|
1 | 1 | ---
|
2 | 2 | title: Service Configuration in the Azure Portal
|
3 | 3 | titleSuffix: Azure AI Search
|
4 |
| -description: Manage an Azure AI Search service in the Azure portal. |
| 4 | +description: Manage your new Azure AI Search service in the Azure portal. This article provides a day-one checklist for configuring RBAC, managed identities, network security, and more. |
5 | 5 | manager: nitinme
|
6 | 6 | author: haileytap
|
7 | 7 | ms.author: haileytapia
|
8 | 8 | ms.service: azure-ai-search
|
9 |
| -ms.topic: conceptual |
| 9 | +ms.topic: how-to |
10 | 10 | ms.date: 03/04/2025
|
11 | 11 | ---
|
12 | 12 |
|
13 | 13 | # Configure your Azure AI Search service in the Azure portal
|
14 | 14 |
|
15 |
| -In Azure AI Search, the [Azure portal](https://portal.azure.com) supports a broad range of administrative and content management operations so that you don't have to write code unless you want automation. |
| 15 | +Configuring your new Azure AI Search service involves several tasks to optimize security, access, and performance. This article provides a day-one checklist to help you set up your service in the [Azure portal](https://portal.azure.com). |
16 | 16 |
|
17 |
| -Each search service is managed as a standalone resource. Your role assignment determines what operations are exposed in the Azure portal. |
| 17 | +## Day-one configuration checklist |
18 | 18 |
|
19 |
| -## Portal and administrator permissions |
| 19 | +After you create a search service, we recommend that you: |
20 | 20 |
|
21 |
| -Portal access is through [role assignments](search-security-rbac.md). By default, all search services start with at least one Service Administrator or Owner. Service administrators, co-administrators, and owners have permission to create other administrators and other role assignments. They have full access to all portal pages and operations on a default search service. |
| 21 | +> [!div class="checklist"] |
| 22 | +> |
| 23 | +> + [Configure role-based access](#configure-role-based-access). |
| 24 | +> + [Configure a managed identity](#configure-a-managed-identity). |
| 25 | +> + [Configure network security](#configure-network-security). |
| 26 | +> + [Check capacity and understand billing](#check-capacity-and-understand-billing). |
| 27 | +> + [Enable diagnostic logging](#enable-diagnostic-logging). |
| 28 | +> + [Provide connection information to developers](#provide-connection-information-to-developers). |
22 | 29 |
|
23 |
| -If you disable API keys on a search service and use roles only, administrators must grant themselves data plane role assignments for full access to objects and data. These role assignments include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. |
| 30 | +### Configure role-based access |
24 | 31 |
|
25 |
| -> [!TIP] |
26 |
| -> By default, any owner or administrator can create or delete services. To prevent accidental deletions, you can [lock resources](/azure/azure-resource-manager/management/lock-resources). |
27 |
| -
|
28 |
| -## Azure portal at a glance |
29 |
| - |
30 |
| -The overview page is the home page of each service. In the following screenshot, the red boxes indicate tasks, tools, and tiles that you might use often, especially if you're new to the service. |
31 |
| - |
32 |
| -:::image type="content" source="media/search-manage/search-portal-overview-page.png" alt-text="Portal pages for a search service" border="true"::: |
33 |
| - |
34 |
| -| Area | Description | |
35 |
| -|------|-------------| |
36 |
| -| 1 | A command bar at the top of the page includes [Import data wizard](search-get-started-portal.md) and [Search explorer](search-explorer.md), used for prototyping and exploration. | |
37 |
| -| 2 | The **Essentials** section lists service properties, such as the service endpoint, service tier, and replica and partition counts. | |
38 |
| -| 3 | Tabbed pages in the center provide quick access to usage statistics and service health metrics. | |
39 |
| -| 4 | Navigation links to existing indexes, indexers, data sources, and skillsets. | |
| 32 | +Portal access is based on [role assignments](search-security-rbac.md). By default, new search services have at least one service administrator or owner. Service administrators, co-administrators, and owners have permission to create more administrators and assign other roles. They also have access to all portal pages and operations on default search services. |
40 | 33 |
|
41 |
| -You can't change the search service name, subscription, resource group, region (location), or tier. Switching tiers requires creating a new service or filing a support ticket to request a tier upgrade, which is only supported for Basic and higher. |
42 |
| - |
43 |
| -## Day-one management checklist |
| 34 | +> [!TIP] |
| 35 | +> By default, any administrator or owner can create or delete services. To prevent accidental deletions, consider [locking your resources](/azure/azure-resource-manager/management/lock-resources). |
44 | 36 |
|
45 |
| -On a new search service, we recommend these configuration tasks. |
| 37 | +Each search service comes with [API keys](search-security-api-keys.md) and uses key-based authentication by default. However, we recommend using Microsoft Entra ID and role-based access control (RBAC) for improved security. RBAC eliminates the need to store and pass API keys in plain text. |
46 | 38 |
|
47 |
| -### Enable role-based access |
| 39 | +When you switch from key-based authentication to keyless authentication, service administrators must assign themselves data plane roles for full access to objects and data. These roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. |
48 | 40 |
|
49 |
| -A search service is always created with [API keys](search-security-api-keys.md) and uses key-based authentication by default. However, using Microsoft Entra ID and role assignments is a more secure option because it eliminates storing and passing keys in plain text. |
| 41 | +To configure RBAC: |
50 | 42 |
|
51 | 43 | 1. [Enable roles](search-security-enable-roles.md) on your search service. We recommend the roles-only option.
