Merge pull request #53352 from wwlpublish/LP156462-1

Feedback bug fix

Author: Stacyrch140

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/1-introduction.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.introduction
+title: "Introduction"
+metadata:
+  title: "Introduction"
+  description: "Learn how to configure Microsoft Foundry hubs, optimize AI infrastructure, and establish shared resources for scalable enterprise AI solutions."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/2-understand-microsoft-foundry-architecture-components.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.understand-microsoft-foundry-architecture-components
+title: "Understand Microsoft Foundry architecture components"
+metadata:
+  title: "Understand Microsoft Foundry Architecture Components"
+  description: "Learn how Microsoft Foundry's three-tier architecture balances governance and autonomy for AI projects with shared resources and security policies."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  ms.custom: references_regions
+durationInMinutes: 9
+content: |
+  [!include[](includes/2-understand-microsoft-foundry-architecture-components.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/3-configure-hubs-organize-projects.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.configure-hubs-organize-projects
+title: "Configure hubs and organize projects"
+metadata:
+  title: "Configure Hubs and Organize Projects"
+  description: "Learn how to configure hubs, organize projects, and enforce governance using Azure Policy for scalable AI infrastructure management."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  ms.custom: references_regions
+durationInMinutes: 9
+content: |
+  [!include[](includes/3-configure-hubs-organize-projects.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/4-implement-hub-level-shared-connections-azure.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.implement-hub-level-shared-connections-azure
+title: "Implement hub-level shared connections to Azure AI Search"
+metadata:
+  title: "Implement Hub-Level Shared Connections to Azure AI Search"
+  description: "Learn how to implement hub-level shared connections to Azure AI Search for cost efficiency, reduced complexity, and optimized performance."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 16
+content: |
+  [!include[](includes/4-implement-hub-level-shared-connections-azure.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/5-exercise-provision-microsoft-foundry-infrastructure.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.exercise-provision-microsoft-foundry-infrastructure
+title: "Provision Microsoft Foundry infrastructure"
+metadata:
+  title: "Provision Microsoft Foundry Infrastructure"
+  description: "Learn to provision Microsoft Foundry infrastructure by creating hub-level and project-level service connections for secure Azure integration."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 9
+content: |
+  [!include[](includes/5-exercise-provision-microsoft-foundry-infrastructure.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/6-knowledge-check.yml

@@ -0,0 +1,38 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.knowledge-check
+title: "Module assessment"
+metadata:
+  title: "Knowledge check"
+  description: "Test your understanding of Microsoft Foundry infrastructure configuration by applying concepts to realistic scenarios. These questions assess your ability to make architectural decisions about hub design, connection strategies, and RBAC assignments rather than memorizing portal navigation steps. Consider the organizational context, compliance requirements, and cost implications when selecting your answers."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+  ms.custom: references_regions
+  module_assessment: false
+durationInMinutes: 7
+content: "Choose the best response for each of the following questions."
+quiz:
+  questions:
+  - content: "Your organization runs 12 AI projects across three departments: Sales (4 projects), Marketing (5 projects), and Support (3 projects). The CFO requires monthly cost reports showing AI spending per department for chargeback purposes. Projects within each department share common Azure AI Search indexes but need isolated Azure OpenAI deployments due to different prompt engineering approaches. What connection strategy optimizes costs while enabling accurate department-level cost tracking?"
+    choices:
+    - content: "Create department-specific hubs (Sales Hub, Marketing Hub, Support Hub), establish hub-level Azure AI Search connections for shared indexes, and use project-level Azure OpenAI connections tagged with department cost centers"
+      isCorrect: true
+      explanation: "Department-specific hubs with mixed connection levels provide the optimal balance. Option A correctly establishes hub boundaries aligned with cost allocation requirements (departments) while using hub-level connections for shared services (search) and project-level connections for isolated services (OpenAI). Each department's hub aggregates costs for shared infrastructure, while project-level tags enable fine-grained tracking of dedicated resources. Microsoft Cost Management automatically groups spending by hub (department-level) and by project tags (application-level)."
+    - content: "Create environment-based hubs (Production Hub, Development Hub), establish all connections at hub level including both Azure AI Search and Azure OpenAI, then use Azure tags on projects to track department spending"
+      isCorrect: false
+      explanation: "Option B fails because environment-based hubs don't align with the CFO's requirement for department-level reporting—all production projects across departments would aggregate into one cost bucket."
+    - content: "Create one enterprise hub with all connections at hub level, rely on Microsoft Cost Management's resource-level spending reports to manually allocate costs per department each month"
+      isCorrect: false
+      explanation: "Option C requires manual cost allocation effort every month and risks errors when teams deploy resources outside the standard pattern."
+  - content: "A junior team member attempts to connect to a hub's shared Azure AI Search service from a new project and receives error 'AuthorizationFailed: The client does not have authorization to perform action 'Microsoft.Search/searchServices/read''. The hub's managed identity has Search Index Data Reader role on the search service, and the team member holds Cognitive Services Contributor role on the hub. What is the most likely cause and appropriate solution?"
+    choices:
+    - content: "The team member needs the Search Service Contributor role assigned directly on the Azure AI Search service; add this role assignment to resolve access issues"
+      isCorrect: false
+      explanation: "The first option is incorrect because individual users don't need direct RBAC roles on the search service—they access it through the hub's inherited connection using the hub's managed identity."
+    - content: "The project was created before the hub-level search connection was established, so it didn't inherit the connection; recreate the project to reinitialize connection inheritance"
+      isCorrect: true
+      explanation: "Connection inheritance only occurs at project creation time—projects don't automatically discover connections added to the hub after they already exist. Option B correctly identifies that the project needs to be recreated to inherit the new hub-level connection. When you create a project in a hub, Microsoft Foundry copies the hub's connection metadata into the project's configuration. Connections added later don't automatically propagate to existing projects."
+    - content: "The hub's managed identity role assignment hasn't propagated yet; wait 10-15 minutes for Azure RBAC replication, then retry the search operation"
+      isCorrect: false
+      explanation: "The third option misdiagnoses the problem: the error message indicates missing authorization at the search service level, not RBAC propagation delays which would show different error patterns."

