CodcompassCodcompass
← Back to Blog
DevOps2026-05-13Β·72 min read

You Can Probably Use Claude Code for Free at Work

By Louis Liu

Current Situation Analysis

Engineering organizations routinely face a fragmented AI tooling landscape. Individual developers subscribe to premium coding assistants at $17–$20 per seat, while the enterprise simultaneously allocates millions in Azure consumption credits toward centralized AI infrastructure. This budgetary silo creates shadow IT spend, bypasses security review, and eliminates centralized observability. The root cause is rarely technical limitation; it is architectural unawareness. Most teams do not realize that Microsoft Foundry (formerly Azure AI Studio) natively supports direct routing for Claude Code, effectively converting a personal subscription expense into a governed, enterprise-backed workflow.

The problem persists because procurement, platform engineering, and development teams operate on separate tracks. Platform teams provision Foundry deployments for application backends, while frontend and infrastructure developers reach for CLI tools that default to direct Anthropic API endpoints. The integration path exists, but it requires explicit environment configuration and Entra ID authentication routing. Without a standardized setup pattern, developers either pay out-of-pocket or bypass corporate AI gateways entirely, losing audit trails, cost allocation tags, and conditional access policies.

Data from enterprise AI adoption patterns shows that centralized model routing reduces per-seat AI spend by 60–80% when leveraging existing Azure Enterprise Agreements. By routing Claude Code through Foundry, organizations retain the exact developer experience while shifting billing to centralized Azure consumption pools. This eliminates subscription duplication, enforces identity-based access control, and aligns AI tooling with existing cloud governance frameworks.

WOW Moment: Key Findings

The architectural shift from direct API consumption to Foundry-backed routing fundamentally changes how AI tooling is provisioned, secured, and billed. The table below contrasts the two approaches across operational dimensions that matter to platform and security teams.

Approach Monthly Cost per Seat Authentication Model Governance & Auditability Deployment Flexibility
Direct Anthropic API $17.00 (subscription) Static API keys None (personal billing) Fixed to Anthropic's public endpoints
Microsoft Foundry Integration $0.00 (covered by Azure credits) Entra ID + Azure CLI tokens Full RBAC, conditional access, spend tagging Custom VNet routing, private endpoints, version pinning

This finding matters because it decouples developer productivity from individual licensing constraints. Foundry acts as a unified inference gateway, allowing organizations to apply existing Azure policies to CLI-based AI workflows. Developers retain identical command-line behavior, while platform teams gain centralized cost allocation, identity verification, and network egress control. The integration requires zero code changes to Claude Code itself; it only requires environment routing and credential delegation.

Core Solution

Implementing Foundry routing for Claude Code involves four architectural decisions: identity delegation, environment routing, model version pinning, and credential lifecycle management. Each decision addresses a specific production requirement.

Step 1: Verify Foundry Deployment Availability

Before configuring the CLI, confirm that your organization has provisioned Claude models within Microsoft Foundry. Navigate to https://ai.azure.com/nextgen, select Build from the top navigation, and open Models in the sidebar. Locate your deployed model identifiers. Typical enterprise deployments use explicit version tags such as claude-opus-4-7, claude-sonnet-4-6, and claude-haiku-4-5. Note the exact deployment names; Foundry's UI recently renamed "resources" to "projects," but the underlying routing identifier remains consistent.

Step 2: Delegate Authentication via Entra ID

Static API keys introduce rotation overhead, secret leakage risk, and bypass conditional access policies. Entra ID + Azure CLI authentication solves this by issuing short-lived OAuth tokens that inherit your organization's identity governance. Install the Azure CLI if not already present, then authenticate against your corporate tenant:

az login --tenant <your-corporate-tenant-id>

Verify the active context matches your enterprise subscription:

az account show --query "{Name:name, TenantId:tenantId, SubscriptionId:id}" -o table

This step ensures Claude Code inherits your corporate identity context rather than falling back to personal Microsoft accounts or cached credentials.

Step 3: Configure Environment Routing

Claude Code reads routing instructions from environment variables. Instead of exporting variables directly into your shell profile, use a structured loader that validates prerequisites before applying configuration. This prevents silent failures when credentials expire or deployments change.