|
52 | 44 |
|
53 |
| -1. For administration, [assign data plane roles](search-security-rbac.md) to replace the functionality lost when you disable API keys. Role assignments include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need all three. |
| 45 | +1. [Assign data plane roles](search-security-rbac.md) to replace the functionality lost when you disable API keys. You need the following roles: |
| 46 | + + Search Service Contributor |
| 47 | + + Search Index Data Contributor |
| 48 | + + Search Index Data Reader |
54 | 49 |
|
55 |
| - Sometimes it can take five to ten minutes for role assignments to take effect. Until that happens, the following message appears in the Azure portal pages used for data plane operations. |
| 50 | + Role assignments can take several minutes to take effect. Until then, portal pages used for data plane operations display the following message: |
56 | 51 |
|
57 |
| - :::image type="content" source="media/search-security-rbac/you-do-not-have-access.png" alt-text="Screenshot of portal message indicating insufficient permissions."::: |
| 52 | + :::image type="content" source="media/search-security-rbac/you-do-not-have-access.png" alt-text="Screenshot of the portal message indicating insufficient permissions."::: |
58 | 53 |
|
59 |
| -1. Continue to [add more role assignments](search-security-rbac.md) for solution developers and apps. |
| 54 | +1. [Assign more roles](search-security-rbac.md) for solution developers and apps. |
60 | 55 |
|
61 | 56 | ### Configure a managed identity
|
62 | 57 |
|
63 |
| -If you plan to use indexers for automated indexing, applied AI, or integrated vectorization, you should [configure the search service to use a managed identity](search-howto-managed-identities-data-sources.md). You can then add role assignments on other Azure services that authorize your search service to access data and operations. |
| 58 | +If you plan to use indexers for automated indexing, applied AI, or integrated vectorization, you should [configure your search service to use a managed identity](search-howto-managed-identities-data-sources.md). You can then assign roles on other Azure services that authorize your search service to access data and operations. |
64 | 59 |
|
65 |
| -For integrated vectorization, a search service identity needs: |
| 60 | +For integrated vectorization, your search service identity needs the following roles: |
66 | 61 |
|
67 | 62 | + Storage Blob Data Reader on Azure Storage
|
68 | 63 | + Cognitive Services Data User on an Azure AI multiservice account
|
69 | 64 |
|
70 |
| -It can take several minutes for role assignments to take effect. |
| 65 | +Role assignments can take several minutes to take effect. |
71 | 66 |
|
72 |
| -Before moving on to network security, consider testing all points of connection to validate role assignments. Run either the [Import data wizard](search-get-started-portal.md) or the [Import and vectorize data wizard](search-get-started-portal-image-search.md) to test permissions. |
| 67 | +Before you move on to network security, consider testing all points of connection to validate role assignments. Run either the [Import data wizard](search-get-started-portal.md) or the [Import and vectorize data wizard](search-get-started-portal-image-search.md) to test permissions. |
73 | 68 |
|
74 | 69 | ### Configure network security
|
75 | 70 |
|
76 |
| -By default, a search service accepts authenticated and authorized requests over public internet connections. Network security restricts access through firewall rules, or by disabling public connections and allowing requests only from Azure virtual networks. |
| 71 | +By default, a search service accepts authenticated and authorized requests over public internet connections. You have two options for enhancing network security: |
77 | 72 |
|
78 |
| -+ [Configure network access](service-configure-firewall.md) to restrict access by IP addresses. |
79 |
| -+ [Configure a private endpoint](service-create-private-endpoint.md) using Azure Private Link and a private virtual network. |
| 73 | +1. [Configure firewall rules](service-configure-firewall.md) to restrict network access by IP address. |
| 74 | +2. [Configure a private endpoint](service-create-private-endpoint.md) to only allow traffic from Azure virtual networks. |
80 | 75 |
|
81 |
| -[Security in Azure AI Search](search-security-overview.md) explains inbound and outbound calls in Azure AI Search. |
| 76 | +To learn about inbound and outbound calls in Azure AI Search, see [Security in Azure AI Search](search-security-overview.md). |
82 | 77 |
|
83 | 78 | ### Check capacity and understand billing
|
84 | 79 |
|
85 |
| -By default, a search service is created in a minimum configuration of one replica and partition each. You can [add capacity](search-capacity-planning.md) by adding replicas and partitions, but we recommend waiting until volumes require it. Many customers run production workloads on the minimum configuration. |
