Skip to content

Commit a6b35ce

Browse files
authored
Merge pull request #2868 from santiagxf/santiagxf/azure-policies
feat: moving azure policies configuration to model inference
2 parents 9e36726 + 93488c4 commit a6b35ce

File tree

6 files changed

+115
-54
lines changed

6 files changed

+115
-54
lines changed
Lines changed: 108 additions & 52 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,21 @@
11
---
2-
title: Control AI model deployment with custom policies
2+
title: Control model deployment with custom policies
33
titleSuffix: Azure AI Foundry
44
description: "Learn how to use custom Azure Policies to control Azure AI services and Azure OpenAI model deployment with Azure AI Foundry."
5-
author: Blackmist
6-
ms.author: larryfr
5+
manager: scottpolly
76
ms.service: azure-ai-foundry
87
ms.topic: how-to #Don't change
9-
ms.date: 10/25/2024
10-
11-
#customer intent: As an admin, I want control what Azure AI services and Azure OpenAI models can be deployed by my developers.
8+
ms.date: 02/11/2025
9+
author: Blackmist
10+
ms.author: larryfr
11+
reviewer: santiagxf
12+
ms.reviewer: fasantia
1213

1314
---
1415

15-
# Control AI model deployment with custom policies in Azure AI Foundry portal
16+
# Control model deployment with custom policies
1617

17-
When using models from Azure AI services and Azure OpenAI with Azure AI Foundry, you might need to use custom policies to control what models your developers can deploy. Custom Azure Policies allow you to create policy definitions that meet your organization's unique requirements. This article shows you how to create and assign an example custom policy to control model deployment.
18+
When using models from Azure AI Services and Azure OpenAI with Azure AI Foundry, you might need to use custom policies to control which [type of deployment](../concepts/deployment-types.md) options are available to users or which specific models users can deploy. This article guides you on how to create policies to control model deployments using Azure Policies.
1819

1920
## Prerequisites
2021

@@ -24,71 +25,125 @@ When using models from Azure AI services and Azure OpenAI with Azure AI Foundry,
2425

2526
## Create a custom policy
2627

28+
Follow these steps to create and assign an example custom policy to control model deployments:
29+
2730
1. From the [Azure portal](https://portal.azure.com), select **Policy** from the left side of the page. You can also search for **Policy** in the search bar at the top of the page.
28-
1. From the left side of the Azure Policy Dashboard, select **Authoring**, **Definitions**, and then select **+ Policy definition** from the top of the page.
29-
1. In the **Policy Definition** form, use the following values:
31+
32+
2. From the left side of the Azure Policy Dashboard, select **Authoring**, **Definitions**, and then select **+ Policy definition** from the top of the page.
33+
34+
:::image type="content" source="../media/configure-deployment-policies/create-new-policy.png" alt-text="An screenshot showing how to create a new policy definition in Azure Policies." lightbox="../media/configure-deployment-policies/create-new-policy.png":::
35+
36+
3. In the **Policy Definition** form, use the following values:
3037

3138
- **Definition location**: Select the subscription or management group where you want to store the policy definition.
3239
- **Name**: Enter a unique name for the policy definition. For example, `Custom allowed Azure AI services and Azure OpenAI models`.
3340
- **Description**: Enter a description for the policy definition.
3441
- **Category**: You can either create a new category or use an existing one. For example, "AI model governance."
35-
- **Policy rule**: Enter the policy rule in JSON format. The following example shows a policy rule that allows the deployment of specific Azure AI services and Azure OpenAI models:
3642

37-
> [!TIP]
38-
> Azure AI services was originally named Azure Cognitive Services. This name is still used internally by Azure, such as this custom policy where you see a value of `Microsoft.CognitiveServices`. Azure OpenAI is part of Azure AI services, so this policy also applies to Azure OpenAI models.
43+
4. On **Policy rule**, enter the policy rule details in JSON format. Select the scenario that applies to your case better:
3944

