Merge pull request #3417 from MicrosoftDocs/main

3/7/2025 PM Publish

Author: Taojunshen

articles/ai-foundry/how-to/configure-managed-network.md

@@ -747,18 +747,19 @@ __Private endpoints__:
 * When the isolation mode for the managed virtual network is `Allow internet outbound`, private endpoint outbound rules are automatically created as required rules from the managed virtual network for the hub and associated resources __with public network access disabled__ (Key Vault, Storage Account, Container Registry, hub).
 * When the isolation mode for the managed virtual network is `Allow only approved outbound`, private endpoint outbound rules are automatically created as required rules from the managed virtual network for the hub and associated resources __regardless of public network access mode for those resources__ (Key Vault, Storage Account, Container Registry, hub).
 
-__Outbound__ service tag rules:
-
-* `AzureActiveDirectory`
-* `Azure Machine Learning`
-* `BatchNodeManagement.region`
-* `AzureResourceManager`
-* `AzureFrontDoor.FirstParty`
-* `MicrosoftContainerRegistry`
-* `AzureMonitor`
-
-__Inbound__ service tag rules:
-* `AzureMachineLearning`
+For Azure AI Foundry to run with private networking, there are a set of required service tags. There are no alternatives to replacing required service tags. The following table describes each required service tag and its purpose within Azure AI Foundry. 
+
+| Service tag rule | Inbound or Outbound | Purpose |
+| ----------- | ----- | ----- |
+| `AzureMachineLearning` | Inbound | Create, update, and delete of Azure AI Foundry compute instance/cluster. |  
+| `AzureMachineLearning`| Outbound | Using Azure Machine Learning services. Python intellisense in notebooks uses port 18881. Creating, updating, and deleting an Azure Machine Learning compute instance uses port 5831. |
+| `AzureActiveDirectory` | Outbound | Authentication using Microsoft Entra ID. |
+| `BatchNodeManagement.region` | Outbound | Communication with Azure Batch back-end for Azure AI Foundry compute instances/clusters. |
+| `AzureResourceManager` | Outbound | Creation of Azure resources with Azure AI Foundry, Azure CLI, and Azure AI Foundry SDK. |
+| `AzureFrontDoor.FirstParty` | Outbound | Access docker images provided by Microsoft. |
+| `MicrosoftContainerRegistry` | Outbound | Access docker images provided by Microsoft. Setup of the Azure AI Foundry router for Azure Kubernetes Service. |		
+| `AzureMonitor` | Outbound | Used to log monitoring and metrics to Azure Monitor. Only needed if you haven't secured Azure Monitor for the workspace. This outbound is also used to log information for support incidents. |
+| `VirtualNetwork` | Outbound | Required when private endpoints are present in the virtual network or peered virtual networks. |
 
 ## List of scenario specific outbound rules
 
@@ -853,7 +854,7 @@ When you create a private endpoint for hub dependency resources, such as Azure S
 A private endpoint is automatically created for a connection if the target resource is an Azure resource listed previously. A valid target ID is expected for the private endpoint. A valid target ID for the connection can be the Azure Resource Manager ID of a parent resource. The target ID is also expected in the target of the connection or in `metadata.resourceid`. For more on connections, see [How to add a new connection in Azure AI Foundry portal](connections-add.md).
 
 > [!IMPORTANT]
-> As of March 31st 2025, the Azure AI Enterprise Network Connection Approver role must be assigned to the Azure AI Foundry hub's managed identity to approve private endpoints to securely access your Azure resources from the managed virtual network. This doesn't impact existing resources with approved private endpoints as the role is correctly assigned by the service. For new resources, ensure the role is assigned to the hub's managed identity. For Azure Data Factory, Azure Databricks, and Azure Function Apps, the Contributor role should instead be assigned to your hub's managed identity. This role assignment is applicable to both User-assigned identity and System-assigned identity workspaces. 
+> As of April 30th 2025, the Azure AI Enterprise Network Connection Approver role must be assigned to the Azure AI Foundry hub's managed identity to approve private endpoints to securely access your Azure resources from the managed virtual network. This doesn't impact existing resources with approved private endpoints as the role is correctly assigned by the service. For new resources, ensure the role is assigned to the hub's managed identity. For Azure Data Factory, Azure Databricks, and Azure Function Apps, the Contributor role should instead be assigned to your hub's managed identity. This role assignment is applicable to both User-assigned identity and System-assigned identity workspaces. 
 
