MicrosoftDocs
diff --git a/‎articles/ai-foundry/concepts/authentication-options-ai-foundry.md‎
Lines changed: 3 additions & 6 deletions b/‎articles/ai-foundry/concepts/authentication-options-ai-foundry.md‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎articles/ai-foundry/concepts/disable-preview-features-with-rbac.md‎
Lines changed: 86 additions & 0 deletions b/‎articles/ai-foundry/concepts/disable-preview-features-with-rbac.md‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎articles/ai-foundry/concepts/evaluation-evaluators/custom-evaluators.md‎
Lines changed: 14 additions & 10 deletions b/‎articles/ai-foundry/concepts/evaluation-evaluators/custom-evaluators.md‎
Lines changed: 14 additions & 10 deletions
@@ -12,7 +12,7 @@ ai.usage: ai-assisted
 ---
 
 # Authentication and authorization options in Azure AI Foundry
-
+<!--
 Azure AI Foundry supports multiple authentication approaches to balance security, operational simplicity, and speed. This article explains the control plane and data plane model, compares API key and Microsoft Entra ID (formerly Azure AD) authentication, maps identities to roles, and describes common least privilege scenarios. Use this article with:
 
 - [Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
@@ -22,7 +22,6 @@ Azure AI Foundry supports multiple authentication approaches to balance security
 
 > [!IMPORTANT]
 > Use Microsoft Entra ID for production workloads to enable conditional access, managed identities, and least privilege RBAC. API keys are convenient for quick evaluation and legacy tooling but lack user level traceability.
-
 ## Control plane vs. data plane
 
 Azure services separate management (_control plane_) from runtime operations (_data plane_).
@@ -40,7 +39,6 @@ _Source file: control-data-plane.mmd (stored alongside the image for maintenance
 
 > [!NOTE]
 > This diagram is conceptual. Check current service documentation for the latest supported resources and operations.
-
 ## Authentication methods
 
 ### API keys
@@ -72,7 +70,6 @@ Microsoft Entra ID uses OAuth 2.0 bearer tokens. Principals get tokens for the r
 
 > [!IMPORTANT]
 > Validate features marked [**TO VERIFY**] against current release notes if you rely on them for compliance-critical scenarios.
-
 | Capability or feature | API Key | Microsoft Entra ID | Notes |
 |---------------------|---------|--------------------|-------|
 | Basic model inference (chat, embeddings) | Yes | Yes | Fully supported. |
@@ -111,7 +108,6 @@ See the authoritative list in [Azure built-in roles (AI + machine learning)](/az
 
 > [!TIP]
 > Create a custom role when a built-in role grants more permissions than you need.
-
 ## Set up Microsoft Entra ID
 
 High-level steps. See the detailed guide: [Configure key-less authentication](../foundry-models/how-to/configure-entra-id.md).
@@ -177,4 +173,5 @@ Some creation workflows can auto assign broad roles, such as granting the resour
 - [Authenticate requests to Azure AI services](/azure/ai-services/authentication)
 - [Configure key-less authentication with Microsoft Entra ID](../foundry-models/how-to/configure-entra-id.md)
 - [Azure built-in roles (AI + machine learning)](/azure/role-based-access-control/built-in-roles#ai-+-machine-learning)
-- [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)
+- [Managed identities for Azure resources](/entra/identity/managed-identities-azure-resources/overview)
+-->
@@ -0,0 +1,86 @@
+---
+title: Disable Preview Features with Role-Based Access
+description: Learn how to disable preview features in Azure AI Foundry using role-based access control (RBAC). Create custom roles to manage feature access effectively.
+#customer intent: As an IT admin, I want to disable preview features in Azure AI Foundry through role-based access control so that my organization complies with enterprise policies.
+author: jonburchel
+ms.author: jburchel
+ms.reviewer: meerakurup
+ms.date: 09/25/2025
+ms.topic: concept-article
+ms.service: azure-ai-foundry
+ai.usage: ai-assisted
+---
+
+# Disable preview features in Azure AI Foundry with role-based access control
+
+In Azure AI Foundry projects, some features are in preview. Administrators can bock access to them by denying specific data actions to a custom role, and granting their users role memberships to enable/disable specific features as required. This article lists the data actions for each preview feature so you can disable them on an individual basis. However, since you can't modify built-in roles in Azure AI Foundry projects, you need to create a custom role. For steps to create a custom role, see [Create or update Azure custom roles using the Azure portal - Azure RBAC](/azure/role-based-access-control/custom-roles-portal).
+
+## Agents service data actions
+
+Use these data actions in a custom role definition:
+
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/write`
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/read`
+- `Microsoft.CognitiveServices/accounts/AIServices/agents/delete`
+
+## Content understanding (multimodal intelligence)
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/read`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/write`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/delete`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/read`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/write`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/delete`
+- `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/batchAnalysisJobs/\*`
+- Optional: include the /labelingProjects data actions if your team labels documents in Foundry.
+
+## Fine-tuning
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/\*` (include
+  _read_, _write_, and _delete_ and all child resources)
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/files/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/threads/messages/\*`
+- `Microsoft.CognitiveServices/accounts/OpenAI/assistants/vector_stores/\*`
+
+## Tracing
+
+Allow or deny the following data actions in the custom role definition.
+
+Foundry’s Tracing pane uses Azure Monitor. In the custom role wizard, set the provider to Microsoft.Insights, then add or remove only the read actions you need:
+
+- `Microsoft.Insights/alertRules/read`
+- `Microsoft.Insights/diagnosticSettings/read`
+- `Microsoft.Insights/logDefinitions/read`
+- `Microsoft.Insights/metricdefinitions/read`
+- `Microsoft.Insights/metrics/read`
+
+## Evaluation data actions
+
+The associated data actions to allow or disallow in your custom role
+definition are the following:
+
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/write`
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/read`
+- `Microsoft.CognitiveServices/accounts/AIServices/evaluations/delete`
+
+## Content safety risks and alerts
+
+The associated data actions to allow or disallow in your custom role
+definition are the following
+
+- `Microsoft.CognitiveServices/accounts/ContentSafety/\*`
+  - …/`Analyze Text`
+  - …/`Analyze Image`
+  - …/`Analyze Protected Material`
+  - …/`Unified Analyze`
+
+## Related content
+
+[Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
@@ -1,11 +1,11 @@
 ---
-title: Custom evaluators
+title: Custom Evaluators
 titleSuffix: Azure AI Foundry
 description: Learn how to create custom evaluators for your AI applications using code-based or prompt-based approaches.
 author: lgayhardt
 ms.author: lagayhar
 ms.reviewer: mithigpe
-ms.date: 07/31/2025
+ms.date: 10/16/2025
 ms.service: azure-ai-foundry
 ms.topic: reference
 ms.custom:
@@ -15,11 +15,11 @@ ms.custom:
 
