Merge pull request #688 from MicrosoftDocs/main

10/07/2024 PM Publish

Author: Albertyang0

articles/ai-services/openai/how-to/batch.md

@@ -85,7 +85,7 @@ In the Studio UI the deployment type will appear as `Global-Batch`.
 > [!TIP]
 > Each line of your input file for batch processing has a `model` attribute that requires a global batch **deployment name**. For a given input file, all names must be the same deployment name. This is different from OpenAI where the concept of model deployments does not exist. 
 >
-> For the best performance we recommend submitting large files for patch processing, rather than a large number of small files with only a few lines in each file.
+> For the best performance we recommend submitting large files for batch processing, rather than a large number of small files with only a few lines in each file.
 
 ::: zone pivot="programming-language-ai-studio"
 

articles/ai-services/translator/service-limits.md

@@ -7,7 +7,7 @@ author: laujan
 manager: nitinme
 ms.service: azure-ai-translator
 ms.topic: conceptual
-ms.date: 09/26/2024
+ms.date: 10/07/2024
 ms.author: lajanuar
 ---
 
@@ -78,7 +78,7 @@ The Translator has a maximum latency of 15 seconds using standard models and 120
 |Total number of files.|≤ 1000 |
 |Total content size in a batch | ≤ 250 MB|
 |Number of target languages in a batch| ≤ 10 |
-|Size of Translation memory file| ≤ 10 MB|
+|Size of glossary file| ≤ 10 MB|
 
 ##### Synchronous operation limits
 
@@ -87,7 +87,7 @@ The Translator has a maximum latency of 15 seconds using standard models and 120
 |Document size| ≤ 10 MB |
 |Total number of files.|1 |
 |Total number of target languages | 1|
-|Size of Translation memory file| ≤ 1 MB|
+|Size of glossary file| ≤ 1 MB|
 |Translated character limit|6 million characters per minute (cpm).|
 
 ## Next steps

articles/ai-studio/concepts/architecture.md

@@ -74,7 +74,7 @@ While most of the resources used by Azure AI Studio live in your Azure subscript
 - **Metadata storage**: Provided by Azure Storage resources in the Microsoft subscription.  
 
     > [!NOTE]
-    > If you use customer-managed keys, the metadata storage resources are created in your subscription. For more information, see [Customer-managed keys](../../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context).
+    > If you use customer-managed keys, the metadata storage resources are created in your subscription. For more information, see [Customer-managed keys](encryption-keys-portal.md).
 
 Managed compute resources and managed virtual networks exist in the Microsoft subscription, but you manage them. For example, you control which VM sizes are used for compute resources, and which outbound rules are configured for the managed virtual network.
 

