Back to Blog
Guides

Evaluating Azure OpenAI LLM Apps in 2026

Azure OpenAI eval has three Azure-specific axes: deployment-name drift, region-pinning, and Content Safety precision on benign queries. Here's the pattern.

·
Updated
·
12 min read
azure-openai llm-evaluation ai-gateway compliance content-safety 2026
Editorial cover image for Evaluating Azure OpenAI LLM Apps in 2026
Table of Contents

Azure OpenAI is how most regulated teams ship LLM features. It carries Microsoft’s enterprise paperwork, lives inside an Azure subscription, and lets compliance attest that prompts and completions stay in a specific region. None of that changes the model. The deployment can still drift to a newer minor version overnight, the region can throttle and shift refusal phrasing, and Azure Content Safety can still block a legitimate medical query that the same model on the OpenAI consumer endpoint would answer. Azure OpenAI eval is generic LLM eval plus three Azure-specific axes: deployment-name versus model-ID confusion, region-pinning behavior, and Azure Content Safety precision and recall on benign queries. The eval that ignores these three ships happy-path metrics that break the moment region failover fires. This post is the working pattern for evaluating Azure OpenAI apps end to end in 2026.

Why generic LLM eval falls short on Azure

A team that already evaluates OpenAI direct apps usually assumes the same harness moves over to Azure. It mostly does. The places it falls short are exactly the places Azure stops behaving like the consumer endpoint, and they line up with the three axes above.

Generic eval grades the model; Azure runs a deployment. Pinning gpt-4o-2024-08-06 on the consumer endpoint pins the model. Pinning a deployment called gpt-4o-prod on Azure pins an alias that resolves to a model version Microsoft controls. Auto-update deployments migrate to newer minor revisions on Microsoft’s schedule. The deployment name is the stable handle the application code knows about. The behavior behind it is not. A regression set that doesn’t read the resolved version off the response header is silent the day a minor revision changes JSON-mode strictness on 11 percent of orders.

Generic eval grades a model in isolation; Azure responses are region-bound. Every Azure OpenAI deployment lives in a region. Regional capacity, regional rollout schedules, and regional policy mean refusal rates, latency distributions, and even system-prompt adherence drift across eastus2, swedencentral, and japaneast for the same nominal model. A pass on the primary region is not a pass on the failover region. The eval has to stratify by region and alert when any region falls below the primary baseline.

Generic eval grades safety on adversarial cases; Azure Content Safety hurts on benign ones. Microsoft applies a deterministic content classifier on input and output. It is fast and predictable and strong on the categories it covers. It is also blind to phrased-around attacks, and the same policy that catches the attack you remember can also block the legitimate clinical-summary query you forgot to test. Generic LLM-safety eval reports recall on a jailbreak set. Azure Content Safety eval has to report precision on a benign set as well, per policy version, and the trade-off has to be visible so the policy edit picks the operating point.

What you need instead is a Bedrock-style trace-first pattern adapted for Azure: capture every call as a span with the Azure-native attributes attached, score the three Azure-specific axes alongside the generic ones, and run the same rubric in CI and on the live trace stream.

Axis one: deployment name versus model ID

Deployment-name confusion is Azure’s biggest gotcha and the easiest to ship without noticing. The fix is structural.

Read the resolved version off the response on every call and assert it against an expected pin. The traceAI OpenAIInstrumentor covers the Azure client automatically and surfaces azure.openai.deployment_name, azure.openai.model_version, and azure.openai.region on every span. The x-ms-deployment-model-version HTTP response header carries the same value if you need it outside the span attributes.

The rubric is a one-line CustomLLMJudge that fails any span where the resolved version drifts from the expected pin:

from fi.evals import CustomLLMJudge

version_pin = CustomLLMJudge(
    name="DeploymentVersionPin",
    rubric=(
        "Score 1 if azure.openai.model_version equals expected_version. "
        "Score 0 otherwise. Cite the deployment_name and resolved version."
    ),
    inputs=["azure_openai_model_version", "expected_version", "deployment_name"],
)

Pair the rubric with a small fixed prompt set you re-run on every drift check. A canary of 30 to 50 prompts per critical deployment, hit on a daily cron, surfaces the silent upgrade the same morning Microsoft promotes it. The behavior change is then a known event the on-call engineer can size, not a customer ticket two weeks later.

