Refreshes azure-policy.md

jonburchel · jonburchel · commit 9f5a570e3d45 · 2025-09-30T16:19:38.000-04:00
diff --git a/articles/ai-foundry/how-to/azure-policy.md b/articles/ai-foundry/how-to/azure-policy.md
@@ -4,7 +4,7 @@ titleSuffix: Azure AI Foundry
 description: Learn how to use Azure Policy with Azure AI Foundry to make sure your hubs and projects are compliant with your requirements.
 ms.author: jburchel 
 author: jonburchel 
-ms.date: 07/31/2025
+ms.date: 10/01/2025
 ms.service: azure-ai-foundry
 ms.custom:
   - hub-only
@@ -58,27 +58,27 @@ To view the built-in policy definitions, use the following steps:
 1. Select __Definitions__.
 1. For __Type__, select __Built-in__. For __Category__, select __Machine Learning__.
 
-From here, you can select policy definitions to view them. While viewing a definition, you can use the __Assign__ link to assign the policy to a specific scope, and configure the parameters for the policy. For more information, see [Create a policy assignment to identify noncompliant resources using Azure portal](/azure/governance/policy/assign-policy-portal).
+Select a policy definition to view it. While viewing a definition, select __Assign__ to assign the policy to a scope and configure its parameters. For more information, see [Create a policy assignment to identify noncompliant resources using Azure portal](/azure/governance/policy/assign-policy-portal).
 
-You can also assign policies by using [Azure PowerShell](/azure/governance/policy/assign-policy-powershell), [Azure CLI](/azure/governance/policy/assign-policy-azurecli), or [templates](/azure/governance/policy/assign-policy-template).
+Assign policies by using [Azure PowerShell](/azure/governance/policy/assign-policy-powershell), [Azure CLI](/azure/governance/policy/assign-policy-azurecli), or [templates](/azure/governance/policy/assign-policy-template).
 
 ## Conditional access policies
 
-To control who can access your Azure AI Foundry hubs and projects, use [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview). To use Conditional Access for hubs, [assign the Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps) to the following apps:
+Control access to Azure AI Foundry hubs and projects by using [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/overview). For hubs, [assign the Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-cloud-apps) to these apps:
 
 | App name | App ID | Description |
 |---|---|---|
-| Azure AI Foundry App | cb2ff863-7f30-4ced-ab89-a00194bcf6d9 | Use to control access to the Azure AI Foundry portal. |
-| Azure Machine Learning Web App | d7304df8-741f-47d3-9bc2-df0e24e2071f | Use to control access to Azure Machine Learning studio. |
-| Azure Machine Learning | 0736f41a-0425-bdb5-1563eff02385 | Use to control direct access to the Azure Machine Learning API. For example, when using the SDK or REST API. Azure AI Foundry hub-based projects rely on the Azure Machine Learning API. |
+| Azure AI Foundry App | cb2ff863-7f30-4ced-ab89-a00194bcf6d9 | Controls access to the Azure AI Foundry portal. |
+| Azure Machine Learning Web App | d7304df8-741f-47d3-9bc2-df0e24e2071f | Controls access to Azure Machine Learning studio. |
+| Azure Machine Learning | 0736f41a-0425-bdb5-1563eff02385 | Controls direct access to the Azure Machine Learning API (for example, when using the SDK or REST API). Azure AI Foundry hub-based projects rely on this API. |
 
 ## Configure built-in policies
 
 ### Compute instance should have idle shutdown
 
 This policy controls whether a compute instance should have idle shutdown enabled. Idle shutdown automatically stops the compute instance when it's idle for a specified period of time. This policy is useful for cost savings and to ensure that resources aren't being used unnecessarily.
 
-To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If set to __Audit__, you can create a compute instance without idle shutdown enabled and a warning event is created in the activity log.
+To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If you set the effect to __Audit__, you can create a compute instance without idle shutdown. The service creates a warning event in the activity log.
 
