Merge pull request #7061 from jonburchel/2025-09-12-break-out-hub-project-docs

Breaks out hub articles into new pages and remove zone pivots from original files

Author: ShannonLeavitt

.openpublishing.redirection.json

@@ -7,7 +7,7 @@
     },
     {
       "source_path": "articles/ai-foundry/how-to/develop/connections-add-sdk.md",
-      "redirect_url": "/azure/ai-foundry/how-to/connections-add?pivots=hub-project",
+      "redirect_url": "/azure/ai-foundry/how-to/connections-add",
       "redirect_document_id": false
     },
     {

articles/ai-foundry/agents/how-to/tools/browser-automation.md

@@ -6,7 +6,7 @@ services: cognitive-services
 manager: nitinme
 ms.service: azure-ai-agent-service
 ms.topic: how-to
-ms.date: 08/12/2025
+ms.date: 09/15/2025
 author: aahill
 ms.author: aahi
 ms.custom: azure-ai-agents
@@ -65,7 +65,7 @@ An example flow would be:
 
         * **Key**: [Get the Playwright access token](https://aka.ms/pww/docs/generate-access-token)
 
-    For more information on creating a connection, see [Create a connection](../../../how-to/connections-add.md?pivots=fdp-project).
+    For more information on creating a connection, see [Create a connection](../../../how-to/connections-add.md).
 
 1. Configure your client by adding a Browser Automation tool using the Azure Playwright connection ID.
 

articles/ai-foundry/concepts/ai-resources.md

@@ -5,7 +5,7 @@ description: This article introduces concepts about Azure AI Foundry hubs for yo
 ms.author: sgilley
 author: sdgilley
 ms.reviewer: deeikele
-ms.date: 08/11/2025
+ms.date: 09/15/2025
 ms.service: azure-ai-foundry
 ms.topic: concept-article
 ms.custom:
@@ -36,7 +36,7 @@ Hubs group one or more projects together with common settings including data acc
 
 ## Create a hub-based project
 
-To start developing, [create a [!INCLUDE [hub-project-name](../includes/hub-project-name.md)]](../how-to/create-projects.md?pivots=hub-project). Hub-based projects can be accessed in [AI Foundry Portal](https://ai.azure.com/?cid=learnDocs) to build with generative AI tools, and [ML Studio](https://ml.azure.com) to build with tools designed for custom machine learning model training.
+To start developing, [create a [!INCLUDE [hub-project-name](../includes/hub-project-name.md)]](../how-to/hub-create-projects.md). Hub-based projects can be accessed in [AI Foundry Portal](https://ai.azure.com/?cid=learnDocs) to build with generative AI tools, and [ML Studio](https://ml.azure.com) to build with tools designed for custom machine learning model training.
 
 ## Project concepts
 
@@ -88,7 +88,7 @@ If not provided by you, the following dependent resources are automatically crea
 
 ## Next steps
 
-- [Create a [!INCLUDE [hub-project-name](../includes/hub-project-name.md)]](../how-to/create-projects.md?pivots=hub-project)
+- [Create a [!INCLUDE [hub-project-name](../includes/hub-project-name.md)]](../how-to/hub-create-projects.md)
 - [Quickstart: Analyze images and video in the chat playground](/azure/ai-foundry/openai/gpt-v-quickstart)
 - [Learn more about Azure AI Foundry](../what-is-azure-ai-foundry.md)
-- [Learn more about projects](../how-to/create-projects.md?pivots=hub-project)
+- [Learn more about hub projects](../how-to/hub-create-projects.md)

articles/ai-foundry/concepts/encryption-keys-portal.md

@@ -17,68 +17,28 @@ ai-usage: ai-assisted
 # Customer intent: As an admin, I want to understand how I can use my own encryption keys with Azure AI Foundry.
 ---
 
-# Customer-managed keys for encryption with Azure AI Foundry
+# Customer-managed keys for encryption with Azure AI Foundry (Foundry projects)
+
+> [!NOTE]
+> An alternate hub-focused CMK article is available: [Customer-managed keys for hub projects](hub-encryption-keys-portal.md).
 
