Merge pull request #267332 from MicrosoftDocs/main

2/26/2024 PM Publish

Author: Taojunshen

.openpublishing.redirection.virtual-machines.json

@@ -0,0 +1,9 @@
+{
+    "redirections": [
+        {
+            "source_path_from_root": "/articles/virtual-machines/security-recommendations.md",
+            "redirect_url": "/security/benchmark/azure/baselines/virtual-machines-windows-virtual-machines-security-baseline",
+            "redirect_document_id": false
+        }
+    ]
+}

articles/ai-services/media/cognitive-services-encryption/key-vault-access-policy.png

@@ -361,9 +361,9 @@ You can send a streaming request using the `stream` parameter, allowing data to
         {
             "type": "AzureCognitiveSearch",
             "parameters": {
-                "endpoint": "'$SearchEndpoint'",
-                "key": "'$SearchKey'",
-                "indexName": "'$SearchIndex'"
+                "endpoint": "'$AZURE_AI_SEARCH_ENDPOINT'",
+                "key": "'$AZURE_AI_SEARCH_API_KEY'",
+                "indexName": "'$AZURE_AI_SEARCH_INDEX'"
             }
         }
     ],
@@ -386,9 +386,9 @@ When you chat with a model, providing a history of the chat will help the model
         {
             "type": "AzureCognitiveSearch",
             "parameters": {
-                "endpoint": "'$SearchEndpoint'",
-                "key": "'$SearchKey'",
-                "indexName": "'$SearchIndex'"
+                "endpoint": "'$AZURE_AI_SEARCH_ENDPOINT'",
+                "key": "'$AZURE_AI_SEARCH_API_KEY'",
+                "indexName": "'$AZURE_AI_SEARCH_INDEX'"
             }
         }
     ],

articles/ai-services/openai/concepts/use-your-data.md

@@ -6,7 +6,7 @@ author: mrbullwinkle
 manager: nitinme
 ms.service: azure-ai-openai
 ms.topic: conceptual
-ms.date: 11/14/2022
+ms.date: 2/21/2024
 ms.author: mbullwin
 ---
 
@@ -22,37 +22,66 @@ Azure OpenAI is part of Azure AI services. Azure AI services data is encrypted a
 
 By default, your subscription uses Microsoft-managed encryption keys. There's also the option to manage your subscription with your own keys called customer-managed keys (CMK). CMK offers greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
 
-## Customer-managed keys with Azure Key Vault
+## Use customer-managed keys with Azure Key Vault
 
 Customer-managed keys (CMK), also known as Bring your own key (BYOK), offer greater flexibility to create, rotate, disable, and revoke access controls. You can also audit the encryption keys used to protect your data.
 
 You must use Azure Key Vault to store your customer-managed keys. You can either create your own keys and store them in a key vault, or you can use the Azure Key Vault APIs to generate keys. The Azure AI services resource and the key vault must be in the same region and in the same Microsoft Entra tenant, but they can be in different subscriptions. For more information about Azure Key Vault, see [What is Azure Key Vault?](../../key-vault/general/overview.md).
 
-To enable customer-managed keys, you must also enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+To enable customer-managed keys, the key vault containing your keys must meet these requirements:
 
-Only RSA keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/general/about-keys-secrets-certificates.md).
+- You must enable both the **Soft Delete** and **Do Not Purge** properties on the key vault.
+- If you use the [Key Vault firewall](/azure/key-vault/general/access-behind-firewall), you must allow trusted Microsoft services to access the key vault.
+- The key vault must use [legacy access policies](/azure/key-vault/general/assign-access-policy).
+- You must grant the Azure OpenAI resource's system-assigned managed identity the following permissions on your key vault: *get key*, *wrap key*, *unwrap key*.
 
