Merge pull request #53354 from wwlpublish/LP156462-3

Fixed Feedback bugs

Author: ttorble

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.introduction
+title: "Introduction"
+metadata:
+  title: "Introduction"
+  description: "Introduction."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 5
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/2-configure-azure-rbac-infrastructure-components.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.configure-azure-rbac-infrastructure-components
+title: "Configure Azure RBAC for AI infrastructure components"
+metadata:
+  title: "Configure Azure RBAC for AI infrastructure components"
+  description: "Configure Azure RBAC for AI infrastructure components."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 13
+content: |
+  [!include[](includes/2-configure-azure-rbac-infrastructure-components.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/3-implement-keyless-authentication-microsoft.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.implement-keyless-authentication-microsoft
+title: "Implement keyless authentication with Microsoft Entra ID managed identities"
+metadata:
+  title: "Implement keyless authentication with Microsoft Entra ID managed identities"
+  description: "Implement keyless authentication with Microsoft Entra ID Managed Identities."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 14
+content: |
+  [!include[](includes/3-implement-keyless-authentication-microsoft.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/4-deploy-azure-cosmos-agent.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.deploy-azure-cosmos-agent
+title: "Deploy Azure Cosmos DB for NoSQL as an agent conversation store"
+metadata:
+  title: "Deploy Azure Cosmos DB for NoSQL as an agent conversation store"
+  description: "Deploy Azure Cosmos DB for NoSQL as an agent conversation store."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/4-deploy-azure-cosmos-agent.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/5-exercise-configure-secure-infrastructure-azure.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.exercise-configure-secure-infrastructure-azure
+title: "Configure secure infrastructure Azure"
+metadata:
+  title: "Configure secure infrastructure Azure"
+  description: "Configure Secure Infrastructure Azure."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 50
+content: |
+  [!include[](includes/5-exercise-configure-secure-infrastructure-azure.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/6-knowledge-check.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.manage-secure-ai-ready-infrastructure.summary
+title: "Summary"
+metadata:
+  title: "Summary"
+  description: "Summary."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 5
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/7-summary.yml

@@ -0,0 +1,15 @@
+## Learning objectives
+
+- Configure Azure RBAC role assignments to enforce least-privilege access for AI infrastructure components
+- Implement system-assigned managed identities to enable keyless authentication between Azure services
+- Deploy and configure Azure Cosmos DB for NoSQL as a conversation and metadata store for AI agents
+- Evaluate security and governance considerations for production AI workloads on Azure
+
+
+In this module, you configure the secure infrastructure that Contoso's AI agents require. You assign RBAC roles to grant specific permissions without over-provisioning access, enable managed identities to eliminate connection string management, and deploy Cosmos DB as a scalable conversation store with optimized partition keys and time-to-live policies. By the end of this module, you have hands-on experience building production-ready AI infrastructure that satisfies security auditors and supports global-scale deployments.
+
+## More resources
+
+- [What is Azure Role-Based Access Control (Azure RBAC)?](/azure/role-based-access-control/overview) - Comprehensive overview of RBAC concepts, scope hierarchy, and built-in roles
+- [What are managed identities for Azure resources?](/entra/identity/managed-identities-azure-resources/overview) - Introduction to system-assigned and user-assigned managed identities with use case examples
+- [Welcome to Azure Cosmos DB](/azure/cosmos-db/introduction) - Overview of Cosmos DB capabilities, consistency levels, and global distribution features