Create a validation and routing script:

#!/usr/bin/env bash
# foundry-claude-router.sh

set -euo pipefail

REQUIRED_VARS=(
  "CLAUDE_CODE_USE_FOUNDRY"
  "ANTHROPIC_FOUNDRY_RESOURCE"
  "ANTHROPIC_DEFAULT_OPUS_MODEL"
  "ANTHROPIC_DEFAULT_SONNET_MODEL"
  "ANTHROPIC_DEFAULT_HAIKU_MODEL"
)

for var in "${REQUIRED_VARS[@]}"; do
  if [[ -z "${!var:-}" ]]; then
    echo "[ERROR] Missing required environment variable: $var"
    exit 1
  fi
done

echo "[INFO] Foundry routing validated. Initializing Claude Code session..."
claude

Source this script or integrate it into your project's development workflow. The explicit validation prevents partial configurations from causing silent API fallbacks.

Step 4: Pin Model Deployments Explicitly

Foundry's default model aliases (e.g., opus, sonnet) often resolve to older minor versions until platform teams update the routing table. Relying on aliases introduces unpredictable behavior in automated workflows. Explicitly map each Claude Code tier to your deployed version identifiers:

export CLAUDE_CODE_USE_FOUNDRY=1
export ANTHROPIC_FOUNDRY_RESOURCE="prod-ai-gateway"
export ANTHROPIC_DEFAULT_OPUS_MODEL="claude-opus-4-7"
export ANTHROPIC_DEFAULT_SONNET_MODEL="claude-sonnet-4-6"
export ANTHROPIC_DEFAULT_HAIKU_MODEL="claude-haiku-4-5"

If your organization routes traffic through private endpoints or custom DNS, override the base URL instead of the resource name:

export ANTHROPIC_FOUNDRY_BASE_URL="https://prod-ai-gateway.services.ai.azure.com/anthropic"

Architecture Rationale

  • Entra ID over API Keys: Token-based authentication integrates with Azure Conditional Access, enabling MFA enforcement, device compliance checks, and automatic revocation. Static keys require manual rotation and lack granular revocation.
  • Explicit Model Pinning: Prevents version drift during model updates. Foundry's alias routing is managed by platform teams and may lag behind Anthropic's release cadence.
  • Validation-First Loading: Fails fast when environment state is incomplete. Silent fallbacks to direct Anthropic endpoints bypass corporate billing and security controls.
  • Base URL Override: Supports air-gapped environments, private link configurations, and custom egress proxies without modifying Claude Code's internal routing logic.

Pitfall Guide

1. Tenant Context Drift

Explanation: az login defaults to the first available tenant in your credential cache. If you maintain personal and corporate Microsoft accounts, authentication may route to the wrong directory, causing 401/403 errors when accessing Foundry deployments. Fix: Always specify the tenant ID during login. Verify context with az account show before launching Claude Code. Use az login --tenant <id> in automation scripts to enforce deterministic routing.

2. Deployment Name Case Sensitivity

Explanation: Foundry deployment identifiers are case-sensitive. Claude Code passes the exact string from ANTHROPIC_DEFAULT_*_MODEL to the Foundry routing layer. A mismatch like Claude-Opus-4-7 vs claude-opus-4-7 triggers model resolution failures. Fix: Copy deployment names directly from the Foundry Models dashboard. Implement a pre-flight check that queries the Foundry API to verify deployment existence before session initialization.

3. Credential Cache Staleness

Explanation: Azure CLI tokens expire after configurable intervals (typically 1 hour for access tokens). Claude Code does not automatically refresh expired tokens mid-session, causing abrupt authentication failures during long coding tasks. Fix: Run az login periodically or configure Azure CLI to use device code flow with extended refresh tokens. Integrate token refresh hooks into your shell profile or IDE lifecycle.

4. Implicit Model Versioning

Explanation: Leaving ANTHROPIC_DEFAULT_OPUS_MODEL unset forces Claude Code to use Foundry's default opus alias. Platform teams may not update this alias immediately after new releases, causing your workflow to run on outdated model weights. Fix: Always pin explicit version strings. Document the expected model versions in your team's runbook and automate version verification in CI/CD pipelines.