articles/ai-studio/concepts/encryption-keys-portal.md

@@ -0,0 +1,103 @@
+---
+title: Customer-Managed Keys for Azure AI Studio
+titleSuffix: Azure AI Studio
+description: Learn about using customer-managed keys for encryption to improve data security with Azure AI Studio.
+author: Blackmist
+ms.author: larryfr
+ms.service: azure-ai-services
+ms.custom:
+  - ignite-2023
+ms.topic: concept-article
+ms.date: 10/7/2024
+ms.reviewer: deeikele
+# Customer intent: As an admin, I want to understand how I can use my own encryption keys with Azure AI Studio.
+---
+
+# Customer-managed keys for encryption with Azure AI Studio
+
+Customer-managed keys (CMKs) in Azure AI Studio provide enhanced control over the encryption of your data. By using CMKs, you can manage your own encryption keys to add an extra layer of protection and meet compliance requirements more effectively.
+
+## About encryption in Azure AI Studio
+
+Azure AI Studio layers on top of Azure Machine Learning and Azure AI services. By default, these services use Microsoft-managed encryption keys. 
+
+Hub and project resources are implementations of the Azure Machine Learning workspace and encrypt data in transit and at rest. For details, see [Data encryption with Azure Machine Learning](../../machine-learning/concept-data-encryption.md).
+
+Azure AI services data is encrypted and decrypted using [FIPS 140-2](https://en.wikipedia.org/wiki/FIPS_140-2) compliant [256-bit AES](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) encryption. Encryption and decryption are transparent, meaning encryption and access are managed for you. Your data is secure by default and you don't need to modify your code or applications to take advantage of encryption.
+
+## Data storage in your subscription when using customer-managed keys
+
+Hub resources store metadata in your Azure subscription when using customer-managed keys. Data is stored in a Microsoft-managed resource group that includes an Azure Storage account, Azure Cosmos DB resource and Azure AI Search. 
+
+> [!IMPORTANT]
+> When using a customer-managed key, the costs for your subscription will be higher because encrypted data is stored in your subscription. To estimate the cost, use the [Azure pricing calculator](https://azure.microsoft.com/pricing/calculator/).
+
+The encryption key you provide when creating a hub is used to encrypt data that is stored on Microsoft-managed resources. All projects using the same hub store data on the resources in a managed resource group identified by the name `azureml-rg-hubworkspacename_GUID`. Projects use Microsoft Entra ID authentication when interacting with these resources. If your hub has a private link endpoint, network access to the managed resources is restricted. The managed resource group is deleted, when the hub is deleted. 
+
+The following data is stored on the managed resources.
+
+|Service|What it's used for|Example|
+|-----|-----|-----|
+|Azure Cosmos DB|Stores metadata for your Azure AI projects and tools|Index names, tags; Flow creation timestamps; deployment tags; evaluation metrics|
+|Azure AI Search|Stores indices that are used to help query your AI studio content.|An index based off your model deployment names|
+|Azure Storage Account|Stores instructions for how customization tasks are orchestrated|JSON representation of flows you create in AI Studio|
+
+>[!IMPORTANT]
+> Azure AI Studio uses Azure compute that is managed in the Microsoft subscription, for example when you fine-tune models or or build flows. Its disks are encrypted with Microsoft-managed keys. Compute is ephemeral, meaning after a task is completed the virtual machine is deprovisioned, and the OS disk is deleted. Compute instance machines used for 'Code' experiences are persistant. Azure Disk Encryption isn't supported for the OS disk. 
+
+## (Preview) Service-side storage of encrypted data when using customer-managed keys
+
+A new architecture for customer-managed key encryption with hubs is available in preview, which resolves the dependency on the managed resource group. In this new model, encrypted data is stored service-side on Microsoft-managed resources instead of in managed resources in your subscription. Metadata is stored in multitenant resources using document-level CMK encryption. An Azure AI Search instance is hosted on the Microsoft-side per customer, and for each hub. Due to its dedicated resource model, its Azure cost is charged in your subscription via the hub resource.
+
+> [!NOTE]
+> During this preview key rotation and user-assigned identity capabilities are not supported. Server-side encryption is currently not supported in reference to an Azure Key Vault for storing your encryption key that has public network access disabled.
+
+## Use customer-managed keys with Azure Key Vault
+
+You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](/azure/key-vault/general/overview).
+
+To enable customer-managed keys, the key vault containing your keys must meet these requirements:
+
+- You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+- If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
+- You must grant your hub's and Azure AI Services resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
+
+The following limitations hold for Azure AI Services:
+- Only Azure Key Vault with [legacy access policies](/azure/key-vault/general/assign-access-policy) are supported.
+- Only RSA and RSA-HSM keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets, and certificates](/azure/key-vault/general/about-keys-secrets-certificates).
+
+### Enable your Azure AI Services resource's managed identity
+
+If connecting with Azure AI Services, or variants of Azure AI Services such as Azure OpenAI, you need to enable managed identity as a prerequisite for using customer-managed keys.
+
+1. Go to your Azure AI services resource.
+1. On the left, under **Resource Management**, select **Identity**.
+1. Switch the system-assigned managed identity status to **On**.
+1. Save your changes, and confirm that you want to enable the system-assigned managed identity.
+
+## Enable customer-managed keys
+
+Azure AI studio builds on hub as implementation of Azure Machine Learning workspace, Azure AI Services, and lets you connect with other resources in Azure. You must set encryption specifically on each resource.
+
+Customer-managed key encryption is configured via Azure portal in a similar way for each Azure resource:
+1. Create a new Azure resource in Azure portal.
+1. Under the encryption tab, select your encryption key.
+
+:::image type="content" source="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png" alt-text="Screenshot of the encryption tab with the option for server side encryption selected." lightbox="../../machine-learning/media/concept-customer-managed-keys/cmk-service-side-encryption.png":::
+
+Alternatively, use infrastructure-as-code options for automation. Example Bicep templates for Azure AI Studio are available on the Azure Quickstart repo:
+1. [CMK encryption for hub](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/aistudio-cmk).
+1. [Service-side CMK encryption preview for hub](https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices/machine-learning-workspace-cmk-service-side-encryption).
+
+## Limitations
+
+* The customer-managed key for encryption can only be updated to keys in the same Azure Key Vault instance.
+* After deployment, hubs can't switch from Microsoft-managed keys to Customer-managed keys or vice versa.
+* [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is required to use customer-managed keys in combination with Azure Speech and Content Moderator capabilities.
+* At the time of creation, you can't provide or modify resources that are created in the Microsoft-managed Azure resource group in your subscription.
+* You can't delete Microsoft-managed resources used for customer-managed keys without also deleting your hub.
+* [Azure AI services Customer-Managed Key Request Form](https://aka.ms/cogsvc-cmk) is still required for Speech and Content Moderator.
+
+## Related content
+
+* [What is Azure Key Vault](/azure/key-vault/general/overview)?

