Merge pull request #53351 from wwlpublish/LP158678-3

Feedback bug fixes for M3_run-governed-ai-workloads-microsoft-foundry

Author: Stacyrch140

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.introduction
+title: "Introduction"
+metadata:
+  title: "Introduction"
+  description: "Introduction."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/2-understand-microsoft-foundry-governance-framework.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.understand-microsoft-foundry-governance-framework
+title: "Understand Microsoft Foundry governance framework"
+metadata:
+  title: "Understand Microsoft Foundry Governance Framework"
+  description: "Learn and understand Microsoft Foundry governance framework."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 12
+content: |
+  [!include[](includes/2-understand-microsoft-foundry-governance-framework.md)]

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/3-configure-governance-policies-controls.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.configure-governance-policies-controls
+title: "Configure governance policies and controls"
+metadata:
+  title: "Configure Governance Policies and Controls"
+  description: "Learn how to configure governance policies and controls."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 13
+content: |
+  [!include[](includes/3-configure-governance-policies-controls.md)]

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/4-exercise-implement-governance-policies.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.exercise-implement-governance-policies
+title: "Exercise: Configure quotas and rate limits for Microsoft Foundry model deployments"
+metadata:
+  title: "Exercise: Configure Quotas and Rate Limits for Microsoft Foundry Model Deployments"
+  description: "Learn how to configure Quotas and Rate Limits for Microsoft Foundry Model Deployments."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 13
+content: |
+  [!include[](includes/4-exercise-implement-governance-policies.md)]

