AI transformation starts with security. In Azure AI, we’re determined to help organizations of all sizes achieve their business objectives and drive innovation, all on a secure, enterprise-ready foundation.
This month, we’re pleased to highlight new security and IT governance capabilities available in public preview in Azure AI Foundry. These updates can help organizations build and scale GenAI solutions that are secure by default:
- Management center provides cross-functional teams with a simplified, centralized management and governance experience within the Azure AI Foundry portal, saving developers time and easing resource management, security, and compliance workflows.
- Allow select IP addresses to access Azure Machine Learning workspaces, for more granular control of your network security. AI Foundry support is coming soon.
- A new Azure AI Admin role applies a "least privilege" principle by default, helping organizations ensure system identities only have access to the minimum set of resources they need.
- A new identity-based option to access default storage via user credential passthrough gives IT admins an easier management experience and a secure-by-default configuration, with no account key to distribute or rotate.
Additionally, we’re pleased to announce the general availability of connections in Azure AI Foundry, which allow users to access external data without copying it to a hub or project, for easier data sharing, management, and access control when building GenAI apps. Below, we share more information about these enterprise features and guidance to help you get started.
Announcing Azure AI Foundry management center
Different roles often need to complete administrative tasks to support AI projects, whether it’s setting up new resources, creating new data connections, or monitoring quota usage in production. Not all of these roles need (or want) the advanced controls of an IT admin and would prefer to get started quickly with streamlined, default settings.
Management center, now available in Azure AI Foundry portal, provides cross-functional teams with simplified, centralized management and governance controls for GenAI applications. Now, AI development, operations, and compliance teams can easily create, manage, and audit their organization’s hubs, projects, and resources from within the Azure AI Foundry portal, reducing the need to visit Azure Portal or different areas of Azure AI Foundry portal for day-to-day administrative tasks. From management center, users get insight into key subscription details, such as access privileges, quota usage, and connected resources to help ensure projects are compliant. For deeper insights, like network configurations and latency, management center also provides IT admins with links out to relevant areas of Azure Portal.
By bringing essential subscription information directly into Azure AI Foundry portal, management center saves organizations time and facilitates easier resource management, security, and compliance workflows across the AI development lifecycle.
Learn more in our documentation.
Allow select IPs to access your workspaces or hubs
Previously, Azure Machine Learning workspaces and Azure AI Foundry hubs offered two inbound access options: public or private. Some enterprises cannot put a private endpoint in front of every workspace, for example because they cannot provide virtual private network (VPN) connectivity to everyone on the data science team, but they also do not want fully public workspaces.
Now, Azure Machine Learning and Azure AI Foundry customers have a third option with finer-grained control: inbound access rules that allow only specific IP addresses or ranges to reach a workspace or hub. IT admins can allowlist the egress addresses of their offices, on-premises networks, or trusted internet-based services without exposing the workspace to the whole internet or standing up private endpoints with VPN or ExpressRoute connectivity; traffic from any other source address is blocked. Each Azure AI hub supports up to 200 rules. Two caveats worth keeping in mind: a rule admits every client that shares that source address (for example everyone behind a corporate NAT egress IP), and the rule restricts network reachability only, so callers still authenticate with Microsoft Entra ID and are authorized through Azure RBAC as before.
Enable from selected IPs is available now in Azure Machine Learning and is coming soon to Azure AI Foundry. Learn more in our documentation for Azure Machine Learning and Azure AI Foundry.
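A practitioner building such an allowlist wants to catch the usual mistakes before submitting it: unparsable entries, private addresses that no client can arrive from over the internet, ranges so wide that the workspace is effectively public, duplicates that waste rules, and the 200-rule limit. The validator below is an added example, not code from the page or from Azure Machine Learning; it makes no Azure calls, handles IPv4 only, and the /16 floor is the example's own policy choice. The sample rules use RFC 5737 documentation ranges in place of real office egress addresses.

```python
import ipaddress

MAX_RULES = 200  # per-hub limit stated in the announcement
MIN_PREFIX = 16  # hypothetical policy floor: ranges broader than a /16 are refused

# Ranges no client can arrive from over the public internet. A rule for one of these is
# usually a pasted internal address instead of the office's NAT egress address.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def validate_allowlist(rules, max_rules=MAX_RULES, min_prefix=MIN_PREFIX):
    """Check a proposed IP allowlist before submitting it.

    Returns (accepted, rejected): accepted is a normalised, deduplicated list of CIDR
    strings; rejected maps each dropped rule to the reason it was dropped.
    Raises ValueError when the accepted set would exceed the per-hub rule limit.
    """
    accepted, rejected, parsed = [], {}, []
    for raw in rules:
        rule = raw.strip()
        try:
            net = ipaddress.ip_network(rule, strict=False)  # "1.2.3.4" becomes 1.2.3.4/32
        except ValueError:
            rejected[rule] = "not a valid IP address or CIDR range"
            continue
        if net.version != 4:  # assumption: this example validates IPv4 rules only
            rejected[rule] = "IPv6 rules are not handled by this validator"
            continue
        if any(net.subnet_of(block) for block in NON_ROUTABLE):
            rejected[rule] = "private or reserved range; clients never reach Azure from it"
            continue
        if net.prefixlen < min_prefix:
            rejected[rule] = f"broader than /{min_prefix}; this is nearly a public workspace"
            continue
        parsed.append((rule, net))

    # Widest ranges first, so a narrower rule that a wider one already covers is dropped.
    for rule, net in sorted(parsed, key=lambda item: item[1].prefixlen):
        covering = next((a for a in accepted if net.subnet_of(a)), None)
        if covering is not None:
            rejected[rule] = f"redundant, already covered by {covering.with_prefixlen}"
            continue
        accepted.append(net)

    if len(accepted) > max_rules:
        raise ValueError(f"{len(accepted)} rules exceed the per-hub limit of {max_rules}")
    return [net.with_prefixlen for net in accepted], rejected


if __name__ == "__main__":
    # Constructed input: RFC 5737 documentation ranges stand in for real office egress IPs.
    proposed = ["203.0.113.10", "203.0.113.0/24", "0.0.0.0/0", "10.0.0.0/8",
                "198.51.100.0/23", "not-an-ip", "2001:db8::1"]
    ok, bad = validate_allowlist(proposed)
    print("submit:", ok)
    for rule, why in bad.items():
        print(f"drop {rule!r}: {why}")
```

Run on the constructed input, the validator keeps only `198.51.100.0/23` and `203.0.113.0/24`; the single host `203.0.113.10` is dropped as redundant because the /24 already covers it, and the rest are dropped for the reasons printed. Feeding it 256 distinct /32 hosts raises the limit error rather than silently truncating the list.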
New Azure AI Admin role
As part of our commitment to security by default, we are introducing a new built-in role, "Azure AI Administrator," that grants a workspace or hub's identity access to its dependent resources (such as the storage account and key vault) at the resource group level. Previously, the generic "Contributor" role was assigned for this purpose, which grants far more than the hub actually needs. Currently available in public preview, the new role follows the principle of least privilege by default, so the system identity holds only the permissions required for the hub to function. If that identity's credentials are ever compromised, the blast radius is limited to what the hub itself needs rather than everything a Contributor can do in the resource group.
Administrators can assign the role either at the default resource group scope or at the scope of individual resources, which tightens access further still.
Learn more in our documentation.
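Before adopting the new role, an administrator will want to know which system identities in the hub's resource group still hold the broad Contributor (or Owner) role, including assignments inherited from the subscription. The audit below is an added example, not code from the page or from Azure; it reads role assignments in the shape produced by `az role assignment list -o json`, applies the downward inheritance rule of Azure RBAC, and prints the `az role assignment create` command that would grant "Azure AI Administrator" instead. The subscription, resource group and principal IDs in the sample are placeholders.

```python
import json

BROAD_ROLES = {"Owner", "Contributor"}
# Managed identities (system- or user-assigned) appear as service principals in RBAC listings.
SYSTEM_PRINCIPAL_TYPES = {"ServicePrincipal"}
TARGET_ROLE = "Azure AI Administrator"


def scope_covers(assignment_scope, target_scope):
    """Azure RBAC inherits downward: an assignment applies to target_scope when its scope
    is the target itself or an ancestor (subscription > resource group > resource).
    Scopes are compared case-insensitively, as ARM does."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def find_overbroad_assignments(assignments, hub_rg_scope):
    """Return the Owner/Contributor assignments held by system identities that reach the
    hub's resource group, whether assigned there directly or inherited from above."""
    findings = []
    for ra in assignments:
        if ra["roleDefinitionName"] not in BROAD_ROLES:
            continue
        if ra["principalType"] not in SYSTEM_PRINCIPAL_TYPES:
            continue
        if not scope_covers(ra["scope"], hub_rg_scope):
            continue
        findings.append({
            "principalId": ra["principalId"],
            "principalName": ra.get("principalName", ""),
            "role": ra["roleDefinitionName"],
            "scope": ra["scope"],
            "inherited": ra["scope"].lower() != hub_rg_scope.lower(),
        })
    return findings


def replacement_command(finding, scope):
    """The az command that grants the least-privilege role at the chosen scope. Remove the
    old Contributor assignment only after the hub is confirmed working with the new one."""
    return (
        "az role assignment create "
        f"--assignee-object-id {finding['principalId']} "
        "--assignee-principal-type ServicePrincipal "
        f'--role "{TARGET_ROLE}" '
        f"--scope {scope}"
    )


# Constructed sample in the shape of `az role assignment list -o json` output; the
# subscription, group and principal IDs are placeholders, not real identifiers.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
HUB_RG = f"{SUB}/resourceGroups/rg-ai-hub"
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"principalId": "11111111-1111-1111-1111-111111111111", "principalName": "hub-contoso",
    "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": "{HUB_RG}"}},
  {{"principalId": "22222222-2222-2222-2222-222222222222", "principalName": "alice@contoso.com",
    "principalType": "User", "roleDefinitionName": "Contributor", "scope": "{HUB_RG}"}},
  {{"principalId": "33333333-3333-3333-3333-333333333333", "principalName": "ci-deployer",
    "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor", "scope": "{SUB}"}},
  {{"principalId": "44444444-4444-4444-4444-444444444444", "principalName": "monitor-reader",
    "principalType": "ServicePrincipal", "roleDefinitionName": "Reader", "scope": "{HUB_RG}"}},
  {{"principalId": "55555555-5555-5555-5555-555555555555", "principalName": "other-hub",
    "principalType": "ServicePrincipal", "roleDefinitionName": "Contributor",
    "scope": "{SUB}/resourceGroups/rg-other"}}
]""")

if __name__ == "__main__":
    for f in find_overbroad_assignments(SAMPLE_ASSIGNMENTS, HUB_RG):
        where = "inherited from " + f["scope"] if f["inherited"] else "direct"
        print(f"{f['principalName']}: {f['role']} ({where})")
        print("  ", replacement_command(f, HUB_RG))
```

On the sample, the hub's own identity (`hub-contoso`, Contributor directly on the group) and `ci-deployer` (Contributor inherited from the subscription) are reported; the user, the Reader, and the identity scoped to a different group are not. An inherited finding deserves a closer look before it is changed, since that principal may rely on the broad role elsewhere in the subscription; the tool only reports, it does not modify assignments.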
New identity-based access controls for default storage
Many enterprises prefer to avoid credential-based access to their storage accounts: an account key (and any account-level SAS token derived from it) grants access to the whole account rather than to one user, it can leak through scripts or configuration files, and the periodic rotation it requires is easy to get wrong. To address this, default storage accounts in Azure Machine Learning and Azure AI Foundry now offer two access options: the existing credential-based method (using an account key or SAS token) and a new identity-based method (using user credential passthrough), currently available in public preview.
With identity-based access, IT administrators grant permissions at the user level through Azure RBAC on the storage account, so each user reaches only the data they are authorized for and access is attributed to their own identity. The new method also simplifies setting up a secure configuration by default and removes the overhead of credential maintenance, making access to storage accounts both more secure and easier to manage.
Learn more in our documentation.
Data and service connections in Azure AI Foundry
Now generally available, connections in Azure AI Foundry let you create references to data and services. A connection gives your project access to standalone AI services and multiple data sources without duplicating the data in the project: it holds only a reference to the service or data source, together with the credential or identity used to reach it.
Key Advantages of Connections in Azure AI Foundry:
- Easier discovery of useful connections for team operations: Leverage simplified access to essential services and data sources, enhancing collaboration and productivity within your team.
- Simplified APIs: Utilize an easy-to-use API that interacts uniformly with disparate storage types such as Microsoft OneLake, Azure Blob Storage, and Azure Data Lake Storage Gen2, or with standalone Azure AI services including Azure Content Safety, Azure Speech, and Azure AI Search.
- Secure credential management: For credential-based access (service principal/SAS/API keys), Azure AI Foundry securely stores credential information in Azure Key Vault. This ensures that you won't need to include sensitive secrets in your scripts or code, thereby enhancing security and simplifying the management of credentials.
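The default-storage section above and the credential-management point here turn on the same risk: account keys and SAS tokens pasted into scripts and configuration files. A practical first step before moving a project to identity-based access, or to Key Vault-backed connections, is to find those embedded credentials. The scanner below is an added example, not code from the page or from Azure AI Foundry; it relies only on the documented shape of the credentials (an account key is 64 bytes base64-encoded, so 86 characters plus `==`; a SAS token carries `sv=` and `sig=` query parameters). The sample text and the key-shaped filler string are constructed.

```python
import re
from dataclasses import dataclass

# Azure storage account keys are 64 random bytes, base64-encoded: 86 base64 chars plus "==".
_KEY = r"[A-Za-z0-9+/]{86}=="
PATTERNS = {
    # Key embedded in a connection string: ...;AccountKey=<key>;...
    "connection-string-key": re.compile(rf"AccountKey=({_KEY})"),
    # Key pasted on its own (not already caught as part of a connection string).
    "bare-account-key": re.compile(rf"(?<!AccountKey=)(?<![A-Za-z0-9+/])({_KEY})(?![A-Za-z0-9+/=])"),
    # SAS token: the signature parameter; confirmed below by the presence of sv= on the line.
    "sas-token": re.compile(r"[?&]sig=([A-Za-z0-9%+/=]+)"),
}


@dataclass
class Finding:
    line: int
    kind: str
    preview: str  # redacted; the full secret is never stored or logged


def redact(secret):
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text):
    """Scan text for embedded storage credentials; returns findings in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if kind == "sas-token" and "sv=" not in line:
                    continue  # a stray sig= without a service version is not a SAS
                findings.append(Finding(lineno, kind, redact(match.group(1))))
    return findings


# Constructed sample; the key is a filler string of the right shape, not a real credential.
FAKE_KEY = "A" * 43 + "B" * 43 + "=="
SAMPLE = f"""\
# constructed config snippets for the scanner demo
AZURE_STORAGE_CONNECTION_STRING="DefaultEndpointsProtocol=https;AccountName=contosohubstore;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net"
blob_url = "https://contosohubstore.blob.core.windows.net/data?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2025-01-01T00:00:00Z&spr=https&sig=abc123DEF456%2Bxyz%3D"
client = BlobServiceClient(account_url, credential=DefaultAzureCredential())  # identity-based: nothing to find
datastore_key = "{FAKE_KEY}"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} {f.preview}")
```

On the sample the scanner reports the connection-string key on line 2, the SAS token on line 3 and the bare key on line 5, and nothing on line 4, where the client authenticates with its identity instead. Pointing it at real repositories and notebooks before the migration gives a list of the places that must be rewritten to use identity-based access or a connection, after which the exposed keys should be rotated regardless, since anything already committed to history has to be treated as leaked.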
Learn more in our documentation.
Build secure, enterprise-ready GenAI apps with Azure AI Foundry
Want to learn about more ways to build trustworthy AI applications? Here are other recent announcements to support your security and governance workflows:
- Unlock AI’s potential with next-gen security and governance capabilities
- New controls for model governance and secure access to on-premises or custom VNET resources
- 5 Ways to Implement Enterprise Security with Azure AI
Whether you’re joining in person or online, we can’t wait to see you at Microsoft Ignite 2024! We’ll share the latest from Azure AI and go deeper into enterprise-grade security capabilities with these sessions: