One of the thornier problems in production agentic AI systems isn’t the model — it’s what happens when the model generates code that needs to actually run. Agent-generated code is, by definition, code you don’t fully trust. You don’t know what it does until it executes. So how do you run it safely at scale?

Microsoft’s answer, now in public preview, is Azure Container Apps Sandboxes.

What the Sandboxes Actually Are

Announced on June 2, 2026, Azure Container Apps Sandboxes introduces a new first-class Azure resource type: Microsoft.App/SandboxGroups. Each sandbox is a Hyper-V microVM — a hardware-isolated environment that is fully separated from the host, the platform, and every other sandbox running alongside it.

This is meaningfully different from container isolation. Standard containers share the host kernel; a compromised container is one kernel vulnerability away from compromising the host. Hyper-V microVMs have their own kernel, their own memory space, and hardware-enforced boundaries between them. For code you genuinely don’t trust — LLM-generated scripts, user-submitted plugins, third-party agent extensions — this is the right isolation model.

Key Technical Capabilities

Sub-second cold starts: The sandboxes boot from OCI disk images (or snapshots) with startup times competitive with standard container cold starts. Warm pools can push the 90th percentile latency under 100ms — fast enough for interactive agentic workflows where an agent needs to spin up a sandbox, execute code, and return results in real time.

Scale to thousands concurrently: The system is designed for high-concurrency agentic scenarios, where many agents might be requesting sandboxed execution simultaneously. Microsoft’s own products — including Cloud Sandboxes in GitHub Copilot and Foundry Hosted Agents — are built on this same infrastructure.

Snapshot-based persistence: Sandboxes can be suspended and resumed via full memory and disk snapshots. This supports stateful workloads where you need the sandbox to persist across multiple agent interactions without incurring ongoing compute charges while idle. Scale-to-zero is built in.

Network egress control: Deny-by-default network egress with allowlist policies. Agent-generated code running in a sandbox cannot exfiltrate data to arbitrary external endpoints unless you explicitly permit it — a critical requirement for enterprise security teams.

Bring your own OCI images: You’re not limited to Microsoft’s provided runtimes. Convert any OCI image to a bootable disk image and run it in a sandbox with full isolation guarantees.

MCP integration: The sandboxes support Model Context Protocol integration, enabling MCP servers to run inside isolated environments and be exposed to agents through secure channels.
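The deny-by-default egress model described under "Network egress control", as an added example. It is not Microsoft's code and not the Sandboxes policy schema: the rule format, the `ALLOWLIST` entries, and the function names are assumptions made for illustration. It shows the matching details an allowlist has to get right: label-boundary wildcards, host normalization, IP literals, and userinfo in URLs.

```python
# Conceptual deny-by-default egress check (added example; the rule format is
# an assumption, not the Azure Container Apps Sandboxes policy schema).
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of (host pattern, port). "*." matches subdomains only.
ALLOWLIST = [
    ("pypi.org", 443),
    ("*.pythonhosted.org", 443),
    ("10.20.0.5", 5432),  # constructed private database address
]
DEFAULT_PORTS = {"https": 443, "http": 80}

def normalize_host(host):
    """Lower-case and drop the trailing root dot so 'PyPI.org.' == 'pypi.org'."""
    return host.rstrip(".").lower()

def host_matches(pattern, host):
    pattern = normalize_host(pattern)
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".pythonhosted.org"
        # Require a label boundary and a non-empty subdomain label.
        return len(host) > len(suffix) and host.endswith(suffix)
    return host == pattern

def egress_allowed(url, allowlist=ALLOWLIST):
    """Return True only when the destination matches an explicit rule."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.hostname is None:
        return False
    # .hostname excludes userinfo, so 'allowed.host@other.host' resolves to other.host
    host = normalize_host(parts.hostname)
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme)
    if port is None:
        return False  # unknown scheme with no explicit port: deny
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals match only exact IP rules, never wildcard patterns.
        return any(p == ip and rule_port == port for p, rule_port in allowlist)
    return any(host_matches(p, host) and rule_port == port
               for p, rule_port in allowlist)
```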

Why This Exists Now

The timing isn’t accidental. As agentic AI moves from pilot to production, the code execution problem has become unavoidable. Code interpreter agents — the kind that let users upload data and have the model write and run analysis code — are one of the highest-value agentic use cases in enterprise environments. They’re also one of the highest-risk.

The traditional approaches don’t scale well:

  • Subprocess isolation on the host: Cheap, but any sufficiently clever exploit can break out
  • Standard containers: Better, but shared kernel means shared risk
  • Full VMs: Strong isolation, but boot times measured in seconds or minutes kill any interactive workflow

Hyper-V microVMs thread the needle. They offer near-container startup speeds with near-VM isolation guarantees. Azure Container Apps Sandboxes packages that into a managed service with per-use billing, auto-scaling, and enterprise security controls.

The Enterprise Security Angle

For security-conscious organizations, a few aspects of the Sandboxes design stand out:

Managed identity support: Sandboxes can assume managed identities, enabling authenticated access to Azure resources without passing credentials into potentially untrusted code.

Custom VNet integration: Sandboxes can be placed inside your existing virtual networks, inheriting your network security group rules and routing policies.

Lifecycle policies: Automatic suspension on idle and automatic deletion after a configurable period reduce the attack surface of long-running sandboxes.

Secrets management: Sandboxes integrate with Azure’s secrets management infrastructure, avoiding the need to inject credentials as environment variables into untrusted execution environments.

Availability and Access

Azure Container Apps Sandboxes is in public preview as of early June 2026. It’s available via the Azure portal (in the new Container Apps experience), the CLI, and ARM/Bicep templates. Sandbox Groups act as the management boundary — conceptually similar to a Container Apps Environment, but purpose-built for short-lived, high-isolation workloads.

InfoQ’s coverage confirms that this builds on Azure’s earlier Dynamic Sessions feature, which used similar Hyper-V isolation but with more limited programmability. Sandbox Groups are the evolved, production-grade version of that capability.

What Teams Should Consider

If you’re building agentic systems that execute code — code interpreters, tool-use agents, plugin execution environments, or any scenario where an LLM decides what code to run — Azure Container Apps Sandboxes is worth a serious look during the preview period.

The key questions to evaluate:

  • Does your threat model require hardware-level isolation, or is container-level isolation sufficient?
  • What are your latency requirements for code execution? Sub-second cold starts are impressive but there’s still overhead compared to in-process execution.
  • Do you need stateful sandboxes (snapshot/resume), or are your workloads fully stateless?

For organizations already heavily invested in Azure, the managed identity integration and VNet support make this a particularly clean fit. For everyone else, the capability itself represents the direction the industry is heading: isolated, ephemeral, hardware-enforced execution environments as a first-class primitive for agentic infrastructure.


Sources

  1. Microsoft TechCommunity — Introducing Azure Container Apps Sandboxes
  2. InfoQ — Run Untrusted AI Agent Code Safely with Azure Container Apps Sandboxes
  3. Microsoft Learn — Sessions Custom Container
  4. Adam the Automator — Containers vs gVisor vs microVMs: Azure AI Agent

Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260614-2000
