|
| 1 | +--- |
| 2 | +title: Control AI model deployment with built-in policies |
| 3 | +titleSuffix: Azure Machine Learning |
| 4 | +description: "Learn how to use built-in Azure policies to control what managed AI Services (MaaS) and Model-as-a-Platform (MaaP) AI models can be deployed." |
| 5 | +author: Blackmist |
| 6 | +ms.author: larryfr |
| 7 | +ms.service: azure-machine-learning |
| 8 | +ms.topic: how-to #Don't change |
| 9 | +ms.date: 09/30/2024 |
| 10 | + |
| 11 | +#customer intent: As an admin, I want control what Managed AI Services (MaaS) and Model-as-a-Platform (MaaP) AI models can be deployed by my developers. |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +# Control AI model deployment with built-in policies |
| 16 | + |
| 17 | +Azure Policy provides built-in policy definitions that help you govern the deployment of AI models in Managed AI Services (MaaS) and Model-as-a-Platform (MaaP). You can use these policies to control what models your developers can deploy. |
| 18 | + |
| 19 | +## Prerequisites |
| 20 | + |
| 21 | +- An Azure subscription. If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/) before you begin. |
| 22 | +- Permissions to create and assign policies. To create and assign policies, you must be an [Owner](/azure/role-based-access-control/built-in-roles#owner) or [Resource Policy Contributor](/azure/role-based-access-control/built-in-roles#resource-policy-contributor) at the Azure subscription or resource group level. |
| 23 | +- Familiarity with Azure Policy. To learn more, see [What is Azure Policy?](/azure/governance/policy/overview). |
| 24 | + |
| 25 | +## Enable the policy |
| 26 | + |
| 27 | +1. From the [Azure portal](https://portal.azure.com), select **Policy** from the left side of the page. You can also search for **Policy** in the search bar at the top of the page. |
| 28 | +1. From the left side of the Azure Policy Dashboard, select **Authoring**, **Assignments**, and then select **Assign policy** from the top of the page. |
| 29 | +1. In the **Policy Assignment** form, use the following values: |
| 30 | + |
| 31 | + - **Scope**: Select the scope where you want to assign the policy. The scope can be a management group, subscription, or resource group. |
| 32 | + - **Policy definition**: Select the ellipse (...) and search for **Allowed models for AI model deployment**. Select the policy definition from the list. For example, **Allowed models for AI model deployment in MaaS and MaaP**. |
| 33 | + - **Assignment name**: Enter a unique name for the assignment. |
| 34 | + |
| 35 | + The rest of the fields can be left as their default values or you can customize as needed for your organization. |
| 36 | + |
| 37 | +1. Select **Next** at the bottom of the page or the **Parameters** tab at the top of the page. |
| 38 | +1. In the **Parameters** tab, use the following fields: |
| 39 | + |
| 40 | + - **Allowed models**: This field expects the **model ID strings**, separated by commas. To get the model ID strings, use the following steps: |
| 41 | + |
| 42 | + 1. Go to the [Azure Machine Learning Model Catalog](https://ml.azure.com/model/catalog) for your workspace. |
| 43 | + |
| 44 | + > [!NOTE] |
| 45 | + > You must have an Azure Machine Learning workspace to access the Model Catalog. |
| 46 | + |
| 47 | + 1. For each model you want to allow, select the model to view the details. In the model detail information, copy the **Model ID** value. For example, the value might look like `azureml://registries/azure-openai/models/gpt-35-turbo/versions/3`. |
| 48 | + |
| 49 | + > [!IMPORTANT] |
| 50 | + > The model ID value must be an exact match for the model. If the model ID is not an exact match, the model won't be allowed. |
| 51 | +
|
| 52 | + - **Effect**: This field determines whether the policy [audits](/azure/governance/policy/concepts/effect-audit) or [denies](/azure/governance/policy/concepts/effect-deny) the use of the models listed in the **Allowed models** field. |
| 53 | + |
| 54 | +1. Optionally, select the **Non-compliance messages** tab at the top of the page and set a custom message for noncompliance. |
| 55 | +1. Select **Review + create** tab and verify that the policy assignment is correct. When ready, select **Create** to assign the policy. |
| 56 | +1. Notify your developers that the policy is in place. For models that aren't allowed, the **deploy** option is disabled in the Azure Machine Learning studio. |
| 57 | + |
| 58 | +## Monitor compliance |
| 59 | + |
| 60 | +To monitor compliance with the policy, follow these steps: |
| 61 | + |
| 62 | +1. From the [Azure portal](https://portal.azure.com), select **Policy** from the left side of the page. You can also search for **Policy** in the search bar at the top of the page. |
| 63 | +1. From the left side of the Azure Policy Dashboard, select **Compliance**. Each policy assignment is listed with the compliance status. To view more details, select the policy assignment. |
| 64 | + |
| 65 | +## Update the allowed models |
| 66 | + |
| 67 | +To update an existing policy assignment with new models, follow these steps: |
| 68 | + |
| 69 | +1. From the [Azure portal](https://portal.azure.com), select **Policy** from the left side of the page. You can also search for **Policy** in the search bar at the top of the page. |
| 70 | +1. From the left side of the Azure Policy Dashboard, select **Assignments** and find the existing policy assignment. Select the ellipsis (...) next to the assignment and select **Edit assignment**. |
| 71 | +1. From the **Parameters** tab, update the **Allowed models** parameter with the new model IDs. |
| 72 | +1. From the **Review + Save** tab, select **Save** to update the policy assignment. |
| 73 | + |
| 74 | +## Best practices |
| 75 | + |
| 76 | +- **Granular scoping**: Assign policies at the appropriate scope to balance control and flexibility. For example, apply at the subscription level to control all resources in the subscription, or apply at the resource group level to control resources in a specific group. |
| 77 | +- **Policy naming**: Use a consistent naming convention for policy assignments to make it easier to identify the purpose of the policy. Include information such as the purpose and scope in the name. |
| 78 | +- **Documentation**: Keep records of policy assignments and configurations for auditing purposes. Document any changes made to the policy over time. |
| 79 | +- **Regular reviews**: Periodically review policy assignments to ensure they align with your organization's requirements. |
| 80 | +- **Testing**: Test policies in a nonproduction environment before applying them to production resources. |
| 81 | +- **Communication**: Make sure developers are aware of the policies in place and understand the implications for their work. |
| 82 | + |
| 83 | +## Related content |
| 84 | + |
| 85 | +- [Azure Policy overview](/azure/governance/policy/overview) |
| 86 | +- [Azure Machine Learning model catalog](concept-model-catalog.md) |
0 commit comments