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/1-introduction.md

@@ -0,0 +1,30 @@
+When Contoso's development team first deployed their AI agents, they granted every service account Contributor permissions at the subscription level. This approach delivered fast deployment velocity during the prototype phase, but it also gave agents the ability to delete production databases, modify network security rules, and access resources across unrelated projects. Security audits revealed that over-privileged access increased the blast radius of potential breaches by 300%, turning what should have been isolated incidents into organization-wide security events.
+
+Azure Role-Based Access Control (RBAC) solves this problem by letting you assign permissions at precisely the scope required for each job task. With RBAC, you define who can access which resources and what actions they can perform, enforcing the principle of least privilege across your entire infrastructure. The system uses a hierarchy of scopes—subscription, resource group, and individual resource—where permissions assigned at a higher level automatically inherit to child resources. For example, granting Reader access at the resource group level means that identity can view all resources within that group without requiring separate assignments for each database, storage account, or virtual machine.
+
+Building on this hierarchical model, Azure provides built-in roles tailored to common job functions. The Contributor role grants full management permissions for resources within a scope but prevents the assignment of roles to other users—ideal for DevOps engineers who deploy and configure infrastructure but don't manage access policies. In contrast, the Cosmos DB Data Contributor role allows reading and writing data within Cosmos DB containers without granting permissions to modify the database account configuration, networking rules, or billing settings. This separation becomes critical when your AI agents need to persist conversation logs but shouldn't have the ability to delete entire databases or change throughput settings.
+
+:::image type="content" source="../media/hierarchical-model-azure-built-in-roles.png" alt-text="Diagram showing how hierarchical models provide built-in roles tailored to common job functions.":::
+
+At the same time, operations teams need visibility into resource configurations without the risk of accidental modifications. The Reader role provides read-only access across all resource types, enabling security auditors to review configurations, developers to troubleshoot issues by inspecting resource properties, and compliance teams to validate policy adherence. With Reader permissions scoped to specific resource groups, you create safe audit trails without exposing production environments to unauthorized changes.
+
+Consider what happens when you assign roles to managed identities representing AI agent applications. You navigate to the Access Control (IAM) blade of your Cosmos DB account, select **Add role assignment**, choose Cosmos DB Data Contributor from the Role tab, then specify the agent's system-assigned managed identity as the assignee on the Members tab. After confirming the assignment, the agent can immediately write conversation documents and query session history without storing any credentials in configuration files. This pattern eliminates the risk of leaked connection strings—a vulnerability responsible for 40% of cloud data breaches according to Microsoft security telemetry.
+
+:::image type="content" source="../media/pattern-eliminates-risk-leaked-connection-string.png" alt-text="Diagram showing how a pattern can eliminate the risk of leaked connection strings.":::
+
+This becomes especially important when you operate across multiple environments. Traditional approaches require duplicating service accounts and rotating credentials separately in development, staging, and production environments. With RBAC and managed identities, you define role assignments once per environment using infrastructure-as-code templates, and Azure handles credential lifecycle automatically. Your operations team reduces permission management overhead by 70% while simultaneously improving security posture.
+
+Now that you understand how RBAC enforces least-privilege access through built-in roles and scope hierarchy, let's explore how managed identities eliminate the need for credential storage entirely. The next unit demonstrates enabling managed identities on Azure App Service and configuring the token acquisition flow that powers keyless authentication.
+
+:::image type="content" source="../media/role-assignment-subscription-resource-group.png" alt-text="Diagram showing how role assignments across subscription, resource group, and resources scopes.":::
+
+
+*Azure RBAC role assignments across subscription, resource group, and resource scopes for Contoso's AI agent infrastructure*
+
+## More resources
+
+- [Azure built-in roles](/azure/role-based-access-control/built-in-roles) - Complete reference of all Azure built-in roles with detailed permission lists and scope recommendations
+- [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal) - Step-by-step guide for assigning roles through the Access Control (IAM) blade with screenshots
+- [Best practices for Azure RBAC](/azure/role-based-access-control/best-practices) - Recommendations for scope selection, custom role creation, and audit logging strategies
+
+

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/2-configure-azure-rbac-infrastructure-components.md

