intro, summary, meta data updates

Author: riswinto

learn-pr/wwl-sci/entra-ai-understand/authentication-flows-microsoft-foundry.yml

@@ -1 +1,15 @@
-Authentication flows for AI endpoints in Microsoft Foundry
+### YamlMime:ModuleUnit
+uid: learn.wwl.entra-ai-understand.authentication-flows-microsoft-foundry
+title: Authentication flows for AI endpoints in Microsoft Foundry
+metadata:
+  title: Authentication flows for AI endpoints in Microsoft Foundry
+  description: "Authentication flows for AI endpoints in Microsoft Foundry."
+  ms.date: 2/13/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/authentication-flows-microsoft-foundry.md)]

learn-pr/wwl-sci/entra-ai-understand/common-identity-misconfigurations-ai.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.entra-ai-understand.common-identity-misconfigurations-ai
+title: Common identity misconfigurations in AI deployments
+metadata:
+  title: Common identity misconfigurations in AI deployments
+  description: "Common identity misconfigurations in AI deployments."
+  ms.date: 2/13/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 6
+content: |
+  [!include[](includes/common-identity-misconfigurations-ai.md)]

learn-pr/wwl-sci/entra-ai-understand/human-workload-identities-ai-environments.yml

@@ -1 +1,15 @@
-Human and workload identities in AI workloads
+### YamlMime:ModuleUnit
+uid: learn.wwl.entra-ai-understand.human-workload-identities-ai-environments
+title: Human and workload identities in AI workloads
+metadata:
+  title: Human and workload identities in AI workloads
+  description: "Human and workload identities in AI workloads."
+  ms.date: 2/13/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/human-workload-identities-ai-environments.md)]

learn-pr/wwl-sci/entra-ai-understand/identity-control-layer-ai-solutions.yml

@@ -1 +1,15 @@
-Identity as the control layer for AI solutions
+### YamlMime:ModuleUnit
+uid: learn.wwl.entra-ai-understand.identity-control-layer-ai-solutions
+title: Identity as the control layer for AI solutions
+metadata:
+  title: Identity as the control layer for AI solutions
+  description: "Identity as the control layer for AI solutions."
+  ms.date: 2/13/2026
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 5
+content: |
+  [!include[](includes/identity-control-layer-ai-solutions.md)]

learn-pr/wwl-sci/entra-ai-understand/includes/authentication-flows-microsoft-foundry.md

@@ -1,4 +1,4 @@
-Understanding that identity governs access isn't enough. You also need to understand how an identity proves who it's when calling an AI endpoint.
+Understanding that identity governs access isn't enough. You also need to understand how an identity proves who it is when calling an AI endpoint.
 
 Every request to an AI endpoint must include valid authentication credentials. Microsoft Foundry relies on industry-standard OAuth 2.0 flows and Microsoft Entra ID to issue and validate access tokens.
 
@@ -21,6 +21,8 @@ That token represents the authenticated identity. It contains claims about:
 
 The caller includes the access token in requests to the AI endpoint. The service validates the token before processing the request.
 
+For example, a web application that calls an AI endpoint uses its service principal to request a token from Microsoft Entra ID. If authentication succeeds, Microsoft Entra issues an access token. The application includes that token in its request, and the AI endpoint validates it before processing the prompt.
+
 If the token is invalid, expired, or improperly scoped, the request fails before reaching the model.
 
 ## Interactive and non-interactive authentication
@@ -57,4 +59,4 @@ Only after successful authentication and authorization does the service process
 
 This flow ensures that every AI interaction in Microsoft Foundry is tied to a verified identity and evaluated against assigned permissions.
 