 ### Compute instances should be recreated to get software updates
 
@@ -92,15 +92,15 @@ Controls auditing of compute cluster and instance resources behind a virtual net
 
 To configure this policy, set the effect parameter to __Audit__ or __Disabled__. If set to __Audit__, you can create a compute that isn't configured behind a virtual network and a warning event is created in the activity log.
 
-### Computes should have local authentication methods disabled.
+### Compute clusters and instances should have local authentication disabled
 
 Controls whether a compute cluster or instance should disable local authentication (SSH).
 
 To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If set to __Audit__, you can create a compute with SSH enabled and a warning event is created in the activity log.
 
 If the policy is set to __Deny__, then you can't create a compute unless SSH is disabled. Attempting to create a compute with SSH enabled results in an error. The error is also logged in the activity log. The policy identifier is returned as part of this error.
 
-### Hubs should be encrypted with customer-managed key
+### Hubs should be encrypted with a customer-managed key
 
 Controls whether a hub and its projects should be encrypted with a customer-managed key, or with a Microsoft-managed key to encrypt metrics and metadata. For more information on using customer-managed key, see the [Customer-managed keys](../concepts/encryption-keys-portal.md) article.
 
@@ -116,73 +116,73 @@ To configure this policy, set the effect parameter to __Audit__, __Deny__, or __
 
 If the policy is set to __Deny__, then you can't create a hub that allows network access from the public internet.
 
-### Hubs should use private link
+### Hubs should use Azure Private Link
 
 Controls whether a hub and its projects should use Azure Private Link to communicate with Azure Virtual Network. For more information on using private link, see [Configure a private endpoint](configure-private-link.md).
 
 To configure this policy, set the effect parameter to __Audit__ or __Deny__. If set to __Audit__, you can create a hub without using private link and a warning event is created in the activity log.
 
 If the policy is set to __Deny__, then you can't create a hub unless it uses a private link. Attempting to create a hub without a private link results in an error. The error is also logged in the activity log. The policy identifier is returned as part of this error.
 
-### Hubs should use user-assigned managed identity
+### Hubs should use a user-assigned managed identity
 
 Controls whether a hub is created using a system-assigned managed identity (default) or a user-assigned managed identity. The managed identity for the hub is used to access associated resources such as Azure Storage, Azure Container Registry, Azure Key Vault, and Azure Application Insights.
 
 To configure this policy, set the effect parameter to __Audit__, __Deny__, or __Disabled__. If set to __Audit__, you can create a hub without specifying a user-assigned managed identity. A system-assigned identity is used, and a warning event is created in the activity log.
 
 If the policy is set to __Deny__, then you can't create a hub unless you provide a user-assigned identity during the creation process. Attempting to create a hub without providing a user-assigned identity results in an error. The error is also logged to the activity log. The policy identifier is returned as part of this error.
 
-### Configure computes to modify/disable local authentication
+### Configure compute resources to modify or disable local authentication
 
 This policy modifies any compute cluster or instance creation request to disable local authentication (SSH).
 
 To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set __Modify__, any creation of a compute cluster or instance within the scope where the policy applies automatically has local authentication disabled.
 
-### Configure hub to use private DNS zones
+### Configure a hub to use private DNS zones
 
 This policy configures a hub to use a private DNS zone, overriding the default DNS resolution for a private endpoint.
 
 To configure this policy, set the effect parameter to __DeployIfNotExists__. Set the __privateDnsZoneId__ to the Azure Resource Manager ID of the private DNS zone to use. 
 
-### Configure hub to disable public network access
+### Configure a hub to disable public network access
 
 Configures a hub and its projects to disable network access from the public internet. Disabling public network access helps protect against data leakage risks. You can instead access your hub and projects by creating private endpoints. For more information, see [Configure a private endpoint](configure-private-link.md).
 
 To configure this policy, set the effect parameter to __Modify__ or __Disabled__. If set to __Modify__, any creation of a hub within the scope where the policy applies automatically has public network access disabled.
 
-### Configure hub with private endpoints
+### Configure a hub with private endpoints
 
 Configures a hub to create a private endpoint within the specified subnet of an Azure Virtual Network.
 