-## Enable customer-managed keys for your resource
+Only RSA and RSA-HSM keys of size 2048 are supported with Azure AI services encryption. For more information about keys, see **Key Vault keys** in [About Azure Key Vault keys, secrets and certificates](../../key-vault/general/about-keys-secrets-certificates.md).
+
+### Enable your Azure OpenAI resource's managed identity
+
+1. Go to your Azure AI services resource.
+1. On the left, under **Resource Management**, select **Identity**.
+1. Switch the system-assigned managed identity status to **On**.
+1. Save your changes, and confirm that you want to enable the system-assigned managed identity.
+
+### Configure your key vault's access permissions
+
+1. In the Azure portal, go to your key vault.
+1. On the left, select **Access policies**.
+   
+   If you see a message advising you that access policies aren't available, [reconfigure your key vault to use legacy access policies](/azure/key-vault/general/assign-access-policy) before continuing.
+1. Select **Create**.
+1. Under **Key permissions**, select **Get**, **Wrap Key**, and **Unwrap Key**. Leave the remaining checkboxes unselected.
+
+   :::image type="content" source="../media/cognitive-services-encryption/key-vault-access-policy.png" alt-text="Screenshot of the Azure portal page for a key vault access policy. The permissions selected are Get Key, Wrap Key, and Unwrap Key.":::
+
+1. Select **Next**.
+1. Search for the name of your Azure OpenAI resource and select its managed identity.
+1. Select **Next**.
+1. Select **Next** to skip configuring any application settings.
+1. Select **Create**.
+
+### Enable customer-managed keys on your Azure OpenAI resource
 
 To enable customer-managed keys in the Azure portal, follow these steps:
 
 1. Go to your Azure AI services resource.
-1. On the left, select **Encryption**.
+1. On the left, under **Resource Management**, select **Encryption**.
 1. Under **Encryption type**, select **Customer Managed Keys**, as shown in the following screenshot.
 
-> [!div class="mx-imgBorder"]
-> ![Screenshot of create a resource user experience](./media/encryption/encryption.png)
+   > [!div class="mx-imgBorder"]
+   > ![Screenshot of create a resource user experience.](./media/encryption/encryption.png)
 
-## Specify a key
+### Specify a key
 
 After you enable customer-managed keys, you can specify a key to associate with the Azure AI services resource.
 
-### Specify a key as a URI
+#### Specify a key as a URI
 
 To specify a key as a URI, follow these steps:
 
 1. In the Azure portal, go to your key vault.
-1. Under **Settings**, select **Keys**.
+1. Under **Objects**, select **Keys**.
 1. Select the desired key, and then select the key to view its versions. Select a key version to view the settings for that version.
 1. Copy the **Key Identifier** value, which provides the URI.
 
@@ -67,9 +96,9 @@ To specify a key as a URI, follow these steps:
 1. Under **Subscription**, select the subscription that contains the key vault.
 1. Save your changes.
 
-### Specify a key from a key vault
+#### Select a key from a key vault
 
-To specify a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:
+To select a key from a key vault, first make sure that you have a key vault that contains a key. Then follow these steps:
 
 1. Go to your Azure AI services resource, and then select **Encryption**.
 1. Under **Encryption key**, select **Select from Key Vault**.

articles/ai-services/openai/encrypt-data-at-rest.md

@@ -1,13 +1,13 @@
 ---
 title: How to migrate to OpenAI Python v1.x
 titleSuffix: Azure OpenAI Service
-description: Learn about migrating to the latest release of the OpenAI Python library with Azure OpenAI
+description: Learn about migrating to the latest release of the OpenAI Python library with Azure OpenAI.
 author: mrbullwinkle 
 ms.author: mbullwin 
 ms.service: azure-ai-openai
 ms.custom: devx-track-python
 ms.topic: how-to
-ms.date: 11/15/2023
+ms.date: 02/26/2024
 manager: nitinme
 ---
 
@@ -17,7 +17,7 @@ OpenAI has just released a new version of the [OpenAI Python API library](https:
 
