description: This course teaches how to govern AI‑ready infrastructure with Microsoft Foundry by enforcing policies, secure access, managing costs, regulating model behavior, and monitor compliance through practical, real‑world governance scenarios.
6
+
ms.date: 02/11/2026
7
+
author: wwlpublish
8
+
ms.author: bradj
9
+
ms.topic: learning-path
10
+
title: Govern AI-ready infrastructure
11
+
prerequisites: |
12
+
- Familiarity with Azure fundamentals, including subscriptions, resource groups, and basic resource management concepts.
13
+
- A foundational understanding of AI and machine learning workloads, such as Azure OpenAI and model deployments.
14
+
- Experience using the Azure portal or Azure CLI to deploy and configure resources.
15
+
- Basic knowledge of identity, access, and security concepts in Azure, such as RBAC and Microsoft Entra ID.
16
+
summary: |
17
+
This course teaches how to govern AI‑ready infrastructure with Microsoft Foundry by enforcing policies, secure access, managing costs, regulating model behavior, and monitor compliance through practical, real‑world governance scenarios.
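Review bot: the `description` and the `summary` block carry the same sentence, and that sentence is not parallel: "enforcing policies, secure access, managing costs, regulating model behavior, and monitor compliance". Suggest "enforcing policies, securing access, managing costs, regulating model behavior, and monitoring compliance", applied in both fields so they do not drift apart later.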
description: Learn to manage AI infrastructure by planning compute capacity, enforcing governance, configuring monitoring, and optimizing costs to support scalable, compliant, and high-performing AI workloads without budget overruns or operational risks.
6
+
ms.date: 02/11/2026
7
+
author: wwlpublish
8
+
ms.author: bradj
9
+
ms.topic: learning-path
10
+
title: Manage AI-ready infrastructure
11
+
prerequisites: |
12
+
- Familiarity with Azure infrastructure fundamentals including virtual machines, storage accounts, and resource groups
13
+
- Basic understanding of AI and machine learning workloads such as model training and inference
14
+
- Experience navigating the Azure portal or executing Azure CLI commands
15
+
summary: |
16
+
Learn to manage AI infrastructure by planning compute capacity, enforcing governance, configuring monitoring, and optimizing costs to support scalable, compliant, and high-performing AI workloads.
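Review bot: the three prerequisite items here have no trailing period while the items in the sibling "Govern AI-ready infrastructure" file each end with one; pick one style for both learning paths. Also note the `summary` drops the "without budget overruns or operational risks" clause that the `description` carries; fine if intentional, but the two fields should be checked against each other before merge.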
title: "Introduction: Secure infrastructure for AI workloads"
4
+
metadata:
5
+
title: "Introduction: Secure Infrastructure for AI Workloads"
6
+
description: "Learn how to secure AI infrastructure with Azure. Configure identity, governance scopes, and policies to ensure compliance and prevent risks."
title: "Configure Microsoft Entra ID security principals"
4
+
metadata:
5
+
title: "Configure Microsoft Entra ID Security Principals"
6
+
description: "Learn how to configure Microsoft Entra ID security principals to manage access for users, groups, and services in Azure AI environments."
title: "Implement Azure governance scopes for AI resources"
4
+
metadata:
5
+
title: "Implement Azure Governance Scopes for AI Resources"
6
+
description: "Learn how to use Azure's scope hierarchy to organize AI resources, enforce policies, and streamline cost management for your infrastructure."
title: "Apply Azure Policy as the primary governance mechanism"
4
+
metadata:
5
+
title: "Apply Azure Policy as the Primary Governance Mechanism"
6
+
description: "Learn how to use Azure Policy to enforce governance requirements, automate compliance, and streamline resource management for AI workloads."
title: "Exercise: Configure secure AI infrastructure in Azure"
4
+
metadata:
5
+
title: "Exercise: Configure Secure AI Infrastructure in Azure"
6
+
description: "Learn how to configure secure AI infrastructure in Azure using role-based access control and Azure Policy for enhanced governance and security."
description: "Test your understanding of Azure AI infrastructure security with this knowledge check. Learn about managed identities, governance scopes, and Azure Policy."
7
+
ms.date: 02/09/2026
8
+
author: wwlpublish
9
+
ms.author: bradj
10
+
ms.topic: unit
11
+
durationInMinutes: 6
12
+
content: "Choose the best response for each of the following questions."
13
+
quiz:
14
+
questions:
15
+
- content: "Your Azure Machine Learning workspace needs to access training data stored in an Azure Storage account. The workspace runs automated training pipelines that execute without human intervention. Your security team requires that no credentials be stored in code or configuration files. Which Microsoft Entra ID principal type should you configure for this scenario?"
16
+
choices:
17
+
- content: "Create a service principal with a client secret, store the secret in Azure Key Vault, and configure the ML workspace to retrieve the secret during pipeline execution."
18
+
isCorrect: false
19
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
20
+
- content: "Enable system-assigned managed identity on the ML workspace and grant it Storage Blob Data Reader role on the storage account."
21
+
isCorrect: true
22
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
23
+
- content: "Create a user-assigned managed identity, assign it to multiple ML workspaces across different projects, and grant it Contributor role at the subscription level for maximum flexibility."
24
+
isCorrect: false
25
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
26
+
- content: "Your organization runs AI workloads across three business units: Healthcare Analytics, Financial Services, and Retail Operations. Each unit requires different compliance controls—Healthcare must meet HIPAA requirements, Financial Services needs PCI-DSS compliance, and Retail has standard corporate policies. All units must follow organization-wide security baselines like mandatory encryption and approved regions. How should you structure Azure governance scopes to meet these requirements?"
27
+
choices:
28
+
- content: "Create a single subscription containing three resource groups (one per business unit), and use Azure Policy exemptions to apply different compliance controls to each resource group based on their specific requirements."
29
+
isCorrect: false
30
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
31
+
- content: "Create a management group with organization-wide policies, then create separate subscriptions for each business unit where unit-specific compliance policies apply, with all subscriptions inheriting the management group's security baseline."
32
+
isCorrect: true
33
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
34
+
- content: "Create three separate management groups (one per business unit) with no shared parent, configure identical security baseline policies in each management group manually, and create subscriptions under each management group for environment separation."
35
+
isCorrect: false
36
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
37
+
- content: "Your security team wants to ensure all new Azure Storage accounts used for AI workloads have diagnostic logging enabled automatically, without requiring manual configuration by data science teams. Existing storage accounts that lack diagnostic settings should be identified for remediation. Which Azure Policy effect combination accomplishes both objectives most efficiently?"
38
+
choices:
39
+
- content: "Assign a policy with Deny effect that blocks creation of storage accounts without diagnostic settings, then manually configure logging on existing noncompliant accounts identified through Azure portal review."
40
+
isCorrect: false
41
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
42
+
- content: "Assign a policy with Audit effect that generates compliance reports showing storage accounts lacking diagnostic settings, then create a second policy assignment with DeployIfNotExists effect that automatically adds diagnostic configurations to both new and existing storage accounts."
43
+
isCorrect: false
44
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
45
+
- content: "Assign a policy with DeployIfNotExists effect that automatically deploys diagnostic settings to new storage accounts and creates remediation tasks for existing accounts, providing both prevention and automated fixing in a single policy."
46
+
isCorrect: true
47
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
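Review bot: the third question's explanation is technically off where it says DeployIfNotExists deploys diagnostic settings "during creation (prevention)". DeployIfNotExists is evaluated after the resource has been created (and on subsequent compliance scans), so it configures the resource shortly after creation and remediates existing ones through remediation tasks; only Deny blocks creation. Suggest rewording to "automatically deploys diagnostic settings shortly after a storage account is created and remediates existing accounts through remediation tasks", and dropping "(prevention)". Two further points across all three questions: every choice reuses one identical explanation that refers to other choices by position ("option 1", "option 3"), which is brittle if choices are reordered and tells the learner nothing specific about the choice they picked; write a short per-choice explanation instead. The quantified claims ("increasing ... administrative overhead by 3x", "doubling policy evaluation overhead") are unsupported and should be removed or phrased qualitatively. Minor: `ms.date` here is 02/09/2026 while both index files say 02/11/2026.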
description: "Learn how to secure Azure AI infrastructure with managed identities, governance scopes, and Azure Policy for automated compliance and protection."