| 80 | +By default, a search service is created with one replica and one partition. You can [add capacity](search-capacity-planning.md) by adding replicas and partitions, but we recommend waiting until volumes require it. Many customers run production workloads on the minimum configuration. |
86 | 81 |
|
87 |
| -Some features add to the cost of running the service: |
| 82 | +Semantic ranker increases the cost of running your service. You can [disable semantic ranker](semantic-how-to-enable-disable.md) at the service level to prevent the use of this feature. |
88 | 83 |
|
89 |
| -+ [How you're charged for Azure AI Search](search-sku-manage-costs.md#how-youre-charged-for-azure-ai-search) explains which features have billing impact. |
90 |
| -+ [(Optional) disable semantic ranker](semantic-how-to-enable-disable.md) at the service level to prevent usage of the feature. |
| 84 | +To learn about other features that affect billing, see [How you're charged for Azure AI Search](search-sku-manage-costs.md#how-youre-charged-for-azure-ai-search). |
91 | 85 |
|
92 | 86 | ### Enable diagnostic logging
|
93 | 87 |
|
94 |
| -[Enable diagnostic logging](search-monitor-enable-logging.md) to track user activity. If you skip this step, you still get [activity logs](/azure/azure-monitor/essentials/activity-log) and [platform metrics](/azure/azure-monitor/essentials/data-platform-metrics#types-of-metrics) automatically, but if you want index and query usage information, you should enable diagnostic logging and choose a destination for logged operations. |
95 |
| - |
96 |
| -We recommend Log Analytics Workspace for durable storage so that you can run system queries in the Azure portal. |
| 88 | +[Enable diagnostic logging](search-monitor-enable-logging.md) to track user activity. If you skip this step, you still get [activity logs](/azure/azure-monitor/essentials/activity-log) and [platform metrics](/azure/azure-monitor/essentials/data-platform-metrics#types-of-metrics) automatically. However, if you want index and query usage information, you should enable diagnostic logging and choose a destination for logged operations. We recommend Log Analytics Workspace for durable storage so that you can run system queries in the Azure portal. |
97 | 89 |
|
98 | 90 | Internally, Microsoft collects telemetry data about your service and the platform. To learn more about data retention, see [Retention of metrics](/azure/azure-monitor/essentials/data-platform-metrics#retention-of-metrics).
|
99 | 91 |
|
100 |
| -> [!NOTE] |
101 |
| -> See the ["Data residency"](search-security-overview.md#data-residency) section of the security overview article for more information about data location and privacy. |
| 92 | +To learn more about data location and privacy, see [Data residency](search-security-overview.md#data-residency). |
102 | 93 |
|
103 | 94 | ### Enable semantic ranker
|
104 | 95 |
|
105 |
| -Semantic ranker is free for the first 1,000 requests per month. It's enabled by default on newer services. |
| 96 | +Semantic ranker is free for the first 1,000 requests per month. It's enabled by default on newer search services. |
106 | 97 |
|
107 |
| -In Azure portal, under **Settings** on the leftmost pane, select **Semantic ranker** and then choose the Free plan. For more information, see [Enable semantic ranker](semantic-how-to-enable-disable.md). |
| 98 | +To enable semantic ranker in the portal, select **Settings** > **Semantic ranker** from the left pane, and then select the **Free** plan. For more information, see [Enable semantic ranker](semantic-how-to-enable-disable.md). |
108 | 99 |
|
109 | 100 | ### Provide connection information to developers
|
110 | 101 |
|
111 | 102 | Developers need the following information to connect to Azure AI Search:
|
112 | 103 |
|
113 |
| -+ An endpoint or URL, provided on the **Overview** page. |
114 |
| -+ An API key from the **Keys** page, or a role assignment (contributor is recommended). |
| 104 | ++ An endpoint or URL from the **Overview** page. |
| 105 | ++ An API key from the **Keys** page or a role assignment (we recommend contributor). |
| 106 | + |
| 107 | +We recommend using the portal for the following wizards and tools: |
| 108 | + |
| 109 | ++ [Import data wizard](search-get-started-portal.md) |
| 110 | ++ [Import and vectorize data](search-get-started-portal-import-vectors.md) |
| 111 | ++ [Search explorer](search-explorer.md) |
115 | 112 |
|
116 |
| -We recommend portal access for the following wizards and tools: [Import data wizard](search-get-started-portal.md), [Import and vectorize data](search-get-started-portal-import-vectors.md), [Search explorer](search-explorer.md). Recall that a user must be a contributor or above to run the import wizards. |
| 113 | +Recall that a user must be a contributor or higher to run the import wizards. |
117 | 114 |
|
118 | 115 | ## Related content
|
119 | 116 |
|