 ## Updates
 
-- This is a completely new version of the OpenAI Python API library.
+- This is a new version of the OpenAI Python API library.
 - Starting on November 6, 2023 `pip install openai` and `pip install openai --upgrade` will install `version 1.x` of the OpenAI Python library.
 - Upgrading from `version 0.28.1` to `version 1.x` is a breaking change, you'll need to test and update your code.  
 - Auto-retry with backoff if there's an error
@@ -259,7 +259,7 @@ print(completion.model_dump_json(indent=2))
 
 ## Use your data
 
-For the full configuration steps that are required to make these code examples work, please consult the [use your data quickstart](../use-your-data-quickstart.md).
+For the full configuration steps that are required to make these code examples work, consult the [use your data quickstart](../use-your-data-quickstart.md).
 # [OpenAI Python 0.28.1](#tab/python)
 
 ```python
@@ -270,10 +270,10 @@ import requests
 
 dotenv.load_dotenv()
 
-openai.api_base = os.environ.get("AOAIEndpoint")
+openai.api_base = os.environ.get("AZURE_OPENAI_ENDPOINT")
 openai.api_version = "2023-08-01-preview"
 openai.api_type = 'azure'
-openai.api_key = os.environ.get("AOAIKey")
+openai.api_key = os.environ.get("AZURE_OPENAI_API_KEY")
 
 def setup_byod(deployment_id: str) -> None:
     """Sets up the OpenAI Python SDK to use your own data for the chat endpoint.
@@ -299,19 +299,19 @@ def setup_byod(deployment_id: str) -> None:
 
     openai.requestssession = session
 
-aoai_deployment_id = os.environ.get("AOAIDeploymentId")
+aoai_deployment_id = os.environ.get("AZURE_OPEN_AI_DEPLOYMENT_ID")
 setup_byod(aoai_deployment_id)
 
 completion = openai.ChatCompletion.create(
     messages=[{"role": "user", "content": "What are the differences between Azure Machine Learning and Azure AI services?"}],
-    deployment_id=os.environ.get("AOAIDeploymentId"),
+    deployment_id=os.environ.get("AZURE_OPEN_AI_DEPLOYMENT_ID"),
     dataSources=[  # camelCase is intentional, as this is the format the API expects
         {
             "type": "AzureCognitiveSearch",
             "parameters": {
-                "endpoint": os.environ.get("SearchEndpoint"),
-                "key": os.environ.get("SearchKey"),
-                "indexName": os.environ.get("SearchIndex"),
+                "endpoint": os.environ.get("AZURE_AI_SEARCH_ENDPOINT"),
+                "key": os.environ.get("AZURE_AI_SEARCH_API_KEY"),
+                "indexName": os.environ.get("AZURE_AI_SEARCH_INDEX"),
             }
         }
     ]
@@ -328,9 +328,9 @@ import dotenv
 
 dotenv.load_dotenv()
 
-endpoint = os.environ.get("AOAIEndpoint")
-api_key = os.environ.get("AOAIKey")
-deployment = os.environ.get("AOAIDeploymentId")
+endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")
+api_key = os.environ.get("AZURE_OPENAI_API_KEY")
+deployment = os.environ.get("AZURE_OPEN_AI_DEPLOYMENT_ID")
 
 client = openai.AzureOpenAI(
     base_url=f"{endpoint}/openai/deployments/{deployment}/extensions",
@@ -351,9 +351,9 @@ completion = client.chat.completions.create(
             {
                 "type": "AzureCognitiveSearch",
                 "parameters": {
-                    "endpoint": os.environ["SearchEndpoint"],
-                    "key": os.environ["SearchKey"],
-                    "indexName": os.environ["SearchIndex"]
+                    "endpoint": os.environ["AZURE_AI_SEARCH_ENDPOINT"],
+                    "key": os.environ["AZURE_AI_SEARCH_API_KEY"],
+                    "indexName": os.environ["AZURE_AI_SEARCH_INDEX"]
                 }
             }
         ]

articles/ai-services/openai/how-to/migration.md

@@ -7,7 +7,7 @@ ms.service: azure-ai-openai
 ms.topic: how-to
 author: aahill
 ms.author: aahi
-ms.date: 02/09/2024
+ms.date: 02/23/2024
 recommendations: false
 ---
 
@@ -43,6 +43,8 @@ When customizing the app, we recommend:
 
 - When you rotate API keys for your Azure OpenAI or Azure AI Search resource, be sure to update the app settings for each of your deployed apps to use the new keys.
 
+Sample source code for Azure OpenAI On Your Data web app is available on [GitHub](https://github.com/microsoft/sample-app-aoai-chatGPT). Source code is provided "as is" and as a sample only. Customers are responsible for all customization and implementation of their web apps using Azure OpenAI On Your Data. 
