
Commit 99e0138

Update how-to-administrate-data-authentication.md
1 parent 0a27f25 commit 99e0138

1 file changed

+15
-21
lines changed

articles/machine-learning/how-to-administrate-data-authentication.md

Lines changed: 15 additions & 21 deletions
@@ -52,10 +52,6 @@ In general, identity-based data authentication involves these checks:
5252
- Please find more [Azure built-in roles for storage here](../role-based-access-control/built-in-roles/storage.md).
5353

5454

55-
## VNET specific checks for authetication
56-
57-
58-
5955
## Other general checks for authetication
6056
* Where does the access come from?
6157
- User: Is the client IP address in the VNet/subnet range?
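
Review bot: The retained heading "## Other general checks for authetication" still misspells "authentication", and this hunk already edits the lines directly above it, so the typo can be fixed in the same commit. With the empty "## VNET specific checks for authetication" section removed, also check that "Other" still reads correctly directly after the identity-based checks; if not, rename the heading to something like "## General checks for authentication".
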
@@ -73,33 +69,31 @@ This diagram shows the general flow of a data access call. Here, a user tries to
7369

7470
:::image type="content" source="./media/concept-network-data-access/data-access-flow.svg" alt-text="Diagram of the logic flow when accessing data.":::
7571

76-
## Scenarios and identities
72+
## Scenarios and authentication options
7773

7874
This table lists the identities to use for specific scenarios:
7975

80-
| Scenario | Use workspace</br>Managed Service Identity (MSI) | Identity to use |
81-
|--|--|--|
82-
| Access from UI | Yes | Workspace MSI |
83-
| Access from UI | No | User's Identity |
84-
| Access from Job | Yes/No | Compute MSI |
85-
| Access from Notebook | Yes/No | User's identity |
86-
87-
| Configuration | SDK Local | Job | Dataset Preview | Datastore browse | Notebook VM |
88-
| -- | -- | -- | -- | -- | -- |
89-
| Credential + Workspace MSI | Credential | Credential | Workspace MSI | Credential (Only Account key and SAS token) | Credential | Notebook VM |
90-
| No Credential + Workspace MSI | User Identity | Compute MSI/User identity | Workspace MSI | User identity | User identity |
91-
| Credential + No Workspace MSI | Credential | Credential | Credential | Credential (Only Account key and SAS token) | Credential |
92-
| No Credential + No Workspace MSI | User Identity | Compute MSI/User identity | User Identity | User Identity | User Identity |
76+
| Configuration | SDK Local/Notebook VM | Job | Dataset Preview | Datastore Browse |
77+
| -- | -- | -- | -- | -- |
78+
| Credential + Workspace MSI | Credential | Credential | Workspace MSI | Credential (Only Account key and SAS token) | Credential |
79+
| No Credential + Workspace MSI | Compute MSI/User Identity | Compute MSI/User identity | Workspace MSI | User identity |
80+
| Credential + No Workspace MSI | Credential | Credential | Credential(Not supported for Dataset Preview under private network) | Credential (Only Account key and SAS token) |
81+
| No Credential + No Workspace MSI | Compute MSI/User Identity | Compute MSI/User identity | User Identity | User Identity |
9382

83+
For SDK V1, data authentication in a job is always using compute MSI. And for SDK V2, data authentication in a job depends on the job setting.
9484

95-
Data access is complex and it involves many pieces. For example, data access from Azure Machine Learning studio is different compared to use of the SDK for data access. When you use the SDK in your local development environment, you directly access data in the cloud. When you use studio, you don't always directly access the data store from your client. Studio relies on the workspace to access data on your behalf.
9685

9786
> [!TIP]
9887
> To access data from outside Azure Machine Learning, for example with Azure Storage Explorer, that access probably relies on the *user* identity. For specific information, review the documentation for the tool or service you're using. For more information about how Azure Machine Learning works with data, see [Setup authentication between Azure Machine Learning and other services](how-to-identity-based-service-authentication.md).
9988
100-
## Azure Storage Account
10189

102-
When you use an Azure Storage Account from Azure Machine Learning studio, you must add the managed identity of the workspace to these Azure RBAC roles for the storage account:
90+
## VNET specific requirements
91+
92+
The following will help you set up data authentication to access data behind VNET from an Azure Machine Learning workspace.
93+
94+
### Add permissions of Azure Storage Account to AzureML workspace managed identity
95+
96+
When you use an Azure Storage Account from Azure Machine Learning studio, if you want to see Dataset Preview, you must enable "Use workspace managed identity for data preview and profiling in Azure Machine Learning Studio" in datastore setting, and add these Azure RBAC roles of the storage account to the workspace managed identity:
10397

10498
* [Blob Data Reader](../role-based-access-control/built-in-roles.md#storage-blob-data-reader)
10599
* If the storage account uses a private endpoint to connect to the VNet, you must grant the [Reader](../role-based-access-control/built-in-roles.md#reader) role for the storage account private endpoint to the managed identity.
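
Review bot: In the new table, the "Credential + Workspace MSI" row has six cells while the header declares five columns (Configuration, SDK Local/Notebook VM, Job, Dataset Preview, Datastore Browse); the trailing "| Credential |" looks like a leftover from merging the Notebook VM column and should be dropped so the row stays aligned with the header. The added sentence "For SDK V1, data authentication in a job is always using compute MSI" also conflicts with the Job column, which lists "Credential" for both credential configurations; say whether the table describes SDK V2 only, and name the job setting that SDK V2 behaviour depends on. Smaller points: "Credential(Not supported for Dataset Preview under private network)" needs a space before the parenthesis, the casing of "User Identity" and "User identity" is mixed, and the unchanged lead-in "This table lists the identities to use for specific scenarios" no longer matches a table that also lists credentials.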
