Merge pull request #5531 from MicrosoftDocs/repo_sync_working_branch

Taojunshen · web-flow · commit 9dfa75e14ef1 · 2025-06-14T05:31:36.000+08:00
Confirm merge from repo_sync_working_branch to main to sync with https://github.com/MicrosoftDocs/azure-ai-docs (branch main)
diff --git a/articles/ai-services/agents/how-to/virtual-networks.md b/articles/ai-services/agents/how-to/virtual-networks.md
@@ -78,7 +78,10 @@ For customers without an existing virtual network, the Standard Setup with Priva
 * A Microsoft-managed key vault is used by default. 
 
 
-### Option 1: manually deploy the bicep template
+### Manually deploy the bicep template
+
+> [!NOTE]
+> Using the Bicep template is the only way to deploy a network secured environment for Azure AI Foundry Agent Service.
 
 1. To deploy and customize the bicep templates, [download the template from GitHub](https://github.com/azure-ai-foundry/foundry-samples/tree/main/samples/microsoft/infrastructure-setup/15-private-network-standard-agent-setup). Download the following from the `private-network-standard-agent-setup` folder:
     1. `main-create.bicep`
diff --git a/articles/machine-learning/how-to-assign-roles.md b/articles/machine-learning/how-to-assign-roles.md
@@ -289,6 +289,10 @@ The following table is a summary of Azure Machine Learning activities and the pe
 
 3. These scenarios don't include the permissions needed to create workspace dependent resources. For more information, see the write permissions for [Storage](https://learn.microsoft.com/azure/role-based-access-control/permissions/storage#microsoftstorage), [OperationalInsights](https://learn.microsoft.com/azure/role-based-access-control/permissions/monitor#microsoftoperationalinsights), [Key Vault](https://learn.microsoft.com/azure/role-based-access-control/permissions/security#microsoftkeyvault) and [Container Registry](https://learn.microsoft.com/azure/role-based-access-control/permissions/containers#microsoftcontainerregistry).
 
+4. When attaching user-managed identities, you also need to have `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` permission on the identities. For more information, see [Azure built-in roles for Identity](/azure/role-based-access-control/built-in-roles/identity).
+
+5. When specifying a serverless compute custom subnet, you also need to have `Microsoft.Network/virtualNetworks/subnets/join/action` on the virtual network. For more information, see [Azure permissions for Networking](/azure/role-based-access-control/permissions/networking).
+
 ###  Deploy into a virtual network or subnet
 
 [!INCLUDE [network-rbac](includes/network-rbac.md)]