-Understanding this sequence prepares you to analyze authentication failures, token misuse, and access control misconfigurations in AI environments.
+Understanding this sequence prepares you to analyze authentication failures, token misuse, and access control misconfigurations in AI environments. It also clarifies how different identity types authenticate and why that distinction matters.

learn-pr/wwl-sci/entra-ai-understand/includes/common-identity-misconfigurations-ai.md

@@ -0,0 +1,85 @@
+Strong authentication and well-defined roles don't guarantee secure AI workloads. Identity design decisions determine whether access boundaries hold under pressure.
+
+Identity design failures cause most AI security incidents, not flaws in the model itself. Common drivers include misconfigured identities, excessive permissions, and weak enforcement controls.
+
+Understanding common misconfigurations helps you recognize risk patterns early.
+
+## Overprivileged application identities
+
+Service principals and managed identities often receive broad permissions for convenience.
+
+For example:
+
+- Assigning contributor access at the subscription level
+- Granting both management and data plane permissions when only one is required
+- Reusing a single application identity across multiple workloads
+
+Because application identities operate without human interaction, excessive permissions can enable automated misuse at scale.
+
+When an overprivileged identity is compromised, the blast radius extends to every resource within its assigned scope.
+
+## Broad scope assignments
+
+Scope selection directly affects blast radius.
+
+Assigning roles at the subscription level might simplify administration, but it broadens access beyond what's necessary. A compromised identity with subscription-level permissions can modify or access multiple AI resources across environments.
+
+Limiting scope to a specific resource group or AI endpoint narrows the scope of access and aligns more closely with least-privilege principles.
+
+Convenience shouldn't override scope discipline.
+
+## Shared credentials and secret management
+
+Application identities that rely on shared secrets introduce additional risk.
+
+Embedding credentials in code, storing them in unsecured configuration files, or failing to rotate secrets increases the likelihood of compromise.
+
+Managed identities reduce some of this risk by removing the need to manage credentials directly. However, they don't eliminate the need for proper role assignment and scope control.
+
+Secret management failures often surface long after initial deployment, when credentials are reused across environments or teams.
+
+## Mixing development and production identities
+
+Using the same identity for development and production workloads expands the potential scope of a compromise.
+
+Development environments often have broader permissions and less restrictive controls. If that identity also has production access, a compromise in development can affect production systems.
+
+Separating identities by environment limits lateral movement and narrows the scope of a compromise.
+
+Environment boundaries should be reflected in identity boundaries.
+
+## Token handling and leakage risks
+
+Access tokens represent authenticated identities. If tokens are logged, exposed in client-side code, or transmitted insecurely, they can be replayed until expiration.
+
+Short token lifetimes and secure storage practices reduce this risk. Monitoring unusual token usage patterns also helps detect misuse.
+
+Authentication doesn't eliminate risk. It defines the boundary of trust.
+
+## Missing Conditional Access enforcement
+
+Authentication alone doesn't guarantee secure access conditions.
+
+If Conditional Access policies aren't applied to relevant identities, attackers might authenticate successfully without meeting device compliance, location, or multifactor requirements.
+
+Conditional Access strengthens identity enforcement by evaluating context in addition to credentials.
+
+Without it, identity security relies solely on credential protection.
+
+Certain operational symptoms often point back to identity design decisions. Unexpected model deployments can indicate excessive management plane permissions, while unusual model invocation patterns or data access spikes might suggest overly broad data plane access. When investigating AI incidents, examining identity scope and role assignments is often more revealing than inspecting the model itself.
+
+## Closing the loop
+
+Identity architecture defines who can access AI resources, what they can do, and where that access applies.
+
+Misconfigurations weaken those boundaries.
+
+Designing identity intentionally means:
+
+- Assigning only required permissions
+- Limiting scope appropriately
+- Separating environments
+- Protecting credentials
+- Enforcing contextual access controls
+
+AI security depends on identity discipline. The tools that monitor posture and detect risk build on these foundations, but they don't replace them.

learn-pr/wwl-sci/entra-ai-understand/includes/human-workload-identities-ai-environments.md

@@ -2,7 +2,7 @@ AI endpoints don't distinguish between human and application requests at runtime
 
 For security design, the type of identity matters.
 
-Understanding the differences between **human**, **application**, and **managed** identities helps you assign permissions correctly and reduce risk.
+Understanding the differences between **human**, **application**, and **managed identities** helps you assign permissions correctly and reduce risk.
 
