Merge pull request #8743 from MicrosoftDocs/main

11/21 11:00 AMM IST Publish

Author: Saisang

articles/ai-foundry/azure-ai-foundry-status-dashboard-documentation.md

@@ -38,7 +38,7 @@ During the Preview phase, we're gradually expanding service coverage and refinin
 Yes, subscription options (email, SMS, webhook) are supported in the dashboard.
 
 **Q: Does the dashboard cover all regions and environments?**  
-Currently, the dashboard reflects status for core production services in major regions. Expanded coverage, including specific regions, is in progress.
+Currently, the dashboard reflects status for core production services in [major regions](reference/region-support.md). Expanded coverage, including specific regions, is in progress.
 
 **Q: How should I report discrepancies or missing status updates?**  
 If you notice a gap between your experience and what you see on the dashboard, contact your Microsoft support  representative or file a support ticket through Azure Support.

articles/ai-foundry/concepts/vulnerability-management.md

@@ -6,8 +6,9 @@ ms.service: azure-ai-foundry
 ms.custom:
   - build-2024
   - hub-only
+  - dev-focus
 ms.topic: concept-article
-ms.date: 08/27/2025
+ms.date: 11/20/2025
 ms.reviewer: deeikele
 ms.author: jburchel 
 author: jonburchel 
@@ -18,9 +19,19 @@ ai-usage: ai-assisted
 
 [!INCLUDE [hub-only-alt](../includes/uses-hub-only-alt.md)]
 
-Vulnerability management is the process of detecting, assessing, mitigating, and reporting security vulnerabilities in an organization's systems and software. It's a shared responsibility between you and Microsoft.
+Vulnerability management is the process of detecting, assessing, mitigating, and reporting security vulnerabilities in an organization's systems and software. You and Microsoft share this responsibility.
 
-This article covers your responsibilities and the vulnerability management controls that [Microsoft Foundry](https://ai.azure.com/?cid=learnDocs) provides. Learn how to keep your service instance and apps up to date with the latest security updates and reduce the window of opportunity for attackers.
+This article describes your responsibilities and the vulnerability management controls that Foundry provides. Learn how to keep your service instance and apps up to date with the latest security updates and reduce the window of opportunity for cyberattackers.
+
+## Prerequisites
+
+To manage vulnerabilities in your Foundry environment, you need:
+
+- An Azure subscription
+- A Foundry hub or project
+- Contributor or Owner role on the Foundry hub or project to manage compute resources
+- Azure CLI or access to the Foundry portal for compute management
+- For compute instance recreation: permissions to create and delete compute instances (`Microsoft.MachineLearningServices/workspaces/computes/write` and `Microsoft.MachineLearningServices/workspaces/computes/delete`)
 
 ## Microsoft-managed VM images
 
@@ -57,65 +68,88 @@ In the Foundry portal, Docker images provide the runtime environment for [prompt
 
 Although Microsoft patches base images with each release, using the latest image is a tradeoff between reproducibility and vulnerability management. You choose the environment version for your jobs or model deployments.  
 
-By default, dependencies are layered on top of base images when you're building an image. After you install extra dependencies on Microsoft-provided images, you're responsible for vulnerability management.  
+By default, dependencies are layered on top of base images when you build an image. After you install extra dependencies on Microsoft-provided images, you're responsible for vulnerability management.  
 
-Your Foundry hub includes an Azure Container Registry instance that caches container images. When an image is built, it's pushed to the container registry. The workspace uses the cached image when you deploy the corresponding environment.
+Your hub includes an Azure Container Registry instance that caches container images. When you build an image, you push it to the container registry. The workspace uses the cached image when you deploy the corresponding environment.
 
 The hub doesn't delete any image from your container registry. Review the need for each image over time. To monitor and maintain environment hygiene, use [Microsoft Defender for Container Registry](/azure/defender-for-cloud/defender-for-container-registries-usage) to scan your images for vulnerabilities. To automate processes based on Microsoft Defender triggers, see [Automate remediation responses](/azure/defender-for-cloud/workflow-automation).
 
 
 ## Vulnerability management on compute hosts
 
-Managed compute nodes in Foundry portal use Microsoft-managed OS VM images. When you provision a node, it pulls the latest VM image. This behavior applies to compute instances, serverless compute clusters, and managed inference compute.
+Managed compute nodes in the Foundry portal use Microsoft-managed OS VM images. When you provision a node, it pulls the latest VM image. This behavior applies to compute instances, serverless compute clusters, and managed inference compute.
 
-Although OS VM images are regularly patched, Microsoft doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation for your compute nodes.
+Although Microsoft regularly patches OS VM images, it doesn't actively scan compute nodes for vulnerabilities while they're in use. For an extra layer of protection, consider network isolation for your compute nodes.
 