 # Custom evaluators
 
-Built-in evaluators are great out of the box to start evaluating your application's generations. However you might want to build your own code-based or prompt-based evaluator to cater to your specific evaluation needs.
+To start evaluating your application's generations, built-in evaluators are great out of the box. To cater to your evaluation needs, you can build your own code-based or prompt-based evaluator.
 
 ## Code-based evaluators
 
-Sometimes a large language model isn't needed for certain evaluation metrics. This is when code-based evaluators can give you the flexibility to define metrics based on functions or callable class. You can build your own code-based evaluator, for example, by creating a simple Python class that calculates the length of an answer in `answer_length.py` under directory `answer_len/`:
+You don't need a large language model for certain evaluation metrics. Code-based evaluators can give you the flexibility to define metrics based on functions or callable classes. You can build your own code-based evaluator, for example, by creating a simple Python class that calculates the length of an answer in `answer_length.py` under directory `answer_len/`, as in the following example.
 
 ### Code-based evaluator example: Answer length
 
@@ -32,7 +32,7 @@ class AnswerLengthEvaluator:
         return {"answer_length": len(answer)}
 ```
 
-Then run the evaluator on a row of data by importing a callable class:
+Run the evaluator on a row of data by importing a callable class:
 
 ```python
 from answer_len.answer_length import AnswerLengthEvaluator
@@ -49,13 +49,17 @@ answer_length = answer_length_evaluator(answer="What is the speed of light?")
 
 ## Prompt-based evaluators
 
-To build your own prompt-based large language model evaluator or AI-assisted annotator, you can create a custom evaluator based on a **Prompty** file. Prompty is a file with `.prompty` extension for developing prompt template. The Prompty asset is a markdown file with a modified front matter. The front matter is in YAML format that contains many metadata fields that define model configuration and expected inputs of the Prompty. Let's create a custom evaluator `FriendlinessEvaluator` to measure friendliness of a response.
+To build your own prompt-based large language model evaluator or AI-assisted annotator, you can create a custom evaluator based on a *Prompty* file.
+
+Prompty is a file with the `.prompty` extension for developing prompt template. The Prompty asset is a markdown file with a modified front matter. The front matter is in YAML format. It contains metadata fields that define model configuration and expected inputs of the Prompty.
+
+To measure friendliness of a response, you can create a custom evaluator `FriendlinessEvaluator`:
 
 ### Prompt-based evaluator example: Friendliness evaluator
 
-First, create a `friendliness.prompty` file that describes the definition of the friendliness metric and its grading rubric:
+First, create a `friendliness.prompty` file that defines the friendliness metric and its grading rubric:
 
-```markdown
+```md
 ---
 name: Friendliness Evaluator
 description: Friendliness Evaluator to measure warmth and approachability of answers.
@@ -108,7 +112,7 @@ generated_query: {{response}}
 output:
 ```
 
-Then create a class `FriendlinessEvaluator` to load the Prompty file and process the outputs with json format:
+Then create a class `FriendlinessEvaluator` to load the Prompty file and process the outputs with JSON format:
 
 ```python
 import os
@@ -132,7 +136,7 @@ class FriendlinessEvaluator:
         return response
 ```
 
-Now, you can create your own Prompty-based evaluator and run it on a row of data:
+Now, create your own Prompty-based evaluator and run it on a row of data:
 
 ```python
 from friendliness.friend import FriendlinessEvaluator