
Commit 988c1e4

Merge pull request #49418 from MicrosoftDocs/NEW-intro-azureml-authentication-authorization
New intro azureml authentication authorization
2 parents 6f9ca87 + 905504b commit 988c1e4

16 files changed: +327 -0 lines changed
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.introduction
3+
title: Introduction
4+
metadata:
5+
title: Introduction
6+
description: Introduction to Azure Machine Learning authentication and authorization.
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 2
12+
content: |
13+
[!include[](includes/1-introduction.md)]
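Review bot: `author: Orin-Thomas` and `ms.author: viniap` (lines 8-9) look like two different people; in Learn unit metadata the GitHub alias and the Microsoft alias are expected to identify the same owner, so please confirm which one should stay. The same pair appears in all six unit files in this PR, so whatever the answer is, apply it consistently rather than only here.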
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.authentication-azure-machine-learning-workspaces
3+
title: Authentication for Azure Machine Learning workspaces
4+
metadata:
5+
title: Authentication for Azure Machine Learning workspaces
6+
description: Understand authentication for Azure Machine Learning workspaces.
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 6
12+
content: |
13+
[!include[](includes/2-authentication-azure-machine-learning-workspaces.md)]
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.manage-access-azure-machine-learning
3+
title: Manage access to Azure Machine Learning
4+
metadata:
5+
title: Manage access to Azure Machine Learning
6+
description: Control access to Azure Machine Learning resources.
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 7
12+
content: |
13+
[!include[](includes/3-manage-access-azure-machine-learning.md)]
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.authentication-between-azure-machine-learning-other-azure-services
3+
title: Authentication between Azure Machine Learning and other Azure services
4+
metadata:
5+
title: Authentication between Azure Machine Learning and other Azure services
6+
description: Configure access for workspaces to other Azure services.
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 10
12+
content: |
13+
[!include[](includes/4-authentication-between-azure-machine-learning-other-azure-services.md)]
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.knowledge-check
3+
title: Knowledge check
4+
metadata:
5+
title: Knowledge Check
6+
description: Knowledge Check
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 3
12+
content: Choose the best response for each question.
13+
quiz:
14+
questions:
15+
- content: "When are account keys used for authentication purposes rather than Microsoft Entra ID?"
16+
choices:
17+
- content: "When accessing other Azure resources."
18+
isCorrect: false
19+
explanation: "Access between Azure resources (including Azure Machine Learning) use managed-identities which is a feature of Microsoft Entra ID"
20+
- content: "When Azure Machine Learning compute clusters or Kubernetes clusters access other Azure services."
21+
isCorrect: false
22+
explanation: "Azure Machine Learning compute clusters or Kubernetes clusters use managed-identities which is a feature of Entra ID"
23+
- content: "When account keys or tokens are used for access to external data sources."
24+
isCorrect: true
25+
explanation: "In cases on which the data source only accepts credential-based authentication, Azure Machine Learning can use Azure Key Vault to store these secrets"
26+
- content: "Which Azure Machine Learning default role should you assign to someone who will be responsible for the compute resources in a workspace?"
27+
choices:
28+
- content: "Contributor."
29+
isCorrect: false
30+
explanation: "While contributors can create and delete compute resources in a workspace, they also have additional permissions. Granting Contributor access to someone who is responsible to for the compute resources might pose a security risk"
31+
- content: "Azure Machine Learning Compute Operator."
32+
isCorrect: true
33+
explanation: "Azure Machine Learning Compute Operators can only create, manage, delete, and access compute resources within a workspace"
34+
- content: "Azure Machine Learning Data Scientist."
35+
isCorrect: false
36+
explanation: "Azure Machine Learning Data Scientists can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself."
37+
- content: "Which of the following statements is true regarding system-assigned managed identify for Azure Machine Learning?"
38+
choices:
39+
- content: "When that workspace is deleted, its associated system-assigned identity is also deleted."
40+
isCorrect: true
41+
explanation: "The lifecycle of system-assigned managed identities is tied to their associated resource. When the resource is deleted, the identity is also deleted."
42+
- content: "You must manually enable a system-assigned identity after creating a machine learning workspace."
43+
isCorrect: false
44+
explanation: "By default, Azure Machine Learning has a system-assigned managed identity and that is a supported scenario"
45+
- content: "Azure Machine Learning workspaces are assigned a user-managed identity by default."
46+
isCorrect: false
47+
explanation: "Creating an Azure Machine Learning workspace automatically creates a system-assigned managed identity. User-managed identities must be manually configured."
48+
49+
50+
51+
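Review bot: the third question (line 37) has a typo in the stem, "system-assigned managed identify" should be "system-assigned managed identity", and its second explanation (line 44) does not actually answer the choice it refutes: "By default, Azure Machine Learning has a system-assigned managed identity and that is a supported scenario" never says that no manual enabling step is needed. Reword it along the lines of the third explanation on line 47, e.g. "Creating a workspace automatically creates a system-assigned managed identity; you do not need to enable it manually." Smaller fixes in the same hunk: line 19 and 22 "use managed-identities which is a feature" should read "use managed identities, which are a feature" (and "Entra ID" on line 22 should match "Microsoft Entra ID" on line 19); line 25 "In cases on which" should be "In cases in which"; line 30 "responsible to for the compute resources" drops the "to"; explanations end with a period on some lines (36, 41, 47) and not on others, pick one; the unit title on line 3 is "Knowledge check" while the metadata title and description on lines 5-6 use "Knowledge Check"; and the four trailing empty lines 48-51 should be removed.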
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.introduction-azure-machine-learning-auth.summary
3+
title: Summary
4+
metadata:
5+
title: Summary
6+
description: Module summary
7+
ms.date: 03/06/2025
8+
author: Orin-Thomas
9+
ms.author: viniap
10+
ms.topic: unit
11+
durationInMinutes: 1
12+
content: |
13+
[!include[](includes/6-summary.md)]
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
Azure Machine Learning (ML) is a cloud service for managing machine learning project lifecycles. ML professionals, data scientists, and engineers can use Azure Machine Learning to train and deploy models and manage machine learning operations (MLOps).
2+
3+
An Azure Machine Learning workspace is a centralized environment for managing machine learning projects, allowing collaboration and organization of experiments, datasets, models, and deployments. The workspace provides tools for creating, training, and deploying models, along with managing compute resources and data assets. As a cloud operations professional, you need to manage Azure Machine Learning workspace authentication and authorization.
4+
5+
## Learning objectives ##
6+
7+
After completing this module, you'll be able to:
8+
9+
- Set up authentication for Azure Machine Learning resources and workflows
10+
- Manage access to Azure Machine Learning workspaces
11+
- Set up authentication between Azure Machine Learning and other services
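Review bot: the closing hashes in "## Learning objectives ##" (line 5) are unusual for Learn markdown, where headings are written as "## Learning objectives" with no trailing hashes; the same style is used for "## Default Roles ##" in the manage-access include, so it is worth normalising both. Also, the first paragraph expands the name as "Azure Machine Learning (ML)" and then never uses the abbreviation, so the parenthetical can go.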
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
Azure Machine Learning provides workspaces to create and manage machine learning artifacts. Workspaces serve as containers for access management, cost management, and data isolation. As the administrator of an Azure Machine Learning workspace, you'll manage two aspects of authentication and authorization:
2+
3+
- Manage access to Azure Machine Learning workspaces giving users the ability to create new resources or use existing ones.
4+
- Manage the authentication between Azure Machine Learning and the services it relies on.
5+
6+
Authentication in Azure Machine Learning workspaces can use Microsoft Entra ID or account keys or tokens. Keys and tokens are most only often used for access to external data sources that might not support Entra ID. In those scenarios, you can use Azure Key Vault to securely manage secrets. You should never include account keys or tokens directly in code.
7+
8+
Users authenticate to an Azure Machine Learning workspace using one of the following methods:
9+
10+
**Interactive**: Users can leverage their Microsoft Entra ID to either directly authenticate, or to get a token that is used for authentication. Interactive authentication is used during experimentation and iterative development. Interactive authentication enables you to control access to resources (such as a web service) on a per-user basis.
11+
12+
**Service principal**: Service principal accounts in Microsoft Entra ID can be used by services to authenticate or get a token. A service principal is used to authenticate an automated process to the service without requiring user interaction. For example, a continuous integration and deployment script that trains and tests a model every time the training code changes.
13+
14+
**Azure CLI session**: The Azure CLI extension for Machine Learning (the ml extension or CLI v2) is a command line tool for working with Azure Machine Learning. Users can sign in to Azure via the Azure CLI on their local workstation, without storing credentials in Python code or prompting them to authenticate. Similarly, users can reuse the same scripts as part of continuous integration and deployment pipelines, while authenticating the Azure CLI with a service principal identity.
15+
16+
**Managed identity**: When using the Azure Machine Learning SDK v2 on a compute instance or on an Azure Virtual Machine, users can use a managed identity for Azure. This workflow allows the VM to connect to the workspace using the managed identity, without storing credentials in Python code or prompting the user to authenticate. Azure Machine Learning compute clusters can also be configured to use a managed identity to access the workspace when training models. Whenever possible, using a managed identity is the preferred method and best practice.
17+
18+
You can use Microsoft Entra Conditional Access to further control or restrict access to the workspace for each authentication workflow. For example, you can configure conditional access so that an administrator is only able to access an Azure Machine Learning workspace from a managed device.
19+
20+
Azure Machine Learning can authenticate with other services using the following methods:
21+
22+
Data access can happen along multiple paths depending on the data storage service and your configuration. For example, authentication to the datastore can use an account key, token, security principal, managed identity, or user identity.
23+
24+
Azure Machine Learning workspaces use a managed identity to communicate with other Azure services. By default, this is a system-assigned managed identity, but you can also configure an Azure Machine Learning workspace with a user-assigned managed identity.
25+
26+
Azure Machine Learning uses Azure Container Registry (ACR) to store container images used to train and deploy models. If you allow Azure Machine Learning to automatically create an ACR registry, it enables the **admin account** for that registry.
27+
28+
The Azure Machine Learning compute cluster uses a **managed identity** to retrieve connection information for datastores from Azure Key Vault and to pull container images from ACR. You can also configure identity-based access to datastores, which will instead use the managed identity of the compute cluster.
29+
30+
Managed online endpoints can use a managed identity to access Azure resources when performing inference.
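Review bot: line 20 says "Azure Machine Learning can authenticate with other services using the following methods:" but what follows (lines 22-30) is a run of paragraphs, not a list of methods; either turn those paragraphs into bullets or rewrite the lead-in as "The following sections describe how Azure Machine Learning authenticates to other services." Two wording problems in the same hunk: line 6 "Keys and tokens are most only often used" should read "Keys and tokens are most often used only", and line 28 "which will instead use the managed identity of the compute cluster" reads as a contradiction because the previous sentence already says the cluster uses a managed identity; make explicit that "instead" contrasts identity-based access to the datastore with retrieving stored connection credentials from Key Vault. Finally, line 26 states that automatic ACR creation "enables the admin account for that registry" but gives the reader no indication of why that matters, which sits awkwardly next to line 16's statement that managed identity is the preferred method; a sentence on what the admin account is and how that relates to the managed-identity recommendation would make the point land.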
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
Azure role-based access control (Azure RBAC) is used to scope the level of access (authorization) allowed to the resources. For example, you would configure separate role assignments to ensure that an admin or automation process might have access to create a compute instance but not use it, while a data scientist could use it but not delete or create it.
2+
3+
Azure Machine Learning applies the same principle for authorization as other Azure resources. You use Azure role-based access control (Azure RBAC) to manage access giving users the ability to create new resources or use existing ones. Users in your Microsoft Entra ID are assigned specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles for Azure Machine Learning.
4+
5+
## Default Roles ##
6+
7+
The roles related to Azure Machine Learning workspaces are as follows.
8+
9+
| **Role** | **Access level** |
10+
|---|---|
11+
| **Azure Machine Learning Data Scientist** | Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself. |
12+
| **Azure Machine Learning Compute Operator** | Can create, manage, delete, and access compute resources within a workspace. |
13+
| **Reader** | Read-only actions in the workspace. Readers can list and view assets, including [datastore](/azure/machine-learning/how-to-access-data) credentials, in a workspace. Readers can't create or update these assets. |
14+
| **Contributor** | View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service. |
15+
| **Owner** | Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, you can change role assignments. |
16+
| **Azure Machine Learning Registry User** | Can get registries and read, write, and delete assets within them. Can't create new registry resources or delete them. |
17+
18+
If the permissions assigned to the built-in roles are insufficient or do not meet your needs, you can create custom roles. Custom roles might possess read, write, delete, and compute resource permissions in that workspace. You can make the custom role available at a specific workspace level, a specific resource group level, or a specific subscription level.
19+
20+
When you create an Azure Machine Learning workspace, you're automatically assigned the role of Owner for that resource. As an owner, you can add and remove roles for the workspace, and assign roles to users or groups.
21+
22+
As a best practice, you can use Microsoft Entra security groups to manage access to workspaces. You assign the RBAC role to an Entra security group and then manage which security principals have the role by managing membership of the group. This approach has the following benefits:
23+
24+
You can assign project leaders group ownership permissions. This means they can manage user access to workspace, without needing Owner role on the workspace resource directly.
25+
26+
You can organize, manage, and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on user-by-user basis. This also makes it simpler to audit the permissions held as it's only a matter of determining group membership.
27+
28+
Using Microsoft Entra groups helps you to avoid reaching the subscription limit on role assignments.
29+
30+
To assign the Azure Machine Learning Data Scientist role, perform the following steps:
31+
32+
1. On the Azure portal, open the Azure Machine Learning resource.
33+
1. Select Access Control (IAM) on the left-hand side menu.
34+
1. Select the Add drop-down menu and select Add role assignment.
35+
1. You can filter the roles by typing "Azure Machine Learning" in the search box.
36+
1. Select the Azure Machine Learning Data Scientist role and click Next:
37+
38+
![Screenshot of configuring an Azure Machine Learning role assignment in the Azure portal.](../media/add-role-assignment.png)
39+
40+
1. On the Members tab, click on the + Select members link.
41+
1. Look for the individual's account from Microsoft Entra ID and choose Select.
42+
1. Back to the Members tab, confirm the account selected is shown in the list:
43+
44+
![Screenshot of assigning data scientist role in Azure portal to Azure Machine Learning workspace.](../media/add-data-scientist.png)
45+
46+
1. Select Review + assign twice to conclude the assignment.
47+
1. You can confirm the assignment on the Role assignments tab by filtering the results with the name of the individual you're looking for.
48+
1. Alternatively, you can select the Check access tab, and the Check access button. On the side-pane, type the name of the individual you're looking for. The Check access pane shows all Roles the individual has been assigned to.
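Review bot: line 22 ends with "This approach has the following benefits:" but the three benefits on lines 24-28 are plain paragraphs; they should be a bulleted list to match the list introduced on lines 30-48. In the roles table, the Reader row (line 13) notes that readers can view datastore credentials, which is the most security-relevant fact in the table, yet the surrounding text never draws attention to it; consider adding a short sentence after the table so readers do not treat Reader as a credential-free role when assigning it. The Owner row (line 15) switches to second person mid-table ("Additionally, you can change role assignments"); "Owners can also change role assignments" keeps the voice consistent with the other rows. In the procedure, "click Next" (line 36) and "click on the + Select members link" (line 40) should be "select", matching the other steps, and "Back to the Members tab" (line 42) should read "Back on the Members tab". Lines 1 and 3 both spell out "Azure role-based access control (Azure RBAC)"; the second expansion can be dropped.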