 ## Select an Azure Firewall version for allowed only approved outbound
 

articles/ai-foundry/how-to/configure-private-link.md

@@ -304,6 +304,7 @@ If you need to configure custom DNS server without DNS forwarding, use the follo
 * `<instance-name>.<region>.instances.azureml.ms` - Only used by the `az ml compute connect-ssh` command to connect to computers in a managed virtual network. Not needed if you aren't using a managed network or SSH connections.
 
 * `<managed online endpoint name>.<region>.inference.ml.azure.com` - Used by managed online endpoints
+* `models.ai.azure.com` - Used for deploying Models as a Service
 
 To find the private IP addresses for your A records, see the [Azure Machine Learning custom DNS](/azure/machine-learning/how-to-custom-dns#find-the-ip-addresses) article.
 To check AI-PROJECT-GUID, go to the Azure portal, select your project, settings, properties, and the workspace ID is displayed.

articles/ai-foundry/how-to/create-hub-terraform.md

@@ -2,7 +2,7 @@
 title: 'Use Terraform to create an Azure AI Foundry hub'
 description: In this article, you create an Azure AI Foundry hub, an Azure AI Foundry project, an AI services resource, and more resources.
 ms.topic: how-to
-ms.date: 02/12/2025
+ms.date: 03/07/2025
 titleSuffix: Azure AI Foundry 
 ms.service: azure-ai-foundry
 manager: scottpolly 
@@ -40,27 +40,27 @@ In this article, you use Terraform to create an [Azure AI Foundry](https://ai.az
 ## Implement the Terraform code
 
 > [!NOTE]
-> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-ai-studio). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-ai-studio/TestRecord.md). You may need to update the resource provider versions used in the template to use the latest available versions.
+> The sample code for this article is located in the [Azure Terraform GitHub repo](https://github.com/Azure/terraform/tree/master/quickstart/101-azure-ai-foundry). You can view the log file containing the [test results from current and previous versions of Terraform](https://github.com/Azure/terraform/tree/master/quickstart/101-azure-ai-foundry/TestRecord.md). You may need to update the resource provider versions used in the template to use the latest available versions.
 > 
 > See more [articles and sample code showing how to use Terraform to manage Azure resources](/azure/terraform)
 
 1. Create a directory in which to test and run the sample Terraform code and make it the current directory.
 
 1. Create a file named `providers.tf` and insert the following code.
 
-    :::code language="Terraform" source="~/terraform_samples/quickstart/101-ai-studio/providers.tf":::
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-ai-foundry/providers.tf":::
 
 1. Create a file named `main.tf` and insert the following code.
 
-    :::code language="Terraform" source="~/terraform_samples/quickstart/101-ai-studio/main.tf":::
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-ai-foundry/main.tf":::
 
 1. Create a file named `variables.tf` and insert the following code.
 
-    :::code language="Terraform" source="~/terraform_samples/quickstart/101-ai-studio/variables.tf":::
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-ai-foundry/variables.tf":::
 
 1. Create a file named `outputs.tf` and insert the following code.
 
-    :::code language="Terraform" source="~/terraform_samples/quickstart/101-ai-studio/outputs.tf":::
+    :::code language="Terraform" source="~/terraform_samples/quickstart/101-azure-ai-foundry/outputs.tf":::
 
 ## Initialize Terraform
 

articles/ai-foundry/model-inference/how-to/use-chat-multi-modal.md

@@ -7,7 +7,7 @@ author: msakande
 reviewer: santiagxf
 ms.service: azure-ai-model-inference
 ms.topic: how-to
-ms.date: 1/21/2025
+ms.date: 03/07/2025
 ms.author: mopeakande
 ms.reviewer: fasantia
 ms.custom: generated

articles/ai-foundry/toc.yml

@@ -102,6 +102,8 @@ items:
           href: ../ai-foundry/model-inference/how-to/use-chat-completions.md?context=/azure/ai-foundry/context/context
         - name: Work with reasoning models
           href: ../ai-foundry/model-inference/how-to/use-chat-reasoning.md?context=/azure/ai-foundry/context/context
+        - name: Work with image and audio content
+          href: ../ai-foundry/model-inference/how-to/use-chat-multi-modal.md?context=/azure/ai-foundry/context/context
     - name: Work with featured models
       items:
       - name: AI21 Jamba models

articles/ai-foundry/what-is-ai-foundry.md

@@ -82,7 +82,7 @@ You can [explore Azure AI Foundry portal (including the model catalog)](./how-to
 
 But for full functionality there are some requirements:
 
-- You need an [Azure account](https://azure.microsoft.com/free/). 
+You need an [Azure account](https://azure.microsoft.com/pricing/purchase-options/azure-account). 
 