 To configure this policy, set the effect parameter to __DeployIfNotExists__. Set the __privateEndpointSubnetID__ to the Azure Resource Manager ID of the subnet.
 
-### Configure diagnostic hub to send logs to log analytics workspaces
+### Configure diagnostic hub to send logs to Log Analytics workspaces
 
 Configures the diagnostic settings for a hub to send logs to a Log Analytics workspace.
 
 To configure this policy, set the effect parameter to __DeployIfNotExists__ or __Disabled__. If set to __DeployIfNotExists__, the policy creates a diagnostic setting to send logs to a Log Analytics workspace if it doesn't already exist.
 
-### Resource logs in hub should be enabled
+### Resource logs in a hub should be enabled
 
 Audits whether resource logs are enabled for a hub. Resource logs provide detailed information about operations performed on resources in the hub.
 
 To configure this policy, set the effect parameter to __AuditIfNotExists__ or __Disabled__. If set to __AuditIfNotExists__, the policy audits if resource logs aren't enabled for the hub.
 
 ## Create custom definitions
 
-When you need to create custom policies for your organization, you can use the [Azure Policy definition structure](/azure/governance/policy/concepts/definition-structure-basics) to create your own definitions. You can use the [Azure Policy Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=AzurePolicy.azurepolicyextension) to author and test your policies.
+Create custom policies by using the [Azure Policy definition structure](/azure/governance/policy/concepts/definition-structure-basics). Use the [Azure Policy Visual Studio Code extension](https://marketplace.visualstudio.com/items?itemName=AzurePolicy.azurepolicyextension) to author and test policies.
 
-To discover the policy aliases you can use in your definition, use the following Azure CLI command to list the aliases for Azure Machine Learning:
+List policy aliases for Azure Machine Learning with this Azure CLI command:
 
 ```azurecli
 az provider show --namespace Microsoft.MachineLearningServices --expand "resourceTypes/aliases" --query "resourceTypes[].aliases[].name"
 ```
 
-To discover the allowed values for a specific alias, visit the [Azure Machine Learning REST API](/rest/api/azureml/) reference.
+Find allowed values for a specific alias in the [Azure Machine Learning REST API](/rest/api/azureml/) reference.
 
-For a tutorial (not Azure Machine Learning specific) on how to create custom policies, visit [Create a custom policy definition](/azure/governance/policy/tutorials/create-custom-policy-definition).
+For a general tutorial on creating custom policies, see [Create a custom policy definition](/azure/governance/policy/tutorials/create-custom-policy-definition).
 
-### Example: Block serverless spark compute jobs
+### Example: Deny serverless Spark compute jobs
 
 ```json
 {
@@ -210,14 +210,14 @@ For a tutorial (not Azure Machine Learning specific) on how to create custom pol
 }
 ```
 
-### Example: Configure no public IP for managed computes
+### Example: Deny public IPs for managed computes
 
 ```json
 {
     "properties": {
         "displayName": "Deny compute instance and compute cluster creation with public IP",
         "description": "Deny compute instance and compute cluster creation with public IP",
-        "mode": "all",
+        "mode": "All",
         "parameters": {
             "effectType": {
                 "type": "string",
@@ -266,5 +266,5 @@ For a tutorial (not Azure Machine Learning specific) on how to create custom pol
 
 * [Azure Policy documentation](/azure/governance/policy/overview)
 * [Working with security policies with Microsoft Defender for Cloud](/azure/security-center/tutorial-security-policy)
-* The [Cloud Adoption Framework scenario for data management and analytics](/azure/cloud-adoption-framework/scenarios/data-management/) outlines considerations in running data and analytics workloads in the cloud
-* [Learn how to use policy to integrate Azure Private Link with Azure Private DNS zones](/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)
+* The [Cloud Adoption Framework scenario for data management and analytics](/azure/cloud-adoption-framework/scenarios/data-management/) outlines considerations for running data and analytics workloads in the cloud.
+* [Use policy to integrate Azure Private Link with Azure Private DNS zones](/azure/cloud-adoption-framework/ready/azure-best-practices/private-link-and-dns-integration-at-scale)
