Microsoft Launches Azure Container Apps Sandboxes Preview

Microsoft announced the public preview of Azure Container Apps Sandboxes as a new first-class resource for ephemeral, hardware-isolated agent workloads, per the Apps on Azure blog (Jun 02, 2026). The service exposes a resource type Microsoft.App/SandboxGroups and offers sub-second startup, snapshot-based suspend-and-resume, per-sandbox microVM isolation, OCI image support, network egress controls, managed identities, and scale-to-zero billing, according to Microsoft documentation and blog posts. The Linux and Open Source Blog describes integration with the Agent Governance Toolkit (agt-sandbox) to enforce host-side policy and an egress allowlist. Editorial analysis: for teams executing model-generated code, this reduces the operational burden of custom isolation and can change agent platform architecture choices.
What happened
Microsoft announced the public preview of Azure Container Apps Sandboxes in an Apps on Azure blog post dated Jun 02, 2026. Per Microsoft documentation, sandboxes are delivered as a first-class ARM resource type, Microsoft.App/SandboxGroups, within Container Apps. The public preview documentation and the Apps on Azure blog state sandboxes start from OCI images, run in hardware-isolated microVM boundaries, support snapshot-based suspend and resume, and are designed for sub-second startup, scale-to-zero billing, and burst scaling to hundreds or thousands of concurrent sandboxes.
Technical details (reported)
The Azure docs list several core capabilities: sub-second startup, strong isolation via microVMs, suspend and resume with full memory and disk state persistence, OCI container image support, lifecycle control, and network egress policy controls (Microsoft Learn page, sandbox overview). The Apps on Azure blog explains sandboxes are provisioned from prewarmed pools and that Sandbox Groups act as the management and configuration boundary for shared settings such as egress allowlists, managed identity assignment, and lifecycle rules. The Linux and Open Source Blog documents an integration path with the Agent Governance Toolkit (AGT) and a Python package agt-sandbox that enforces host-side policy and denies disallowed snippets before they leave the host process.
Industry context
Editorial analysis: teams that run model-generated code have commonly built bespoke isolation stacks using container runtimes, Kata Containers, or separate clusters to limit blast radius. Microsoft frames sandboxes as a managed alternative that combines hardware-isolated microVMs, fast startup, and snapshot persistence, which addresses both short-lived agent tasks and stateful multi-step agent workflows. This fits a broader vendor trend of offering dedicated, ephemeral execution fabrics aimed at agentic workloads and untrusted code execution.
Why it matters
Editorial analysis: for platform engineers and security teams, the combination of per-session hardware isolation, CI-friendly OCI image support, and built-in egress controls reduces the amount of bespoke plumbing needed to safely execute untrusted code. For teams building agent platforms, the suspend/resume snapshot model also enables longer-running multi-step flows that preserve in-memory context without keeping a VM running continuously, which can change cost and architecture trade-offs compared with persistent VMs or heavyweight container orchestration.
What to watch
- Adoption signals: whether ISVs and agent platforms integrate sandbox APIs and Sandbox Groups into CI/CD pipelines and agent runtimes.
- Policy tool integration: expansion of AGT integrations and third-party tooling to provide host-side static checks, AST scans, and deny lists, as described in the Linux and Open Source Blog.
- Feature maturity: any breaking changes after preview, since Microsoft Learn warns preview sandboxes "might not be compatible with future releases" and the API surface may change.
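To make the host-side policy gate concrete, here is an added illustration of the pattern the Linux and Open Source Blog attributes to AGT and that the "What to watch" list names (static checks, AST scans, deny lists). It is example code written for this article, not the agt-sandbox package and not Microsoft's code: it parses a model-generated Python snippet on the host, refuses it if it imports a denied module, calls a denied builtin, or embeds a URL whose host is not on an egress allowlist, and fails closed when the snippet cannot be parsed. The deny lists, the allowlist, and the sample snippets are all constructed for the example.

```python
"""Illustrative host-side policy gate (hypothetical; not the agt-sandbox package).

Inspects model-generated Python on the host and refuses disallowed snippets
before anything is forwarded to a sandbox. Policy values are constructed.
"""
import ast
from urllib.parse import urlparse

# Constructed policy: modules and builtins the host refuses to forward.
DENIED_MODULES = {"subprocess", "socket", "ctypes"}
DENIED_CALLS = {"eval", "exec", "__import__"}
# Constructed egress allowlist, standing in for a Sandbox Group's allowlist.
EGRESS_ALLOWLIST = {"api.example.com", "pypi.org"}


def host_allowed(url: str) -> bool:
    """True if the URL's host is on the allowlist (exact match, no wildcards)."""
    host = urlparse(url).hostname
    return host is not None and host.lower() in EGRESS_ALLOWLIST


def find_violations(source: str) -> list:
    """Return the policy violations found in the snippet (empty list = clean)."""
    violations = []
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Fail closed: code the host cannot parse is code it cannot reason about.
        return [f"unparseable snippet: {exc.msg} (line {exc.lineno})"]

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in DENIED_MODULES:
                    violations.append(
                        f"import of denied module '{alias.name}' at line {node.lineno}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in DENIED_MODULES:
                violations.append(
                    f"import from denied module '{node.module}' at line {node.lineno}")
        elif isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in DENIED_CALLS:
                violations.append(
                    f"call to denied builtin '{func.id}' at line {node.lineno}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # URL literals in the snippet are checked against the egress allowlist.
            if node.value.startswith(("http://", "https://")) and not host_allowed(node.value):
                violations.append(
                    f"URL '{node.value}' not on egress allowlist at line {node.lineno}")
    return violations


def gate(source: str) -> dict:
    """Decision record for a snippet: allowed only when no violation was found."""
    violations = find_violations(source)
    return {"allowed": not violations, "violations": violations}


if __name__ == "__main__":
    # Constructed sample snippets of the kind a model might produce.
    samples = {
        "clean": "import json\nprint(json.dumps({'a': 1}))",
        "denied_import": "import subprocess\nsubprocess.run(['ls'])",
        "denied_builtin": "eval('1+1')",
        "bad_egress": "import urllib.request\n"
                      "urllib.request.urlopen('https://untrusted.example.net/x')",
        "unparseable": "x = 1 +",
    }
    for name, src in samples.items():
        print(name, gate(src))
```

The scan is deliberately a static, host-side gate: it runs before the snippet reaches the microVM, so the sandbox boundary and the Sandbox Group egress policy remain the enforcement layers and this check only reduces how much disallowed code reaches them. Exact hostname matching keeps the allowlist check simple; a production allowlist would also have to cover redirects and DNS behaviour, which a string-literal scan cannot see.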
Operational notes (reported)
Microsoft documentation calls out role requirements for management operations, specifically the Azure role Container Apps SandboxGroup Data Owner, and warns the API surface for SDK and CLI commands may change during preview. The Apps on Azure blog and docs describe cost behavior as scale-to-zero (no charge when idle) and fast provisioning from prewarmed pools.
For practitioners
Editorial analysis: teams evaluating sandboxing options should compare threat model coverage (microVM isolation, egress proxies, host-side policy enforcement) and operational models (snapshot persistence, image supply chain, identity integration). Observers should also track preview-to-GA changes to APIs and billing behavior before committing critical pipelines to the service.
Scoring Rationale
This is a notable infrastructure release that directly addresses a practical security and operational gap for agentic workloads and untrusted code execution. It is important to platform and security engineers but is not a paradigm-shifting model or research breakthrough.