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/5-knowledge-check.yml

@@ -0,0 +1,49 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.knowledge-check
+title: "Module assessment"
+metadata:
+  title: "Knowledge check"
+  description: "Knowledge check"
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  module_assessment: true
+durationInMinutes: 3
+content: "Choose the best response for each of the following questions."
+quiz:
+  questions:
+  - content: "Your organization operates in both the United States and European Union, each with distinct data residency requirements. The US division requires all AI workloads to deploy in US regions, while the EU division requires deployment in EU regions only. Both divisions share the same base security policy requiring managed identities and encryption. How should you structure Microsoft Foundry policies to enforce these requirements?"
+    choices:
+    - content: "Create separate base security policies for US and EU divisions, each including both security controls and region restrictions specific to their geography."
+      isCorrect: false
+      explanation: "Business unit policies that add region restrictions to inherited base security controls provide the correct hierarchical approach. This structure ensures universal security requirements apply everywhere while allowing geographic-specific policies at lower levels. Creating separate base policies (option 1) duplicates security rules and creates maintenance overhead when updating encryption standards. Relying on catalog templates (option 3) doesn't enforce governance—developers could modify templates or create resources outside the catalog. The correct pattern uses policy inheritance: base security policy → business unit geography policy → environment-specific policies."
+    - content: "Define one organization-wide base security policy with managed identity and encryption requirements, then create business unit policies for US and EU divisions that add region restrictions specific to each geography."
+      isCorrect: true
+      explanation: "Business unit policies that add region restrictions to inherited base security controls provide the correct hierarchical approach. This structure ensures universal security requirements apply everywhere while allowing geographic-specific policies at lower levels. Creating separate base policies (option 1) duplicates security rules and creates maintenance overhead when updating encryption standards. Relying on catalog templates (option 3) doesn't enforce governance—developers could modify templates or create resources outside the catalog. The correct pattern uses policy inheritance: base security policy → business unit geography policy → environment-specific policies."
+    - content: "Configure region restrictions in the resource catalog templates rather than policies, allowing developers to select geography-appropriate templates when provisioning."
+      isCorrect: false
+      explanation: "Business unit policies that add region restrictions to inherited base security controls provide the correct hierarchical approach. This structure ensures universal security requirements apply everywhere while allowing geographic-specific policies at lower levels. Creating separate base policies (option 1) duplicates security rules and creates maintenance overhead when updating encryption standards. Relying on catalog templates (option 3) doesn't enforce governance—developers could modify templates or create resources outside the catalog. The correct pattern uses policy inheritance: base security policy → business unit geography policy → environment-specific policies."
+  - content: "Your compliance scanner reports that 15 Azure OpenAI endpoints in the production environment have diagnostic logging disabled, violating the base security policy that requires logging to a centralized workspace. The resources were provisioned through Microsoft Foundry three weeks ago with logging enabled. What is the most likely cause of this policy drift, and how should you address it?"
+    choices:
+    - content: "Developers manually disabled logging after provisioning to reduce costs; implement autoremediation in the compliance scanner to re-enable logging when drift is detected."
+      isCorrect: true
+      explanation: "Manual post-deployment changes causing drift is the most common cause, and autoremediation directly addresses it by automatically restoring compliant configurations. Changing policy enforcement mode to 'Deny' (option 2) prevents future violations but doesn't remediate existing drift—the 15 endpoints would remain noncompliant. Creating manual incident tickets (option 3) is reactive and doesn't prevent recurrence. The compliance scanner's autoremediation feature detects drift and automatically reapplies policy requirements, eliminating administrative overhead and closing the compliance gap within minutes rather than waiting for manual intervention."
+    - content: "The base security policy wasn't properly configured with enforcement mode; update the policy to 'Deny' rather than 'Audit' to prevent future logging changes."
+      isCorrect: false
+      explanation: "Manual post-deployment changes causing drift is the most common cause, and autoremediation directly addresses it by automatically restoring compliant configurations. Changing policy enforcement mode to 'Deny' (option 2) prevents future violations but doesn't remediate existing drift—the 15 endpoints would remain noncompliant. Creating manual incident tickets (option 3) is reactive and doesn't prevent recurrence. The compliance scanner's autoremediation feature detects drift and automatically reapplies policy requirements, eliminating administrative overhead and closing the compliance gap within minutes rather than waiting for manual intervention."
+    - content: "Azure service updates changed default logging behavior; create an incident ticket for developers to manually restore logging on affected endpoints."
+      isCorrect: false
+      explanation: "Manual post-deployment changes causing drift is the most common cause, and autoremediation directly addresses it by automatically restoring compliant configurations. Changing policy enforcement mode to 'Deny' (option 2) prevents future violations but doesn't remediate existing drift—the 15 endpoints would remain noncompliant. Creating manual incident tickets (option 3) is reactive and doesn't prevent recurrence. The compliance scanner's autoremediation feature detects drift and automatically reapplies policy requirements, eliminating administrative overhead and closing the compliance gap within minutes rather than waiting for manual intervention."
+  - content: "Your development teams complain that approval workflows for experimental AI deployments take 2-3 days, slowing innovation velocity. Current policies routes all Azure OpenAI requests greater than **$500** monthly cost to VP approval. Development deployments rarely exceed **$1,000** monthly and have separate budget allocation from production. How should you optimize governance policies to enable faster development cycles without compromising production controls?"
+    choices:
+    - content: "Increase the autoapproval threshold to **$5,000** for all environments so both development and production teams can provision faster."
+      isCorrect: false
+      explanation: "Environment-specific approval thresholds balance innovation velocity with production risk management. Development environments need experimentation freedom with appropriate budget guardrails, while production requires stricter governance due to customer impact and compliance requirements. Raising thresholds universally (option 1) weakens production controls where VP oversight is necessary for risk management. Removing workflows entirely (option 2) eliminates governance visibility and creates audit gaps even with budget enforcement. The correct approach uses environment tags to apply different approval rules: development gets auto-approval under **$2,000** (covering most experiments), production maintains VP approval, and budget enforcement prevents runaway costs in both environments."
+    - content: "Remove approval workflows entirely for development environments and rely on budget enforcement policies to prevent overspending."
+      isCorrect: false
+      explanation: "Environment-specific approval thresholds balance innovation velocity with production risk management. Development environments need experimentation freedom with appropriate budget guardrails, while production requires stricter governance due to customer impact and compliance requirements. Raising thresholds universally (option 1) weakens production controls where VP oversight is necessary for risk management. Removing workflows entirely (option 2) eliminates governance visibility and creates audit gaps even with budget enforcement. The correct approach uses environment tags to apply different approval rules: development gets auto-approval under **$2,000** (covering most experiments), production maintains VP approval, and budget enforcement prevents runaway costs in both environments."
+    - content: "Create environment-specific policies where development environments autoapprove requests under **$2,000** monthly cost while production maintains VP approval for all deployments."
+      isCorrect: true
+      explanation: "Environment-specific approval thresholds balance innovation velocity with production risk management. Development environments need experimentation freedom with appropriate budget guardrails, while production requires stricter governance due to customer impact and compliance requirements. Raising thresholds universally (option 1) weakens production controls where VP oversight is necessary for risk management. Removing workflows entirely (option 2) eliminates governance visibility and creates audit gaps even with budget enforcement. The correct approach uses environment tags to apply different approval rules: development gets auto-approval under **$2,000** (covering most experiments), production maintains VP approval, and budget enforcement prevents runaway costs in both environments."
+

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/6-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.run-governed-ai-workloads-microsoft-foundry.summary
+title: "Summary"
+metadata:
+  title: "Summary"
+  description: "Summary"
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/6-summary.md)]

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/includes/1-introduction.md

@@ -0,0 +1,23 @@
+Your organization just approved 15 new AI projects across five business units. Each team wants to experiment with Azure OpenAI, deploy custom models, and spin up GPU clusters—all while your IT governance team scrambles to answer urgent questions: How do we prevent runaway costs? Who approved that production deployment without security review? Are we violating data residency requirements?
+
+Microsoft Foundry addresses these challenges by providing a unified governance platform that enables rapid AI experimentation while maintaining enterprise controls. Instead of forcing teams to submit tickets and wait days for approvals, Foundry automates policy enforcement at the point of resource provisioning. Your developers get self-service access to preapproved AI services, while your governance team gains real-time visibility into compliance status and spending patterns across all AI workloads.
+
+This module walks you through implementing Microsoft Foundry's governance framework in a realistic enterprise scenario. You configure policies that balance innovation velocity with security requirements, establish approval workflows that route high-risk requests to appropriate stakeholders, and build compliance dashboards that demonstrate regulatory adherence to auditors. By the end of this module, you have hands-on experience implementing the governance controls that Fortune 500 companies use to scale AI adoption responsibly.
+
+## Learning objectives
+
+By the end of this module, you're able to:
+
+- Configure Microsoft Foundry governance policies for AI resource provisioning
+- Implement compliance monitoring and reporting for AI infrastructure
+- Establish secure access controls and identity management for AI workloads
+- Evaluate governance metrics and optimize policy effectiveness
+
+## Prerequisites
+
+Before starting this module, you should have:
+
+- Familiarity with Azure Policy and Azure Resource Manager concepts
+- Basic understanding of identity and access management with Microsoft Entra ID
+
+- Experience with cloud governance principles and compliance requirements

learn-pr/wwl-azure/run-governed-ai-workloads-microsoft-foundry/includes/2-understand-microsoft-foundry-governance-framework.md

@@ -0,0 +1,37 @@
+When your data science team requests an Azure OpenAI deployment, Microsoft Foundry orchestrates a series of governance checks before provisioning any resources. This orchestration happens through four integrated components that work together to enforce enterprise policies while maintaining developer productivity.
+
+## Resource catalog: Preapproved AI infrastructure templates
+
+The resource catalog acts as your organization's AI service storefront. Instead of developers creating resources from scratch and potentially misconfiguring security settings, they select from preapproved templates that already embed your security baselines. With this approach, a developer requesting GPU compute automatically gets managed identities enabled, diagnostic logging configured, and network isolation applied—all without understanding the underlying policy requirements. The catalog integrates with Azure Resource Manager and uses Bicep templates to ensure consistent deployments across all environments.
+
+Building on this foundation, the policy engine evaluates each request against your governance rules before any provisioning occurs.
+
+## Policy engine: Automated rule evaluation
+
+The policy engine connects to both Azure Policy for platform-level controls and custom Foundry policies for AI-specific requirements. When a developer selects an Azure OpenAI template from the catalog, the engine validates the request against rules like budget thresholds, approved model versions, and data residency requirements. Unlike traditional governance approaches that rely on manual reviews, this automated evaluation happens in seconds and provides immediate feedback to the requester. The engine evaluates security policies (such as requiring private endpoints), cost policies (such as monthly spending caps per business unit), and compliance policies (such as restricting customer data to specific Azure regions) simultaneously.
+
+This becomes especially important when requests exceed standard approval thresholds and require stakeholder review.
+
+## Approval workflows: Intelligent request routing
+
+Approval workflows integrate with Microsoft Entra ID to route high-value or high-risk requests to appropriate decision makers. For example, requests under $1,000 monthly cost might autoapprove, while production deployments requiring GPT-4 models trigger a workflow involving the AI governance board, security team, and budget owner. The workflow engine tracks approval history, enforces timeout policies, and escalates stalled requests automatically. With Power Automate integration, you can customize routing logic based on your organizational hierarchy and risk appetite.
+:::image type="content" source="../media/approval-workflows-integrate-compliant-lifecycle.png" alt-text="Diagram that illustrates continuous monitoring for approved resources are compliant throughout their lifecycle.":::
+At the same time, continuous monitoring ensures that approved resources remain compliant throughout their lifecycle.
+
+## Compliance scanner: Continuous assessment
+
+The compliance scanner continuously evaluates deployed AI resources against your governance policies, detecting configuration drift and unauthorized changes. This scanner integrates with Azure Monitor and Microsoft Defender for Cloud to correlate security alerts with policy violations. Consider what happens when a developer manually disables diagnostic logging on an Azure OpenAI endpoint: the scanner detects the drift within minutes, creates an incident ticket, and optionally autoremediates by re-enabling logging. These compliance results feed governance reports that demonstrate adherence to regulatory frameworks like SOC 2, ISO 27001, or industry-specific requirements.
+
+Now that you understand how these components work together, let's examine the specific integration points that connect Foundry to your existing Azure environment. The following diagram shows how a resource request flows through each governance component:
+
+## Integration architecture
+
+Microsoft Foundry doesn't operate in isolation—it extends and orchestrates your existing Azure governance tools. The policy engine uses Azure Policy definitions you created, enriching them with AI-specific rules. Microsoft Entra ID provides the identity foundation for both approval workflows and resource access controls, eliminating duplicate identity management. Azure Monitor streams telemetry from provisioned resources back to the compliance scanner, creating a closed-loop governance system. This integration approach means you're enhancing your current governance investments rather than replacing them.
+
+With this architectural understanding in place, you can now compare how each component contributes to different governance scenarios. The following table maps governance requirements to the Foundry components that address them:
+
+:::image type="content" source="../media/microsoft-foundry-governance-architecture.png" alt-text="Diagram showing an AI developer requesting resources through a catalog.":::
+
+*Microsoft Foundry governance architecture showing request flow from developer to provisioned resources with policy checkpoints*
+
+