How to Deploy Claude on Microsoft Azure: Through the API & Marketplace

Microsoft Azure is the cloud platform of choice for the majority of enterprise Microsoft customers — organisations running SharePoint, Teams, Dynamics 365, and the Microsoft 365 stack. Deploying Claude on Azure means your AI workloads share the same network boundary, authentication system, and compliance frameworks as the rest of your Microsoft estate. For procurement and security teams, that alignment is significant.

The Azure path for Claude deployments is different from AWS Bedrock and Google Cloud Vertex AI. AWS and GCP have formal partnerships with Anthropic that deliver Claude as a native managed service. Azure's primary route to Claude is through the direct Anthropic API, secured and governed through Azure API Management, Azure Private Endpoints, and Microsoft Entra ID. A subset of Claude capabilities is also available through the Azure Marketplace. Understanding which path is right for your organisation is the first architectural decision.

This guide covers both deployment paths, the Azure-native governance tooling that wraps them, and the production architecture patterns that regulated enterprises require. If you need help deciding between Azure, AWS, and GCP for your Claude deployment, our Claude AI strategy consulting service includes a cloud platform assessment.

Two Paths to Claude on Azure

Before writing a line of code, understand the two distinct routes to Claude on Azure and when to use each.

Path 1: Anthropic API Behind Azure API Management

The most common enterprise pattern. Your application calls an Azure API Management (APIM) endpoint inside your Azure tenant. APIM proxies the request to the Anthropic API, adding authentication, rate limiting, request logging, cost attribution, and policy enforcement at the proxy layer. The Anthropic API is called outbound from APIM — traffic exits your Azure network but through a controlled, audited proxy.

This is the right choice for organisations that need enterprise governance controls without waiting for a native Azure integration, and for teams that want a single API gateway managing multiple AI providers (Claude, Azure OpenAI, GPT-4) with consistent policies.

Path 2: Azure Marketplace Offerings

Anthropic and certified partners offer Claude-powered solutions through the Azure Marketplace, including pre-built application templates and managed service offerings. These are suitable for specific use cases (document processing, customer service automation) where a pre-built solution fits, but they offer less architectural flexibility than the direct API path. Check the Azure Marketplace for current Anthropic-published offerings.

Step 1: Azure API Management Gateway for Claude

Azure API Management is the control plane for your Claude deployment on Azure. It sits between your applications and the Anthropic API, providing the enterprise governance layer that the Anthropic API alone doesn't offer: centralised authentication, per-consumer rate limits, request/response logging to Azure Monitor, policy enforcement, and developer portal documentation.

Create the APIM Instance

# Create resource group
az group create \
  --name rg-claude-prod \
  --location eastus

# Create API Management instance (Developer tier for testing, Standard/Premium for prod)
az apim create \
  --name apim-claude-enterprise \
  --resource-group rg-claude-prod \
  --publisher-name "Your Company" \
  --publisher-email "admin@yourcompany.com" \
  --sku-name Standard \
  --location eastus

Import the Anthropic API into APIM

Define the Claude Messages API as an API in APIM using an OpenAPI specification. This creates a managed endpoint inside your Azure tenant that your applications call instead of calling Anthropic directly.

# Store Anthropic API key in Azure Key Vault (never in APIM directly)
az keyvault secret set \
  --vault-name kv-claude-prod \
  --name anthropic-api-key \
  --value "sk-ant-your-key-here"

# Grant APIM managed identity access to Key Vault
az keyvault set-policy \
  --name kv-claude-prod \
  --object-id $(az apim show -n apim-claude-enterprise -g rg-claude-prod --query "identity.principalId" -o tsv) \
  --secret-permissions get

APIM Inbound Policy for Claude

Configure the APIM inbound policy to inject the Anthropic API key from Key Vault, set required headers, and enforce rate limits:

<policies>
  <inbound>
    <base />
    <!-- Get API key from Key Vault -->
    <get-authorization-context provider-id="anthropic-key"
      authorization-id="claude-api-key"
      context-variable-name="auth-context" />
    <set-header name="x-api-key" exists-action="override">
      <value>@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
    </set-header>
    <set-header name="anthropic-version" exists-action="override">
      <value>2023-06-01</value>
    </set-header>
    <!-- Rate limiting: 100 calls per minute per consumer -->
    <rate-limit-by-key calls="100" renewal-period="60"
      counter-key="@(context.Subscription.Key)" />
    <!-- Route to Anthropic API -->
    <set-backend-service base-url="https://api.anthropic.com" />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
</policies>

Step 2: Microsoft Entra ID for Authentication

For applications running on Azure (App Service, Azure Functions, Azure Container Apps, AKS), use managed identities instead of API keys. A managed identity is a service principal whose credentials are managed automatically by Azure — no key rotation, no secrets in code, no human intervention required.