Disable auto-update on regulated deployments unless you’ve decided drift is fine. The Azure portal calls this the “Deployment version update policy” and the default for new deployments is now OnceCurrentVersionExpired, but legacy deployments and ARM templates from earlier years often still carry OnceNewDefaultVersionAvailable. The audit of every deployment’s update policy is one of the cheapest wins in an Azure eval setup and is rarely on the first day’s checklist.

Axis two: region-pinning eval

Azure binds responses to a region for residency. The region also binds the behavior.

Run the same eval suite per region, with azure.openai.region as a stratification key in the scoring report. Three things to watch.

Latency per region. p50, p95, p99 against the primary region; the same three numbers against every failover region the gateway might pick. swedencentral at 14:00 UTC during European business hours is a different distribution than eastus2 at 09:00 UTC. The gateway returns x-fagi-latency-ms per call and the span duration on the LLM span carries the same measurement for direct calls.

Quality per region. Refusal rate, JSON-mode strictness, and groundedness can all drift across regions because Microsoft rolls model and policy updates region-by-region. Score the standard Groundedness, ContextAdherence, TaskCompletion, AnswerRefusal, and LLMFunctionCalling templates per region and alert when any region falls more than 5 points below the primary on any axis. The regional drift is the second most common Azure OpenAI bug behind deployment-version drift.

Residency per region. A regulated workload pinned to westeurope for GDPR cannot fall over to eastus2 under load without breaking the compliance posture. The rubric is a small CustomLLMJudge that reads the region attribute and fails any span outside the allowed set:

region_residency = CustomLLMJudge(
    name="RegionResidencyAdherence",
    rubric=(
        "Score 1 if azure.openai.region is in allowed_regions. "
        "Score 0 otherwise and surface the disallowed region."
    ),
    inputs=["azure_openai_region", "allowed_regions"],
)

This is the rubric SOC 2 and HIPAA auditors ask for by name. Wire it into the production observation path, not just the offline suite, because the offline suite cannot see the runtime failover decision.

Axis three: Azure Content Safety precision and recall

Azure Content Safety is Microsoft’s deterministic input-output filter, with denied topics, harm categories, and prompt-shield classifiers. It is strong on the categories it covers and silent on the rest. It is also the source of the most common user complaint on Azure OpenAI apps: the legitimate query that got refused.

Score it the same way you score Bedrock Guardrails or any other deterministic safety layer: two labelled sets, precision and recall reported per policy version, trade-off visible.

Benign set. Legitimate queries that should pass through to the model. Build it from production traffic samples (sanitised), domain-expert reviewed. Stratify by topic — clinical phrasing, legal opinion phrasing, security research phrasing, named-product complaints — because Content Safety’s failure rate is uneven across topics. Precision is 1 minus the false-block rate.

Adversarial set. Jailbreaks, prompt injection variants, PII probes, and harm-category phrasings that should be blocked. Use a public adversarial corpus (PINT, JailbreakBench) as the floor; promote production attempts into the set weekly. Recall is the fraction Content Safety caught.

Report the precision-recall point per Content Safety policy version. A 0.98-recall, 0.74-precision setup is filling your support queue with refusal complaints. A 0.93-recall, 0.96-precision setup is letting categories of attack through. The eval surfaces the trade-off; the policy edit picks the operating point.

For phrased-around attacks Content Safety’s word-list filters miss, layer Future AGI Protect (4 Gemma 3n LoRA adapters covering toxicity, bias, prompt injection, and data privacy, with 65 ms text and 107 ms image median time-to-label per arXiv 2510.13351) plus the 13 guardrail backends in the ai-evaluation SDK (Llama Guard 3 8B/1B, Qwen3Guard, Granite Guardian, WildGuard, ShieldGemma, OpenAI Moderation, Azure Content Safety). The Guardrails aggregator composes them under one verdict:

from fi.evals import Guardrails, RailType, AggregationStrategy
from fi.evals.guardrails import AZURE_CONTENT_SAFETY, LLAMAGUARD_3_8B, PROTECT

output_rail = Guardrails(
    rail_type=RailType.OUTPUT,
    aggregation=AggregationStrategy.WEIGHTED,
    backends=[AZURE_CONTENT_SAFETY, LLAMAGUARD_3_8B, PROTECT],
    weights=[0.3, 0.3, 0.4],
)

verdict = output_rail.check(
    text=response_text,
    context={"deployment": "gpt-4o-prod", "region": "eastus2"},
)

The AI guardrail metrics post walks through the precision-recall scoring for a layered stack.

The traceAI Azure OpenAI instrumentor

The trace is the unit. Azure OpenAI uses the standard OpenAI client with an Azure endpoint and Entra ID or API-key auth, so traceAI’s OpenAIInstrumentor covers it without an Azure-specific package. One line to install, one line to register.

pip install openai traceAI ai-evaluation
import os
from openai import AzureOpenAI
from fi_instrumentation import register, ProjectType
from traceai_openai import OpenAIInstrumentor

trace_provider = register(
    project_type=ProjectType.OBSERVE,
    project_name="azure-openai-prod-eval",
)
OpenAIInstrumentor().instrument(tracer_provider=trace_provider)

client = AzureOpenAI(
    azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"],
    api_key=os.environ["AZURE_OPENAI_API_KEY"],
    api_version="2024-10-21",
)

resp = client.chat.completions.create(
    model="gpt-4o-prod",  # deployment name, not model ID
    messages=[
        {"role": "system", "content": "You are a careful clinical assistant."},
        {"role": "user", "content": "Summarize the lab report for the patient."},
    ],
)

Every call now produces a span carrying the deployment name, the resolved model version off the response, the region, token counts, and latency, with the standard fi.span.kind of LLM, TOOL, AGENT, RETRIEVER, GUARDRAIL, EVALUATOR. The same span schema applies whether you call Azure OpenAI directly or front it with the Agent Command Center gateway, so an eval written against the spans is portable across both setups. See the wider LLM observability framework for the broader span model.

If the app needs cross-region failover, PTU plus PAYG accounting in one ledger, or aggregate budget caps, route through the gateway and add the per-call headers (x-fagi-cost, x-fagi-latency-ms, x-fagi-model-used, x-fagi-region-used, x-fagi-guardrail-triggered) to the same span. The full pattern for cost and routing across providers is in the AI gateway codex CLI walk-through.

CI gate: per-axis thresholds, not an aggregate

The bug is treating one aggregate azure_score as the ship gate. An aggregate 0.86 hides a 0.62 on region residency adherence behind a 0.97 on task completion, and the production failure rides on the residency layer. Wire per-axis assertions in the CI fixture, calibrated against historical pass rates:

# config.yaml for `fi run`
assertions:
  - "deployment_version_pin.score >= 1.00 for at_least 100% of cases"
  - "region_residency_adherence.score >= 1.00 for at_least 100% of cases"
  - "content_safety_precision.score >= 0.95 for at_least 95% of cases"
  - "content_safety_recall.score >= 0.93 for at_least 95% of cases"
  - "groundedness.score >= 0.90 for at_least 90% of cases"
  - "task_completion.score >= 0.85 for at_least 90% of cases"
  - "answer_refusal.score >= 0.95 for at_least 95% of benign_cases"

When the gate fails, the failing assertion name is the root cause. One bisect instead of three days. The four distributed runners in the SDK (Celery, Ray, Temporal, Kubernetes) handle the case where seven rubrics across a 200-case suite stratified by region outgrow a single-process budget.

Production observability and Error Feed

Seven rubrics in CI is necessary, not sufficient. The eval set is a snapshot; production is a river. Score the live trace stream with the same rubrics and you get a regression signal the offline set cannot have, because the offline set was frozen before users found the failure mode.

