learn-pr/wwl-azure/implement-identity-based-security-azure-machine-learning/includes/3-implement-conditional-access-policies-azure.md
Lines changed: 6 additions & 6 deletions
@@ -2,21 +2,21 @@ Security groups control who can access your Azure Machine Learning workspace, bu
## Evaluate sign-in context with Conditional Access
-
Conditional Access acts as a policy enforcement checkpoint between users and your Azure ML workspace. When a data scientist attempts to sign in, the policy engine evaluates multiple signals simultaneously. It checks whether the user is connecting from a trusted network or an unfamiliar location. It verifies whether their device meets your organization's security standards—is antivirus software up to date, is the disk encrypted, are operating system patches current? It examines authentication strength—did the user provide just a password, or did they complete multi-factor authentication? Based on these signals, the policy grants access, requires additional verification, or blocks the connection entirely.
+
Conditional Access acts as a policy enforcement checkpoint between users and your Azure ML workspace. When a data scientist attempts to sign in, the policy engine evaluates multiple signals simultaneously. It checks whether the user is connecting from a trusted network or an unfamiliar location. It verifies whether their device meets your organization's security standards—is antivirus software up to date, is the disk encrypted, are operating system patches current? It examines authentication strength—did the user provide just a password, or did they complete multifactor authentication? Based on these signals, the policy grants access, requires additional verification, or blocks the connection entirely.
:::image type="content" source="../media/conditional-access-policy-enforcement-checkpoint.png" alt-text="Diagram showing how Conditional Access acts as a policy enforcement checkpoint between users and an Azure ML workspace.":::
Unlike static security groups, Conditional Access adapts to changing conditions. A data scientist signing in from your corporate office on a managed laptop requires minimal verification. The same user connecting from a coffee shop on a personal device triggers stricter controls. This dynamic approach maintains security without creating friction for legitimate users in low-risk scenarios. At the same time, it raises barriers when risk indicators suggest potential compromise—for example, simultaneous sign-in attempts from geographically distant locations within minutes.
-
## Enforce multi-factor authentication for workspace access
+
## Enforce Multifactor authentication for workspace access
-
Password-based authentication provides weak protection for AI infrastructure containing sensitive training data and proprietary models. Multi-factor authentication (MFA) adds a second verification factor that attackers can't easily steal or replicate. Even if a phishing attack captures a user's password, the attacker still can't access your workspace without the victim's phone or security key. Conditional Access policies let you require MFA selectively based on risk—enforce it for all workspace access, or limit the requirement to high-risk scenarios like connections from unfamiliar locations.
+
Password-based authentication provides weak protection for AI infrastructure containing sensitive training data and proprietary models. Multifactor authentication (MFA) adds a second verification factor that attackers can't easily steal or replicate. Even if a phishing attack captures a user's password, the attacker still can't access your workspace without the victim's phone or security key. Conditional Access policies let you require MFA selectively based on risk—enforce it for all workspace access, or limit the requirement to high-risk scenarios like connections from unfamiliar locations.
-
Implementing MFA through Conditional Access requires creating a policy that targets your Azure Machine Learning workspace. Start by selecting the Azure Machine Learning application as the target resource. Choose which users or security groups the policy applies to—you might enforce MFA for the ML Engineers group while exempting read-only analysts in low-risk scenarios. Under access controls, select "Require multi-factor authentication" as a grant condition. This configuration prompts users for a second factor during sign-in, with the verification persisting for a configurable session duration. Most organizations set this to eight hours, balancing security with usability—users authenticate once per workday rather than with every experiment submission.
+
Implementing MFA through Conditional Access requires creating a policy that targets your Azure Machine Learning workspace. Start by selecting the Azure Machine Learning application as the target resource. Choose which users or security groups the policy applies to—you might enforce MFA for the ML Engineers group while exempting read-only analysts in low-risk scenarios. Under access controls, select "Require multifactor authentication" as a grant condition. This configuration prompts users for a second factor during sign-in, with the verification persisting for a configurable session duration. Most organizations set this to eight hours, balancing security with usability—users authenticate once per workday rather than with every experiment submission.
## Require compliant devices for data protection
-
Multi-factor authentication protects credentials, but it doesn't prevent data exfiltration from compromised devices. A data scientist's laptop infected with malware can steal training data or model weights even after successful MFA. Device compliance requirements address this gap by verifying that endpoints meet your security baseline before granting workspace access. Microsoft Intune policies define compliance criteria: devices must run supported operating systems, have encryption enabled, maintain current patches, and run approved endpoint protection software.
+
Multifactor authentication protects credentials, but it doesn't prevent data exfiltration from compromised devices. A data scientist's laptop infected with malware can steal training data or model weights even after successful MFA. Device compliance requirements address this gap by verifying that endpoints meet your security baseline before granting workspace access. Microsoft Intune policies define compliance criteria: devices must run supported operating systems, have encryption enabled, maintain current patches, and run approved endpoint protection software.
:::image type="content" source="../media/multi-factor-authentication-protects-credentials.png" alt-text="Diagram showing how Microsoft Intune policies define compliance criteria.":::
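Review bot: the rewritten heading `## Enforce Multifactor authentication for workspace access` capitalizes "Multifactor" in the middle of the heading, which breaks the sentence-case convention the other headings in this hunk follow (`## Evaluate sign-in context with Conditional Access`, `## Require compliant devices for data protection`); it should read `## Enforce multifactor authentication for workspace access`. The body-text replacements of "multi-factor" with "multifactor" (lines 5, 13, 15 and 19) are consistent with each other and with the "Require multifactor authentication" grant-control name on line 15. The image reference `../media/multi-factor-authentication-protects-credentials.png` keeps the hyphenated spelling; that is fine for a file path, but confirm the media file was not renamed as part of the same terminology sweep, since the line is unchanged context here.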
@@ -44,4 +44,4 @@ Configure session controls based on risk and resource sensitivity. For high-risk
-[What is Conditional Access?](/entra/identity/conditional-access/overview) - Overview of Conditional Access capabilities and architecture
-[Conditional Access for Azure Machine Learning](/azure/machine-learning/how-to-setup-authentication#conditional-access) - Service-specific implementation guidance
-
-[Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access) - Best practices for policy design and rollout
+
-[Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access) - Best practices for policy design and rollout
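Review bot: the removed and added versions of line 47 (`- [Plan a Conditional Access deployment](/entra/identity/conditional-access/plan-conditional-access) - Best practices for policy design and rollout`) render identically, so the actual change must be whitespace or a non-printing character (trailing space, line ending, or a different dash in the ` - ` separator); please say what changed in the commit description so reviewers do not have to diff bytes, and confirm the separator now matches the unchanged entries on lines 45 and 46 so all three list items render the same way.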