Merge pull request #53355 from wwlpublish/LP-158678-5

Creating pull request

Author: ttorble

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.introduction
+title: "Introduction"
+metadata:
+  title: "Introduction"
+  description: "Introduction."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/2-understand-ai-governance-framework-components.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.understand-ai-governance-framework-components
+title: "Understand AI governance framework components"
+metadata:
+  title: "Understand AI governance framework components"
+  description: "Understand AI governance framework components."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/2-understand-ai-governance-framework-components.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/3-configure-policies-access-controls.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.configure-policies-access-controls
+title: "Configure policies and access controls for AI workloads"
+metadata:
+  title: "Configure policies and access controls for AI workloads"
+  description: "Configure policies and access controls for AI workloads."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/3-configure-policies-access-controls.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/4-implement-responsible-safeguards-content-filter.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.implement-responsible-safeguards-content-filter
+title: "Implement responsible AI safeguards and content filtering"
+metadata:
+  title: "Implement responsible AI safeguards and content filtering"
+  description: "Implement responsible AI safeguards and content filtering."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/4-implement-responsible-safeguards-content-filter.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/5-exercise-deploy-governed-ai-infrastructure.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.exercise-deploy-governed-ai-infrastructure
+title: "Exercise: Configure regional data residency and identity-based access controls"
+metadata:
+  title: "Exercise: Configure Regional Data Residency and Identity‑Based Access Controls"
+  description: "Exercise: Configure Regional Data Residency and Identity‑Based Access Controls."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 30
+content: |
+  [!include[](includes/5-exercise-deploy-governed-ai-infrastructure.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/6-knowledge-check.yml

@@ -0,0 +1,37 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.knowledge-check
+title: "Module assessment"
+metadata:
+  title: "Knowledge check"
+  description: "Knowledge check"
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  module_assessment: true
+durationInMinutes: 3
+content: "Choose the best response for each of the following questions."
+quiz:
+  questions:
+  - content: "Your healthcare organization is deploying Azure OpenAI to summarize patient medical records. HIPAA regulations require that all patient data remains within the United States and uses customer-managed encryption keys. Which combination of Azure Policy definitions should you assign to enforce these requirements?"
+    choices:
+    - content: "Assign **Allowed locations** policy restricting deployments to US regions and 'Cognitive Services should use customer-managed key for encryption' policy with Deny effect at the subscription scope containing healthcare workloads"
+      isCorrect: true
+      explanation: "The first option correctly addresses both HIPAA requirements through Azure Policy enforcement: the Allowed locations policy prevents deployments outside authorized US regions, satisfying data residency requirements, while the customer-managed encryption policy ensures patient data is encrypted with keys the organization controls rather than Microsoft-managed keys. Assigning at subscription scope provides comprehensive coverage while allowing specific resource group exceptions if needed."
+    - content: "Assign **Audit usage of custom RBAC roles** policy and 'Diagnostic logs in Azure AI services should be enabled' policy at the resource group scope to monitor compliance through manual review"
+      isCorrect: false
+      explanation: "The second option only provides audit capabilities without preventive enforcement, relying on manual detection after violations occur rather than blocking noncompliant configurations proactively."
+    - content: "Assign 'Require tag on resources' policy mandating 'compliance:HIPAA' tag and 'Allowed resource types' policy limiting deployments to Azure OpenAI Standard tier only at the management group scope"
+      isCorrect: false
+      explanation: "The third option focuses on resource tagging and type restrictions but doesn't directly enforce geographic restrictions or encryption requirements that HIPAA mandates, making it insufficient for healthcare compliance despite supporting general governance practices."
+  - content: "Your data science team needs to deploy Azure OpenAI models for internal research on customer sentiment analysis. The team should be able to create resources and configure models but must not access production customer data or modify deployed production models. Which RBAC role assignment strategy implements least-privilege access for this scenario?"
+    choices:
+    - content: "Assign Cognitive Services Contributor role at the development resource group scope and Cognitive Services User role at the production resource group scope, with separate resource groups isolating development and production environments"
+      isCorrect: true
+      explanation: "The first option implements least-privilege access by granting different permission levels based on environment sensitivity: Cognitive Services Contributor in development allows the team to create and configure resources for research, while Cognitive Services User in production provides read-only access for viewing configurations and consuming endpoints without modification capabilities. Separate resource groups create clear security boundaries that RBAC can enforce, preventing accidental or intentional cross-environment changes."
+    - content: "Assign Owner role at the subscription scope to enable full development flexibility and rely on Azure Policy to prevent unauthorized production changes through approval workflows"
+      isCorrect: false
+      explanation: "The second option violates least-privilege principles by granting Owner role, which includes permissions to modify access controls, delete resources, and change billing settings far beyond what the research scenario requires."
+    - content: "Create a custom role with wildcard permissions for all Cognitive Services operations and assign it at the resource group scope, then configure conditional access policies requiring manager approval for production resource access"
+      isCorrect: false
+      explanation: "The third option wildcard permissions eliminate granular control and still grant excessive access, while conditional access policies alone can't enforce resource-level permission restrictions—they control authentication and access conditions but don't replace RBAC for authorization decisions."

