
Commit 07f9328

Merge pull request #3038 from andscho-msft/andscho-msft-patch-1
Add note to not grant users access to the storage account if they don't want them to access the workspace
2 parents ba82621 + 1f4abb6 commit 07f9328


1 file changed

+2
-0
lines changed


articles/machine-learning/concept-enterprise-security.md

Lines changed: 2 additions & 0 deletions
@@ -52,6 +52,8 @@ The system-assigned managed identity is used for internal service-to-service aut
5252

5353
We don't recommend that admins revoke the access of the managed identity to the resources mentioned in the preceding table. You can restore access by using the [resync keys operation](how-to-change-storage-access-key.md).
5454

55+
You should not grant users to have permission on the workspace's storage account to users that you do not want to be able to access workspace computes or identities. The workspace's storage account contains code and executables that will be run on your workspace computes. Users that have access to that storage account can edit or change code that will be executed in the context of the workspace, allowing access to workspace data and credentials.
56+
5557
> [!NOTE]
5658
> If your Azure Machine Learning workspace has compute targets (for example, compute cluster, compute instance, or Azure Kubernetes Service [AKS] instance) that were created _before May 14, 2021_, you might have an additional Microsoft Entra account. The account name starts with `Microsoft-AzureML-Support-App-` and has contributor-level access to your subscription for every workspace region.
5759
>
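
Review bot: The first added sentence (new line 55) is hard to parse: "You should not grant users to have permission on the workspace's storage account to users that you do not want..." names "users" twice and never says which permissions are meant. Suggest wording along the lines of "Don't grant permissions on the workspace's storage account to users who shouldn't be able to access workspace computes or identities", and state whether the advice covers read access as well as write access, since the risk the paragraph describes ("can edit or change code that will be executed in the context of the workspace") depends on being able to write. The paragraph also lands between the managed-identity revocation advice and the [!NOTE] about the additional Microsoft Entra account, so consider giving it its own callout so it is not read as part of the managed-identity discussion.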
