
Managed in Azure: Existing Subscription

Deploy DocAI Fabric into an existing Azure subscription alongside your other workloads. You keep full control of your data and infrastructure; we handle the application lifecycle.

Because your subscription already contains other resources, this guide uses a resource-group-scoped service principal. We get Contributor access only to the dedicated resource group for DocAI Fabric, with no visibility into anything else in your subscription. You also provision the Azure OpenAI and Document Intelligence resources yourself, which means those API keys never leave your control.

Prefer a simpler setup?

If you can create a new, dedicated subscription for DocAI Fabric, the Dedicated Subscription guide is much simpler: you share minimal information and we handle everything including AI resource setup.

How It Works

Your Azure Subscription
└── Your Resource Group
    ├── Container App        ─┐
    ├── Container Registry    │
    ├── Azure Managed Redis   │  Provisioned and managed
    ├── Storage Account       ├─ by our CI/CD pipeline
    ├── Key Vault             │
    ├── Log Analytics         │
    ├── Application Insights  │
    └── Managed Identity     ─┘

You own the infrastructure and data. We deploy and update the application.

What Gets Deployed

| Resource | Purpose | SKU |
|---|---|---|
| Container App | Application hosting | Consumption, 0.5 vCPU / 1 GiB |
| Container Registry | Docker images | Basic |
| Azure Managed Redis | Job queue & caching | Balanced B0 (1 GB, HA) |
| Storage Account | Document storage | Standard LRS, Hot tier |
| Key Vault | Secrets management | Standard |
| Log Analytics | Centralized logging | Per-GB (30-day retention) |
| Application Insights | Performance monitoring | Web |
| Managed Identity | Secure resource access | User-assigned |

Estimated monthly cost: about $100/month for the infrastructure listed above; Azure OpenAI and Azure Document Intelligence usage is billed separately.

The current default Container App configuration in our infrastructure is 0.5 vCPU, 1 GiB memory, and autoscaling from 1 to 10 replicas.


Prerequisites

Before starting, make sure you have:

  • OIDC subject value from us (we will provide the exact value for Step 3, e.g., repo:docaifabric/docaifabric:environment:customer-<YOUR_ID>)
  • Azure CLI installed (install guide)
  • Azure subscription with Owner or Contributor + User Access Administrator role
  • Permission to register applications in Microsoft Entra ID

Verify your permissions

Run these checks after az login:

1. Subscription role. You need Owner, or Contributor + User Access Administrator:

az role assignment list \
--assignee $(az ad signed-in-user show --query id -o tsv) \
--query "[].roleDefinitionName" -o tsv

Look for Owner, or both Contributor and User Access Administrator.

2. Entra ID app registration. You need permission to create applications:

# Create a throwaway app registration, then delete it using the appId returned by the create call
TEST_APP_ID=$(az ad app create --display-name "permission-test" --query appId -o tsv) && \
  az ad app delete --id "$TEST_APP_ID"

  • Success (no errors) → you have the required permissions.
  • "Insufficient privileges" → your organization restricts app registrations. Ask your IT / Entra ID administrator (someone with the Application Administrator or Global Administrator role) to complete Steps 2 and 3 on your behalf. The commands are the same.

Setup Guide

Step 1: Create the Resource Group

Log in to Azure CLI and create a resource group in a region close to your users:

az login

az group create \
--name <RESOURCE_GROUP_NAME> \
--location <REGION>

Common regions: eastus, westeurope, southeastasia, australiaeast.

Step 2: Create a Service Principal

Create a service principal with Contributor access scoped to the resource group:

az ad sp create-for-rbac \
--name "sp-docaifabric-<YOUR_COMPANY>" \
--role Contributor \
--scopes "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>"

The command outputs JSON like this:

{
"appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx", // → AZURE_CLIENT_ID
"displayName": "sp-docaifabric-yourcompany",
"password": "...", // → not needed as we will use OIDC
"tenant": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" // → AZURE_TENANT_ID
}

From this output, note the appId and tenant values, which you'll share with us. The password is not needed and can be ignored (OIDC is used instead).

Also note your Subscription ID:

az account show --query id -o tsv

Step 3: Configure OIDC Federation

Add a federated credential so our CI/CD pipeline can authenticate without long-lived secrets:

# Get the App ID of the service principal
APP_ID=$(az ad sp list \
--display-name "sp-docaifabric-<YOUR_COMPANY>" \
--query "[0].appId" -o tsv)

# Create the federated credential
az ad app federated-credential create \
--id $APP_ID \
--parameters '{
"name": "github-deploy",
"issuer": "https://token.actions.githubusercontent.com",
"subject": "repo:docaifabric/docaifabric:environment:customer-<YOUR_ID>",
"audiences": ["api://AzureADTokenExchange"]
}'

Step 4: Register Resource Providers

These must be registered once per subscription. You may already have some of them:

az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.ContainerRegistry
az provider register --namespace Microsoft.KeyVault
az provider register --namespace Microsoft.OperationalInsights
az provider register --namespace Microsoft.Insights
az provider register --namespace Microsoft.ManagedIdentity
az provider register --namespace Microsoft.Cache
az provider register --namespace Microsoft.Storage
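After Steps 2 to 4 it is worth confirming that the service principal really is confined to the dedicated resource group, that the only federated credential able to obtain its tokens is the one GitHub environment we use, and that every provider namespace is registered. The script below is an added example, not part of DocAI Fabric or the Azure CLI: it parses the JSON that `az role assignment list --assignee "$APP_ID" --all -o json`, `az ad app federated-credential list --id "$APP_ID" -o json` and `az provider list -o json` print, and reports anything that deviates from this guide. The subscription ID, resource-group name and the second credential in the embedded samples are constructed so the script runs offline; the expected subject is the guide's placeholder and must be replaced with the value we send you.

```python
"""Post-setup verification for Steps 2-4 (added example; not DocAI Fabric's own tooling).

Usage: python check_setup.py <assignments.json> <creds.json> <providers.json> <SUBSCRIPTION_ID> <RESOURCE_GROUP>
Without arguments it runs against the constructed samples embedded below.
"""
import json
import sys

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_AUDIENCES = ["api://AzureADTokenExchange"]
# Placeholder from the guide; substitute the exact subject value you were given.
EXPECTED_SUBJECT = "repo:docaifabric/docaifabric:environment:customer-<YOUR_ID>"
REQUIRED_PROVIDERS = [
    "Microsoft.App", "Microsoft.ContainerRegistry", "Microsoft.KeyVault",
    "Microsoft.OperationalInsights", "Microsoft.Insights",
    "Microsoft.ManagedIdentity", "Microsoft.Cache", "Microsoft.Storage",
]


def rg_scope(subscription_id, resource_group):
    """ARM scope of the dedicated resource group; ARM compares scopes case-insensitively."""
    return f"/subscriptions/{subscription_id}/resourcegroups/{resource_group}".lower()


def check_role_assignments(assignments, subscription_id, resource_group):
    """Findings for any assignment wider than the resource group (subscription or
    management-group scope) or for a role other than Contributor."""
    expected = rg_scope(subscription_id, resource_group)
    findings = []
    for a in assignments:
        scope = a["scope"].lower()
        role = a["roleDefinitionName"]
        inside_rg = scope == expected or scope.startswith(expected + "/")
        if not inside_rg:
            findings.append(f"{role} assigned at broader scope {a['scope']}")
        elif role != "Contributor":
            findings.append(f"unexpected role {role} within {a['scope']}")
    return findings


def check_federated_credentials(creds, expected_subject=EXPECTED_SUBJECT):
    """Findings for credentials that do not pin issuer, subject and audience to the
    one GitHub environment that should be able to deploy; every extra credential
    is another workflow that can act as this service principal."""
    findings = []
    matched = False
    for c in creds:
        name = c.get("name", "<unnamed>")
        if c.get("issuer") != GITHUB_ISSUER:
            findings.append(f"{name}: unexpected issuer {c.get('issuer')}")
        elif c.get("subject") != expected_subject:
            findings.append(f"{name}: subject {c.get('subject')!r} does not match expected")
        elif sorted(c.get("audiences", [])) != EXPECTED_AUDIENCES:
            findings.append(f"{name}: unexpected audiences {c.get('audiences')}")
        else:
            matched = True
    if not matched:
        findings.append("no federated credential matches the expected issuer/subject/audience")
    return findings


def unregistered_providers(providers, required=REQUIRED_PROVIDERS):
    """Namespaces from Step 4 whose registrationState is not 'Registered'."""
    state = {p["namespace"].lower(): p.get("registrationState") for p in providers}
    return [ns for ns in required if state.get(ns.lower()) != "Registered"]


def run_checks(assignments, creds, providers, subscription_id, resource_group):
    """All findings in one list; an empty list means the setup matches the guide."""
    return (check_role_assignments(assignments, subscription_id, resource_group)
            + check_federated_credentials(creds)
            + [f"provider not registered: {ns}" for ns in unregistered_providers(providers)])


# ---- constructed sample CLI output (not real identifiers) -------------------
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "mycompany-docaifabric-rg"
SAMPLE_ASSIGNMENTS = [
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}"},
    # A leftover subscription-wide assignment: wider than the guide intends.
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUBSCRIPTION_ID}"},
]
SAMPLE_CREDS = [
    {"name": "github-deploy", "issuer": GITHUB_ISSUER, "subject": EXPECTED_SUBJECT,
     "audiences": ["api://AzureADTokenExchange"]},
    # A stale credential for a branch of some other repository (constructed).
    {"name": "old-test", "issuer": GITHUB_ISSUER,
     "subject": "repo:example-org/example-repo:ref:refs/heads/main",
     "audiences": ["api://AzureADTokenExchange"]},
]
SAMPLE_PROVIDERS = (
    [{"namespace": ns, "registrationState": "Registered"} for ns in REQUIRED_PROVIDERS if ns != "Microsoft.Cache"]
    + [{"namespace": "Microsoft.Cache", "registrationState": "NotRegistered"}]
)

if __name__ == "__main__":
    if len(sys.argv) == 6:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as c, open(sys.argv[3]) as p:
            args = (json.load(a), json.load(c), json.load(p), sys.argv[4], sys.argv[5])
    else:
        args = (SAMPLE_ASSIGNMENTS, SAMPLE_CREDS, SAMPLE_PROVIDERS, SUBSCRIPTION_ID, RESOURCE_GROUP)
    for finding in run_checks(*args) or ["OK: setup matches the guide"]:
        print(finding)
```

Run against the samples it reports three findings: the subscription-wide Reader assignment, the stale federated credential, and the unregistered Microsoft.Cache namespace. Scope comparison is done on lowercased strings because ARM returns `resourceGroups` with varying capitalisation.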

Step 5: Deploy Azure OpenAI

Create an Azure OpenAI resource and deploy the gpt-5.4-mini model:

5a. Create the Azure OpenAI resource

# <OPENAI_RESOURCE_NAME>: choose a unique name (e.g., "mycompany-openai")
# <RESOURCE_GROUP_NAME>: resource group from Step 1 (must already exist)
# <REGION>: same region as Step 1 (recommended)
az cognitiveservices account create \
  --name <OPENAI_RESOURCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --location <REGION> \
  --kind OpenAI \
  --sku S0

5b. Create a content filter policy

The default Azure OpenAI content filter can produce false positives on document text (addresses, financial data, legal terms, etc.). Create a permissive policy that raises all thresholds to High:

az rest --method PUT \
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.CognitiveServices/accounts/<OPENAI_RESOURCE_NAME>/raiPolicies/DocAIFabricPermissive?api-version=2024-10-01" \
--body '{
"properties": {
"basePolicyName": "Microsoft.DefaultV2",
"contentFilters": [
{"name": "hate", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Prompt"},
{"name": "sexual", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Prompt"},
{"name": "selfharm", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Prompt"},
{"name": "violence", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Prompt"},
{"name": "hate", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Completion"},
{"name": "sexual", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Completion"},
{"name": "selfharm", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Completion"},
{"name": "violence", "blocking": true, "enabled": true, "severityThreshold": "High", "source": "Completion"}
]
}
}'
Caution: Without a permissive content filter, document extraction may fail with "content management policy" errors on ordinary business documents (invoices, contracts, medical forms, etc.).

5c. Deploy the model

# (The Azure CLI does not expose the content filter parameter directly,
# so we use 'az rest' to call the ARM API which supports raiPolicyName)
cat > /tmp/oai-deployment.json << 'EOF'
{
"sku": {
"name": "DataZoneStandard",
"capacity": 500
},
"properties": {
"model": {
"format": "OpenAI",
"name": "gpt-5.4-mini",
"version": "2026-03-20"
},
"raiPolicyName": "DocAIFabricPermissive"
}
}
EOF

az rest --method PUT \
--url "https://management.azure.com/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>/providers/Microsoft.CognitiveServices/accounts/<OPENAI_RESOURCE_NAME>/deployments/gpt-5.4-mini?api-version=2024-10-01" \
--body @/tmp/oai-deployment.json
# The last path segment ("gpt-5.4-mini") is the deployment name - change it if
# you need a second deployment of the same model (e.g., "gpt-5.4-mini-secondary").
Info: The "capacity": 500 sets the rate limit to 500K tokens per minute, which we recommend for production workloads with parallel document processing. You can adjust this later, increasing to 1000 if you hit rate limits during peak processing.
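The policy in 5b and the deployment in 5c are linked only by the `raiPolicyName` string, and the policy body repeats the same filter eight times by hand. The helper below is an added example, not DocAI Fabric tooling or an Azure SDK call: it generates both request bodies from the parameters the guide uses and cross-checks them before you run `az rest`, so a mistyped policy name or a category missing on the Completion side is caught locally rather than as a failed PUT or a filter gap. Model name, version, SKU and capacity default to the values on this page.

```python
"""Build and cross-check the Step 5b content-filter policy and the Step 5c
deployment body (added example; not part of DocAI Fabric)."""
import json

CATEGORIES = ("hate", "sexual", "selfharm", "violence")
SOURCES = ("Prompt", "Completion")
SEVERITIES = ("Low", "Medium", "High")


def build_rai_policy(threshold="High", base_policy="Microsoft.DefaultV2"):
    """Body for PUT .../raiPolicies/<name>: every category filtered on both sides."""
    if threshold not in SEVERITIES:
        raise ValueError(f"threshold must be one of {SEVERITIES}")
    filters = [
        {"name": c, "blocking": True, "enabled": True,
         "severityThreshold": threshold, "source": s}
        for s in SOURCES for c in CATEGORIES
    ]
    return {"properties": {"basePolicyName": base_policy, "contentFilters": filters}}


def build_deployment(policy_name, model="gpt-5.4-mini", version="2026-03-20",
                     capacity=500, sku="DataZoneStandard"):
    """Body for PUT .../deployments/<name>; capacity is in thousands of tokens/minute."""
    if not isinstance(capacity, int) or capacity <= 0:
        raise ValueError("capacity must be a positive integer")
    return {
        "sku": {"name": sku, "capacity": capacity},
        "properties": {
            "model": {"format": "OpenAI", "name": model, "version": version},
            "raiPolicyName": policy_name,
        },
    }


def check_consistency(policy_name, policy, deployment):
    """Findings that would make the deployment fail or leave a filter gap: a
    raiPolicyName different from the policy you PUT, a missing category/source
    pair, or a filter that is present but not enforced (disabled or non-blocking)."""
    findings = []
    referenced = deployment["properties"].get("raiPolicyName")
    if referenced != policy_name:
        findings.append(f"deployment references {referenced!r}, expected {policy_name!r}")
    present = {(f["name"], f["source"]): f for f in policy["properties"]["contentFilters"]}
    for s in SOURCES:
        for c in CATEGORIES:
            f = present.get((c, s))
            if f is None:
                findings.append(f"no filter for {c}/{s}")
            elif not (f.get("enabled") and f.get("blocking")):
                findings.append(f"filter {c}/{s} is not enforced")
    return findings


if __name__ == "__main__":
    name = "DocAIFabricPermissive"
    policy, deployment = build_rai_policy(), build_deployment(name)
    print("findings:", check_consistency(name, policy, deployment) or "none")
    # Write the bodies for use with: az rest --method PUT --url ... --body @<file>
    with open("/tmp/oai-policy.json", "w") as f:
        json.dump(policy, f, indent=2)
    with open("/tmp/oai-deployment.json", "w") as f:
        json.dump(deployment, f, indent=2)
```

The policy name passed to `check_consistency` must be the last path segment of the `raiPolicies/...` URL you use in 5b; the check compares that string against the deployment body, which is exactly the link ARM resolves when it creates the deployment.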

5d. Retrieve the endpoint and key

# Get the endpoint URL (same resource name and resource group as above)
az cognitiveservices account show \
  --name <OPENAI_RESOURCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --query properties.endpoint -o tsv

# Get the API key
az cognitiveservices account keys list \
  --name <OPENAI_RESOURCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --query key1 -o tsv

Note down the endpoint URL, deployment name (gpt-5.4-mini), and API key.

Want load balancing or failover?

You can deploy multiple Azure OpenAI resources (same or different regions) and share all of them with us. We will configure automatic load balancing and failover across all provided endpoints.

Step 6: Deploy Azure AI Document Intelligence (OCR)

Create an Azure Document Intelligence resource:

# <DOCUMENT_INTELLIGENCE_NAME>: choose a unique name (e.g., "mycompany-docintell")
# <RESOURCE_GROUP_NAME>: resource group from Step 1 (must already exist)
# <REGION>: same region as Step 1 (recommended)
az cognitiveservices account create \
  --name <DOCUMENT_INTELLIGENCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --location <REGION> \
  --kind FormRecognizer \
  --sku S0

Then retrieve the endpoint and key:

# Get the endpoint URL (same resource name and resource group as above)
az cognitiveservices account show \
  --name <DOCUMENT_INTELLIGENCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --query properties.endpoint -o tsv

# Get the API key
az cognitiveservices account keys list \
  --name <DOCUMENT_INTELLIGENCE_NAME> \
  --resource-group <RESOURCE_GROUP_NAME> \
  --query key1 -o tsv

Note down the endpoint URL and API key. The application uses the built-in prebuilt-read model, so no additional model deployment is needed.

Step 7: Enable Copilot Voice Input (Optional)

The Copilot works out of the box: it uses the same Azure OpenAI model deployed in Step 5. No additional setup is required.

You can optionally enable Advanced Copilot, which upgrades reasoning to Anthropic Claude Sonnet 4.6 and adds voice input. This requires deploying two additional models in a supported region.

See the Enable Advanced Copilot guide for full instructions.


Information to Share With Us

| Item | Example |
|---|---|
| Subscription ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Tenant ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Service Principal App ID | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Resource Group Name | mycompany-docaifabric-rg |
| Azure Region | westeurope |
| OpenAI endpoint URL * | https://your-resource.openai.azure.com/ |
| OpenAI deployment name * | gpt-5.4-mini |
| OpenAI API key * | API key from Keys and Endpoint |
| Document Intelligence endpoint | https://docai-reader.cognitiveservices.azure.com |
| Document Intelligence API key | API key from Keys and Endpoint |

* If you have multiple Azure OpenAI endpoints for load balancing, share endpoint URL, deployment name, and API key for each one.



Next Steps