Merge pull request #7283 from jonburchel/2025-09-25-disable-preview-features-with-rbac

denrea · web-flow · commit 5ead44c4a228 · 2025-10-14T13:50:06.000-07:00
Add Disable preview features and Authentication docs
diff --git a/articles/ai-foundry/concepts/authentication-options-ai-foundry.md b/articles/ai-foundry/concepts/authentication-options-ai-foundry.md
@@ -12,7 +12,7 @@ ai.usage: ai-assisted
 ---
 
 # Authentication and authorization options in Azure AI Foundry
-
+<!--
 Azure AI Foundry supports multiple authentication approaches to balance security, operational simplicity, and speed. This article explains the control plane and data plane model, compares API key and Microsoft Entra ID (formerly Azure AD) authentication, maps identities to roles, and describes common least privilege scenarios. Use this article with:
 
 - [Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
@@ -22,7 +22,6 @@ Azure AI Foundry supports multiple authentication approaches to balance security
 
 > [!IMPORTANT]
 > Use Microsoft Entra ID for production workloads to enable conditional access, managed identities, and least privilege RBAC. API keys are convenient for quick evaluation and legacy tooling but lack user level traceability.
-
 ## Control plane vs. data plane
 
 Azure services separate management (_control plane_) from runtime operations (_data plane_).
@@ -40,7 +39,6 @@ _Source file: control-data-plane.mmd (stored alongside the image for maintenance
 
 > [!NOTE]
 > This diagram is conceptual. Check current service documentation for the latest supported resources and operations.
-
 ## Authentication methods
 
 ### API keys
@@ -72,7 +70,6 @@ Microsoft Entra ID uses OAuth 2.0 bearer tokens. Principals get tokens for the r
 
 > [!IMPORTANT]
 > Validate features marked [**TO VERIFY**] against current release notes if you rely on them for compliance-critical scenarios.
-
 | Capability or feature | API Key | Microsoft Entra ID | Notes |
 |---------------------|---------|--------------------|-------|
 | Basic model inference (chat, embeddings) | Yes | Yes | Fully supported. |
@@ -111,7 +108,6 @@ See the authoritative list in [Azure built-in roles (AI + machine learning)](/az
 
 > [!TIP]
 > Create a custom role when a built-in role grants more permissions than you need.
-
 ## Set up Microsoft Entra ID
 
 High-level steps. See the detailed guide: [Configure key-less authentication](../foundry-models/how-to/configure-entra-id.md).
@@ -177,4 +173,5 @@ Some creation workflows can auto assign broad roles, such as granting the resour
 - [Authenticate requests to Azure AI services](/azure/ai-services/authentication)
 - [Configure key-less authentication with Microsoft Entra ID](../foundry-models/how-to/configure-entra-id.md)
 - [Azure built-in roles (AI + machine learning)](/azure/role-based-access-control/built-in-roles#ai-+-machine-learning)
-- [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)
+- [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)
+-->
diff --git a/articles/ai-foundry/concepts/disable-preview-features-with-rbac.md b/articles/ai-foundry/concepts/disable-preview-features-with-rbac.md
@@ -0,0 +1,86 @@
+---
+title: Disable Preview Features with Role-Based Access
+description: Learn how to disable preview features in Azure AI Foundry using role-based access control (RBAC). Create custom roles to manage feature access effectively.
+#customer intent: As an IT admin, I want to disable preview features in Azure AI Foundry through role-based access control so that my organization complies with enterprise policies.
+author: jonburchel
+ms.author: jburchel
+ms.reviewer: meerakurup
+ms.date: 09/25/2025
+ms.topic: concept-article
+ms.service: azure-ai-foundry
+ai.usage: ai-assisted
+---
+
+# Disable preview features in Azure AI Foundry with role-based access control
+
+In Azure AI Foundry projects, some features are in preview. Administrators can bock access to them by denying specific data actions to a custom role, and granting their users role memberships to enable/disable specific features as required. This article lists the data actions for each preview feature so you can disable them on an individual basis. However, since you can't modify built-in roles in Azure AI Foundry projects, you need to create a custom role. For steps to create a custom role, see [Create or update Azure custom roles using the Azure portal - Azure RBAC](/azure/role-based-access-control/custom-roles-portal).
+
+## Agents service data actions
+
+Use these data actions in a custom role definition:
+
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/write`
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/read`
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/delete`
+
+## Content understanding (multimodal intelligence)
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/read`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/write`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/delete`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/read`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/write`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/delete`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/batchAnalysisJobs/\*`
+- Optional: include the /labelingProjects data actions if your team labels documents in Foundry.
+
+## Fine-tuning
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/\*` (include
+  _read_, _write_, and _delete_ and all child resources)
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/files/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/messages/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/vector_stores/\*`
+
+## Tracing
+
+Allow or deny the following data actions in the custom role definition.
+
+Foundry’s Tracing pane uses Azure Monitor. In the custom role wizard, set the provider to Microsoft.Insights, then add or remove only the read actions you need:
+
+- `Microsoft.Insights/alertRules/read`
+- `Microsoft.Insights/diagnosticSettings/read`
+- `Microsoft.Insights/logDefinitions/read`
+- `Microsoft.Insights/metricdefinitions/read`
+- `Microsoft.Insights/metrics/read`
+
+## Evaluation data actions
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/write`
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/read`
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/delete`
+
+## Content safety risks and alerts
+
+The associated data actions to allow or disallow in your custom role
+definition are the following
+
+- `Microsoft.CognitiveServices/accounts/ContentSafety/\*`
+  - …/`Analyze Text`
+  - …/`Analyze Image`
+  - …/`Analyze Protected Material`
+  - …/`Unified Analyze`
+
+## Related content
+
+[Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
diff --git a/articles/ai-foundry/toc-files/security-governance/toc.yml b/articles/ai-foundry/toc-files/security-governance/toc.yml
@@ -1,10 +1,10 @@
 items:
 - name: Identity & access management
   items:
-  - name: Authentication options
-    href: ../../concepts/authentication-options-ai-foundry.md
   - name: Role-based access control
     href: ../../concepts/rbac-azure-ai-foundry.md
+  - name: Disable preview features with RBAC
+    href: ../../concepts/disable-preview-features-with-rbac.md    
   - name: Rotate API access keys
     href: ../../../ai-services/rotate-keys.md?context=/azure/ai-foundry/context/context
   - name: Configure key-less authentication