40-
```json
41-
{
42-
"mode": "All",
43-
"policyRule": {
44-
"if": {
45-
"allOf": [
46-
{
47-
"field": "type",
48-
"equals": "Microsoft.CognitiveServices/accounts/deployments"
49-
},
50-
{
51-
"not": {
52-
"value": "[concat(field('Microsoft.CognitiveServices/accounts/deployments/model.name'), ',', field('Microsoft.CognitiveServices/accounts/deployments/model.version'))]",
53-
"in": "[parameters('allowedModels')]"
54-
}
55-
}
56-
]
45+
# [Enforce specific models](#tab/models)
46+
47+
The following policy allows you to control which specific models and versions are available for deployment. You can enforce this policy at different levels depending on your needs.
48+
49+
```json
50+
{
51+
"mode": "All",
52+
"policyRule": {
53+
"if": {
54+
"allOf": [
55+
{
56+
"field": "type",
57+
"equals": "Microsoft.CognitiveServices/accounts/deployments"
5758
},
58-
"then": {
59-
"effect": "deny"
60-
}
61-
},
62-
"parameters": {
63-
"allowedModels": {
64-
"type": "Array",
65-
"metadata": {
66-
"displayName": "Allowed AI models",
67-
"description": "The list of allowed models to be deployed."
59+
{
60+
"not": {
61+
"value": "[concat(field('Microsoft.CognitiveServices/accounts/deployments/model.name'), ',', field('Microsoft.CognitiveServices/accounts/deployments/model.version'))]",
62+
"in": "[parameters('allowedModels')]"
6863
}
6964
}
65+
]
66+
},
67+
"then": {
68+
"effect": "deny"
69+
}
70+
},
71+
"parameters": {
72+
"allowedModels": {
73+
"type": "Array",
74+
"metadata": {
75+
"displayName": "Allowed AI models",
76+
"description": "The list of allowed models to be deployed."
7077
}
78+
}
7179
}
72-
```
80+
}
81+
```
82+
83+
# [Enforce specific deployment types](#tab/deployments)
7384

74-
1. Select **Save** to save the policy definition. After saving, you arrive at the policy definition's overview page.
75-
1. From the policy definition's overview page, select **Assign policy** to assign the policy definition.
76-
1. From the **Assign policy** page, use the following values on the **Basics** tab:
85+
The following policy allows you to control which types of deployments are allowed in the Azure AI Services or Azure OpenAI Resources. For example, you might want to prevent developers from creating deployments that result in data processed in a different region. Follow these steps to create a policy that denies creating global processing deployment types.
86+
87+
```json
88+
{
89+
"mode": "All",
90+
"policyRule": {
91+
"if": {
92+
"allOf": [
93+
{
94+
"field": "type",
95+
"equals": "Microsoft.CognitiveServices/accounts/deployments"
96+
},
97+
{
98+
"field": "Microsoft.CognitiveServices/accounts/deployments/sku.name",
99+
"equals": "GlobalStandard"
100+
}
101+
]
102+
},
103+
"then": {
104+
"effect": "deny"
105+
}
106+
}
107+
}
108+
```
109+
110+
---
111+
112+
> [!TIP]
113+
> Azure AI services was originally named Azure Cognitive Services. This name is still used internally by Azure, such as this custom policy where you see a value of `Microsoft.CognitiveServices`. Azure OpenAI is part of Azure AI services, so this policy also applies to Azure OpenAI models.
114+
115+
5. Select **Save** to save the policy definition. After saving, you arrive at the policy definition's overview page.
116+
117+
6. From the policy definition's overview page, select **Assign policy** to assign the policy definition.
118+
119+
7. From the **Assign policy** page, use the following values on the **Basics** tab:
77120

78121
- **Scope**: Select the scope where you want to assign the policy. The scope can be a management group, subscription, or resource group.
79122
- **Policy definition**: This field is prepopulated with the title of policy definition you created previously.
80123
- **Assignment name**: Enter a unique name for the assignment.
81124
- **Policy enforcement**: Make sure that the **Policy enforcement** field is set to **Enabled**. If it isn't enabled, the policy isn't enforced.
82125

83126
Select **Next** at the bottom of the page, or the **Parameters** tab at the top of the page.
84-
1. From the **Parameters** tab, set **Allowed AI models** to the list of models that you want to allow. The list should be a comma-separated list of model names and approved versions, surrounded by square brackets. For example, `["gpt-4,0613", "gpt-35-turbo,0613"]`.
127+
128+
8. Configure the parameters for the policy (if any):
129+
130+
# [Enforce specific models](#tab/models)
131+
132+
From the **Parameters** tab, set **Allowed AI models** to the list of models that you want to allow. The list should be a comma-separated list of model names and approved versions, surrounded by square brackets. For example, `["gpt-4,0613", "gpt-35-turbo,0613"]`.
85133

86134
> [!TIP]
87135
> You can find the model names and their versions in the [Azure AI Foundry Model Catalog](https://ai.azure.com/explore/models). Select the model to view the details, and then copy the model name and their version in the title.
88136

