Note
The information provided in this article is specific to a hub-based project and doesn't apply to an Azure AI Foundry project. For more information, see Types of projects.
An Azure AI Foundry hub defaults to using a shared key to access its default Azure Storage account. With key-based authorization, anyone who has the key and access to the storage account can access data.
To reduce the risk of unauthorized access, disable key-based authorization and instead use Microsoft Entra ID for authorization. This configuration uses a Microsoft Entra ID value to authorize access to the storage account. The identity used to access storage is either the user's identity or a managed identity. The user's identity is used to view data in Azure Machine Learning studio or to run a notebook while authenticated with the user's identity. Machine Learning uses a managed identity to access the storage account - for example, when the managed identity runs a training job.
Use of your hub with a shared-key disabled storage account is currently in preview.
Important
This feature is currently in public preview. This preview version is provided without a service-level agreement, and we don't recommend it for production workloads. Certain features might not be supported or might have constrained capabilities.
For more information, see Supplemental Terms of Use for Microsoft Azure Previews.
Prerequisites
You need an existing storage account with shared-key authorization disabled. For more information about the process and implications of disabling shared-key authorization for your storage account, see Prevent shared-key authorization for an Azure Storage account.
Install the SDK v2.
Important
The steps in this article require the azure-ai-ml Python package, version 1.17.0. To determine the installed package version, use the pip list command from your Python development environment.
Install azure-identity: pip install azure-identity. If you're working in a notebook cell, use %pip install azure-identity.
Provide your subscription details:
# Enter details of your subscription
subscription_id = "<SUBSCRIPTION_ID>"
resource_group = "<RESOURCE_GROUP>"
Get a handle to the subscription. All the Python code in this article uses ml_client.
# get a handle to the subscription
from azure.ai.ml import MLClient
from azure.identity import DefaultAzureCredential
ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)
(Optional) If you have multiple accounts, add the tenant ID of the Microsoft Entra ID that you want to use into DefaultAzureCredential. Find your tenant ID in the Azure portal under Microsoft Entra ID > External Identities.
DefaultAzureCredential(interactive_browser_tenant_id="<TENANT_ID>")
(Optional) If you're working in the Azure Government - US or Azure operated by 21Vianet regions, you must specify the cloud into which you want to authenticate. You can specify these regions in DefaultAzureCredential.
from azure.identity import AzureAuthorityHosts

DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT)
To use the CLI commands in this document, you need the Azure CLI and the Azure Machine Learning extension.
If you use Azure Cloud Shell, the CLI is accessed through the browser and it lives in the cloud.
Important
The steps in this article require the Azure CLI Extension for Machine Learning, version 2.27.0 or later. To determine the version of the extension that you installed, use the az version command from the Azure CLI. In the extensions collection that returns, find the ml extension. This code sample shows an example return value:
{
    "azure-cli": "2.61.0",
    "azure-cli-core": "2.61.0",
    "azure-cli-telemetry": "1.1.0",
    "extensions": {
        "ml": "2.27.0"
    }
}
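The two version requirements above can be checked mechanically rather than by eye. The following is an added example, not code from the article or from the azure-ai-ml project: it parses the JSON that `az version` prints (the shape shown above) and the JSON that `pip list --format=json` prints, and reports anything below the versions the article names. The two sample JSON strings are constructed, and the check treats the article's versions as minimums, which is an assumption.

```python
# Added example (not from the article): check the SDK and CLI extension versions
# the article requires by parsing `pip list --format=json` and `az version`
# output. Both JSON strings below are constructed samples, not real output.
import json

MIN_SDK = "1.17.0"      # azure-ai-ml version named in the article
MIN_ML_EXT = "2.27.0"   # Azure CLI ml extension version named in the article

SAMPLE_PIP_LIST = json.dumps([
    {"name": "azure-ai-ml", "version": "1.17.0"},
    {"name": "azure-identity", "version": "1.16.0"},
])

SAMPLE_AZ_VERSION = json.dumps({
    "azure-cli": "2.61.0",
    "azure-cli-core": "2.61.0",
    "azure-cli-telemetry": "1.1.0",
    "extensions": {"ml": "2.26.0"},   # deliberately one release too old
})


def parse_version(text):
    """Turn '2.27.0' into (2, 27, 0); a trailing pre-release tag is ignored."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def at_least(found, minimum):
    """Compare dotted versions numerically, padding the shorter tuple with zeros."""
    a, b = parse_version(found), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_prerequisites(pip_list_json, az_version_json):
    """Return a list of problems; an empty list means every prerequisite is met."""
    problems = []
    installed = {p["name"].lower(): p["version"] for p in json.loads(pip_list_json)}
    for pkg in ("azure-ai-ml", "azure-identity"):
        if pkg not in installed:
            problems.append(f"{pkg} is not installed")
    if "azure-ai-ml" in installed and not at_least(installed["azure-ai-ml"], MIN_SDK):
        problems.append(f"azure-ai-ml {installed['azure-ai-ml']} is older than {MIN_SDK}")
    ext = json.loads(az_version_json).get("extensions", {}).get("ml")
    if ext is None:
        problems.append("Azure CLI ml extension is not installed")
    elif not at_least(ext, MIN_ML_EXT):
        problems.append(f"Azure CLI ml extension {ext} is older than {MIN_ML_EXT}")
    return problems


if __name__ == "__main__":
    for problem in check_prerequisites(SAMPLE_PIP_LIST, SAMPLE_AZ_VERSION):
        print("PROBLEM:", problem)
```

On a real machine, feed it the captured output instead of the samples, for example `check_prerequisites(subprocess.check_output(["pip", "list", "--format=json"]), subprocess.check_output(["az", "version"]))`.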
- An existing Azure Key Vault instance.
- The Azure Resource Manager ID for both the storage account and the key vault to be used with the hub.
Create a new hub
When you create a new hub, the creation process can automatically disable shared-key access. You can also create a storage account, disable shared-key access, and use it during hub creation.
This section shows you how to create a hub with identity-based access to the storage account.
In the Azure portal, search for Azure AI Foundry. On the left menu, select AI Hubs, and select + Create > Hub.
On the Basics tab, enter the hub details, and select the Storage tab. Select the storage account that you previously created.
On the Identity tab, set Storage account access to Identity-based access, and select the Disable shared key access option.
Continue the hub creation process. As the hub is created, the managed identity is automatically assigned the permissions it needs to access the storage account.
When you create your hub with the SDK, set system_datastores_auth_mode="identity" for the hub. To use a pre-existing storage account, use the storage_account parameter to specify the Resource Manager ID of an existing storage account:
# Creating a unique hub name with current datetime to avoid conflicts
from azure.ai.ml.entities import Hub
import datetime

hub_name = "mlw-hub-prod-" + datetime.datetime.now().strftime("%Y%m%d%H%M")

ws_hub = Hub(
    name=hub_name,
    location="eastus",
    display_name="Hub-example",
    description="This example shows how to create a Hub",
    hbi_workspace=False,
    tags=dict(purpose="demo"),
    storage_account="{existing_storage_account with AllowSharedKeyAccess=false}",
    system_datastores_auth_mode="identity",
)

created_hub = ml_client.workspaces.begin_create(ws_hub).result()
print(created_hub)
To create a new hub with Microsoft Entra ID authorization for the storage account, use a YAML configuration file that sets system_datastores_auth_mode to identity. You can also specify the Resource Manager ID of an existing storage account with the storage_account entry.
This example YAML file shows how to set the hub to use a managed identity and an existing storage account:
$schema: https://azuremlschemas.azureedge.net/latest/workspace.schema.json
name: mlw-basicex-prod
location: eastus
display_name: Bring your own dependent resources-example
description: This configuration specifies a workspace configuration with existing dependent resources
storage_account: <your-storage-account-resource-id>
system_datastores_auth_mode: identity
tags:
  purpose: demonstration
You can use this YAML file with the az ml workspace create command and the --file parameter:
az ml workspace create -g <resource-group-name> --kind hub --file workspace.yml
In the JSON template example, substitute your own values for the following placeholders:
- <workspace-name>
- <workspace-friendly-name>
- <storage-account-arm-resource-id>
- <key-vault-arm-resource-id>
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.MachineLearningServices/workspaces",
            "apiVersion": "2024-04-01",
            "name": "<workspace-name>",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Basic",
                "tier": "Basic"
            },
            "kind": "Hub",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "friendlyName": "<workspace-friendly-name>",
                "storageAccount": "<storage-account-arm-resource-id>",
                "keyVault": "<key-vault-arm-resource-id>",
                "systemDatastoresAuthMode": "identity",
                "managedNetwork": {
                    "isolationMode": "Disabled"
                },
                "publicNetworkAccess": "Enabled"
            }
        }
    ]
}
For information about how to deploy an Azure Resource Manager template (ARM template), see the following articles:
After you create the hub, identify all the users who need to use it, such as data scientists. The users must be assigned the Storage Blob Data Contributor and Storage File Data Privileged Contributor roles in Azure role-based access control (RBAC) for the storage account. If the users need only read access, use the Storage Blob Data Reader and Storage File Data Privileged Reader roles instead. For more information, see Role assignments.
Update an existing hub
If you have an existing Azure AI Foundry hub, use the steps in this section to update the hub to use Microsoft Entra ID to authorize access to the storage account. Then disable shared-key access on the storage account.
Go to the Azure portal and select Azure AI Foundry hub.
On the left menu, select Properties. At the bottom of the pane, set Storage account access to Identity-based access. Select Save at the top of the pane to save the configuration.
To update an existing hub, set system_datastores_auth_mode = "identity" for the hub. The following code sample shows an update of a hub named test-ws1:
ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)
ws = ml_client.workspaces.get(name="test-ws1")
ws.system_datastores_auth_mode = "identity"
ws = ml_client.workspaces.begin_update(workspace=ws).result()
To update an existing hub, use the az ml workspace update command and specify --system-datastores-auth-mode identity. The following example shows an update of a hub named myhub:
az ml workspace update --name myhub --system-datastores-auth-mode identity
In the JSON template example, substitute your own values for the following placeholders:
- [workspace name]
- [workspace friendly name]
- [Storage Account ARM resource ID]
- [Key Vault ARM resource ID]
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.MachineLearningServices/workspaces",
            "apiVersion": "2024-04-01",
            "name": "[workspace name]",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Basic",
                "tier": "Basic"
            },
            "kind": "Hub",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "friendlyName": "[workspace friendly name]",
                "storageAccount": "[Storage Account ARM resource ID]",
                "keyVault": "[Key Vault ARM resource ID]",
                "systemDatastoresAuthMode": "identity",
                "managedNetwork": {
                    "isolationMode": "Disabled"
                },
                "publicNetworkAccess": "Enabled"
            }
        }
    ]
}
For information about how to deploy an ARM template, see the following articles:
Assign roles to users
After you update the hub, update the storage account to disable shared-key access. For more information, see Prevent shared-key authorization for an Azure Storage account.
You must also identify all the users who need access to the default datastores, such as data scientists. The users must be assigned the Storage Blob Data Contributor and Storage File Data Privileged Contributor roles in Azure RBAC for the storage account. If the users need only read access, use the Storage Blob Data Reader and Storage File Data Privileged Reader roles instead. For more information, see the Role assignments section.
Revert to using shared keys
To revert a hub back to using shared keys to access the storage account, use the following information.
Go to Properties and select Credential-based access.
Select Save.
To configure the hub to use a shared key again, set system_datastores_auth_mode = "accesskey" for the hub. This code updates a hub named test-ws1:
ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)
ws = ml_client.workspaces.get(name="test-ws1")
ws.system_datastores_auth_mode = "accesskey"
ws = ml_client.workspaces.begin_update(workspace=ws).result()
To configure the hub to use a shared key again, use the az ml workspace update command and specify --system-datastores-auth-mode accesskey. This example updates a hub named myhub:
az ml workspace update --name myhub --system-datastores-auth-mode accesskey
In the JSON template example, substitute your own values for the following placeholders:
- [workspace name]
- [workspace friendly name]
- [Storage Account ARM resource ID]
- [Key Vault ARM resource ID]
{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": "Microsoft.MachineLearningServices/workspaces",
            "apiVersion": "2024-04-01",
            "name": "[workspace name]",
            "location": "[resourceGroup().location]",
            "sku": {
                "name": "Basic",
                "tier": "Basic"
            },
            "kind": "Hub",
            "identity": {
                "type": "SystemAssigned"
            },
            "properties": {
                "friendlyName": "[workspace friendly name]",
                "storageAccount": "[Storage Account ARM resource ID]",
                "keyVault": "[Key Vault ARM resource ID]",
                "systemDatastoresAuthMode": "accesskey",
                "managedNetwork": {
                    "isolationMode": "Disabled"
                },
                "publicNetworkAccess": "Enabled"
            }
        }
    ]
}
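The three ARM templates in this article differ only in `systemDatastoresAuthMode`, which makes that property a natural target for a pre-deployment check: a template review should catch a hub that still authorizes its default datastores with a shared key before it reaches the subscription. The following is an added example, not code from the article or from Azure: it walks the `resources` array of a deployment template and reports every Hub resource that uses `accesskey`, omits the property (the article states a hub defaults to shared-key access), lacks a managed identity, or does not reference an existing storage account. The embedded template is a constructed, cut-down copy of the article's shape with placeholder resource IDs; the hub names in it are invented.

```python
# Added example (not from the article): audit an ARM deployment template for hub
# resources whose default datastores still authorize with a shared key. The
# template below is constructed; its hub names and resource IDs are placeholders.
import json

HUB_TYPE = "Microsoft.MachineLearningServices/workspaces"

SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {   # matches the article's identity-based template
            "type": HUB_TYPE, "apiVersion": "2024-04-01", "name": "hub-identity",
            "kind": "Hub", "identity": {"type": "SystemAssigned"},
            "properties": {
                "storageAccount": "<storage-account-arm-resource-id>",
                "keyVault": "<key-vault-arm-resource-id>",
                "systemDatastoresAuthMode": "identity",
            },
        },
        {   # reverted to shared keys and without a managed identity
            "type": HUB_TYPE, "apiVersion": "2024-04-01", "name": "hub-accesskey",
            "kind": "Hub",
            "properties": {
                "storageAccount": "<storage-account-arm-resource-id>",
                "keyVault": "<key-vault-arm-resource-id>",
                "systemDatastoresAuthMode": "accesskey",
            },
        },
        {   # property omitted entirely, so the hub falls back to the shared-key default
            "type": HUB_TYPE, "apiVersion": "2024-04-01", "name": "hub-default",
            "kind": "Hub", "identity": {"type": "SystemAssigned"},
            "properties": {"storageAccount": "<storage-account-arm-resource-id>"},
        },
    ],
})


def audit_hub_template(template_json):
    """Return {hub name: [findings]} for every Hub resource in the template.

    Findings raised:
      * systemDatastoresAuthMode is not "identity", or is absent (a hub defaults
        to shared-key access, so absence is treated the same as "accesskey")
      * no managed identity is declared, which identity-based access relies on
      * no storageAccount reference, so a new default account would be created
        instead of the pre-hardened one the article asks you to bring
    """
    doc = json.loads(template_json)
    report = {}
    for res in doc.get("resources", []):
        if res.get("type") != HUB_TYPE or str(res.get("kind", "")).lower() != "hub":
            continue
        props = res.get("properties", {})
        findings = []
        mode = props.get("systemDatastoresAuthMode")
        if mode is None:
            findings.append("systemDatastoresAuthMode not set (defaults to shared key)")
        elif str(mode).lower() != "identity":
            findings.append(f"systemDatastoresAuthMode is {mode!r}, expected 'identity'")
        if not res.get("identity", {}).get("type"):
            findings.append("no managed identity declared")
        if not props.get("storageAccount"):
            findings.append("no storageAccount reference; a new default account would be created")
        report[res["name"]] = findings
    return report


def hubs_using_shared_keys(template_json):
    """Names of the hubs with at least one finding, for a quick gate in CI."""
    return sorted(name for name, found in audit_hub_template(template_json).items() if found)


if __name__ == "__main__":
    for name, findings in audit_hub_template(SAMPLE_TEMPLATE).items():
        print(name, "->", findings or "ok")
```

The same check applies unchanged to the "Update an existing hub" template above and flags the revert template in this section, which is the intended behaviour: reverting to shared keys should be a deliberate, reviewed change rather than something that slips through in a template.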
For information on how to deploy an ARM template, see the following articles:
After you create the hub, identify all the users who will use it, such as data scientists. The users must be assigned the Storage Blob Data Contributor and Storage File Data Privileged Contributor roles in Azure RBAC for the storage account. If the users need only read access, use the Storage Blob Data Reader and Storage File Data Privileged Reader roles instead. For more information, see the Role assignments section.
After you revert the hub, update the storage account to enable shared key access. For more information, see Prevent shared-key authorization for an Azure Storage account.
Scenarios for hub storage account role assignments
To work with a storage account with disabled shared-key access, you need to grant more roles to either your users or the managed identity for your hub. Hubs have a system-assigned managed identity by default. Some scenarios require a user-assigned managed identity. This table summarizes the scenarios that require extra role assignments.
| Scenario | Microsoft Entra ID | Required roles | Notes |
| --- | --- | --- | --- |
| Azure AI Speech | User's identity | Storage Blob Data Contributor, Storage File Data Privileged Contributor | |
| Models as a service | System-assigned managed identity | Storage Blob Data Contributor | The hub's managed identity. Automatically assigned the role when you provision the hub. Don't manually change this role assignment. |
| Azure AI Search | System-assigned managed identity | Storage Blob Data Contributor | The hub's managed identity. Automatically assigned the role when you provision the hub. Don't manually change this role assignment. |
| Fine-tuning of open-source software models | User-assigned managed identity | Storage Blob Data Contributor | |
| Prompt flow | User's identity | Storage Blob Data Contributor, Storage File Data Privileged Contributor | |
| Add and manage your own data | User's identity | Storage Blob Data Contributor | |
Related content