Commit 7f67a40

Merge pull request #5343 from MicrosoftDocs/main
6/3/2025 AM Publish
2 parents 65d3314 + 837c8d3 commit 7f67a40

9 files changed

+10
-14
lines changed


articles/ai-foundry/how-to/configure-managed-network.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -857,7 +857,7 @@ A private endpoint is automatically created for a connection if the target resou
857857

858858
### Approval of Private Endpoints
859859

860-
To establish Private Endpoint connections in managed virtual networks using Azure AI Foundry, the workspace managed identity, whether system-assigned or user-assigned, must have permissions to approve the Private Endpoint connections on the target resources. Previously, this was done through automatic role assignments by the Azure AI Foundry service. However, there are security concerns about the automatic role assignment. To improve security, starting April 30th, 2025, we will discontinue this automatic permission grant logic. We recommend assigning the [Azure AI Enterprise Network Connection Approver role](/azure/role-based-access-control/built-in-roles/ai-machine-learning) or a custom role with the necessary Private Endpoint connection permissions on the target resource types and grant this role to the Foundry hub's managed identity to allow Azure AI Foundry services to approve Private Endpoint connections to the target Azure resources.
860+
To establish Private Endpoint connections in managed virtual networks using Azure AI Foundry, the workspace managed identity, whether system-assigned or user-assigned, and the user identity that initiates the creation of the private endpoint, must have permissions to approve the Private Endpoint connections on the target resources. Previously, this was done through automatic role assignments by the Azure AI Foundry service. However, there are security concerns about the automatic role assignment. To improve security, starting April 30th, 2025, we will discontinue this automatic permission grant logic. We recommend assigning the [Azure AI Enterprise Network Connection Approver role](/azure/role-based-access-control/built-in-roles/ai-machine-learning) or a custom role with the necessary Private Endpoint connection permissions on the target resource types and grant this role to the Foundry hub's managed identity to allow Azure AI Foundry services to approve Private Endpoint connections to the target Azure resources.
861861

862862
Here's the list of private endpoint target resource types covered by covered by the Azure AI Enterprise Network Connection Approver role:
863863
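Review bot: The clause added on line 860 extends the approval-permission requirement to the user identity that initiates private endpoint creation, but the closing recommendation in the same paragraph still says to grant the role only to "the Foundry hub's managed identity". A reader who follows the recommendation as written leaves the initiating user without the permission the first sentence now requires. Suggest extending the last sentence to name both identities. Two smaller points in the same region: "starting April 30th, 2025, we will discontinue" is future tense for a date that precedes this 6/3/2025 publish, and context line 862 has a doubled "covered by covered by".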

articles/ai-foundry/how-to/develop/sdk-overview.md

Lines changed: 2 additions & 1 deletion
@@ -33,6 +33,7 @@ The Azure AI Foundry SDK is a set of client libraries and services designed to w
3333

3434
* An Azure subscription. If you don't have one, create a [free account](https://azure.microsoft.com/free/).
3535
* [Create a [!INCLUDE [fdp-project-name](../../includes/fdp-project-name.md)]](../create-projects.md?pivots=fdp-project) if you don't have one already.
36+
* [!INCLUDE [find-endpoint](../../includes/find-endpoint.md)]
3637
* Sign in with the Azure CLI using the same account that you use to access your project:
3738

3839
```bash
@@ -59,7 +60,7 @@ The Azure AI Foundry Projects client library is a unified library that enables y
5960
from azure.identity import DefaultAzureCredential
6061
from azure.ai.projects import AIProjectClient
6162
62-
project = AIProjectClient.from_connection_string(
63+
project = AIProjectClient(
6364
endpoint="your_project_endpoint", # Replace with your endpoint
6465
credential=DefaultAzureCredential())
6566
```
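Review bot: The placeholder on line 64, `endpoint="your_project_endpoint"`, gives no indication of what a project endpoint looks like or where to get it, now that line 63 calls the `AIProjectClient(...)` constructor instead of `from_connection_string`. Suggest having the inline comment point at the find-endpoint prerequisite added earlier in this file. If the constructor form only applies from a particular package version, state that version next to the snippet so readers with an older install can tell why the call fails.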

articles/ai-services/openai/how-to/dall-e.md

Lines changed: 1 addition & 1 deletion
@@ -237,7 +237,7 @@ The format in which DALL-E 3 generated images are returned. Must be one of `url`
237237

238238
## Call the Image Edit API
239239

240-
The Image Edit API allows you to modify existing images based on text prompts you provide. The API call is similar to the image generation API call, but you also need to provide an image URL or base 64-encoded image data.
240+
The Image Edit API allows you to modify existing images based on text prompts you provide. The API call is similar to the image generation API call, but you also need to provide an input image (base64-encoded image data).
241241

242242

243243
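Review bot: The rewritten sentence on line 240 drops "an image URL" and leaves base64-encoded data as the only input form, but it does so in a parenthetical, which reads as an example rather than a restriction. If URLs are no longer accepted as input, suggest saying so directly (for example "the input image must be supplied as base64-encoded data"), since readers of the previous wording may still pass a URL.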

articles/ai-services/openai/how-to/reinforcement-fine-tuning.md

Lines changed: 2 additions & 2 deletions
@@ -176,11 +176,11 @@ Models which we're supporting as grader models are:
176176
"model": string,
177177
"pass_threshold": number,
178178
"range": number[],
179-
"sampling_parameters": {
179+
"sampling_params": {
180180
"seed": number,
181181
"top_p": number,
182182
"temperature": number,
183-
"max_completion_tokens": number,
183+
"max_completions_tokens": number,
184184
"reasoning_effort": "low" | "medium" | "high"
185185
}
186186
}
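Review bot: The new key on line 183, `"max_completions_tokens"`, pluralises "completions" where the removed line had `"max_completion_tokens"`, and it reads like a typo introduced alongside the `sampling_params` rename on line 179. Please confirm both names against the service schema before publishing, since a grader definition copied from this block with a wrong key will be rejected or have the setting ignored. If the plural spelling is intentional, a one-line note under the block saying so would stop later "fixes" from reverting it.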

articles/machine-learning/how-to-assign-roles.md

Lines changed: 1 addition & 1 deletion
@@ -273,7 +273,7 @@ The following table is a summary of Azure Machine Learning activities and the pe
273273
274274
| Activity | Subscription-level scope | Resource group-level scope | Workspace-level scope |
275275
| ----- | ----- | ----- | ----- |
276-
| Create new workspace <sub>1</sub> | Not required | Owner, contributor, or custom role allowing: `Microsoft.Resources/deployments/*` and `Microsoft.MachineLearningServices/workspaces/write` | N/A (becomes Owner or inherits higher scope role after creation) |
276+
| Create new workspace <sub>1</sub> | Not required | Owner, contributor, or custom role allowing: `Microsoft.Resources/deployments/*`, `Microsoft.MachineLearningServices/workspaces/write` and dependent resources' write permissions (see point 3 down below) | N/A (becomes Owner or inherits higher scope role after creation) |
277277
| Request subscription level Amlcompute quota or set workspace level quota | Owner, or contributor, or custom role <br>allowing `/locations/updateQuotas/action`<br> at subscription scope | Not authorized | Not authorized |
278278
| Create new compute cluster | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` |
279279
| Create new compute instance | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write` |
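Review bot: The text added to the "Create new workspace" row on line 276 sends readers to "point 3 down below", but the row's own marker is `<sub>1</sub>` and nothing in the visible table identifies a point 3, so the reference is ambiguous and breaks silently if the notes are renumbered. Suggest a footnote marker in the same style as the existing one, or an anchor link. "Dependent resources' write permissions" is also too loose for someone authoring a least-privilege custom role: the two permissions before it are named exactly, and the dependent ones should be named or linked the same way.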

articles/machine-learning/how-to-identity-based-service-authentication.md

Lines changed: 0 additions & 5 deletions
@@ -626,11 +626,6 @@ az ml environment create --file <yaml file>
626626

627627
You can now use the environment in a [training job](how-to-train-cli.md).
628628

629-
### Build Azure Machine Learning managed environment into base image from private ACR for training or inference
630-
631-
> [!NOTE]
632-
> Connecting to a private ACR using user-assigned managed identity is not currently supported. **Admin key** is the only auth type supported for private ACR.
633-
634629
<!-- 20240725: this commented block will be restored at a later date TBD . . .
635630

636631
[!INCLUDE [cli v2](includes/machine-learning-cli-v2.md)]
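Review bot: Lines 629-633 remove the note that admin key is the only supported auth type for a private ACR without adding any replacement, so the page no longer says whether a user-assigned managed identity now works. If the limitation has been lifted, state that explicitly so readers know they can move off the admin key; if it hasn't, the note should stay. The deleted `###` heading also drops an anchor that other pages may link to, and the commented-out block that follows now sits directly under the preceding section with no heading of its own.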

articles/machine-learning/how-to-managed-network.md

Lines changed: 1 addition & 1 deletion
@@ -177,7 +177,7 @@ Before following the steps in this article, make sure you have the following pre
177177
178178
::: zone-end
179179
180-
To establish private endpoint connections in managed virtual networks using Azure Machine Learning, the workspace managed identity, whether system-assigned or user-assigned, must have permissions to approve the Private Endpoint connections on the target resources. After April 30th, 2025, permissions aren't automatically granted to the managed identity and must be assigned manually.
180+
To establish private endpoint connections in managed virtual networks using Azure Machine Learning, the workspace managed identity, whether system-assigned or user-assigned, and the user identity that initiates the creation of the private endpoint, must have permissions to approve the Private Endpoint connections on the target resources. After April 30th, 2025, permissions aren't automatically granted to the managed identity and must be assigned manually.
181181
182182
Microsoft recommends assigning the _Azure AI Enterprise Network Connection Approver_ role to the managed identity. The following list contains the private endpoint target resource types covered by the __Azure AI Enterprise Network Connection Approver__ role:
183183
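Review bot: Line 180 now requires the initiating user identity to hold approval permissions as well, but the sentence that follows it still says permissions "aren't automatically granted to the managed identity and must be assigned manually", and context line 182 recommends the Approver role only for the managed identity. Suggest stating how the user identity is expected to get the permission (the same role or a different one), otherwise the new requirement has no matching instruction.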

articles/search/search-filters.md

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ A filter is specified using [OData filter expression syntax](search-query-odata-
2424

2525
## When to use a filter
2626

27-
Filters are foundational to several search experiences, including "find near me" geospatial search, faceted navigation, and security filters that show only those documents a user is allowed to see. If you implement any one of these experiences, a filter is required. It's the filter attached to the search query that provides the geolocation coordinates, the facet category selected by the user, or the security ID of the requestor.
27+
Filters are foundational to several search experiences, including "find near me" geospatial search, faceted navigation, and security filters that show only those documents a user is allowed to see. If you implement any one of these experiences, a filter is required. It's the filter attached to the search query that provides the geolocation coordinates, the facet category selected by the user, or the security ID of the requester.
2828

2929
Common scenarios include:
3030

articles/search/search-security-rbac.md

Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,7 @@ In Azure AI Search, you can assign Azure roles for:
2525
+ [Read-only access for queries](#assign-roles-for-read-only-queries)
2626
+ [Scoped access to a single index](#grant-access-to-a-single-index)
2727

28-
Per-user access over search results (sometimes referred to as *row-level security* or *document-level security*) isn't supported through role assignments. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requestor shouldn't have access. See this [Enterprise chat sample using RAG](/azure/developer/python/get-started-app-chat-template) for a demonstration.
28+
Per-user access over search results (sometimes referred to as *row-level security* or *document-level security*) isn't supported through role assignments. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requester shouldn't have access. See this [Enterprise chat sample using RAG](/azure/developer/python/get-started-app-chat-template) for a demonstration.
2929

3030
Role assignments are cumulative and pervasive across all tools and client libraries. You can assign roles using any of the [supported approaches](/azure/role-based-access-control/role-assignments-steps) described in Azure role-based access control documentation.
3131
