title: "Introduction: Secure infrastructure for AI workloads"
4
+
metadata:
5
+
title: "Introduction: Secure Infrastructure for AI Workloads"
6
+
description: "Learn how to secure AI infrastructure with Azure. Configure identity, governance scopes, and policies to ensure compliance and prevent risks."
title: "Configure Microsoft Entra ID security principals"
4
+
metadata:
5
+
title: "Configure Microsoft Entra ID Security Principals"
6
+
description: "Learn how to configure Microsoft Entra ID security principals to manage access for users, groups, and services in Azure AI environments."
title: "Implement Azure governance scopes for AI resources"
4
+
metadata:
5
+
title: "Implement Azure Governance Scopes for AI Resources"
6
+
description: "Learn how to use Azure's scope hierarchy to organize AI resources, enforce policies, and streamline cost management for your infrastructure."
title: "Apply Azure Policy as the primary governance mechanism"
4
+
metadata:
5
+
title: "Apply Azure Policy as the Primary Governance Mechanism"
6
+
description: "Learn how to use Azure Policy to enforce governance requirements, automate compliance, and streamline resource management for AI workloads."
title: "Exercise: Configure secure AI infrastructure in Azure"
4
+
metadata:
5
+
title: "Exercise: Configure Secure AI Infrastructure in Azure"
6
+
description: "Learn how to configure secure AI infrastructure in Azure using role-based access control and Azure Policy for enhanced governance and security."
description: "Test your understanding of Azure AI infrastructure security with this knowledge check. Learn about managed identities, governance scopes, and Azure Policy."
7
+
ms.date: 02/09/2026
8
+
author: wwlpublish
9
+
ms.author: bradj
10
+
ms.topic: unit
11
+
durationInMinutes: 6
12
+
content: "Choose the best response for each of the following questions."
13
+
quiz:
14
+
questions:
15
+
- content: "Your Azure Machine Learning workspace needs to access training data stored in an Azure Storage account. The workspace runs automated training pipelines that execute without human intervention. Your security team requires that no credentials be stored in code or configuration files. Which Microsoft Entra ID principal type should you configure for this scenario?"
16
+
choices:
17
+
- content: "Create a service principal with a client secret, store the secret in Azure Key Vault, and configure the ML workspace to retrieve the secret during pipeline execution."
18
+
isCorrect: false
19
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
20
+
- content: "Enable system-assigned managed identity on the ML workspace and grant it Storage Blob Data Reader role on the storage account."
21
+
isCorrect: true
22
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
23
+
- content: "Create a user-assigned managed identity, assign it to multiple ML workspaces across different projects, and grant it Contributor role at the subscription level for maximum flexibility."
24
+
isCorrect: false
25
+
explanation: "System-assigned managed identity is correct because it eliminates credential management entirely—Azure automatically handles authentication between the workspace and storage account without requiring secrets. The managed identity lifecycle is tied to the workspace, providing automatic cleanup. Service principals with secrets (option 1) introduce credential rotation requirements and risk accidental exposure, violating the no-stored-credentials requirement. User-assigned managed identity with Contributor at subscription level (option 3) violates least-privilege principles by granting excessive permissions across resources unrelated to this specific training pipeline scenario."
26
+
- content: "Your organization runs AI workloads across three business units: Healthcare Analytics, Financial Services, and Retail Operations. Each unit requires different compliance controls—Healthcare must meet HIPAA requirements, Financial Services needs PCI-DSS compliance, and Retail has standard corporate policies. All units must follow organization-wide security baselines like mandatory encryption and approved regions. How should you structure Azure governance scopes to meet these requirements?"
27
+
choices:
28
+
- content: "Create a single subscription containing three resource groups (one per business unit), and use Azure Policy exemptions to apply different compliance controls to each resource group based on their specific requirements."
29
+
isCorrect: false
30
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
31
+
- content: "Create a management group with organization-wide policies, then create separate subscriptions for each business unit where unit-specific compliance policies apply, with all subscriptions inheriting the management group's security baseline."
32
+
isCorrect: true
33
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
34
+
- content: "Create three separate management groups (one per business unit) with no shared parent, configure identical security baseline policies in each management group manually, and create subscriptions under each management group for environment separation."
35
+
isCorrect: false
36
+
explanation: "Separate subscriptions under a shared management group are correct because subscriptions provide strong isolation boundaries needed for different compliance regimes (HIPAA, PCI-DSS), while the parent management group enforces common security baselines through policy inheritance. This structure eliminates policy duplication and simplifies audit reporting. Using resource groups with exemptions (option 1) doesn't provide sufficient isolation for compliance boundaries—HIPAA and PCI-DSS auditors typically require subscription-level separation. Creating separate management groups without a shared parent (option 3) forces you to duplicate all security baseline policies manually across three management groups, increasing configuration drift risk and administrative overhead by 3x."
37
+
- content: "Your security team wants to ensure all new Azure Storage accounts used for AI workloads have diagnostic logging enabled automatically, without requiring manual configuration by data science teams. Existing storage accounts that lack diagnostic settings should be identified for remediation. Which Azure Policy effect combination accomplishes both objectives most efficiently?"
38
+
choices:
39
+
- content: "Assign a policy with Deny effect that blocks creation of storage accounts without diagnostic settings, then manually configure logging on existing noncompliant accounts identified through Azure portal review."
40
+
isCorrect: false
41
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
42
+
- content: "Assign a policy with Audit effect that generates compliance reports showing storage accounts lacking diagnostic settings, then create a second policy assignment with DeployIfNotExists effect that automatically adds diagnostic configurations to both new and existing storage accounts."
43
+
isCorrect: false
44
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
45
+
- content: "Assign a policy with DeployIfNotExists effect that automatically deploys diagnostic settings to new storage accounts and creates remediation tasks for existing accounts, providing both prevention and automated fixing in a single policy."
46
+
isCorrect: true
47
+
explanation: "DeployIfNotExists effect alone is correct because it handles both requirements in one policy: automatically deploying diagnostic settings to new storage accounts during creation (prevention) and enabling bulk remediation of existing noncompliant accounts through remediation tasks (fixing). This single-policy approach reduces administrative complexity. Deny effect (option 1) prevents future violations but requires manual remediation of existing resources, increasing operational work and leaving gaps until manual updates complete. Using separate Audit and DeployIfNotExists policies (option 2) is complex—DeployIfNotExists inherently includes audit functionality by identifying noncompliant resources before remediation, making a separate Audit policy redundant and doubling policy evaluation overhead."
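Review bot: In all three questions the same explanation string is pasted verbatim under every choice, so a learner who selects a wrong answer is shown text that opens with "System-assigned managed identity is correct" (or the equivalent for questions 2 and 3) and refers to "option 1" and "option 3" by position rather than addressing the choice they picked. Give each choice its own explanation that says why that specific choice is right or wrong; this also keeps the text valid if the choices are ever reordered or shuffled. Separately, "administrative overhead by 3x" and "HIPAA and PCI-DSS auditors typically require subscription-level separation" in the question 2 explanation are stated as fact with no source; soften them or link to the guidance they come from.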
description: "Learn how to secure Azure AI infrastructure with managed identities, governance scopes, and Azure Policy for automated compliance and protection."
Securing AI infrastructure requires more than traditional network firewalls. You need layered controls that span identity management, resource organization, and policy enforcement. Without proper governance, your organization risks data breaches when models access sensitive information, compliance violations when resources deploy to restricted regions, and operational chaos when teams lack clear ownership boundaries. A recent industry survey found that 68% of AI project delays stem from security review cycles—time lost because infrastructure controls weren't established before deployment.
2
+
3
+
This module equips you to configure Azure's foundational security controls for AI workloads. You start by configuring Microsoft Entra ID security principals that define *who* and *what* can access your AI resources—from data scientists needing interactive workspace access to managed identities enabling secure service-to-service communication. Next, you implement governance scopes that establish *where* policies apply, organizing resources across subscriptions and resource groups to separate development experimentation from production stability. Finally, you apply Azure Policy as your primary governance mechanism, enforcing organizational standards that *automatically* prevent noncompliant deployments.
4
+
5
+
By the end of this module, you'll have learned how to:
6
+
- Configure Microsoft Entra ID security principals for AI workload access control
7
+
- Implement Azure governance scopes across subscriptions, resource groups, and AI resources
8
+
- Apply Azure Policy as the primary governance mechanism for infrastructure compliance
9
+
- Evaluate security controls for production AI infrastructure deployment
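Review bot: The first paragraph of the introduction cites "A recent industry survey found that 68% of AI project delays stem from security review cycles" with no survey name, publisher, or date. Link the source so the figure can be checked, or drop the number and keep the qualitative point that controls should be established before deployment.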