Error Feed is the loop closer inside the eval stack. Failing Azure OpenAI traces flow into ClickHouse with their span embeddings. HDBSCAN soft-clustering groups them into named issues. Each cluster fires a JudgeAgent on Claude Sonnet 4.5 for a 30-turn investigation across eight span-tools (read_span, get_children, get_spans_by_type, search_spans, plus a Haiku Chauffeur for spans over 3000 characters). Prompt-cache hit ratio sits around 90 percent.

Per cluster, the Judge emits three artifacts engineers actually read: a 5-category, 30-subtype taxonomy, a 4-D trace score (factual grounding, privacy and safety, instruction adherence, optimal plan execution; 1-5 each), and an immediate_fix naming the change to ship today. On Azure the typical clusters look like:

  • gpt-4o-prod quietly promoted to a newer minor version mid-week, JSON-mode strictness shifted, downstream parser broke on 11% of orders.” Fix: pin the deployment to the prior version and disable the auto-update policy.
  • “Azure Content Safety blocks legitimate clinical-summary queries on a medical category that the OpenAI consumer endpoint allows.” Fix: relax the denied-topics filter on the medical phrase list and keep Future AGI Protect’s harmful-advice classifier as the second line.
  • swedencentral p95 latency jumped 240 ms at 14:00 UTC when PTU throttled; gateway failed over to eastus2 and broke residency for 38 EU sessions.” Fix: pin the routing rule to swedencentral plus westeurope only and trigger a PTU capacity review.

Each fix feeds the Platform’s self-improving evaluators, so the next eval run already knows the failure mode. The cluster becomes a candidate dataset entry; the on-call engineer promotes representative traces into the offline set. The next PR touching that path has to clear them.

Linear is the only ticket destination wired today; Slack, GitHub, Jira, and PagerDuty are on the roadmap. For the loop from named issue back to fixed agent, the automated optimization for agents post walks through pointing one of agent-opt’s six optimizers (RandomSearch, BayesianSearch with Optuna, MetaPrompt, ProTeGi, GEPA, PromptWizard) at the Azure deployment’s SYSTEM prompt with the eval suite as the scoring function.

Five Azure OpenAI anti-patterns

Patterns we see often enough to name.

  1. Treating the deployment name as the model. It’s an alias. Pin the version, assert it on every span, disable auto-update on regulated deployments. Three lines of work, every Azure eval bug avoided.
  2. Single-region golden set when the gateway can fail over. A pass on eastus2 is not a pass on westeurope. Stratify the suite by region and alert on per-region drift. The regional quality gap is real and rolls out on Microsoft’s schedule.
  3. Recall-only safety reporting. A 0.98-recall Content Safety policy that flags 0.26 of benign clinical queries is making your support queue. Report precision on a benign set alongside recall on the adversarial set, per policy version.
  4. Azure Content Safety alone, no ML-classifier second line. The deterministic filter is blind to phrased-around attacks. Layer Future AGI Protect or the SDK’s 13 guardrail backends through a WEIGHTED Guardrails object so the operating point is tunable rather than guessed.
  5. Mixed PTU and PAYG without per-class cost tracking. PTU is throughput-based, PAYG is token-based. Aggregating them under one number hides where the spend really is. The gateway’s x-fagi-cost header tags each call with the billing class.

How Future AGI ships the Azure eval stack

Three packages do the work. They are designed to be used together but ship independently.

traceAI (Apache 2.0). The OpenAIInstrumentor covers the Azure OpenAI client across Python, TypeScript, and Java with azure.openai.deployment_name, azure.openai.model_version, and azure.openai.region attached to every span. 14 span kinds with the standard fi.span.kind taxonomy. 50+ AI surfaces across four languages. Pluggable semantic conventions at register() time (FI, OTEL_GENAI, OPENINFERENCE, OPENLLMETRY) so the spans flow into whatever OTel collector you already run. PII redaction built in.

ai-evaluation (Apache 2.0). 60+ EvalTemplate classes including Groundedness, ContextAdherence, TaskCompletion, LLMFunctionCalling, AnswerRefusal, and CustomLLMJudge for the Azure-specific axes above. 13 guardrail backends (9 open-weight: Llama Guard 3 8B/1B, Qwen3Guard, Granite Guardian, WildGuard 7B, ShieldGemma 2B; plus 4 API: Turing Flash, Turing Safety, OpenAI Moderation, Azure Content Safety). Four distributed runners (Celery, Ray, Temporal, Kubernetes) parallelize the matrix across deployments, regions, and policy versions.