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/7-summary.yml

@@ -0,0 +1,13 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.configure-ai-ready-infrastructure-microsoft-foundry.summary
+title: "Summary"
+metadata:
+  title: "Summary"
+  description: "Learn how Azure Microsoft Foundry's hub-and-project model simplifies governance, enhances security, and optimizes AI infrastructure management."
+  ms.date: 02/02/2026
+  author: wwlpublish
+  ms.author: bradj
+  ms.topic: unit
+durationInMinutes: 3
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/includes/1-introduction.md

@@ -0,0 +1,20 @@
+Your retail organization plans to deploy three AI applications this quarter: a customer support chatbot, a product recommendation engine, and an inventory forecasting model. The team currently provisions separate Azure AI resources—duplicating Azure OpenAI deployments, creating isolated storage accounts, and deploying dedicated search services. This scattered approach creates four critical problems: security teams struggle to audit 15+ separate services, finance lacks visibility into AI spending across departments, developers waste time configuring the same network rules repeatedly, and your organization pays for underutilized search capacity that could be shared.
+
+Microsoft Foundry solves these infrastructure challenges through a hub-and-project architecture. Hubs establish shared governance boundaries where you configure networking, managed identities, and policy enforcement once. Projects within each hub inherit those settings while providing isolated workspaces where teams build AI solutions independently. Hub-level connections to services like Azure AI Search enable multiple projects to share infrastructure, reducing your search costs by 50-70% compared to provisioning dedicated instances per team.
+
+In this module, you configure a hub that enforces consistent security policies across all AI projects, establish a hub-level connection to Azure AI Search that eliminates resource duplication, create projects that inherit governance settings while maintaining team autonomy, and validate that your infrastructure supports enterprise-scale AI deployments. By the end, you have the architectural knowledge to provision scalable AI infrastructure that satisfies security, finance, and development stakeholders simultaneously.
+
+## Learning objectives
+
+By the end of this module, you're able to:
+
+- Configure Microsoft Foundry hubs with appropriate governance and security settings
+- Create and organize AI projects within hubs to support team collaboration
+- Establish connected resources including Azure AI Search for shared infrastructure
+- Implement hub-level shared connections to optimize resource utilization across projects
+
+## Prerequisites
+
+- Familiarity with Azure portal navigation and resource management
+- Basic understanding of AI and machine learning concepts
+- Experience with Azure resource groups and role-based access control (RBAC)

learn-pr/wwl-azure/configure-ai-ready-infrastructure-microsoft-foundry/includes/2-understand-microsoft-foundry-architecture-components.md