articles/ai-studio/toc.yml

@@ -324,10 +324,10 @@ items:
         href: how-to/troubleshoot-secure-connection-project.md
     - name: Data protection & encryption
       items:
+      - name: Configure customer-managed keys
+        href: concepts/encryption-keys-portal.md
       - name: Rotate keys
         href: ../ai-services/rotate-keys.md?context=/azure/ai-studio/context/context
-      - name: Configure customer-managed keys
-        href: ../ai-services/encryption/cognitive-services-encryption-keys-portal.md?context=/azure/ai-studio/context/context
     - name: Vulnerability management
       href: concepts/vulnerability-management.md
     - name: Disaster recovery

articles/machine-learning/concept-automl-forecasting-at-scale.md

@@ -28,7 +28,7 @@ The many models [components](concept-component.md) in AutoML enable you to train
 
 The many models training component applies AutoML's [model sweeping and selection](concept-automl-forecasting-sweeping.md) independently to each store in this example. This model independence aids scalability and can benefit model accuracy especially when the stores have diverging sales dynamics. However, a single model approach may yield more accurate forecasts when there are common sales dynamics. See the [distributed DNN training](#distributed-dnn-training-preview) section for more details on that case.
 
-You can configure the data partitioning, the [AutoML settings](how-to-auto-train-forecast.md#configure-experiment) for the models, and the degree of parallelism for many models training jobs. For examples, see our guide section on [many models components](how-to-auto-train-forecast.md#forecasting-at-scale-many-models).        
+You can configure the data partitioning, the [AutoML settings](how-to-auto-train-forecast.md#configure-experiment) for the models, and the degree of parallelism for many models training jobs. For examples, see our guide section on [many models components](how-to-auto-train-forecast.md#forecast-at-scale-many-models).        
 
 ## Hierarchical time series forecasting
 
@@ -49,7 +49,7 @@ AutoML supports the following features for hierarchical time series (HTS):
 * **Retrieving quantile/probabilistic forecasts for levels at or "below" the training level**. Current modeling capabilities support disaggregation of probabilistic forecasts.
 