 ## Human identities
 
@@ -22,7 +22,7 @@ Overassigning permissions to user accounts increases risk, particularly in the m
 
 ## Application identities
 
-Application identities represent software rather than people. In Microsoft Entra ID, these are typically implemented as service principals associated with application registrations.
+Application identities represent software rather than people. In Microsoft Entra ID, these are typically implemented as service principals associated with application registrations. An application registration defines the application globally, while a service principal represents that application as a security identity within a specific tenant.
 
 They're used when software calls an AI endpoint directly. Examples include:
 
@@ -66,4 +66,4 @@ Each identity type introduces different security considerations:
 
 The identity type you choose affects the potential blast radius if that identity is compromised.
 
-Understanding these distinctions allows you to design access intentionally rather than defaulting to broad or convenient configurations.
+Understanding these distinctions allows you to design access intentionally rather than defaulting to broad or convenient configurations. The next step is defining what those identities are actually permitted to do and where those permissions apply.

learn-pr/wwl-sci/entra-ai-understand/includes/identity-control-layer-ai-solutions.md

@@ -45,4 +45,4 @@ Identity is present at every stage:
 
 Security platforms like Microsoft Defender for Cloud rely on identity context to evaluate risk and surface misconfigurations. Without a clear identity architecture, posture insights lack meaningful context.
 
-Understanding how identity governs AI access is the foundation for designing secure AI workloads. Every subsequent decision about access, roles, conditions, and enforcement builds on this layer.
+Secure AI access rests on four elements: identity, authentication, authorization, and scope. Each layer builds on the previous one. When identity design is sound, these layers work together to create predictable and enforceable access boundaries.

learn-pr/wwl-sci/entra-ai-understand/includes/introduction.md

@@ -0,0 +1,25 @@
+Most AI security conversations focus on model behavior, data exposure, or runtime misuse. In AI workloads running in Azure, identity architecture often determines whether those risks are even possible.
+
+AI workloads don't change how Microsoft Entra ID works. What changes is how identity decisions play out once models are deployed, invoked at scale, and integrated into automated pipelines. The separation between management and data plane operations, combined with scoped role assignments, introduces risk patterns that aren't obvious in traditional application deployments.
+
+In AI environments, identity isn't just about signing in to a portal. It defines what actions are possible across deployment and runtime:
+
+- Who can deploy or modify models
+- Who can invoke endpoints and retrieve data
+- How applications and services authenticate during execution
+- How far permissions extend across subscriptions, resource groups, and individual AI resources
+
+Small gaps between identity type, role assignment, and scope can quietly expand the blast radius. Those gaps often surface only during an incident or investigation.
+
+## Learning objectives
+
+By the end of this module, you'll be able to:
+
+- Explain identity as the control layer for AI solutions in Azure
+- Distinguish between management plane and data plane access in AI workloads
+- Describe authentication flows used by AI endpoints integrated with Microsoft Entra ID
+- Distinguish between human and workload identities
+- Interpret role assignments and scope boundaries across AI resources
+- Recognize common identity design patterns that increase AI risk
+
+Once identity behavior in AI workloads is clear, access decisions become intentional rather than automatic. That clarity is essential when designing role assignments, enforcing least privilege, and applying Conditional Access in AI environments.

learn-pr/wwl-sci/entra-ai-understand/includes/management-data-plane-ai-workloads.md

@@ -38,6 +38,8 @@ A common mistake is assuming that restricting management access is enough. An id
 
 Management plane and data plane permissions are evaluated independently. An identity might have access in one plane but not the other.
 
+Because these planes control different categories of actions, failures have different consequences. Management plane misconfigurations alter how AI resources are structured, deployed, or governed. Data plane misconfigurations affect how models are invoked and what data they can process or expose.
+
 This separation affects:
 
 - How you design role assignments
@@ -51,4 +53,4 @@ Was this action performed through the management plane or the data plane?
 
 That distinction shapes both risk assessment and remediation.
 
-Understanding these two planes prepares you to design access intentionally rather than granting broad permissions that span configuration and runtime activity.
+Understanding these two planes allows you to design access intentionally rather than granting broad permissions that span configuration and runtime activity. That foundation makes it possible to examine how requests are authenticated and validated.