emails. But I will say this, free tiers in Azure have a way of becoming very not-free very quickly once you move past demo scale. Always multiply your estimate by 3x, I keep saying this.
The thing that makes Foundry IQ different from just rolling your own RAG pipeline is the permission-awareness baked in from the start. If you are in a regulated industry or just a big enough company where data access matters, building that yourself is painful and error-prone. Microsoft already has the identity infrastructure with Entra, already has the labeling with Purview, so it makes sense they would wire it all together. Whether the execution matches the promise, we will see. It is still in public preview with no SLA, so don't put production workloads on it yet.