@@ -0,0 +1,27 @@
+You've just configured RBAC roles to grant your AI agent precise permissions for reading conversation history from Cosmos DB. However, the agent still needs a way to prove its identity when making API calls—traditionally accomplished by storing a connection string or access key in application configuration. This approach creates immediate security risks: developers accidentally commit secrets to source control repositories, connection strings proliferate across configuration files in multiple environments, and operations teams spend hours rotating credentials quarterly to satisfy compliance audits. Microsoft security research shows that 60% of cloud security incidents involve compromised credentials, with an average breach detection time of 280 days.
+
+Microsoft Entra ID Managed Identities eliminate credential storage entirely by providing your Azure resources with automatically managed identities that can authenticate to any service supporting Entra ID authentication. Unlike traditional service principals that require manual creation and credential management, managed identities have their lifecycle tied directly to the Azure resource that uses them. When you enable a system-assigned managed identity on an App Service, Azure automatically provisions an identity in your Entra ID tenant, manages its credentials behind the scenes, and rotates the underlying certificate every 46 days without any action from your operations team.
+
+With this approach, your AI agent application requests an access token at runtime from the Azure Instance Metadata Service (IMDS), an internal endpoint available to all Azure compute resources. The application makes an HTTP GET request to `http://169.254.169.254/metadata/identity/oauth2/token` specifying the target resource (for example, Cosmos DB), and IMDS validates that the calling resource has a managed identity enabled. After validation, Entra ID issues a short-lived JSON Web Token (JWT) that expires after 24 hours, and the agent includes this token in the Authorization header of subsequent API calls to Cosmos DB. The database validates the token's signature and claims with Entra ID, confirms the identity has appropriate RBAC permissions (remember that Cosmos DB Data Contributor role you assigned), and grants access to the requested data.
+
+:::image type="content" source="../media/database-validate-token-signature-claims.png" alt-text="Diagram showing how a database validates a token signature and claim with Entra ID.":::
+
+This becomes especially important when you compare the two types of managed identities available. System-assigned identities have their lifecycle bound to a single resource—when you delete the App Service, Azure automatically removes its managed identity. This tight coupling simplifies management for scenarios where one application needs access to specific resources, and it's the default choice for 85% of Azure deployments according to Microsoft telemetry. In contrast, user-assigned identities exist as standalone resources independent of any particular compute service, allowing you to assign the same identity to multiple App Services, Virtual Machines, or Azure Functions. This approach suits complex architectures where several services share the same set of permissions, such as a microservices platform where ten different APIs all need identical access to a central Cosmos DB account.
+
+Consider what happens in your production environment after enabling a system-assigned managed identity on the customer support agent's App Service. You navigate to the **Identity** blade in the Azure portal, toggle the system-assigned status to **On**, and save the configuration. Azure immediately provisions an identity with a unique object ID and displays it in the portal. You then assign the Cosmos DB Data Contributor role to this identity using the Access Control (IAM) workflow covered in the previous unit. With this configuration complete, your development team removes all connection strings from application configuration files and updates the agent's code to request tokens from IMDS before calling Cosmos DB APIs.
+
+:::image type="content" source="../media/development-team-removes-connection-strings.png" alt-text="Diagram showing how a development team removes all connection strings from application configuration files.":::
+
+Building on this foundation, your application benefits from automatic credential rotation without code changes or deployment cycles. Traditional connection string rotation requires coordinating updates across multiple configuration files, restarting services during maintenance windows, and verifying connectivity after each change—a process that typically takes 3-4 hours per environment and introduces risk of service disruption. With managed identities, Azure handles rotation transparently, and your application seamlessly acquires new tokens using the same IMDS endpoint. Operations teams report that this automation reduces credential management overhead by 90% while improving security posture by eliminating the most common attack vector for cloud data breaches.
+
+Now that you understand how managed identities provide keyless authentication through automatic token acquisition, you're ready to configure the data store that will persist your AI agent's conversations. The next unit explores deploying Azure Cosmos DB for NoSQL with optimized partition keys, consistency levels, and retention policies that balance performance with compliance requirements.
+
+:::image type="content" source="../media/keyless-authentication-flow-system-assigned.png" alt-text="Diagram showing eight steps in the keyless authentication flow.":::
+
+*Keyless authentication flow using system-assigned managed identity and Azure Instance Metadata Service to write conversation data*
+
+## Additional resources
+
+- [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) - Detailed guide for enabling and using managed identities in App Service with code samples in multiple languages
+- [Authenticate and authorize with managed identities in Azure Cosmos DB](/azure/cosmos-db/how-to-setup-rbac) - Instructions for configuring role-based access control for Cosmos DB using managed identities instead of connection strings
+- [Azure Instance Metadata Service (IMDS)](/azure/virtual-machines/instance-metadata-service) - Technical reference for the IMDS endpoint including request formats, response schemas, and token acquisition examples