You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
description: "Learn how to implement identity-based security for Azure Machine Learning using Microsoft Entra ID to secure AI infrastructure effectively."
title: "Configure Microsoft Entra security groups for AI teams"
4
+
metadata:
5
+
title: "Configure Microsoft Entra Security Groups"
6
+
description: "Learn how to configure Microsoft Entra security groups to manage Azure Machine Learning roles, automate user provisioning, and enhance team collaboration."
title: "Implement Conditional Access policies for Azure Machine Learning"
4
+
metadata:
5
+
title: "Implement Conditional Access Policies for Azure Machine Learning"
6
+
description: "Learn how to secure Azure Machine Learning workspaces with Conditional Access policies. Enforce MFA, device compliance, and location-based controls."
title: "Integrate enterprise applications with Azure Machine Learning"
4
+
metadata:
5
+
title: "Integrate Enterprise Applications with Azure Machine Learning"
6
+
description: "Learn how to integrate enterprise applications with Azure Machine Learning using service principals and managed identities for secure automation."
title: "Configure secure access to Azure Machine Learning"
4
+
metadata:
5
+
title: "Configure Secure Access to Azure Machine Learning"
6
+
description: "Learn how to configure secure access to Azure Machine Learning using Microsoft Entra Conditional Access policies for identity-driven control."
content: "Choose the best response for each of the following questions."
14
+
quiz:
15
+
questions:
16
+
- content: "Your data science team includes 15 full-time employees and 8 contractors from a partner firm. The contractors need temporary access to a development Azure Machine Learning workspace for a 3-month project, but they should automatically lose access when the project ends. Security policy prohibits contractors from accessing production workspaces. Which approach best implements these requirements with minimal ongoing administration?"
17
+
choices:
18
+
- content: "Create a security group named Project-Contractors with dynamic membership rules based on employeeType and department attributes, assign it Reader role on the dev workspace only, and set the group's expiration policy to 90 days"
19
+
isCorrect: true
20
+
explanation: "Dynamic group membership with employeeType filtering and automatic expiration provides the required temporary access with zero manual intervention when the project ends. This approach also ensures contractors can't access production by limiting role assignment scope to dev workspace only. The second option requires manual tracking and removal, which introduces operational risk and doesn't prevent production access. The third option uses service principals incorrectly—these are for applications, not human users—and grants excessive permissions (Contributor instead of Reader) while complicating authentication unnecessarily."
21
+
- content: "Add all contractors individually to the existing Data Scientists group with Reader role on both dev and production workspaces, then schedule a calendar reminder to manually remove them after three months"
22
+
isCorrect: false
23
+
explanation: "This option requires manual tracking and removal, which introduces operational risk and doesn't prevent production access."
24
+
- content: "Create service principals for each contractor with certificate-based authentication and Contributor role on all workspaces, storing certificates in Azure Key Vault with 90-day expiration"
25
+
isCorrect: false
26
+
explanation: "This option uses service principals incorrectly—these are for applications, not human users—and grants excessive permissions (Contributor instead of Reader) while complicating authentication unnecessarily."
27
+
- content: "Your security team reports suspicious activity: a data scientist's account authenticated to Azure Machine Learning studio from three different countries within 2 hours, which is physically impossible. The affected user confirms their password hasn't been shared. You need to prevent this type of attack while minimizing impact on legitimate users who travel frequently for conferences. Which Conditional Access policy configuration best addresses this threat?"
28
+
choices:
29
+
- content: "Create a policy requiring compliant device plus MFA for all Azure Machine Learning access from any location, with session sign-in frequency set to 1 hour to force frequent reauthentication"
30
+
isCorrect: false
31
+
explanation: "This option creates excessive friction—hourly reauthentication disrupts long-running training jobs and doesn't specifically address the geographic impossibility threat."
32
+
- content: "Block all Azure Machine Learning access from locations outside your company's home country, with no exceptions, and require VPN connectivity for international travelers"
33
+
isCorrect: false
34
+
explanation: "This option completely prevents legitimate international collaboration and conference attendance, contradicting business requirements while creating VPN performance bottlenecks."
35
+
- content: "Implement risk-based sign-in policy that requires MFA for medium and high-risk authentications, combined with Impossible Travel anomaly detection that automatically blocks suspicious sign-ins pending security review"
36
+
isCorrect: true
37
+
explanation: "Risk-based Conditional Access uses Azure's machine learning to detect anomalous sign-in patterns like Impossible Travel (same account from geographically distant locations in short timeframes) and applies controls dynamically. Legitimate users traveling normally complete standard MFA, while suspicious patterns trigger automatic blocks and security team alerts."
38
+
- content: "Your ML engineering team built an automated training pipeline that runs nightly to retrain models with updated data. The pipeline needs to authenticate to Azure Machine Learning, read training data from Azure Data Lake, write models to the model registry, and log metrics to Azure Monitor. The team initially used a service principal with client secret, but your security audit flagged this as noncompliant due to static credential storage in the CI/CD tool. Which authentication approach best meets compliance requirements while maintaining automation reliability?"
39
+
choices:
40
+
- content: "Enable system-assigned managed identity on the Azure Machine Learning compute cluster running the pipeline, then assign it custom RBAC roles with read permissions on Data Lake, write permissions on model registry, and metrics contributor permissions on Monitor workspace"
41
+
isCorrect: true
42
+
explanation: "System-assigned managed identity eliminates credential storage entirely—Azure handles authentication transparently for resources running on that compute cluster. Custom RBAC roles implement least-privilege by granting only the specific permissions each pipeline task requires, reducing attack surface if the identity is compromised."
43
+
- content: "Generate an X.509 certificate for the existing service principal, store it in Azure Key Vault with restrictive access policies, and modify pipeline code to retrieve the certificate at runtime for authentication"
44
+
isCorrect: false
45
+
explanation: "This option improves on client secrets through certificate authentication but still requires credential storage and retrieval code, adding complexity without achieving credential-free authentication available through managed identity."
46
+
- content: "Create user-assigned managed identity with Owner role on the entire Azure subscription to ensure it has permissions for all current and future pipeline requirements"
47
+
isCorrect: false
48
+
explanation: "This option violates least-privilege by granting excessive Owner permissions at subscription scope—the pipeline doesn't need ability to delete resources or modify security settings, and user-assigned identity adds management overhead compared to system-assigned for single-resource scenarios."
Modern AI development requires balancing two competing priorities: enabling data scientists to iterate quickly while maintaining strict security controls. Traditional approaches force teams to choose between productivity and protection. Microsoft Entra ID integration with Azure Machine Learning eliminates this trade-off by providing identity-based security controls that adapt to your team's workflow. With properly configured security groups, Conditional Access policies, and enterprise application integrations, you can prove to auditors that only authorized users access AI resources—without slowing down model development.
3
+
4
+
This module guides you through implementing identity-based security for Azure Machine Learning workspaces using Microsoft Entra ID. You configure security groups that organize AI team members by role, create Conditional Access policies that enforce multifactor authentication and device compliance, integrate service principals for automated pipelines, and monitor access patterns through audit logs. By the end, you have the skills to secure AI infrastructure while maintaining the agility your data science teams need.
5
+
6
+
## Learning objectives
7
+
8
+
By the end of this module, you're able to:
9
+
10
+
- Configure Microsoft Entra security groups to organize AI team members and enforce least-privilege access
0 commit comments