Merge pull request #5052 from MicrosoftDocs/main

5/19/2025 PM Publish

Author: Taojunshen

.gitignore

@@ -11,6 +11,8 @@ _repo.*/
 
 .openpublishing.buildcore.ps1
 
+*sec.endpointdlp
+
 # CoPilot instructions and prompts
 .github/copilot-instructions.md
-.github/prompts/*.md
+.github/prompts/*.md

.openpublishing.publish.config.json

@@ -117,7 +117,7 @@
       "branch_mapping": {}
     },
     {
-      "path_to_root": "foundry-samples",
+      "path_to_root": "foundry-samples-main",
       "url": "https://github.com/azure-ai-foundry/foundry-samples",
       "branch": "main",
       "branch_mapping": {}

articles/ai-foundry/concepts/ai-resources.md

@@ -18,58 +18,56 @@ zone_pivot_groups: project-type
 
 Customer-managed keys (CMKs) in [Azure AI Foundry portal](https://ai.azure.com/) provide enhanced control over the encryption of your data. By using CMKs, you can manage your own encryption keys to add an extra layer of protection and meet compliance requirements more effectively.
 
-## About encryption in Azure AI Foundry portal
+## About encryption in Azure AI Foundry
 
-Azure AI Foundry is a service in the Microsoft Azure cloud, and it also relies on other Azure services. By default, these services use Microsoft-managed encryption keys to encrypt data in transit and at rest.
+Azure AI Foundry is a service in the Microsoft Azure cloud. By default,  services use Microsoft-managed encryption keys to encrypt data in transit and at rest.
 
 ::: zone pivot="hub-project"
 
 Hub and [!INCLUDE [hub](../includes/hub-project-name.md)] resources are implementations of the Azure Machine Learning workspace and encrypt data in transit and at rest. For details, see [Data encryption with Azure Machine Learning](../../machine-learning/concept-data-encryption.md).
 
-Azure AI services data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2) compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don't need to modify your code or applications to take advantage of encryption.
-
 ::: zone-end
 
 ::: zone pivot="fdp-project"
 
-## Service-side storage of encrypted data when using customer-managed keys
+Data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2) compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don't need to modify your code or applications to take advantage of encryption.
+
+::: zone-end
 
-Customer-managed key encryption can be enabled during project creation through the Azure portal or Bicep template. The encrypted data is stored service-side on Microsoft-managed resources. Metadata is stored in multitenant resources using document-level CMK encryption. Due to its dedicated resource model, its Azure cost is charged in your subscription.
+## Storage of encrypted data when using customer-managed keys
+
+Customer-managed key encryption can be enabled during resource creation through the Azure portal or template options. The encrypted data is stored service-side on Microsoft-managed resources using your encryption key. 
 
 > [!NOTE]
-> When you use server-side encryption, Azure charges will continue to accrue during the soft delete retention period.
+> Due to the dedicated hosting model for certain services when using customer-managed key encrypted data, additional charges may apply.
 
-::: zone-end
+> [!NOTE]
+> When you use server-side encryption, Azure charges will continue to accrue during the soft delete retention period.
 
 ::: zone pivot="hub-project"
 
-## Data storage in your subscription when using customer-managed keys
+## Service-side storage of encrypted data when using customer-managed keys with AI hub
 
-Hub resources store metadata in your Azure subscription when using customer-managed keys. Data is stored in a Microsoft-managed resource group that includes an Azure Storage account, Azure Cosmos DB resource and Azure AI Search. 
+Two architecture options are available when using customer-managed keys:
 
-> [!IMPORTANT]
-> When using a customer-managed key, the costs for your subscription will be higher because encrypted data is stored in your subscription. To estimate the cost, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+* **Encrypted data is stored in Microsoft subscription (recommended)**
 
-The encryption key you provide when creating a hub is used to encrypt data that is stored on Microsoft-managed resources. All projects using the same hub store data on the resources in a managed resource group identified by the name `azureml-rg-hubworkspacename_GUID`. Projects use Microsoft Entra ID authentication when interacting with these resources. If your hub has a private link endpoint, network access to the managed resources is restricted. The managed resource group is deleted, when the hub is deleted. 
+  Data is stored service-side on Microsoft-managed resources instead of in managed resources in your subscription. Metadata is stored in multitenant resources using document-level CMK encryption. An Azure AI Search instance is hosted on the Microsoft-side per customer, and for each hub.
 