 Ensuring that your environment is up to date and that compute nodes use the latest OS version is a shared responsibility between you and Microsoft. The service doesn't update busy nodes to the latest VM image. Considerations are slightly different for each compute type, as listed in the following sections.
 
 ### Compute instance
 
-Compute instances get the latest VM image at provisioning. Microsoft releases new VM images monthly. After you deploy a compute instance, it doesn't receive ongoing image updates. To stay current with the latest software updates and security patches, use one of these methods:
+Compute instances get the latest VM image when you provision them. Microsoft releases new VM images monthly. After you deploy a compute instance, it doesn't receive ongoing image updates. To stay current with the latest software updates and security patches, use one of these methods:
 
 * Re-create a compute instance to get the latest OS image (recommended).
 
-  If you use this method, you'll lose data and customizations (such as installed packages) stored on the instance's OS disk and temporary disk.
+  If you use this method, you lose data and customizations (such as installed packages) stored on the instance's OS disk and temporary disk.
 
-  Learn more about image releases in the [Azure Machine Learning compute instance image release notes](/azure/machine-learning/azure-machine-learning-ci-image-release-notes).
+  For more information about image releases, see the [Azure Machine Learning compute instance image release notes](/azure/machine-learning/azure-machine-learning-ci-image-release-notes).
 
 * Regularly update OS and Python packages.
 
-  * Use Linux package management tools to update the package list with the latest versions:
+  Connect to your compute instance terminal and run the following commands to update packages:
+
+  * Update the package list with the latest versions:
 
     ```bash
     sudo apt-get update
     ```
 
-  * Use Linux package management tools to upgrade packages to the latest versions. Package conflicts might occur when you use this approach.
+    Expected output: Package lists are refreshed from repositories.
+
+  * Upgrade packages to the latest versions. Package conflicts might occur when you use this approach:
 
     ```bash
     sudo apt-get upgrade
     ```
 
-  * Use Python package management tools to upgrade packages and check for updates:
+    Expected output: Packages are downloaded and installed. You might be prompted to confirm installation.
+
+  * Check for outdated Python packages:
 
     ```bash
     pip list --outdated
     ```
 
+    Expected output: List of packages with available updates, or empty output if all packages are current.
+
+  **Reference**: [apt-get documentation](https://manpages.ubuntu.com/manpages/focal/man8/apt-get.8.html), [pip list documentation](https://pip.pypa.io/en/stable/cli/pip_list/)
+
+  To verify updates were applied successfully, run:
+
+  ```bash
+  # Check for remaining upgradable packages
+  sudo apt list --upgradable
+  ```
+
+  Expected output: No packages listed means all updates are applied.
+
 Install and run additional scanning software on the compute instance to scan for security issues:
 
-* Use [Trivy](https://github.com/aquasecurity/trivy) to discover OS and Python package-level vulnerabilities.
-* Use [ClamAV](https://www.clamav.net/) to discover malware. It comes preinstalled on compute instances.
+* Use [Trivy](https://github.com/aquasecurity/trivy) to discover OS and Python package-level vulnerabilities. For quick start and usage examples, see the [Trivy documentation](https://aquasecurity.github.io/trivy/).
+* Use [ClamAV](https://www.clamav.net/) to discover malware. It comes preinstalled on compute instances. For usage guidance, see the [ClamAV documentation](https://docs.clamav.net/manual/Usage.html).
+
+For automation examples combining Trivy and ClamAV, see [Compute instance sample setup scripts](https://github.com/Azure/azureml-examples/tree/main/setup/setup-ci).
 
 Installing the Microsoft Defender for Servers agent isn't supported.
 
 ### Endpoints
 
 Endpoints automatically receive OS host image updates with vulnerability fixes. Microsoft updates images at least once a month.
 
-Compute nodes automatically upgrade to the latest VM image version when it's released. You don't need to do anything.  
+Compute nodes automatically upgrade to the latest VM image version when it's released. You don't need to take any action.  
 
-## Next steps
+## Related content
 
-* [Foundry hubs](ai-resources.md)
-* [Create and manage compute instances](../how-to/create-manage-compute.md)
+- [Foundry hubs](ai-resources.md)
+- [Create and manage compute instances](../how-to/create-manage-compute.md)
+- [Azure Machine Learning compute instance image release notes](/azure/machine-learning/azure-machine-learning-ci-image-release-notes)
+- [Vulnerability management best practices](/azure/cloud-adoption-framework/ready/azure-best-practices/ai-machine-learning-enterprise-security)

articles/ai-foundry/default/mcp/build-your-own-mcp-server.md

@@ -26,13 +26,15 @@ This approach enables you to securely integrate internal APIs and services into
 - For local development and debugging:
   - [Visual Studio Code](https://code.visualstudio.com/)
   - [Azure Functions extension](https://marketplace.visualstudio.com/items?itemName=ms-azuretools.vscode-azurefunctions) for Visual Studio Code
-- An Azure API Center resource (optional, required only for organizational tool catalog registration).
+- An [Azure API Center resource](/azure/api-center/overview) (optional, required only for organizational tool catalog registration).
 