@@ -0,0 +1,45 @@
+## The three-tier organizational model
+
+When your organization deploys AI at scale, you need infrastructure that balances centralized governance with team autonomy. Microsoft Foundry addresses this challenge through a three-tier hierarchy that mirrors how enterprises actually organize work. At the top, the Microsoft Foundry Portal provides a unified management interface where IT leadership views all AI initiatives across departments. With this single pane of glass, your CTO can monitor spending, track project health, and identify underutilized resources without switching between multiple Azure services.
+
+Beneath the Portal, hubs establish shared governance boundaries—typically aligned with departments, environments, or compliance requirements. Your organization might create a Production Hub for customer-facing applications that enforces strict network isolation and a Development Hub where data scientists experiment with public endpoints. Each hub contains configuration that automatically applies to every project within it: virtual network integration managed identities for authentication, and Azure Policy assignments that prevent teams from deploying noncompliant resources. This inheritance model reduces your operational overhead by 40-60% compared to configuring security settings separately for each AI project.
+
+Projects sit at the bottom tier as isolated workspaces where teams build AI solutions. Think of projects as dedicated folders within a shared drive—each team has full autonomy to train models, manage datasets, and deploy applications while inheriting the hub's network and security settings. The Support Team's chatbot project and the Sales Team's forecasting project both live in the same Production Hub, sharing network rules and managed identities while maintaining separate code, data, and model repositories. This structure answers the common challenge: "How do we let teams move fast without creating security or compliance gaps?"
+
+:::image type="content" source="../media/hub-level-policy-inheritance.png" alt-text="Diagram showing hub-level policy inheritance with three lanes.":::
+
+## Connected resources and the sharing model
+
+Now that you understand the three-tier hierarchy, consider how Azure services integrate with this architecture. Connected resources—like Azure AI Search, Azure OpenAI Service, Azure Storage, and Application Insights—attach at either the hub or project level depending on whether they're shared or dedicated. Hub-level connections make the most impact: when you connect Azure AI Search at the hub level, all projects within that hub can query the same search service without duplicating configuration or incurring separate costs. Your five AI projects share one Standard-tier search instance instead of each provisioning its own Basic tier, cutting your monthly search spend from **$1,250** to **$250**.
+
+With this shared connection in place, project teams maintain logical isolation through separate search indexes. The E-commerce Bot Project queries the Product Catalog index containing 2 million product documents, while the Support Agent Project queries the Knowledge Base index with 500,000 troubleshooting articles. Both indexes live in the same hub-connected search service, yet each project only accesses its authorized data. At the same time, your centralized operations team monitors performance, manages capacity, and reviews audit logs from a single Azure AI Search resource instead of tracking metrics across multiple isolated instances.
+
+Project-level connections serve scenarios requiring dedicated resources. If your healthcare application needs an isolated Azure OpenAI deployment with specific data residency guarantees, you connect that service directly to the Healthcare Project rather than sharing it hub-wide. This flexibility becomes essential when compliance, performance, or cost allocation requirements demand separation. However, most organizations start with hub-level connections for common services like search and storage, then add project-specific connections only when justified by regulatory or technical constraints.
+
+## Identity, networking, and policy inheritance
+
+Building on this foundation of shared and dedicated resources, examine how hubs enforce consistent security across projects. When you provision a hub, Azure creates a system-assigned managed identity that authenticates to connected services without storing credentials. This managed identity rotates automatically, eliminating the security risk of long-lived API keys scattered across project code. Your hub's managed identity receives the Search Index Data Reader role on the connected Azure AI Search service, and every project inheriting that connection uses the same identity—your security team audits one permission assignment instead of 15.
+
+Network configuration follows the same inheritance pattern. Configure the hub with a virtual network integration and private endpoint to your on-premises data center, and all child projects automatically route traffic through that secure path. Developers building the Customer Insights Project never see network configuration options—they inherit the Production Hub's network topology and focus on training models. This becomes especially important when your compliance team requires network traffic logs: Azure Network Watcher captures packets at the hub level, providing unified visibility across all AI workloads instead of requiring per-project monitoring.
+
+Azure Policy assignments applied at the hub scope cascade to projects, preventing teams from accidentally violating organizational standards. Assign a policy requiring specific tags on all resources (CostCenter, DataClassification, Owner), and every storage account or compute instance deployed in any project automatically inherits those requirements. If a developer attempts to create a resource without required tags, Azure blocks the deployment with a clear error message pointing to the policy definition. With this approach, your governance team defines rules once at the hub level and enforces them consistently across dozens of projects without manual audits.
+
+:::image type="content" source="../media/azure-policy-hub-scope-cascade.png" alt-text="Diagram showing Azure Policy assignments applied at the hub scope cascade to projects.":::
+
+## Practical organizational patterns
+
+Consider what happens when your organization scales from three pilot projects to 20 production applications across five business units. Create separate hubs for Production, Staging, and Development environments provide clear promotion paths with appropriate security boundaries. Development hubs use public endpoints and relaxed policies to maximize experimentation velocity, while Production hubs enforce private endpoints, require multifactor authentication for administrative access, and log every API call to Azure Monitor. Projects move through this pipeline: data scientists build prototypes in Development, DevOps engineers validate configurations in Staging, and only approved applications graduate to Production.
+
+Now that you understand how hubs, projects, and connected resources interact, you're ready to configure these components in your Azure subscription. The next unit walks through the specific settings and decisions you'll make when provisioning hubs and organizing projects to support your organization's AI initiatives.
+
+:::image type="content" source="../media/foundry-three-tier-architecture.png" alt-text="Diagram showing the Microsoft Foundry three-tier architecture showing Portal managing multiple hubs.":::
+
+*Microsoft Foundry three-tier architecture showing Portal managing multiple hubs, each hub containing projects with shared connections to Azure AI Search, Azure OpenAI Service, and Azure Storage at the hub level*
+
+
+## More resources
+
+- [Microsoft Foundry documentation](/azure/ai-studio/) - Official architecture overview and service limits
+- [Managed identities for Azure resources](/azure/active-directory/managed-identities-azure-resources/overview) - Authentication and credential rotation patterns
+
+