+
 ### Updating the web app
 
 We recommend pulling changes from the `main` branch for the web app's source code frequently to ensure you have the latest bug fixes, API version, and improvements.

articles/ai-services/openai/how-to/use-web-app.md

@@ -90,9 +90,9 @@ When using the API, pass the `filter` parameter in each API request. For example
         {
             "type": "AzureCognitiveSearch",
             "parameters": {
-                "endpoint": "'$SearchEndpoint'",
-                "key": "'$SearchKey'",
-                "indexName": "'$SearchIndex'",
+                "endpoint": "'$AZURE_AI_SEARCH_ENDPOINT'",
+                "key": "'$AZURE_AI_SEARCH_API_KEY'",
+                "indexName": "'$AZURE_AI_SEARCH_INDEX'",
                 "filter": "my_group_ids/any(g:search.in(g, 'group_id1, group_id2'))"
             }
         }

articles/ai-services/openai/how-to/use-your-data-securely.md

@@ -14,82 +14,82 @@ To successfully make a call against Azure OpenAI, you need the following variabl
 
 |Variable name | Value |
 |--------------------------|-------------|
-| `AOAIEndpoint`               | This value can be found in the **Keys & Endpoint** section when examining your Azure OpenAI resource from the Azure portal. Alternatively, you can find the value in **Azure AI studio** > **Chat playground** > **Code view**. An example endpoint is: `https://my-resoruce.openai.azure.com`.|
-| `AOAIKey` | This value can be found in **Resource management** > **Keys & Endpoint** section when examining your Azure OpenAI resource from the Azure portal. You can use either `KEY1` or `KEY2`. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. |
-| `AOAIDeploymentId` | This value corresponds to the custom name you chose for your deployment when you deployed a model. This value can be found under **Resource Management** > **Deployments** in the Azure portal or alternatively under **Management** > **Deployments** in Azure AI studio.|
-| `SearchEndpoint` | This value can be found in the **Overview** section when examining your Azure AI Search resource from the Azure portal. |
-| `SearchKey` | This value can be found in the **Settings** > **Keys** section when examining your Azure AI Search resource from the Azure portal. You can use either the primary admin key or secondary admin key. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. |
-| `SearchIndex` | This value corresponds to the name of the index you created to store your data. You can find it in the **Overview** section when examining your Azure AI Search resource from the Azure portal. |
+| `AZURE_OPENAI_ENDPOINT`               | This value can be found in the **Keys & Endpoint** section when examining your Azure OpenAI resource from the Azure portal. Alternatively, you can find the value in **Azure AI studio** > **Chat playground** > **Code view**. An example endpoint is: `https://my-resoruce.openai.azure.com`.|
+| `AZURE_OPENAI_API_KEY` | This value can be found in **Resource management** > **Keys & Endpoint** section when examining your Azure OpenAI resource from the Azure portal. You can use either `KEY1` or `KEY2`. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. |
+| `AZURE_OPEN_AI_DEPLOYMENT_ID` | This value corresponds to the custom name you chose for your deployment when you deployed a model. This value can be found under **Resource Management** > **Deployments** in the Azure portal or alternatively under **Management** > **Deployments** in Azure AI studio.|
+| `AZURE_AI_SEARCH_ENDPOINT` | This value can be found in the **Overview** section when examining your Azure AI Search resource from the Azure portal. |
+| `AZURE_AI_SEARCH_API_KEY` | This value can be found in the **Settings** > **Keys** section when examining your Azure AI Search resource from the Azure portal. You can use either the primary admin key or secondary admin key. Always having two keys allows you to securely rotate and regenerate keys without causing a service disruption. |
+| `AZURE_AI_SEARCH_INDEX` | This value corresponds to the name of the index you created to store your data. You can find it in the **Overview** section when examining your Azure AI Search resource from the Azure portal. |
 
 ### Environment variables
 
 # [Command Line](#tab/command-line)
 