 ## Build an MCP server by using Azure Functions
 
 Azure Functions is a serverless compute service that provides scale-to-zero capability, burst scaling, and enterprise features including identity-based access and virtual networking. The lightweight programming model makes it straightforward to build MCP servers so you can focus on implementing your business logic rather than infrastructure management.
 
-1. Run the `azd init` command in your target folder to initialize the project from [this sample MCP server template](https://github.com/Azure-Samples/remote-mcp-functions-python):
+1. Open a terminal or command prompt and navigate to the folder where you want to create your project.
+
+1. Run the `azd init` command to initialize the project from [this sample MCP server template](https://github.com/Azure-Samples/remote-mcp-functions-python):
 
    ```bash
    azd init --template remote-mcp-functions-python -e mcpserver-python
@@ -155,6 +157,14 @@ For detailed configuration steps, see [Connect to a Model Context Protocol serve
 
 After connecting your MCP server, agents in your Foundry project can call the tools and functions exposed by your custom server. Test the connection by creating an agent and verifying it can successfully invoke your MCP server's capabilities.
 
+## Troubleshooting
+
+Here are some common issues you might encounter when building and connecting your MCP server:
+
+- **MCP server connection fails**: Ensure that your Azure Function is running and accessible. Check the function logs in the Azure portal for any errors.
+- **Authentication errors**: Verify that you're using the correct system key or API key. If using API Key authentication, ensure the key is correctly configured in the Foundry connection settings.
+- **Tool not found**: If you registered your MCP server in the organizational catalog, make sure you've added it to your agent. If using a custom tool, verify the endpoint URL and tool name.
+
 ## Related content
 
 - [Get started with Agent Service](../../agents/quickstart.md)

articles/ai-foundry/foundry-local/get-started.md

@@ -13,6 +13,7 @@ reviewer: samuel100
 ms.custom:
   - build-2025
   - build-aifnd
+  - peer-review-program 
 keywords:
   - Foundry Tools
   - cognitive

articles/ai-foundry/how-to/add-foundry-to-network-security-perimeter.md

@@ -31,14 +31,14 @@ This article gives only the Foundry-specific pointers you need. All procedural d
 - NSP governs data plane traffic. Control plane (management) operations may still succeed unless separately restricted.
 - Use a managed identity (system or user‑assigned) with appropriate role assignments for any data source access (for example Azure Blob Storage used for batch inputs/outputs).
 - Co-locate dependent services (Azure OpenAI, Azure Storage, Azure AI Search, etc.) in the same NSP when you need mutual access with minimal outbound allow rules.
-- Foundry Agent Service: Supported; Secured Standard Agents with full network isolation rely on Private Link and do not require or support NSP.
+- Foundry Agent Service is supported. Secured Standard Agents with full network isolation rely on Private Link and do not require or support NSP.
 - Private Link takes precedence over NSP evaluation when both are configured; traffic resolves through Private Link first.
 
 For more information, see [Network security perimeter concepts](/azure/private-link/network-security-perimeter-concepts).
 
 ## Prerequisites
 
-Create an existing Foundry resource (or plan to create one) and required managed identity assignments.
+An existing Foundry resource (or plan to create one) and required managed identity assignments.
 
 If any prerequisite behavior is unclear or changes, consult the latest Azure OpenAI + NSP article for parity details in [Azure OpenAI NSP guidance](/azure/ai-foundry/openai/how-to/network-security-perimeter).
 
@@ -49,7 +49,7 @@ Portal (summary):
 2. Select **Associated resources** (or **Resources** depending on UI iteration) > **Add / Associate**.
 3. Choose the target profile, pick your Foundry resource, set access mode (start with Learning), and confirm.
 
-CLI (for automation) and full creation steps: see the NSP quickstarts (CLI or PowerShell):
+For CLI (for automation) and full creation steps, see the NSP quickstarts (CLI or PowerShell):
 - [Create a network security perimeter (CLI)](/azure/private-link/create-network-security-perimeter-cli)
 - [Create a network security perimeter (PowerShell)](/azure/private-link/create-network-security-perimeter-powershell)
 
@@ -58,7 +58,7 @@ After association, traffic evaluation begins per the selected access mode.
 
 ## Access modes (Learning vs Enforced)
 
-Start in Learning to observe would‑be denies. Switch to Enforced once required inbound/outbound rules are defined. Reference [NSP access modes](/azure/private-link/network-security-perimeter-concepts#access-modes) for more details.
+Start in Learning to observe would‑be denies. Switch to Enforced once required inbound/outbound rules are defined. Reference [NSP access modes](/azure/private-link/network-security-perimeter-concepts) for more details.
 
 ## Interaction with `publicNetworkAccess`