The pattern: your Azure application authenticates to APIM using its managed identity (obtaining an Entra ID token). APIM validates the token, applies policies, and forwards the request to the Anthropic API with the injected key from Key Vault. The application code never touches the Anthropic API key directly.

Enable Managed Identity on an Azure Function

# Enable system-assigned managed identity
az functionapp identity assign \
  --name func-claude-processor \
  --resource-group rg-claude-prod

# Get the principal ID
PRINCIPAL_ID=$(az functionapp identity show \
  --name func-claude-processor \
  --resource-group rg-claude-prod \
  --query principalId -o tsv)

# Grant the function app access to call APIM
# (done by assigning the function's identity to an APIM subscription or via Entra ID app roles)
echo "Principal ID: $PRINCIPAL_ID"

Calling Claude from Azure Functions with Managed Identity

import anthropic
import os
from azure.identity import ManagedIdentityCredential
from azure.keyvault.secrets import SecretClient

# Retrieve API key from Key Vault using managed identity
credential = ManagedIdentityCredential()
kv_client = SecretClient(
    vault_url="https://kv-claude-prod.vault.azure.net/",
    credential=credential
)

# Key is fetched at runtime — never hardcoded
api_key = kv_client.get_secret("anthropic-api-key").value

client = anthropic.Anthropic(api_key=api_key)

message = client.messages.create(
    model="claude-3-5-sonnet-20241022",
    max_tokens=1024,
    messages=[
        {"role": "user", "content": "Summarise this compliance document..."}
    ]
)

print(message.content[0].text)

Step 3: Azure Private Endpoints for Network Isolation

For regulated workloads — financial services, healthcare, government — requiring that API traffic doesn't traverse the public internet is a common mandate. The challenge with Claude on Azure is that the Anthropic API is not an Azure service, so it doesn't support Azure Private Endpoints natively. The solution is to route traffic through APIM deployed in an internal virtual network, with all outbound Anthropic API calls routing through Azure NAT Gateway or a virtual appliance.

Internal APIM Deployment

Deploy APIM in Internal mode, which places the APIM gateway endpoint inside your VNet rather than on the public internet. Your applications in the same VNet (or connected via VNet peering) call APIM through a private IP address. APIM's outbound calls to Anthropic still use a public IP, but they can be routed through a controlled NAT Gateway or Azure Firewall for egress filtering and logging.

"# Deploy APIM in internal (VNet injection) mode
az apim update \
  --name apim-claude-enterprise \
  --resource-group rg-claude-prod \
  --virtual-network-type Internal \
  --virtual-network-id /subscriptions/{sub-id}/resourceGroups/{rg}/providers/Microsoft.Network/virtualNetworks/{vnet-name}

# Configure User Defined Route to send Anthropic API traffic through Azure Firewall
# (This provides outbound traffic inspection and logging)
az network route-table route create \
  --resource-group rg-claude-prod \
  --route-table-name rt-apim-subnet \
  --name route-to-firewall \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address 10.0.1.4  # Azure Firewall private IP

With this topology, your applications make private API calls to APIM's internal IP, APIM applies governance policies, and outbound traffic to Anthropic routes through Azure Firewall where it's logged, filtered, and governed. This architecture satisfies most enterprise network security requirements for Claude AI governance.

Step 4: Azure AI Studio for Prompt Testing and Evaluation

Azure AI Studio is Microsoft's browser-based development environment for building, testing, and evaluating AI applications. While it's primarily built around Azure OpenAI models, it supports integration with external AI providers including Claude via API connections. For enterprise teams, Azure AI Studio provides a governed playground for prompt development that connects to your Azure environment rather than requiring individual developers to manage their own API keys.