5. Environment Variable Scope Leakage

Explanation: Exporting routing variables globally in .zshrc or .bashrc applies them to every terminal session, including personal projects or non-Azure workflows. This can cause accidental billing routing or credential conflicts. Fix: Scope variables to project directories using direnv, .env files loaded by your IDE, or wrapper scripts. Never pollute global shell environments with enterprise routing configuration.

6. Network Egress Restrictions

Explanation: Corporate firewalls or zero-trust proxies may block outbound traffic to *.services.ai.azure.com. Claude Code will fail silently or timeout if DNS resolution or TLS handshakes are intercepted. Fix: Whitelist Foundry endpoints in your egress policy. If using private endpoints, ensure ANTHROPIC_FOUNDRY_BASE_URL points to the internal DNS record. Test connectivity with curl -v before launching the CLI.

7. Permission Boundary Violations

Explanation: Developers with Contributor access may accidentally create new Foundry deployments instead of using existing ones, fragmenting cost allocation and bypassing security review. Fix: Assign Reader or AI Developer roles for CLI routing. Reserve Contributor access for platform engineering teams. Use Azure Policy to restrict model deployment to approved resource groups.

Production Bundle

Action Checklist

  • Verify Foundry deployment: Confirm Claude models exist in https://ai.azure.com/nextgen under Build > Models
  • Authenticate with Entra ID: Run az login --tenant <tenant-id> and validate context with az account show
  • Pin model versions: Set explicit ANTHROPIC_DEFAULT_*_MODEL variables matching Foundry deployment names
  • Scope environment variables: Use project-local .env or direnv instead of global shell exports
  • Validate routing: Execute a pre-flight script that checks required variables and token validity before launching Claude Code
  • Configure egress rules: Ensure corporate proxies allow TLS traffic to *.services.ai.azure.com or internal private endpoints
  • Assign least-privilege RBAC: Grant AI Developer or Reader roles; restrict Contributor access to platform teams
  • Monitor consumption: Tag Azure AI Foundry resources with cost allocation tags and review monthly Azure Cost Management reports

Decision Matrix

Scenario Recommended Approach Why Cost Impact
Enterprise with existing Azure EA Foundry routing via Entra ID Leverages prepaid credits, enforces governance, eliminates per-seat subscriptions $0 incremental; shifts to centralized Azure billing
Startup without Azure credits Direct Anthropic API Simpler setup, no Azure overhead, predictable per-seat pricing $17/mo per developer subscription
Air-gapped or compliance-heavy environment Foundry with private endpoint + base URL override Keeps traffic within VNet, satisfies data residency requirements, enables custom egress controls Azure networking costs; no external API fees
Multi-tenant organization Explicit tenant routing + RBAC scoping Prevents credential drift, isolates cost centers, enforces conditional access Minimal; requires Azure AD Premium for advanced policies

Configuration Template

# .env.foundry-claude
# Load with: source .env.foundry-claude

# Enable Foundry routing
export CLAUDE_CODE_USE_FOUNDRY=1

# Azure resource identifier (replace with your Foundry project name)
export ANTHROPIC_FOUNDRY_RESOURCE="corp-ai-foundry-prod"

# Alternative: Direct base URL for private endpoint routing
# export ANTHROPIC_FOUNDRY_BASE_URL="https://corp-ai-foundry-prod.services.ai.azure.com/anthropic"

# Explicit model version pinning (must match Foundry deployment names exactly)
export ANTHROPIC_DEFAULT_OPUS_MODEL="claude-opus-4-7"
export ANTHROPIC_DEFAULT_SONNET_MODEL="claude-sonnet-4-6"
export ANTHROPIC_DEFAULT_HAIKU_MODEL="claude-haiku-4-5"

# Optional: Azure CLI token refresh interval (in minutes)
export AZURE_TOKEN_REFRESH_INTERVAL=55

Quick Start Guide

  1. Authenticate: Run az login --tenant <your-tenant-id> and verify with az account show.
  2. Verify Deployment: Open https://ai.azure.com/nextgen, navigate to Build > Models, and copy your exact Claude deployment names.
  3. Load Configuration: Create a .env.foundry-claude file using the template above, replacing resource and model names with your deployment identifiers.
  4. Validate & Launch: Source the environment file, run a quick connectivity check (curl -I https://$ANTHROPIC_FOUNDRY_RESOURCE.services.ai.azure.com), then start claude. The CLI will route through Foundry using your Entra ID credentials.