 ```CMD
-setx AOAIEndpoint REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE
+setx AZURE_OPENAI_ENDPOINT REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE
 ```
 ```CMD
-setx AOAIKey REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE
+setx AZURE_OPENAI_API_KEY REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE
 ```
 ```CMD
-setx AOAIDeploymentId REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE
+setx AZURE_OPENAI_DEPLOYMENT_ID REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE
 ```
 ```CMD
-setx SearchEndpoint REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE
+setx AZURE_AI_SEARCH_ENDPOINT REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE
 ```
 ```CMD
-setx SearchKey REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE
+setx AZURE_AI_SEARCH_API_KEY REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE
 ```
 ```CMD
-setx SearchIndex REPLACE_WITH_YOUR_INDEX_NAME_HERE
+setx AZURE_AI_SEARCH_INDEX REPLACE_WITH_YOUR_INDEX_NAME_HERE
 ```
 
 
 # [PowerShell](#tab/powershell)
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('AOAIEndpoint', 'REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_ENDPOINT', 'REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE', 'User')
 ```
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('AOAIKey', 'REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_OPENAI_API_KEY', 'REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE', 'User')
 ```
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('AOAIDeploymentId', 'REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_OPEN_AI_DEPLOYMENT_ID', 'REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE', 'User')
 ```
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('SearchEndpoint', 'REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_AI_SEARCH_ENDPOINT', 'REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE', 'User')
 ```
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('SearchKey', 'REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_AI_SEARCH_API_KEY', 'REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE', 'User')
 ```
 
 ```powershell
-[System.Environment]::SetEnvironmentVariable('SearchIndex', 'REPLACE_WITH_YOUR_INDEX_NAME_HERE', 'User')
+[System.Environment]::SetEnvironmentVariable('AZURE_AI_SEARCH_INDEX', 'REPLACE_WITH_YOUR_INDEX_NAME_HERE', 'User')
 ```
 
 # [Bash](#tab/bash)
 
 ```Bash
-export AOAIEndpoint=REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE
+export AZURE_OPENAI_ENDPOINT=REPLACE_WITH_YOUR_AOAI_ENDPOINT_VALUE_HERE
 ```
 ```Bash
-export AOAIKey=REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE
+export AZURE_OPENAI_API_KEY=REPLACE_WITH_YOUR_AOAI_KEY_VALUE_HERE
 ```
 ```Bash
-export AOAIDeploymentId=REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE
+export AZURE_OPEN_AI_DEPLOYMENT_ID=REPLACE_WITH_YOUR_AOAI_DEPLOYMENT_VALUE_HERE
 ```
 ```Bash
-export SearchEndpoint=REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE
+export AZURE_AI_SEARCH_ENDPOINT=REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_VALUE_HERE
 ```
 ```Bash
-export SearchKey=REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE
+export AZURE_AI_SEARCH_API_KEY=REPLACE_WITH_YOUR_AZURE_SEARCH_RESOURCE_KEY_VALUE_HERE
 ```
 ```Bash
-export SearchIndex=REPLACE_WITH_YOUR_INDEX_NAME_HERE
+export AZURE_AI_SEARCH_INDEX=REPLACE_WITH_YOUR_INDEX_NAME_HERE
 ```
 
 ---