Set up an Azure AI Studio project that stores Anthropic API connection credentials in the project's managed key vault. Developers log in with their Entra ID credentials, access the shared Claude connection through the project, and test prompts without ever handling the raw API key. This model significantly improves key hygiene across engineering organisations where individual API key management breaks down at scale.

Step 5: Production Architecture Patterns on Azure

The Azure production stack for Claude deployments combines APIM, managed identities, Key Vault, and your choice of compute tier. These patterns scale from small pilot deployments to organisation-wide rollouts serving thousands of users.

Pattern 1: Azure Functions + APIM (Serverless)

For event-driven workloads — document processing triggered by Blob Storage uploads, email analysis triggered by Service Bus messages, report generation triggered by timer — Azure Functions with APIM is the cleanest pattern. Functions auto-scale to zero, you pay per invocation, and APIM handles all governance at the API layer. This is the recommended architecture for initial enterprise deployments where usage patterns are uncertain.

Pattern 2: Azure Container Apps + APIM (Containerised)

For long-running services, stateful applications, or applications with specific dependency requirements, Azure Container Apps provides Kubernetes-powered container hosting without cluster management overhead. Container Apps support managed identities natively, and their built-in auto-scaling handles Claude workloads that see variable traffic throughout the day — high during business hours, near-zero overnight.

Pattern 3: AKS for High-Scale Enterprise Deployments

For enterprise-wide Claude deployments serving 10,000+ concurrent users — an organisation-wide writing assistant, a company-wide coding tool, a customer-facing chatbot at scale — Azure Kubernetes Service (AKS) provides the control and performance required. AKS with Workload Identity, KEDA for auto-scaling, and Azure Monitor for observability gives you a production platform that can handle genuine enterprise load.

Integrating Claude with Microsoft 365

Many Azure-based Claude deployments have a Microsoft 365 integration requirement — Claude that can read SharePoint documents, analyse Teams transcripts, or draft Outlook emails. The Microsoft Graph API provides programmatic access to M365 data, and combining it with Claude via Azure Functions creates powerful productivity automation workflows.

import anthropic
from msgraph.core import GraphClient
from azure.identity import ManagedIdentityCredential

# Authenticate to Graph API with managed identity
credential = ManagedIdentityCredential()
graph_client = GraphClient(credential=credential)

# Fetch a SharePoint document
document = graph_client.get(
    "/sites/{site-id}/drive/items/{item-id}/content"
).json()

# Analyse with Claude
client = anthropic.Anthropic(api_key=api_key)
response = client.messages.create(
    model="claude-3-5-sonnet-20241022",
    max_tokens=2048,
    messages=[{
        "role": "user",
        "content": f"Summarise the key points from this SharePoint document: {document}"
    }]
)

print(response.content[0].text)

For teams building Copilot Studio extensions or Teams bots powered by Claude, the MCP Servers guide covers how to expose Claude capabilities through MCP as a connector for Microsoft AI tooling. Our MCP server development service includes Microsoft 365 connector patterns.

Azure Monitor and Cost Management

Every Claude deployment on Azure should route logs through Azure Monitor and Application Insights. APIM sends request logs, latency metrics, and error rates to Azure Monitor automatically — configure diagnostic settings on your APIM instance to route everything to a Log Analytics workspace.

For cost attribution, APIM subscription keys map to individual teams or applications. Every Claude API call through APIM is tagged with the subscription key, allowing you to report token consumption by team, application, or cost centre through Azure Cost Management. This chargebacks capability is essential for enterprise governance of AI spending.

# Enable APIM diagnostic logging to Log Analytics
az monitor diagnostic-settings create \
  --name diag-apim-claude \
  --resource /subscriptions/{sub-id}/resourceGroups/rg-claude-prod/providers/Microsoft.ApiManagement/service/apim-claude-enterprise \
  --workspace /subscriptions/{sub-id}/resourceGroups/rg-monitoring/providers/Microsoft.OperationalInsights/workspaces/law-enterprise \
  --logs '[{"category":"GatewayLogs","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]'

Frequently Asked Questions

Related Articles