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/7-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.protect-govern-ai-ready-infrastructure-azure.summary
+title: "Summary"
+metadata:
+  title: "Summary"
+  description: "Summary."
+  ms.date: 02/03/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/includes/1-introduction.md

@@ -0,0 +1,17 @@
+Your organization deployed Azure OpenAI agents across three departments—sales, customer service, and product development. Within the first week, the Chief Information Security Officer (CISO) raised urgent concerns: customer service agents are processing personal health information without documented safeguards, sales teams are storing prompts containing proprietary pricing strategies in unencrypted logs, and no one can answer the compliance auditor's question about who approved the model deployment. Without clear governance, you risk exposing sensitive data, violating regulatory or HIPAA regulations, and losing stakeholder trust in your AI initiatives.
+
+This module equips you to implement comprehensive AI governance using Microsoft Foundry and Azure AI services. You configure Azure Policy definitions that automatically enforce encryption and regional restrictions, establish Microsoft Entra ID access controls that protect sensitive resources through least-privilege principles, implement Azure AI Content Safety filters that prevent harmful outputs while maintaining operational efficiency, and create monitoring workflows through Azure Monitor and Microsoft Purview that provide audit trails for compliance reviews. By the end, you demonstrate to auditors and leadership that your AI operations balance innovation velocity with risk management and regulatory adherence.
+
+In this module, you learn to:
+
+- Evaluate AI governance requirements and align them with Microsoft Foundry capabilities
+- Configure Azure Policy and role-based access controls for AI workloads
+- Implement content filtering and responsible AI safeguards using Azure AI services
+- Establish monitoring and audit trails for AI operations using Azure Monitor and Microsoft Purview
+- Apply governance best practices for model lifecycle management and data protection
+
+Before starting this module, you should have:
+
+- Familiarity with Azure fundamentals including resource groups, subscriptions, and the Azure portal
+- Basic understanding of AI and machine learning concepts such as models, prompts, and completions
+- Experience navigating the Azure portal and executing Azure CLI commands

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/includes/2-understand-ai-governance-framework-components.md

@@ -0,0 +1,39 @@
+You might be wondering how organizations manage AI deployments when projects span multiple teams, handle sensitive data, and must satisfy auditors from healthcare, finance, and privacy regulatory bodies. The answer lies in coordinated controls that work together rather than isolated tools. Enterprise AI governance requires five interconnected pillars that address different aspects of risk and compliance.
+
+At the foundation, policy enforcement through Azure Policy ensures every AI resource meets organizational standards before deployment. Consider a financial services firm that must keep customer data within specific geographic boundaries: Azure Policy definitions evaluate each resource creation request and block deployments to unauthorized regions automatically, preventing compliance violations before they occur. With this approach, your security team defines rules once and enforces them consistently across all subscriptions, eliminating the risk that developers accidentally deploy resources to noncompliant locations.
+
+
+Identity and access management ensures that AI resources are protected through least‑privilege access and adaptive security controls.
+- Microsoft Entra ID and RBAC assign scoped roles that limit access to only what users need, reducing risk from excessive permissions.
+- Conditional access policies strengthen security for contractors and partners by enforcing factors like multifactor authentication and device compliance.
+
+Data protection mechanisms safeguard sensitive information as it moves through AI systems.
+- Microsoft Purview automatically discovers, classifies, and labels sensitive data so protections persist throughout the data lifecycle.
+- Azure Key Vault secures encryption keys in hardware security modules, ensuring data remains protected even from privileged administrators.
+
+Model lifecycle governance controls how AI models are tested, approved, and released to production.
+- Azure Machine Learning enforces versioning and approval gates so models meet performance, security, and compliance standards before deployment.
+- Parallel testing environments allow teams to maintain development speed while reducing risks associated with unvalidated production changes.
+
+:::image type="content" source="../media/azure-policy-regions-compliance.png" alt-text="Diagram showing how Azure Policy enforces region compliance by blocking deployments outside approved EU locations.":::
+
+Azure Monitor and Microsoft Purview provide end‑to‑end auditing and real‑time monitoring that deliver auditable compliance evidence and enable proactive operational response.
+
+- Every policy decision, access request, content filter action, and model deployment are automatically logged to immutable Log Analytics audit trails.
+- Auditors can quickly answer compliance questions—such as model approvals or content safety violations—using authoritative logs instead of manual records.
+- Real‑time Azure Monitor alerts flag policy violations or abuse patterns early, allowing teams to respond before issues become regulatory incidents.
+
+
+The five governance pillars work together as a cohesive framework that balances strong oversight with continued innovation across AI systems.
+
+- Policy enforcement, identity management, data protection, model lifecycle controls, and audit capabilities function as an integrated governance system rather than isolated tools.
+- Microsoft Foundry and Azure AI services supply the technical foundation, while organizations define the policies and procedures that align with regulatory needs, risk tolerance, and operational maturity.
+- Understanding how these components interconnect allows teams to protect stakeholders, meet compliance requirements, and enable innovation without unnecessary friction.
+
+:::image type="content" source="../media/architecture-governance-framework-top-branch.png" alt-text="Diagram showing AI Governance Framework at the top branching into five pillars.":::
+
+*AI governance framework architecture showing five interconnected pillars with their supporting Microsoft services*
+
+
+
+