 ## Related content
 

articles/ai-services/content-understanding/overview.md

@@ -7,7 +7,7 @@ ms.author: lajanuar
 manager: nitinme
 ms.service: azure-ai-content-understanding
 ms.topic: overview
-ms.date: 02/19/2025
+ms.date: 03/06/2025
 ms.custom: ignite-2024-understanding-release
 
 #customer intent: As a user, I want to learn more about Content Understanding solutions.
@@ -73,17 +73,20 @@ See [Quickstart](quickstart/use-ai-foundry.md) for more examples.
 
 
 ## Responsible AI
+
  Azure AI Content Understanding is designed to guard against processing harmful content, such as graphic violence and gore, hateful speech and bullying, exploitation, abuse, and more. For more information and a full list of prohibited content, *see* our [**Transparency note**](/legal/cognitive-services/content-understanding/transparency-note?toc=/azure/ai-services/content-understanding/toc.json&bc=/azure/ai-services/content-understanding/breadcrumb/toc.json) and our [**Code of Conduct**](https://aka.ms/AI-CoC).
 
 ### Modified Content Filtering
 
-Azure AI Content Understanding now supports turning off content filtering for approved customers. The subscription IDs with approved modified content filtering impacts the Azure AI Content Understanding output.
+Content Understanding now supports modified content filtering for approved customers. The subscription IDs with approved modified content filtering impacts Content Understanding output. By default, Content Understanding employs a content filtering system that identifies specific risk categories for potentially harmful content in both submitted prompts and generated outputs. Modified content filtering allows the system to annotate rather than block potentially harmful output, giving you the ability to determine how to handle potentially harmful content. For more information on content filter types, *see* [Content filtering: filter types](../openai/concepts/content-filter.md#content-filter-types).
 
 > [!IMPORTANT]
 >
 > * Apply for modified content filters via this form: [Azure OpenAI Limited Access Review: Modified Content Filters](https://ncv.microsoft.com/uEfCgnITdR).
 > * For more information, *see* [**Content Filtering**](../openai/concepts/content-filter.md).
 
+To learn more about how to add modified content filtering to your requests, *see* our [REST API quickstart](quickstart/use-rest-api.md#modified-content-filtering).
+
 ## Data privacy and security
 Developers using the Content Understanding service should review Microsoft's policies on customer data. For more information, visit our [**Data, protection and privacy**](https://www.microsoft.com/trust-center/privacy) page.
 

articles/ai-services/content-understanding/quickstart/use-rest-api.md

@@ -22,7 +22,7 @@ ms.date: 11/19/2024
 
 ## Prerequisites
 
-To get started, you need **An active Azure subscription**. If you don't have an Azure account, you can [create a free subscription](https://azure.microsoft.com/free/). 
+To get started, you need **An active Azure subscription**. If you don't have an Azure account, you can [create a free subscription](https://azure.microsoft.com/free/).
 
 * Once you have your Azure subscription, create an [Azure AI Services resource](https://portal.azure.com/#create/Microsoft.CognitiveServicesAIServices) in the Azure portal. This multi-service resource enables access to multiple Azure AI services with a single set of credentials.
 
@@ -174,6 +174,118 @@ First, create a JSON file named `request_body.json` with the following content:
 
