
Commit 5c25a5e

Merge pull request #53580 from staleycyn/patch-2
Add video summary for Azure RBAC concepts
2 parents f57994a + d00b40b commit 5c25a5e

3 files changed

Lines changed: 12 additions & 0 deletions


learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/2-configure-azure-rbac-infrastructure-components.md

Lines changed: 4 additions & 0 deletions
@@ -1,3 +1,7 @@
1+
This video summarizes the key concepts on the page.
2+
3+
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=22a59131-bbfb-495e-9ba8-b6c1a2591d2a]
4+
15
When Contoso's development team first deployed their AI agents, they granted every service account Contributor permissions at the subscription level. This approach delivered fast deployment velocity during the prototype phase, but it also gave agents the ability to delete production databases, modify network security rules, and access resources across unrelated projects. Security audits revealed that over-privileged access increased the blast radius of potential breaches by 300%, turning what should have been isolated incidents into organization-wide security events.
26

37
Azure Role-Based Access Control (RBAC) solves this problem by letting you assign permissions at precisely the scope required for each job task. With RBAC, you define who can access which resources and what actions they can perform, enforcing the principle of least privilege across your entire infrastructure. The system uses a hierarchy of scopes—subscription, resource group, and individual resource—where permissions assigned at a higher level automatically inherit to child resources. For example, granting Reader access at the resource group level means that identity can view all resources within that group without requiring separate assignments for each database, storage account, or virtual machine.
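Review bot: the caption added at new line 1, `This video summarizes the key concepts on the page.`, does not match the wording used for the same purpose in the other two includes in this PR (`The video introduces the key concepts covered on this page.`); pick one form and use it in all three files so the module reads consistently. Because the embed now sits above the Contoso narrative that previously opened the page, also confirm the player id in the `> [!VIDEO ...]` callout resolves once published, since a broken callout would be the first thing a learner sees.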

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/3-implement-keyless-authentication-microsoft.md

Lines changed: 4 additions & 0 deletions
@@ -1,3 +1,7 @@
1+
The video introduces the key concepts covered on this page.
2+
3+
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=553f19b1-ef39-4351-a334-107927c6decf]
4+
15
You've just configured RBAC roles to grant your AI agent precise permissions for reading conversation history from Cosmos DB. However, the agent still needs a way to prove its identity when making API calls—traditionally accomplished by storing a connection string or access key in application configuration. This approach creates immediate security risks: developers accidentally commit secrets to source control repositories, connection strings proliferate across configuration files in multiple environments, and operations teams spend hours rotating credentials quarterly to satisfy compliance audits. Microsoft security research shows that 60% of cloud security incidents involve compromised credentials, with an average breach detection time of 280 days.
26

37
Microsoft Entra ID Managed Identities eliminate credential storage entirely by providing your Azure resources with automatically managed identities that can authenticate to any service supporting Entra ID authentication. Unlike traditional service principals that require manual creation and credential management, managed identities have their lifecycle tied directly to the Azure resource that uses them. When you enable a system-assigned managed identity on an App Service, Azure automatically provisions an identity in your Entra ID tenant, manages its credentials behind the scenes, and rotates the underlying certificate every 46 days without any action from your operations team.
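Review bot: the caption on new line 1 says only that the video "introduces the key concepts covered on this page", which gives the learner no idea which concepts; a caption naming the topic of this include (managed identities replacing stored connection strings and access keys, per the context paragraphs below it) would make the embed useful to someone scanning the page. The blank line after the `> [!VIDEO ...]` line is correctly in place, so the following paragraph will not be absorbed into the blockquote.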

learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/4-deploy-azure-cosmos-agent.md

Lines changed: 4 additions & 0 deletions
@@ -1,3 +1,7 @@
1+
The video introduces the key concepts covered on this page.
2+
3+
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=a5b25f01-eb41-43b2-9660-d00260317614]
4+
15
Your AI agent now authenticates to Azure services using managed identities without storing any credentials, and RBAC roles enforce least-privilege access to backend resources. However, the agent still needs a durable store for conversation history that supports real-time queries while maintaining regulatory compliance. Traditional relational databases struggle with the unpredictable query patterns and global distribution requirements of AI workloads—chatbot sessions spike during business hours across different time zones, users expect instant access to conversation history from any device, and compliance teams mandate automatic data expiration after 90 days to satisfy regulations.
26

37
Azure Cosmos DB for NoSQL addresses these challenges by providing a globally distributed, low-latency database optimized for document storage and flexible querying. Unlike traditional databases that require complex sharding strategies and manual replication configuration, Cosmos DB distributes your data automatically across Azure regions with single-digit millisecond read and write latency at the 99th percentile. This performance becomes critical when your AI agent retrieves conversation context to generate personalized responses—a 500-ms database query delay translates directly to noticeable lag in the chat interface, degrading user experience, and reducing task completion rates by 25% according to Contoso's user research.
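Review bot: this is the third include in the PR that opens with the identical generic caption followed by a bare `> [!VIDEO ...]` callout, so the three captions are interchangeable across pages; consider a short topic-specific lead here (Cosmos DB for NoSQL as the conversation-history store, per the context paragraphs) so the sentence carries information the player frame does not. As with the other two files, verify the player id resolves before merge.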