89-
1. Optionally, select the **Non-compliance messages** tab at the top of the page and set a custom message for noncompliance.
90-
1. Select **Review + create** tab and verify that the policy assignment is correct. When ready, select **Create** to assign the policy.
91-
1. Notify your developers that the policy is in place. They receive an error message if they try to deploy a model that isn't in the list of allowed models.
137+
# [Enforce specific deployment types](#tab/deployments)
138+
139+
This policy doesn't require parameters.
140+
141+
9. Optionally, select the **Non-compliance messages** tab at the top of the page and set a custom message for noncompliance.
142+
143+
10. Select **Review + create** tab and verify that the policy assignment is correct. When ready, select **Create** to assign the policy.
144+
145+
11. Notify your developers that the policy is in place. They receive an error message if they try to deploy a model that isn't in the list of allowed models.
146+
92147

93148
## Verify policy assignment
94149

@@ -99,7 +154,10 @@ To verify that the policy is assigned, navigate to **Policy** in the Azure porta
99154
To monitor compliance with the policy, follow these steps:
100155

101156
1. From the [Azure portal](https://portal.azure.com), select **Policy** from the left side of the page. You can also search for **Policy** in the search bar at the top of the page.
102-
1. From the left side of the Azure Policy Dashboard, select **Compliance**. Each policy assignment is listed with the compliance status. To view more details, select the policy assignment.
157+
158+
1. From the left side of the Azure Policy Dashboard, select **Compliance**. Each policy assignment is listed with the compliance status. To view more details, select the policy assignment. The following example shows the compliance report for a policy that blocks deployments of type *Global standard*.
159+
160+
:::image type="content" source="../media/configure-deployment-policies/policy-compliance.png" alt-text="An screenshot showing an example of a policy compliance report for a policy that blocks Global standard deployment SKUs." lightbox="../media/configure-deployment-policies/policy-compliance.png":::
103161

104162
## Update the policy assignment
105163

@@ -112,7 +170,6 @@ To update an existing policy assignment with new models, follow these steps:
112170

113171
## Best practices
114172

115-
- **Obtaining model names**: Use the [Azure AI Foundry Model Catalog](https://ai.azure.com/explore/models), then select the model to view details. Use the model name in the title with the policy.
116173
- **Granular scoping**: Assign policies at the appropriate scope to balance control and flexibility. For example, apply at the subscription level to control all resources in the subscription, or apply at the resource group level to control resources in a specific group.
117174
- **Policy naming**: Use a consistent naming convention for policy assignments to make it easier to identify the purpose of the policy. Include information such as the purpose and scope in the name.
118175
- **Documentation**: Keep records of policy assignments and configurations for auditing purposes. Document any changes made to the policy over time.
@@ -123,6 +180,5 @@ To update an existing policy assignment with new models, follow these steps:
123180
## Related content
124181

125182
- [Azure Policy overview](/azure/governance/policy/overview)
126-
- [Azure AI Foundry model catalog](model-catalog-overview.md)
127-
- [Azure AI services documentation](/azure/ai-services)
183+
- [Deployment types](../concepts/deployment-types.md)
128184

1.13 MB
Loading
90.8 KB
Loading

articles/ai-foundry/model-inference/toc.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,7 @@ items:
5757
- name: Configure key-less authentication
5858
href: ./how-to/configure-entra-id.md
5959
- name: Control model deployment with custom policies
60-
href: /azure/ai-studio/how-to/custom-policy-model-deployment?context=/azure/ai-foundry/model-inference/context/context
60+
href: ./how-to/configure-deployment-policies.md
6161
- name: Manage cost
6262
href: ./how-to/manage-costs.md
6363
- name: Quotas and limits

articles/ai-studio/.openpublishing.redirection.ai-studio.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -210,6 +210,11 @@
210210
"redirect_url": "/azure/ai-foundry/model-inference/how-to/create-model-deployments",
211211
"redirect_document_id": false
212212
},
213+
{
214+
"source_path_from_root": "/articles/ai-studio/how-to/custom-policy-model-deployment.md",
215+
"redirect_url": "/azure/ai-foundry/model-inference/how-to/configure-deployment-policies",
216+
"redirect_document_id": true
217+
},
213218
{
214219
"source_path_from_root": "/articles/ai-studio/ai-services/how-to/content-safety.md",
215220
"redirect_url": "/azure/ai-services/content-safety/how-to/foundry",

articles/ai-studio/toc.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -405,7 +405,7 @@ items:
405405
- name: Built-in policy to allow specific models
406406
href: how-to/built-in-policy-model-deployment.md
407407
- name: Custom policy to allow specific models
408-
href: how-to/custom-policy-model-deployment.md
408+
href: ../ai-foundry/model-inference/how-to/configure-deployment-policies.md?context=/azure/ai-studio/context/context
409409
- name: Vulnerability management
410410
href: concepts/vulnerability-management.md
411411
- name: Disaster recovery

0 commit comments

Comments
 (0)