
Commit 254222c

Merge branch 'main' of https://github.com/MicrosoftDocs/learn-pr into intro-to-adx
2 parents 16a88f8 + e62da64 commit 254222c

45 files changed

Lines changed: 806 additions & 0 deletions

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.introduction
3+
title: "Introduction"
4+
metadata:
5+
title: "Introduction"
6+
description: "Introduction"
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 3
12+
content: |
13+
[!include[](includes/1-introduction.md)]
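Review bot: the `description` value just repeats the title ("Introduction"), so the unit has no searchable summary in the metadata; replace it with one sentence that says what the module covers, for example `description: "Learn how Microsoft Foundry enforces policy, identity, and monitoring controls for AI workloads."`. The same title-as-description pattern is used for the summary unit in this commit.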
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.configure-policy-driven-governance
3+
title: "Configure policy-driven governance with Microsoft Foundry"
4+
metadata:
5+
title: "Configure Policy-driven Governance with Microsoft Foundry"
6+
description: "Learn about configure policy-driven governance with Microsoft Foundry."
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 12
12+
content: |
13+
[!include[](includes/2-configure-policy-driven-governance.md)]
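Review bot: the `description` value is ungrammatical: "Learn about configure policy-driven governance with Microsoft Foundry." should read "Learn how to configure policy-driven governance with Microsoft Foundry." The "Learn about <verb>" pattern repeats in units 3, 4 and 5 of this commit and should be fixed in all of them at once.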
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.implement-identity-access-management
3+
title: "Implement identity and access management for AI workloads"
4+
metadata:
5+
title: "Implement Identity and Access Management for AI Workloads"
6+
description: "Learn about implement identity and access management for AI workloads."
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 11
12+
content: |
13+
[!include[](includes/3-implement-identity-access-management.md)]
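Review bot: same grammar problem in `description`: "Learn about implement identity and access management for AI workloads." should read "Learn how to implement identity and access management for AI workloads."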
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.establish-monitor-compliance-workflows
3+
title: "Establish monitoring and compliance workflows"
4+
metadata:
5+
title: "Establish Monitoring and Compliance Workflows"
6+
description: "Learn about establish monitoring and compliance workflows."
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 10
12+
content: |
13+
[!include[](includes/4-establish-monitor-compliance-workflows.md)]
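Review bot: same grammar problem in `description`: "Learn about establish monitoring and compliance workflows." should read "Learn how to establish monitoring and compliance workflows."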
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.exercise-configure-governance-controls
3+
title: "Apply governance controls to AI model lifecycle and resource consumption"
4+
metadata:
5+
title: "Apply Governance Controls to AI Model Lifecycle and Resource Consumption"
6+
description: "Learn about apply governance controls to AI Model Lifecycle and Resource Consumption."
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 45
12+
content: |
13+
[!include[](includes/5-exercise-configure-governance-controls.md)]
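Review bot: the `description` value is ungrammatical and its capitalization does not match the title: "Learn about apply governance controls to AI Model Lifecycle and Resource Consumption." should read "Learn how to apply governance controls to the AI model lifecycle and resource consumption." Since the `uid` and the include path both mark this as the exercise unit, the `title` should say so as well (the Learn convention is an "Exercise - " prefix), so learners can tell it apart from the conceptual units before they start a 45-minute hands-on task.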
Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.knowledge-check
3+
title: "Module assessment"
4+
metadata:
5+
title: "Knowledge check"
6+
description: "Knowledge check"
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
module_assessment: true
12+
durationInMinutes: 3
13+
content: "Choose the best response for each of the following questions."
14+
quiz:
15+
questions:
16+
- content: "Your organization operates in both the United States and European Union, with separate compliance requirements for each region. Data scientists in the EU must deploy Azure OpenAI resources only in West Europe, while US teams require access to East US and West US regions. Which policy assignment strategy best enforces these geographic restrictions?"
17+
choices:
18+
- content: "Create a single policy at the management group level that allows all three regions, then rely on teams to self-govern their deployment choices."
19+
isCorrect: false
20+
explanation: "Assigning separate policies to each subscription provides the strongest enforcement by preventing noncompliant deployments at the Azure Resource Manager level. A single management group policy allowing all three regions defeats the purpose of geographic separation because any team could deploy to any region. Conditional access policies control user authentication locations, not Azure resource deployment regions, making them ineffective for data residency compliance. Subscription-scoped policies automatically evaluate every deployment attempt and block resources that violate location restrictions without requiring manual oversight."
21+
- content: "Assign separate location restriction policies to each region's subscription, specifying only the approved regions for that geography."
22+
isCorrect: true
23+
explanation: "Assigning separate policies to each subscription provides the strongest enforcement by preventing noncompliant deployments at the Azure Resource Manager level. A single management group policy allowing all three regions defeats the purpose of geographic separation because any team could deploy to any region. Conditional access policies control user authentication locations, not Azure resource deployment regions, making them ineffective for data residency compliance. Subscription-scoped policies automatically evaluate every deployment attempt and block resources that violate location restrictions without requiring manual oversight."
24+
- content: "Configure conditional access policies in Microsoft Entra ID that block authentication from unapproved Azure regions."
25+
isCorrect: false
26+
explanation: "Assigning separate policies to each subscription provides the strongest enforcement by preventing noncompliant deployments at the Azure Resource Manager level. A single management group policy allowing all three regions defeats the purpose of geographic separation because any team could deploy to any region. Conditional access policies control user authentication locations, not Azure resource deployment regions, making them ineffective for data residency compliance. Subscription-scoped policies automatically evaluate every deployment attempt and block resources that violate location restrictions without requiring manual oversight."
27+
- content: "A development team needs to run inference queries against predeployed Azure OpenAI models but shouldn't be able to deploy new models, modify existing configurations, or access training data. Which role assignment meets these requirements with the least privilege?"
28+
choices:
29+
- content: "Assign the Cognitive Services User role at the resource group scope containing the deployed models."
30+
isCorrect: true
31+
explanation: "The Cognitive Services User built-in role grants exactly the permissions needed for inference operations while explicitly excluding deployment and configuration capabilities, following the principle of least privilege. A custom role with wildcard permissions at the subscription level violates least privilege by granting broader access than required and increases the blast radius if credentials are compromised. Using Contributor with deny policies creates unnecessary complexity and administrative overhead because you must maintain policy definitions to restrict a role that already grants excessive permissions. The User role provides read and inference permissions only, preventing the team from modifying infrastructure while enabling their core job function."
32+
- content: "Create a custom role with Microsoft.CognitiveServices/* permissions and assign it at the subscription level."
33+
isCorrect: false
34+
explanation: "The Cognitive Services User built-in role grants exactly the permissions needed for inference operations while explicitly excluding deployment and configuration capabilities, following the principle of least privilege. A custom role with wildcard permissions at the subscription level violates least privilege by granting broader access than required and increases the blast radius if credentials are compromised. Using Contributor with deny policies creates unnecessary complexity and administrative overhead because you must maintain policy definitions to restrict a role that already grants excessive permissions. The User role provides read and inference permissions only, preventing the team from modifying infrastructure while enabling their core job function."
35+
- content: "Assign the Contributor role at the resource group scope but use Azure Policy to deny deployment operations."
36+
isCorrect: false
37+
explanation: "The Cognitive Services User built-in role grants exactly the permissions needed for inference operations while explicitly excluding deployment and configuration capabilities, following the principle of least privilege. A custom role with wildcard permissions at the subscription level violates least privilege by granting broader access than required and increases the blast radius if credentials are compromised. Using Contributor with deny policies creates unnecessary complexity and administrative overhead because you must maintain policy definitions to restrict a role that already grants excessive permissions. The User role provides read and inference permissions only, preventing the team from modifying infrastructure while enabling their core job function."
38+
- content: "Your monitoring dashboard shows that Azure OpenAI token consumption increased 300% over the past week, but usage patterns appear normal and no policy violations were detected. Investigation reveals that a marketing campaign generated higher-than-expected traffic. What governance action should you take to prevent future budget overruns while maintaining service availability?"
39+
choices:
40+
- content: "Configure an Azure Monitor alert rule that triggers when token consumption exceeds 150% of the monthly baseline and automatically scales up capacity."
41+
isCorrect: false
42+
explanation: "Cost management budget alerts with approval workflows balance governance control with operational flexibility by warning stakeholders before overages occur while allowing justified increases through approval processes. Automatically scaling capacity addresses availability but bypasses financial oversight, potentially allowing uncontrolled spending that finance teams discover only at month-end. Denying all deployments with a blanket policy creates operational disruption and blocks legitimate business needs while the approval process completes. Budget alerts at 80% thresholds provide sufficient warning time for stakeholders to evaluate whether increased spending aligns with business value, request more budgets, or implement usage controls before actual overages occur."
43+
- content: "Implement an Azure Policy that denies all Azure OpenAI deployments until finance approves a revised budget allocation."
44+
isCorrect: false
45+
explanation: "Cost management budget alerts with approval workflows balance governance control with operational flexibility by warning stakeholders before overages occur while allowing justified increases through approval processes. Automatically scaling capacity addresses availability but bypasses financial oversight, potentially allowing uncontrolled spending that finance teams discover only at month-end. Denying all deployments with a blanket policy creates operational disruption and blocks legitimate business needs while the approval process completes. Budget alerts at 80% thresholds provide sufficient warning time for stakeholders to evaluate whether increased spending aligns with business value, request more budgets, or implement usage controls before actual overages occur."
46+
- content: "Create a cost management budget alert that notifies stakeholders when spending reaches 80% of the allocated amount and requires approval for overages."
47+
isCorrect: true
48+
explanation: "Cost management budget alerts with approval workflows balance governance control with operational flexibility by warning stakeholders before overages occur while allowing justified increases through approval processes. Automatically scaling capacity addresses availability but bypasses financial oversight, potentially allowing uncontrolled spending that finance teams discover only at month-end. Denying all deployments with a blanket policy creates operational disruption and blocks legitimate business needs while the approval process completes. Budget alerts at 80% thresholds provide sufficient warning time for stakeholders to evaluate whether increased spending aligns with business value, request more budgets, or implement usage controls before actual overages occur."
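Review bot: in the second question's explanation, "The User role provides read and inference permissions only" understates what the Cognitive Services User built-in role grants: it also includes `Microsoft.CognitiveServices/accounts/listKeys/action`, so a team holding it can retrieve the account's API keys and call the endpoint with a shared secret that is not tied to any individual identity. If the intended answer is identity-based inference with no key access, the narrower Cognitive Services OpenAI User role (data-plane inference, no key listing) is the better least-privilege choice, and the explanation should say why key listing matters. In the third question, an Azure Cost Management budget alert only notifies; "requires approval for overages" describes a process the organization wraps around the alert, not something the budget enforces, so the explanation should draw that line explicitly (it also says "request more budgets", which should be "request more budget").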
Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
### YamlMime:ModuleUnit
2+
uid: learn.wwl.govern-ai-ready-workloads-microsoft-foundry.summary
3+
title: "Summary"
4+
metadata:
5+
title: "Summary"
6+
description: "Summary"
7+
ms.date: 02/02/2026
8+
author: wwlpublish
9+
ms.author: bradj
10+
ms.topic: unit
11+
durationInMinutes: 3
12+
content: |
13+
[!include[](includes/7-summary.md)]
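Review bot: the `description` value repeats the title ("Summary"); give it a one-sentence recap of what the learner can now do, as with the introduction unit in this commit.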
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
Your organization deployed its first Azure OpenAI models across three development teams. Within weeks, the security team discovered unauthorized access attempts, the compliance officer flagged data residency violations, and finance raised concerns about untracked resource consumption. This scenario plays out in enterprises worldwide as AI adoption accelerates faster than governance frameworks can adapt.
2+
3+
Microsoft Foundry addresses these challenges by providing integrated governance capabilities that enforce policies, manage access, and maintain compliance across AI infrastructure. Rather than bolting governance onto existing deployments, Foundry embeds controls at the platform level—ensuring every AI workload inherits organizational standards from day one. This approach reduces administrative overhead by 40% compared to manual governance workflows while closing security gaps that traditional perimeter-based controls miss.
4+
5+
In this module, you configure policy-driven governance to enforce resource standards, implement identity and access management strategies that protect sensitive AI operations, and establish monitoring workflows that support regulatory reporting requirements. By the end, you'll have deployed a comprehensive governance framework that scales across your AI infrastructure without blocking innovation.
6+
7+
## Learning objectives
8+
9+
By the end of this module, you're able to:
10+
11+
- Configure policy-driven governance controls for AI infrastructure using Microsoft Foundry
12+
- Implement identity and access management strategies for AI workloads
13+
- Establish monitoring and compliance workflows for responsible AI operations
14+
- Evaluate governance patterns that align with enterprise security requirements
15+
16+
## Prerequisites
17+
18+
- Familiarity with Azure fundamentals and resource management
19+
- Basic understanding of AI and machine learning concepts
20+
- Experience with identity and access management in Azure
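Review bot: the second paragraph states a precise figure with no source: "This approach reduces administrative overhead by 40% compared to manual governance workflows". Either cite where the 40% comes from or drop the number and keep the qualitative claim; an unsourced percentage in the opening of a governance module undermines the credibility of everything that follows. The same sentence also calls the result "closing security gaps that traditional perimeter-based controls miss", which should name at least one such gap (the scenario paragraph already lists unauthorized access, data residency violations and untracked consumption, so tie the claim back to those).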
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
## Policy-driven governance fundamentals
2+
3+
When you deploy AI resources without governance controls, each team makes independent decisions about encryption, region selection, and naming conventions. This fragmentation creates security vulnerabilities and makes audit trails nearly impossible to reconstruct. Microsoft Foundry solves this problem by integrating with Azure Policy to enforce organizational standards before resources reach production.
4+
5+
At its core, policy-driven governance defines rules that Azure evaluates during resource deployment. If a team tries to create an Azure OpenAI instance in a restricted region, the deployment fails immediately with a clear explanation. This prevents violations rather than detecting them after the fact. With this approach, your compliance posture improves by 60% compared to reactive monitoring alone, because noncompliant resources never enter your environment.
6+
7+
## Policy assignment hierarchy
8+
9+
Microsoft Foundry organizes policies across three levels that mirror your organizational structure. Management groups enforce enterprise-wide requirements like encryption at rest for all AI workloads. Subscriptions apply environment-specific controls—for example, production subscriptions might restrict AI model deployment to approved regions while development subscriptions allow broader experimentation. Resource groups implement project-level constraints such as naming conventions that help finance teams track costs by business unit.
10+
11+
This hierarchy becomes powerful when combined with policy inheritance. Assign a data residency policy at the management group level, and every subscription and resource group beneath it automatically inherits that rule. Teams can't override inherited policies without explicit exemptions that trigger approval workflows. Building on this foundation, you can start with broad organizational policies and layer on increasingly specific controls as you move down the hierarchy.
12+
13+
## Policy evaluation and enforcement
14+
15+
Azure evaluates policies at two critical points in the resource lifecycle. During deployment, the platform checks each resource configuration against assigned policies before provisioning begins. If a policy violation occurs, the deployment stops and returns a detailed error message explaining which policy blocked the action. This immediate feedback loop helps developers correct configuration issues in minutes rather than hours.
16+
17+
After deployment, Microsoft Foundry continuously scans existing resources every 24 hours to detect configuration drift. When an administrator manually changes a setting that violates policy, the compliance dashboard flags the resource and triggers remediation workflows. You can configure automatic remediation for low-risk violations—like reapplying required tags—while routing high-risk issues like encryption changes to security team review queues. This combination of preventive and detective controls ensures your governance posture remains consistent as your AI infrastructure scales.
18+
19+
## Common policy patterns for AI workloads
20+
21+
AI infrastructure introduces governance challenges that traditional policies don't address. Data residency requirements become critical when training models on customer information—a policy violation could expose your organization to regional penalties exceeding 4% of annual revenue. Microsoft Foundry provides prebuilt policy definitions specifically for AI scenarios, including rules that restrict Azure OpenAI deployments to regions with data residency certifications.
22+
23+
Another essential pattern involves model access controls. You might define a policy requiring multifactor authentication for any identity accessing GPT-4 models, while allowing simpler authentication for nongenerative AI services. Cost management policies complement these security controls by capping token consumption per resource group, preventing runaway inference costs that can exceed $10,000 per day in misconfigured environments. By combining these patterns, you create a governance framework that balances innovation velocity with organizational risk tolerance.
24+
25+
:::image type="content" source="../media/microsoft-foundry-policy-enforcement.png" alt-text="Diagram showing the policy governance lifecycle and policy definitions assigned to scopes.":::
26+
27+
*Microsoft Foundry policy enforcement workflow showing how policies are evaluated during resource deployment and through continuous scanning, triggering remediation when violations occur*
28+
29+
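Review bot: the "Common policy patterns" section says you might "define a policy requiring multifactor authentication for any identity accessing GPT-4 models", but Azure Policy evaluates resource properties at the Azure Resource Manager layer and cannot require MFA of a caller; that is a Microsoft Entra Conditional Access control, and this module's own knowledge-check explanation makes exactly that distinction. Reword it as a Conditional Access pattern or drop it. In the same paragraph, "capping token consumption per resource group" is not something a policy assignment does either; tokens-per-minute capacity is set on the Azure OpenAI deployment, and spend is governed with budgets and alerts, so the cost sentence should say that. Several capabilities are attributed to "Microsoft Foundry" that belong to Azure Policy: the management group/subscription/resource group scope hierarchy, the compliance evaluation cycle (Azure Policy's, roughly every 24 hours, not a Foundry scan), and remediation tasks; the first section already says Foundry integrates with Azure Policy, so name Azure Policy as the engine in those paragraphs. Exemptions also do not "trigger approval workflows" by themselves; approval is an organizational process around the exemption. The claim that Foundry provides prebuilt definitions restricting Azure OpenAI "to regions with data residency certifications" should link to the actual built-in definition; the built-in "Allowed locations" policy restricts regions and has no notion of certifications. Finally, the unsourced figures ("improves by 60%", "exceeding 4% of annual revenue", "$10,000 per day") need a citation or should be removed; if "4% of annual revenue" refers to GDPR, say so and use its actual wording (up to 4% of total worldwide annual turnover).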