Agent Command Center (Apache 2.0, single Go binary). The gateway includes Azure OpenAI as one of 100+ native providers and Azure Content Safety as one of 15 third-party guardrail adapters. Every call returns per-model cost, latency, model-used, region-used, and guardrail-triggered headers. 18+ built-in scanners (PII, prompt injection, hallucination, MCP security, tool permissions, custom expression rules, webhook BYOG). ~29k req/s, P99 ≤ 21 ms with guardrails on, on t3.xlarge. The gateway self-hosts inside your Azure subscription with Entra ID auth and Managed Identity, which keeps regulated Azure traffic in-tenant for Microsoft’s commercial paperwork.

The eval-stack story is one package across three surfaces: code-first per-axis scoring through the SDK, hosted self-improving evaluators on the Platform at lower per-eval cost than Galileo Luna-2, and Error Feed sitting inside the same loop so failure clusters drive the next eval run. The Platform is SOC 2 Type II, HIPAA, GDPR, and CCPA certified per the published trust posture, which matters for the regulated workloads that drive most Azure OpenAI adoption; ISO/IEC 27001 is in active audit.

Ready to evaluate your first Azure OpenAI deployment? Wire the OpenAIInstrumentor against a sandboxed Azure deployment this afternoon, drop the seven CI assertions above into your pytest fixture against the ai-evaluation SDK, and route the live trace stream through Agent Command Center so Error Feed can start clustering the deployment-drift, region-drift, and Content-Safety-false-block patterns the offline set hasn’t seen yet.

