Introducing the Azure AI Foundry administration center and additional capabilities for security and governance
Security is where AI transformation begins. Azure AI is supports businesses of all sizes in achieving their goals and fostering innovation on a safe, enterprise-ready platform.
Azure announced this month’s public preview of additional security and IT governance features in Azure AI Foundry. These changes can assist businesses in developing and expanding secure GenAI solutions by default:
- The management center saves developers time and streamlines resource management, security, and compliance workflows by giving cross-functional teams a streamlined, unified administration and governance experience within the Azure AI Foundry interface.
- For more precise network security control, grant access to Azure Machine Learning workspaces to specific IP addresses. Support for AI Foundry will soon be available.
- By implementing the “least privilege” principle by default, a new Azure AI Admin role assists businesses in making sure system identities have access to the bare minimum of resources required.
- IT administrators now have a new identity-based option to access default storage using user credential passthrough, which makes management simpler and default setups more secure.
Furthermore, in order to facilitate data sharing, management, and access control while developing GenAI apps, Azure announced that connections in Azure AI Foundry are now generally available. These connections enable users to access external data without copying it to a hub or project.
Introducing the management center for Azure AI Foundry
In order to assist AI projects, various roles frequently have to finish administrative activities like setting up new resources, establishing new data connections, or keeping an eye on production quota utilization. Not all of these positions require (or desire) the sophisticated controls of an IT administrator and would rather begin rapidly with simplified, default configurations.
The management center, which is now accessible through the Azure AI Foundry interface, offers consolidated, streamlined governance and management capabilities for GenAI apps to cross-functional teams. It is no longer necessary to visit Azure Portal or other sections of the Azure AI Foundry portal for routine administrative tasks because AI development, operations, and compliance teams can now create, manage, and audit their organization’s hubs, projects, and resources with ease from within the Azure AI Foundry portal.
Users may ensure that projects are compliant by using the management center to gain visibility into important subscription details like access credentials, quota consumption, and linked resources. The management center also gives IT administrators links to pertinent sections of Azure Portal for more in-depth information on topics like network setups and latency.
The management center helps companies save time and streamline resource management, security, and compliance processes throughout the AI development lifecycle by integrating crucial subscription data directly into the Azure AI Foundry site.
Permit specific IPs to access your hubs or workplaces
In the past, Azure AI Foundry hubs and Azure Machine Learning workspaces offered either private or public access control. Some businesses, however, are unable to deploy all private links because of security and management issues. For example, they are unable to offer virtual private network (VPN) connections to every member of their data science team and do not wish to employ fully public workspaces.
Customers of Azure AI Foundry and Azure Machine Learning will now have a third option that enables more precise control: creating rules that allow inbound access to their hubs and workspaces using particular IPs. In other words, without setting up a completely public workspace or private endpoints via a VPN or ExpressRoute connection, IT administrators can allowlist specific IPs to access a workspace or hub. Up to 200 rules, or IPs, are supported by each Azure AI hub. These rules allow access to particular internet-based services and on-premises networks while blocking generic internet traffic.
Azure Machine Learning currently offers the ability to enable from specific IPs, and Azure AI Foundry will follow shortly.
New position as an Azure AI administrator
Azure is launching a new built-in role, “Azure AI Administrator,” to grant workspace app access to all dependent resources at the resource group level as part of our dedication to improving client security by default. The generic “Contributor” position was in use before. This new job, which is now in public preview, ensures that system identities have access to the bare minimum of resources necessary by default, adhering to the “least privilege” approach. If credentials are hacked, this method greatly lowers the chance of breaches or illegal access.
A more granular tightening of access is now possible because administrators can choose to apply the scope of this new role at the individual resource level or at the default resource group level.
For default storage, new identity-based access controls
Due to security concerns including possible credential leaks and unintentionally allowing highly privileged access, many businesses would rather not use credential-based access for their storage accounts. Furthermore, it can be difficult to handle the maintenance issues brought on by the laborious procedure of periodic credential rotations. Azure Machine Learning and Azure AI Foundry default storage accounts now provide two access options to address these problems: the credential-based approach, which uses an account key or SAS token, and a new identity-based approach, which uses user credential passthrough and is presently in public preview.
This upgrade enables more accurate control by enabling IT managers to issue granular permissions at the user level by utilizing identity-based access. Furthermore, the new approach lowers the IT overhead related to credential maintenance by making it easier to set up secure configurations by default. This makes it possible to manage storage account access in a more effective and safe manner.
Connections between data and services in Azure AI Foundry
Connections in Azure AI Foundry, which are now widely accessible, let you easily construct data and service references. This eliminates the need to duplicate data within your project and allows for easy access to numerous data sources and standalone AI services. Rather, the connection merely offers a pointer to the data source or service.
Principal Benefits of Azure AI Foundry Connections:
- Finding beneficial links for team operations is made easier: Make use of streamlined access to crucial services and data sources to improve teamwork and productivity.
- Streamlined APIs: Make use of an intuitive API that interoperates with a variety of stand-alone Azure AI services, such as Azure Content Safety, Azure Speech, and Azure AI Search, or with different storage types, such as Microsoft OneLake, Azure Blob Storage, and Azure Data Lake Gen2.
- Safe credential administration: Azure AI Foundry safely saves credential data in Azure Key Vault for credential-based access (service principal/SAS/API keys). This improves security and makes credential management easier by ensuring that you won’t have to include important secrets in your scripts or code.