 Customer-managed key (CMK) encryption in [Azure AI Foundry](https://ai.azure.com/?cid=learnDocs) provides enhanced control over encryption of your data. Learn how to use customer-managed keys to add an extra layer of protection and meet compliance requirements more effectively with Azure Key Vault integration.
 
 ## About encryption in Azure AI Foundry
 
-Azure AI Foundry is a service in the Azure cloud. By default, Azure services use Microsoft-managed encryption keys to encrypt data in transit and at rest.
-
-::: zone pivot="hub-project"
-
-When you use hub-based projects, the Azure AI Hub resource acts as a gateway to multiple Azure services, including Azure AI Hub, Azure Storage, and Azure AI Foundry resources. You must configure CMK encryption on each of these services to use CMK encryption throughout with Azure AI Foundry.
-
-* Azure AI Hub resources and [!INCLUDE [hub](../includes/hub-project-name.md)] resources are implementations of the Azure Machine Learning workspace and encrypt data in transit and at rest. For more information, see [Data encryption with Azure Machine Learning](../../machine-learning/concept-data-encryption.md).
-* Azure AI Foundry resources data is encrypted and decrypted by using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2)-compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, which means that encryption and access are managed for you. Your data is secure by default, and you don't need to modify your code or applications to take advantage of encryption.
-* Azure Storage accounts are used to store uploaded data when you use the Azure AI Foundry portal and tools. For more information on how to set up CMK encryption, see [Customer-managed keys for Azure Storage encryption](/azure/storage/common/customer-managed-keys-overview).
-
-::: zone-end
-
-::: zone pivot="fdp-project"
-
 On your Azure AI Foundry resource, data is encrypted and decrypted by using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2)-compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, which means that encryption and access are managed for you. Your data is secure by default, and you don't need to modify your code or applications to take advantage of encryption.
 
-::: zone-end
-
 > [!IMPORTANT]
 > If you [connect Azure AI Foundry with other Azure tools](../how-to/connections-add.md), we recommend that you configure CMK encryption on every other Azure resource to optimize security.
 
-::: zone pivot="hub-project"
-## Data storage options with Azure AI Hub CMK encryption
-
-Two architecture options are available when you use CMKs with Azure AI Hub:
-
-* **(Recommended) Encrypted data is stored in a Microsoft subscription**
-
-   Data is stored service side on Microsoft-managed resources instead of in managed resources in your subscription. Metadata is stored in multitenant resources by using document-level CMK encryption. An Azure AI Search instance is hosted in the Microsoft-subscription per customer, for each hub, to provide data isolation of encrypted data. We recommend that you use this option for any new deployments.
-* **(Legacy) Encrypted data is stored in your subscription**
-
-   Traditionally, on the Machine Learning platform (on which the Azure AI Hub resource is built), data is stored in your subscription by using a Microsoft-managed resource group. The group includes an Azure Storage account, an Azure Cosmos DB resource, and Azure AI Search. You can't modify the configuration of these resources because the changes aren't supported.
-
-  > [!IMPORTANT]
-  > This option is available for backward compatibility. We don't recommend it for new workloads.
-
-  All projects that use the same hub store data on the resources in a managed resource group identified by the name `azureml-rg-hubworkspacename_GUID`. Projects use Microsoft Entra ID authentication when they interact with these resources. If your hub has a private link endpoint, network access to the managed resources is restricted. The managed resource group is deleted when the hub is deleted.
-
-  The following data is stored on the managed resources.
-
-  |Service|What it's used for|Example|
-  |-----|-----|-----|
-  |Azure Cosmos DB|Stores metadata for your Azure AI projects and tools.|Index names and tags, flow creation timestamps, deployment tags, evaluation metrics|
-  |Azure AI Search|Stores indices that are used to help query your Azure AI Foundry content.|An index based off your model deployment names|
-  |Azure Storage account|Stores instructions for how customization tasks are orchestrated.|JSON representation of flows that you create in the [Azure AI Foundry portal](https://ai.azure.com/?cid=learnDocs)|
-
-::: zone-end
-
 ## Use CMKs with Azure Key Vault
 
 You must use Azure Key Vault to store your CMKs. You can either create your own keys and store them in a key vault or use the Key Vault APIs to generate keys. Your Azure resources and the Key Vault resources must be in the same region and in the same Microsoft Entra tenant. You can use different subscriptions for the resources. For more information about Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview).
 
 - Enable both the **Soft-delete** and **Purge protection** properties on the key vault.
 - Allow trusted Microsoft services to access the key vault if you use the [key vault firewall](/azure/key-vault/general/access-behind-firewall).
-- Grant your [!INCLUDE [fdp](../includes/fdp-project-name.md)] system-assigned managed identity the following permissions on your key vault: Get key, Wrap key, Unwrap key.
-- Note that only RSA and RSA-HSM keys of size 2048 are supported. For more information about keys, see the "Key Vault keys" section in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
+- Grant your project system-assigned managed identity the following permissions on your key vault: Get key, Wrap key, Unwrap key.
+- Only RSA and RSA-HSM keys of size 2048 are supported. For more information about keys, see the "Key Vault keys" section in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
 
 ### Enable the managed identity for your Azure AI Foundry resource
 
@@ -91,12 +51,10 @@ Managed identity must be enabled as a prerequisite for using CMKs.
 
 ## Enable customer-managed keys
 
-::: zone pivot="fdp-project"
-
-CMK encryption is configured via the Azure portal (or alternatively via infrastructure-as-code options) in a similar way for each Azure resource.
+CMK encryption is configured via the Azure portal (or via infrastructure-as-code) similarly for each Azure resource.
 
 > [!IMPORTANT]
-> The key vault that you use for encryption *must be in the same resource group* as the Azure AI Foundry project. Currently, deployment wizards or project configuration workflows don't support key vaults in other resource groups.
+> The key vault that you use for encryption must be in the same resource group as the Azure AI Foundry project. Deployment wizards or project configuration workflows don't currently support key vaults in other resource groups.
 
 1. Create a new Azure AI Foundry resource in the [Azure portal](https://portal.azure.com/).
 1. On the **Encryption** tab, select **Encrypt data using a customer-managed key** > **Select vault and key**. Then select the key vault and the key to use.
@@ -105,82 +63,55 @@ CMK encryption is configured via the Azure portal (or alternatively via infrastr
 
 1. Continue creating your resource as normal.
 
-::: zone-end
-
-::: zone pivot="hub-project"
-
-CMK encryption is configured via the Azure portal (or alternatively via infrastructure-as-code options) in a similar way for each Azure resource.
-
-1. Create a new Azure resource in the Azure portal.
-1. On the **Encryption** tab, select your encryption key.
-1. For Azure AI Hub, select or clear **Use service-side encryption** to select your preferred data storage option. We recommend service-side encryption for any new workload.
-
-   :::image type="content" source="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png" alt-text="Screenshot that shows the Encryption tab with the option for service-side encryption selected." lightbox="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png":::
-
-::: zone-end
-
 ## Encryption key rotation
 
-You can rotate a CMK in Key Vault according to your compliance policies. When the key is rotated, you must update the Azure AI Foundry resource to use the new key URI. Rotating the key doesn't trigger reencryption of data in the resource.
+Rotate a CMK in Key Vault according to your compliance policies. When the key is rotated, update the Azure AI Foundry resource to use the new key URI. Rotating the key doesn't trigger reencryption of existing data.
 
 ### Rotation limitations
 
-* **Same key vault requirement**: You can rotate encryption keys only to another key within the same Key Vault instance. Cross-vault key rotation isn't supported.
-* **Scope of rotation**: The new key must be compatible with the existing encryption configuration. Ensure that the new key is properly configured with the necessary access policies and permissions.
-* **Update from customer managed to Microsoft managed**: When an Azure AI Foundry resource or an Azure AI hub is created, you can update from Microsoft-managed keys to CMKs. You can't switch back from CMKs to Microsoft-managed keys.
+* Same key vault only: rotate to another key within the same Key Vault instance.
+* Scope: new key must have required access policies.
+* Can't revert from CMKs to Microsoft-managed keys after switching.
 