 ---
 
+### Modified content filtering
+
+* Customers, who are approved, can customize the Content Understanding default content filtering system. After modifications, the output filters will annotate content rather than block it, offering improved control over content filtering in the Content Understanding output.
+
+* To request approval for modified content filtering, complete the following form: [Azure OpenAI Limited Access Review: Modified Content Filters](https://ncv.microsoft.com/uEfCgnITdR).
+
+* Once approved, create or update your `request_body.json` file to include the `"disableContentFiltering": true` property.
+
+# [Document](#tab/document)
+
+ Here's a document modality code sample using the`"disableContentFiltering": true` property:
+
+   ```json
+   {
+     "description": "Sample invoice analyzer",
+     "scenario": "document",
+     "config": {
+
+       "disableContentFiltering": true,
+
+       "enableFace": true,
+       "returnDetails": true,
+       },
+       "fieldSchema": {
+
+      <insert your schema here>
+
+       }
+   }
+
+   ```
+
+For more information, *see* [**Content Filtering**](../../openai/concepts/content-filter.md).
+
+# [Image](#tab/image)
+
+Here's an image modality code sample using the`"disableContentFiltering": true` property:
+
+   ```json
+   {
+     "description": "Sample chart analyzer",
+     "scenario": "image",
+     "config": {
+
+       "disableContentFiltering": true,
+
+       "returnDetails": true,
+       },
+       "fieldSchema": { 
+
+       <insert your schema here>
+
+       }
+   }
+
+   ```
+
+For more information, *see* [**Content Filtering**](../../openai/concepts/content-filter.md).
+
+# [Audio](#tab/audio)
+
+Here's an audio modality code sample using the`"disableContentFiltering": true` property:
+
+   ```json
+   {
+     "description": "Sample call transcript analyzer",
+     "scenario": "callCenter",
+     "config": {
+
+       "disableContentFiltering": true,
+
+       "returnDetails": true,
+       "locales": ["en-US"]
+       },
+       "fieldSchema": {
+
+       <insert your schema here>
+
+       }
+   }
+
+   ```
+
+For more information, *see* [**Content Filtering**](../../openai/concepts/content-filter.md).
+
+
+# [Video](#tab/video)
+
+ Here's a video modality code sample using the`"disableContentFiltering": true` property:
+
+   ```json
+   {
+     "description": "Sample marketing video analyzer",
+     "scenario": "videoShot",
+     "config": {
+
+       "disableContentFiltering": true,
+
+       },
+       "fieldSchema": {
+
+       <insert your schema here>
+
+       }
+   }
+
+   ```
+For more information, *see* [**Content Filtering**](../../openai/concepts/content-filter.md).
+
+---
+
+
 Before running the following `cURL` commands, make the following changes to the HTTP request:
 
 1. Replace `{endpoint}` and `{key}` with the endpoint and key values from your Azure portal Azure AI Services instance.
@@ -540,8 +652,8 @@ The 200 (`OK`) JSON response includes a `status` field indicating the status of
 
 ---
 
-## Next steps 
+## Next steps
 
-* In this quickstart, you learned how to call the [REST API](/rest/api/contentunderstanding/operation-groups?view=rest-contentunderstanding-2024-12-01-preview&preserve-view=true) to create a custom analyzer. For a user experience, try [**Azure AI Foundry portal**](https://ai.azure.com/). 
+* In this quickstart, you learned how to call the [REST API](/rest/api/contentunderstanding/operation-groups?view=rest-contentunderstanding-2024-12-01-preview&preserve-view=true) to create a custom analyzer. For a user experience, try [**Azure AI Foundry portal**](https://ai.azure.com/).
 
 

articles/ai-services/content-understanding/toc.yml

@@ -5,7 +5,7 @@ items:
   expanded: true
   items:
   - name: What is Azure AI Content Understanding?
-    displayName: document, text, images, video, audio, multimodal, visual, structured, content, field, extraction
+    displayName: document, text, images, video, audio, multimodal, visual, structured, content, field, extraction, content filtering, filter
     href: overview.md
   - name: Create an Azure AI Services resource
     displayName: extract, text, images, OCR, optical character recognition
@@ -29,7 +29,7 @@ items:
 - name: Quickstarts
   items:
   - name: Content Understanding REST API
-    displayName: quickstart, extract, text, images, OCR, optical character recognition
+    displayName: quickstart, extract, text, images, OCR, optical character recognition, content filtering, filter
     href: quickstart/use-rest-api.md
   - name: Content Understanding Azure AI Foundry portal
     displayName: quickstart, extract, text, images, OCR, optical character recognition

articles/machine-learning/how-to-custom-dns.md

@@ -166,6 +166,7 @@ The following FQDNs are for Microsoft Azure operated by 21Vianet regions:
 
 * `<instance-name>-22.<region>.instances.azureml.cn` - Only used by the `az ml compute connect-ssh` command to connect to computes in a private virtual network. Not needed if you aren't using a managed network or SSH connections.
 * `<managed online endpoint name>.<region>.inference.ml.azure.cn` - Used by managed online endpoints
+* `models.ai.azure.com` - Used for deploying Models as a Service
 
 > [!TIP]
 > If you're using hub and project workspaces, each project workspace has its own set of FQDNs. For more information, see the [workspace DNS resolution](#workspace-dns-resolution-path) section.