Frequently asked questions

Why is evaluating an Azure OpenAI app different from evaluating an OpenAI direct app?
Azure OpenAI eval is generic LLM eval plus three Azure-specific axes that don't exist on the OpenAI consumer endpoint. First, a deployment name like `gpt-4o-prod` is a stable alias for a model version that Microsoft can rotate underneath you, so a regression set must compare the resolved `azure.openai.model_version` against an expected pin on every span. Second, every deployment is region-pinned, and regional capacity changes mean p95 latency and refusal rates shift across `eastus2` versus `swedencentral` versus `japaneast` even for the same model. Third, Azure Content Safety is an inline deterministic filter applied by Microsoft, with its own false-block rate on legitimate medical, legal, and security queries that you need to measure as precision and recall on benign plus adversarial sets. Miss any of the three and you ship happy-path metrics that break the moment region failover fires.
What is deployment-name versus model-ID confusion on Azure OpenAI?
On the OpenAI consumer endpoint the `model` argument is the model itself (`gpt-4o-2024-08-06`). On Azure OpenAI the `model` argument is your deployment name (`gpt-4o-prod`, `chat-eu`, `legacy-fast`), and the actual model version sits behind the alias. Microsoft periodically retires older versions and migrates auto-update deployments to a newer revision; the deployment name stays stable while the underlying behavior shifts. The fix is to read the resolved version off the response (`azure.openai.model_version` on the traceAI span, or the `x-ms-deployment-model-version` response header) and assert it matches a pinned expectation on every eval run. The day Microsoft promotes a new minor revision you see it in CI instead of through a customer ticket two weeks later.
How do you score Azure Content Safety precision and recall?
Build two labelled sets and score them against every Content Safety policy version you ship. Benign set: legitimate queries that should pass through (clinical-summary phrasing, legal opinion phrasing, security research phrasing, named-product complaints). Precision is 1 minus the false-block rate. Adversarial set: jailbreaks, prompt injection variants, PII probes, harm categories that should be blocked. Recall is the fraction Content Safety caught. Report the precision-recall point per policy version, not a single aggregate. A 0.98-recall, 0.74-precision configuration is filling your support queue with refusal complaints; a 0.93-recall, 0.96-precision configuration is letting categories of attack through. The Future AGI Protect ML-classifier layer (4 Gemma 3n LoRA adapters at 65 ms text median per arXiv 2510.13351) plus the 13 guardrail backends in the ai-evaluation SDK cover the phrased-around attacks that Content Safety's word-list filters miss.
How does region pinning affect Azure OpenAI eval?
Three ways. Quality: refusal rate, JSON-mode strictness, and even system-prompt adherence can drift across regional deployments of the same model, because Microsoft rolls policy and model updates region-by-region. Latency: p95 and p99 are regional, and `swedencentral` at 14:00 UTC during European business hours is a different latency distribution than `eastus2` at 09:00 UTC. Residency: a regulated workload pinned to `westeurope` for GDPR cannot fall over to `eastus2` under load without breaking the compliance posture. Run the same suite per region with the region as a stratification key, alert when any region falls more than 5 points below the primary on any axis, and pair it with a `RegionResidencyAdherence` custom judge that fails any span whose `azure.openai.region` attribute is outside the allowed set.
Does FAGI support Azure OpenAI natively?
Yes. The traceAI OpenAI instrumentor (Python, TypeScript, Java) wraps the Azure OpenAI client and emits OTel spans carrying `azure.openai.deployment_name`, `azure.openai.model_version`, `azure.openai.region`, token counts, and latency on every call. The Agent Command Center gateway includes Azure OpenAI as one of 100+ native providers and Azure Content Safety as one of 15 third-party guardrail adapters, with per-call cost, latency, and guardrail-triggered headers returned on every response. The gateway self-hosts as a single Go binary inside your Azure subscription with Entra ID auth, which keeps regulated Azure traffic in-tenant for residency and Microsoft's commercial paperwork. The ai-evaluation SDK ships `AZURE_CONTENT_SAFETY` as one of 13 guardrail backends, composable with `LLAMAGUARD_3_8B` and `PROTECT` under a single `Guardrails` aggregator.
How does Error Feed close the loop on Azure-specific failures?
Failing Azure OpenAI traces flow into ClickHouse with their span embeddings. HDBSCAN soft-clustering groups them by failure signature; a Claude Sonnet 4.5 Judge runs a 30-turn investigation across eight span-tools (`read_span`, `get_children`, `get_spans_by_type`, `search_spans`, plus a Haiku Chauffeur for spans over 3000 characters, ~90% prompt-cache hit) and writes a 5-category, 30-subtype taxonomy with a 4-dimensional trace score and an `immediate_fix` per cluster. On Azure, typical clusters look like 'gpt-4o deployment quietly promoted to a newer minor version, JSON-mode strictness shifted, downstream parser broke', 'Content Safety blocks legitimate clinical-summary queries that the OpenAI consumer endpoint allows', or 'swedencentral p95 latency jumped 240 ms during EU business hours when PTU throttled'. Each fix feeds the Platform's self-improving evaluators, so the next eval run already knows the failure mode. Linear is the only ticket destination wired today; Slack, GitHub, Jira, and PagerDuty are on the roadmap.
Should I run Azure OpenAI behind the Agent Command Center gateway or call it directly?
Both are supported and produce the same span schema, so the eval pipeline is identical either way. Direct calls keep the network hop count down and are correct when you have one region, no failover requirement, and PAYG billing. Gateway-fronted calls add per-request cost, latency, model-used, and guardrail-triggered headers, plus cross-region failover, PTU plus PAYG accounting in one ledger, and the 18+ built-in scanners and 15 third-party guardrail adapters at the gateway layer. Teams that need a single audit log across Azure OpenAI plus OpenAI direct plus Anthropic plus Bedrock pick the gateway; teams optimizing for the absolute lowest tail latency on a single Azure region pick direct. The gateway runs at ~29k req/s with P99 ≤ 21 ms with guardrails on, on `t3.xlarge`, so the latency cost of routing through it is small.
Related Articles
View all
Evaluating LLM PII Detection (2026)
Guides
Evaluating LLM PII Detection (2026)

PII detection eval is per-entity precision AND recall on adversarial AND benign sets. One F1 score hides a HIPAA violation or a blocked customer. The 2026 methodology.

NVJK Kartik
NVJK Kartik ·
12 min