 HTS components in AutoML are built on top of [many models](#many-models), so HTS shares the scalable properties of many models. 
-For examples, see our guide section on [HTS components](how-to-auto-train-forecast.md#forecasting-at-scale-hierarchical-time-series).
+For examples, see our guide section on [HTS components](how-to-auto-train-forecast.md#forecast-at-scale-hierarchical-time-series).
 
 ## Distributed DNN training (preview)
 

articles/machine-learning/concept-automl-forecasting-deep-learning.md

@@ -78,7 +78,7 @@ In the table, $n_{\text{input}} = n_{\text{features}} + 1$, the number of predic
 
 ## TCNForecaster in AutoML
 
-TCNForecaster is an optional model in AutoML. To learn how to use it, see [enable deep learning](./how-to-auto-train-forecast.md#enable-deep-learning).
+TCNForecaster is an optional model in AutoML. To learn how to use it, see [enable deep learning](./how-to-auto-train-forecast.md#enable-learning-for-deep-neural-networks).
 
 In this section, we describe how AutoML builds TCNForecaster models with your data, including explanations of data preprocessing, training, and model search. 
 
@@ -90,9 +90,9 @@ AutoML executes several preprocessing steps on your data to prepare for model tr
 |--|--|
 Fill missing data|[Impute missing values and observation gaps](./concept-automl-forecasting-methods.md#missing-data-handling) and optionally [pad or drop short time series](./how-to-auto-train-forecast.md#short-series-handling)|
 |Create calendar features|Augment the input data with [features derived from the calendar](./concept-automl-forecasting-calendar-features.md) like day of the week and, optionally, holidays for a specific country/region.|
-|Encode categorical data|[Label encode](https://scikit-learn.org/stable/modules/generated/sklearn.preprocessing.LabelEncoder.html) strings and other categorical types; this includes all [time series ID columns](./how-to-auto-train-forecast.md#forecasting-job-settings).|
+|Encode categorical data|[Label encode](https://scikit-learn.org/stable/modules/generated/sklearn.preprocessing.LabelEncoder.html) strings and other categorical types; this includes all [time series ID columns](./how-to-auto-train-forecast.md#forecast-job-settings).|
 |Target transform|Optionally apply the natural logarithm function to the target depending on the results of certain statistical tests.|
-|Normalization|[Z-score normalize](https://en.wikipedia.org/wiki/Standard_score) all numeric data; normalization is performed per feature and per time series group, as defined by the [time series ID columns](./how-to-auto-train-forecast.md#forecasting-job-settings).
+|Normalization|[Z-score normalize](https://en.wikipedia.org/wiki/Standard_score) all numeric data; normalization is performed per feature and per time series group, as defined by the [time series ID columns](./how-to-auto-train-forecast.md#forecast-job-settings).
 
 These steps are included in AutoML's transform pipelines, so they're automatically applied when needed at inference time. In some cases, the inverse operation to a step is included in the inference pipeline. For example, if AutoML applied a $\log$ transform to the target during training, the raw forecasts are exponentiated in the inference pipeline.  
 
@@ -104,7 +104,7 @@ The following table lists and describes input settings and parameters for TCNFor
 
 |Training input|Description|Value|
 |--|--|--|
-|Validation data|A portion of data that is held out from training to guide the network optimization and mitigate over fitting.| [Provided by the user](./how-to-auto-train-forecast.md#training-and-validation-data) or automatically created from training data if not provided.|
+|Validation data|A portion of data that is held out from training to guide the network optimization and mitigate over fitting.| [Provided by the user](./how-to-auto-train-forecast.md#prepare-training-and-validation-data) or automatically created from training data if not provided.|
 |Primary metric|Metric computed from median-value forecasts on the validation data at the end of each training epoch; used for early stopping and model selection.|[Chosen by the user](./how-to-auto-train-forecast.md#configure-experiment); normalized root mean squared error or normalized mean absolute error.|
 |Training epochs|Maximum number of epochs to run for network weight optimization.|100; automated early stopping logic may terminate training at a smaller number of epochs. 
 |Early stopping patience|Number of epochs to wait for primary metric improvement before training is stopped.|20|