learn-pr/wwl-azure/protect-govern-ai-ready-infrastructure-azure/includes/3-configure-policies-access-controls.md

@@ -0,0 +1,27 @@
+Consider a scenario where your data science team wants to deploy Azure OpenAI models across development, staging, and production environments. Without governance, developers might choose the most convenient Azure region regardless of data residency requirements, use default encryption that doesn't meet security standards, or deploy expensive SKUs in test environments that inflate costs. Azure Policy definitions prevent these issues by validating resource configurations before deployment succeeds.
+
+With Azure Policy, you define rules once and enforce them consistently. For example, an "Allowed locations" policy restricts Azure OpenAI deployments to European regions only, ensuring regulatory compliance by preventing data transfer outside the EU. When a developer attempts to create a resource in an unauthorized region, the deployment fails immediately with a clear error message explaining the violation and suggesting compliant alternatives. This becomes especially important for organizations operating in multiple regulatory jurisdictions: you assign different policy sets to subscriptions based on their data classification, automatically adapting controls to each workload's risk profile.
+
+Encryption and configuration policies enforce consistent security and cost controls across AI resources.
+- Policy enforcement requires customer‑managed keys in Azure Key Vault for services processing sensitive data, preventing deployments without approved encryption.
+- Policies also restrict unsupported SKU tiers, reducing the risk of accidental cost overruns from inappropriate resource pricing choices.
+
+Identity-based access controls ensure resources are accessed only under appropriate conditions.
+- Microsoft Entra ID conditional access evaluates user context, such as device compliance and location, before granting access to AI roles.
+- Adaptive controls require stronger authentication for higher‑risk scenarios, blocking access from unmanaged or noncompliant devices.
+
+Role-based access control aligns permissions with job responsibilities and enforces separation of duties.
+- Built-in RBAC roles provide scoped access for common tasks, such as consumption, configuration, and usage monitoring.
+- Custom roles allow organizations to separate development and approval responsibilities, reducing the risk of unauthorized or unreviewed production deployments.
+
+
+Security engineers typically assign policies at the subscription or resource group scope to balance governance coverage with administrative overhead. A policy assigned to the subscription affects all resources within that subscription, providing broad protection with minimal configuration. However, resource group scoping enables exceptions for legitimate scenarios—for example, a research group might receive an exemption from the standard SKU policy to experiment with premium-tier features, while production resource groups remain strictly governed. Organizations document exception processes that require business justification, security review, and time-limited approvals, ensuring that policy exemptions don't create permanent compliance gaps.
+
+:::image type="content" source="../media/policy-scenario-decision-tool-interactive.png" alt-text="Diagram showing Azure Policy assignment workflow in the Azure portal.":::
+
+With policies and access controls working together, you establish defense in depth: policies prevent misconfigured resources from being created, conditional access protects against compromised credentials or unauthorized access attempts, and RBAC limits damage from insider threats by restricting each user to the minimum permissions required for their role. This layered approach addresses multiple attack vectors simultaneously while maintaining developer productivity through clear guardrails rather than blanket restrictions.
+
+:::image type="content" source="../media/access-control-policy-validation-flow.png" alt-text="Diagram showing user requesting AI resource access through Microsoft Entra ID authentication.":::
+
+*Access control and policy validation flow showing authentication, authorization, and policy enforcement sequence for AI resource access*
+