 ### Rotate encryption keys
 
-* In your key vault, create or identify the new key that you want to use for new data encryption.
-* From Azure portal or template options, update the resource configuration to reference the new key within the same key vault.
-* Your resource takes a few minutes to configure wrapping data by using your new encryption key. During this period, certain service operations are available.
-* The service begins using the new key for encryption of newly stored data. Existing data remains encrypted with the previous key unless reprocessed.
+1. In your key vault, create or identify the new key.
+2. Update the resource configuration to reference the new key within the same key vault.
+3. The service begins using the new key for newly stored data; existing data remains under the previous key unless reprocessed.
 
 ## Revoke a customer-managed key
 
-To revoke a CMK, you can change the access policy, change the permissions on the key vault, or delete the key.
-
-To change the access policy of the managed identity that your registry uses, run the [az-keyvault-delete-policy](/cli/azure/keyvault#az-keyvault-delete-policy) command:
+Change the access policy, update permissions, or delete the key.
 
+Remove access policy:
 ```azurecli
 az keyvault delete-policy \
   --resource-group <resource-group-name> \
   --name <key-vault-name> \
   --key_id <key-vault-key-id>
 ```
 
-To delete the individual versions of a key, run the [az-keyvault-key-delete](/cli/azure/keyvault/key#az-keyvault-key-delete) command. This operation requires the Keys/Delete permission.
-
+Delete key version:
 ```azurecli
 az keyvault key delete  \
   --vault-name <key-vault-name> \
-  --id <key-ID>                     
+  --id <key-ID>
 ```
-Revoking access to an active CMK while CMK encryption is still enabled prevents downloading of training data and results files, fine-tuning new models, and deploying fine-tuned models. Previously deployed fine-tuned models continue to operate and serve traffic until those deployments are deleted.
+
+Revoking access to an active CMK while CMK encryption is still enabled prevents downloading training data, fine-tuning new models, and deploying fine-tuned models. Existing deployments continue until deleted.
 
 ## Added Azure cost when you use CMKs
 
-When you use CMKs, generally your data is stored by using document-level encryption in Microsoft-managed storage components. To ensure that your data can be stored in isolation and encrypted by using your keys, certain back-end Azure services used by Azure AI Foundry must be hosted in a dedicated manner according to the Azure AI Foundry resource in combination with CMK encryption. More charges apply when you use CMKs to accommodate this dedicated hosting model. These charges show in Microsoft Cost Management as subline items under your Azure AI Foundry resource.
+Using CMKs may incur extra subline cost items due to dedicated hosting of certain encrypted back-end services.
 
 ## Limitations
 
-* Azure AI Foundry resources can be updated from Microsoft-managed keys to CMKs but not from CMKs to Microsoft-managed keys.
-* Azure AI Foundry hub resources can't be updated from Microsoft-managed keys to CMKs, or vice versa, post-creation.
-* CMK for encryption can be updated only to keys in the same Key Vault instance.
-* [Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required to use CMKs in combination with Azure AI Speech and Azure AI Content Safety capabilities.
-* [Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required for Azure AI Speech and Azure AI Content Safety.
-* If your Azure AI Foundry resource is in a soft-deleted state, any storage-related charges for CMK encryption continue to accrue during the soft-deleted retention period.
+* Projects can be updated from Microsoft-managed keys to CMKs but not reverted.
+* Project CMK can be updated only to keys in the same Key Vault instance.
+* Request form required for some services: [Azure AI Foundry Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) for Speech and Content Safety.
+* Storage-related charges for CMK encryption continue during soft-deleted retention.
 
 ## Related content
 
-Learn more:
-
-* [Customer-managed key encryption](../concepts/encryption-keys-portal.md)
 * [Disable local authorization](../how-to/disable-local-auth.md)
 * [What is Azure Key Vault?](/azure/key-vault/general/overview)
-
-Reference infrastructure-as-code templates:
-
-* [Bicep sample for CMK encryption for an Azure AI Foundry resource](https://github.com/azure-ai-foundry/foundry-samples/tree/main/samples/microsoft/infrastructure-setup/30-customer-managed-keys)
-* [Bicep sample for CMK encryption for Azure an AI Foundry resource and agent service standard setup](https://github.com/azure-ai-foundry/foundry-samples/tree/main/samples/microsoft/infrastructure-setup/31-customer-managed-keys-standard-agent)
-* [Bicep sample for CMK encryption for Azure AI Hub](https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-cmk-service-side-encryption)