-The following data is stored on the managed resources.
+* **Encrypted data is stored in your subscription** 
 
-|Service|What it's used for|Example|
-|-----|-----|-----|
-|Azure Cosmos DB|Stores metadata for your Azure AI projects and tools|Index names, tags; Flow creation timestamps; deployment tags; evaluation metrics|
-|Azure AI Search|Stores indices that are used to help query your Azure AI Foundry content.|An index based off your model deployment names|
-|Azure Storage Account|Stores instructions for how customization tasks are orchestrated|JSON representation of flows you create in [Azure AI Foundry portal](https://ai.azure.com/)|
+   Data is stored in your subscription using a Microsoft-managed resource group that includes an Azure Storage account, Azure Cosmos DB resource and Azure AI Search. The configuration of these resources cannot be modified. Changes to its configurations are not supported. 
 
->[!IMPORTANT]
-> Azure AI Foundry uses Azure compute that is managed in the Microsoft subscription, for example when you fine-tune models or or build flows. Its disks are encrypted with Microsoft-managed keys. Compute is ephemeral, meaning after a task is completed the virtual machine is deprovisioned, and the OS disk is deleted. Compute instance machines used for 'Code' experiences are persistant. Azure Disk Encryption isn't supported for the OS disk. 
+   All projects using the same hub store data on the resources in a managed resource group identified by the name `azureml-rg-hubworkspacename_GUID`. Projects use Microsoft Entra ID authentication when interacting with these resources. If your hub has a private link endpoint, network access to the managed resources is restricted. The managed resource group is deleted, when the hub is deleted. 
 
-## (Preview) Service-side storage of encrypted data when using customer-managed keys
+  The following data is stored on the managed resources.
 
-A new architecture for customer-managed key encryption with hubs is available in preview, which resolves the dependency on the managed resource group. In this new model, encrypted data is stored service-side on Microsoft-managed resources instead of in managed resources in your subscription. Metadata is stored in multitenant resources using document-level CMK encryption. An Azure AI Search instance is hosted on the Microsoft-side per customer, and for each hub. Due to its dedicated resource model, its Azure cost is charged in your subscription via the hub resource.
+  |Service|What it's used for|Example|
+  |-----|-----|-----|
+  |Azure Cosmos DB|Stores metadata for your Azure AI projects and tools|Index names, tags; Flow creation timestamps; deployment tags; evaluation metrics|
+  |Azure AI Search|Stores indices that are used to help query your Azure AI Foundry content.|An index based off your model deployment names|
+  |Azure Storage Account|Stores instructions for how customization tasks are orchestrated|JSON representation of flows you create in [Azure AI Foundry portal](https://ai.azure.com/)|
 
-> [!NOTE]
-> - During this preview key rotation and user-assigned identity capabilities are not supported. Service-side encryption is currently not supported in reference to an Azure Key Vault for storing your encryption key that has public network access disabled.
-> - If you are using the preview server-side storage, Azure charges will continue to accrue during the soft delete retention period.
 
 ::: zone-end
 
@@ -95,15 +93,16 @@ To enable customer-managed keys, the key vault containing your keys must meet th
 - If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
 - You must grant your hub and Azure AI Services resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
 
-The following limitations hold for Azure AI Services:
+The following limitations hold for Azure AI Foundry:
 - Only Azure Key Vault with [legacy access policies](/azure/key-vault/general/assign-access-policy) are supported.
 - Only RSA and RSA-HSM keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
+- Updates from Customer-Managed keys to Microsoft-managed keys are currently not supported for project sub-resources. Projects will keep referencing your encryption keys if updated.
 
-### Enable your Azure AI Services resource's managed identity
+### Enable your Azure AI Foundry resource's managed identity
 
-If connecting with Azure AI Services, or variants of Azure AI Services such as Azure OpenAI, you need to enable managed identity as a prerequisite for using customer-managed keys.
+Managed identity must be enabled as a prerequisite for using customer-managed keys.
 
-1. Go to your Azure AI services resource.
+1. Go to your Azure AI Foundry resource in Azure portal.
 1. On the left, under **Resource Management**, select **Identity**.
 1. Switch the system-assigned managed identity status to **On**.
 1. Save your changes, and confirm that you want to enable the system-assigned managed identity.
@@ -149,11 +148,9 @@ Alternatively, use infrastructure-as-code options for automation. Example Bicep
 
 * The customer-managed key for encryption can only be updated to keys in the same Azure Key Vault instance.
 * After deployment, hubs can't switch from Microsoft-managed keys to Customer-managed keys or vice versa.
-* [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required to use customer-managed keys in combination with Azure Speech and Content Moderator capabilities.
-* At the time of creation, you can't provide or modify resources that are created in the Microsoft-managed Azure resource group in your subscription.
-* You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your hub.
-* [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is still required for Speech and Content Moderator.
-* If you are using the [server-side preview](#preview-service-side-storage-of-encrypted-data-when-using-customer-managed-keys), Azure charges will continue to accrue during the soft delete retention period.
+* [Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required to use customer-managed keys in combination with Azure Speech and Content Moderator capabilities.
+* [Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is still required for Speech and Content Moderator.
+* If your AI Foundry resource is in a soft-deleted state(#preview-service-side-storage-of-encrypted-data-when-using-customer-managed-keys), any additional Azure charges will continue to accrue during the soft delete retention period.
 
 ::: zone-end
 

articles/ai-foundry/concepts/encryption-keys-portal.md

@@ -186,5 +186,5 @@ If you're building agents outside of Azure AI Agent Service, this evaluator acce
 
 ## Related content
 
-- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets)  
+- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate)  
 - [How to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target)

articles/ai-foundry/concepts/evaluation-evaluators/agent-evaluators.md

@@ -40,7 +40,7 @@ model_config = AzureOpenAIModelConfiguration(
 `AzureOpenAILabelGrader` uses your custom prompt to instruct a model to classify outputs based on labels you define. It returns structured results with explanations for why each label was chosen.
 
 > [!NOTE]
-> We recommend using Azure Open AI GPT o3-mini for best results.
+> We recommend using Azure OpenAI GPT o3-mini for best results.
 
 Here's an example `data.jsonl` that is used in the following code snippets:
 
@@ -262,5 +262,5 @@ Aside from individual data evaluation results, the grader also returns a metric
 
 ## Related content
 
-- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets)  
+- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate)  
 - [How to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target)

articles/ai-foundry/concepts/evaluation-evaluators/azure-openai-graders.md

@@ -151,4 +151,5 @@ friendliness_score = friendliness_eval(response="I will not apologize for my beh
 
 ## Related content
 
-- Learn [how to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets) and [how to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target).
+- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate)  
+- [How to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target)

articles/ai-foundry/concepts/evaluation-evaluators/custom-evaluators.md

@@ -160,5 +160,5 @@ While F1 score outputs a numerical score on 0-1 float scale, the other evaluator
 
 ## Related content
 
-- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets)  
+- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate)  
 - [How to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target)

articles/ai-foundry/concepts/evaluation-evaluators/general-purpose-evaluators.md

@@ -316,5 +316,5 @@ The numerical score on a likert scale (integer 1 to 5) and a higher score is bet
 
 ## Related content
 
-- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets)  
+- [How to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate)  
 - [How to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target)

articles/ai-foundry/concepts/evaluation-evaluators/rag-evaluators.md

@@ -485,4 +485,4 @@ The label field returns a boolean true or false based on whether or not either o
 ## Related content
 
 - Read the [Transparency Note for Safety Evaluators](../safety-evaluations-transparency-note.md) to learn more about its limitations, use cases and how it was evaluated for quality and accuracy.
-- Learn [how to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-datasets) and [how to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target).
+- Learn [how to run batch evaluation on a dataset](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-test-datasets-using-evaluate) and [how to run batch evaluation on a target](../../how-to/develop/evaluate-sdk.md#local-evaluation-on-a-target).