Merge pull request #94 from MicrosoftDocs/main
9/3/2024 AM Publish
Taojunshen authored Sep 3, 2024
2 parents e11e56a + f49710b commit 7aa6b87
Showing 11 changed files with 491 additions and 65 deletions.
Expand Up @@ -244,6 +244,8 @@ The following table describes the usage of the `<lang xml:lang>` element's attri

> [!NOTE]
> The `<lang xml:lang>` element is incompatible with the `prosody` and `break` elements. You can't adjust pause and prosody like pitch, contour, rate, or volume in this element.
>
> Non-multilingual voices don't support the `<lang xml:lang>` element by design.
### Multilingual voices with the lang element

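Review bot: The added sentence "Non-multilingual voices don't support the `<lang xml:lang>` element by design" does not say what a caller sees when the element is sent to such a voice. State the observable behavior (for example, whether the element is ignored or the request is rejected) so readers can tell a misconfiguration from expected output.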
219 changes: 216 additions & 3 deletions articles/ai-studio/how-to/deploy-models-phi-3-5-vision.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion articles/ai-studio/how-to/model-catalog-overview.md
Expand Up @@ -68,7 +68,7 @@ Llama family models | Llama-2-7b <br> Llama-2-7b-chat <br> Llama-2-13b <br> Llam
Mistral family models | mistralai-Mixtral-8x22B-v0-1 <br> mistralai-Mixtral-8x22B-Instruct-v0-1 <br> mistral-community-Mixtral-8x22B-v0-1 <br> mistralai-Mixtral-8x7B-v01 <br> mistralai-Mistral-7B-Instruct-v0-2 <br> mistralai-Mistral-7B-v01 <br> mistralai-Mixtral-8x7B-Instruct-v01 <br> mistralai-Mistral-7B-Instruct-v01 | Mistral-large (2402) <br> Mistral-large (2407) <br> Mistral-small <br> Mistral-NeMo
Cohere family models | Not available | Cohere-command-r-plus <br> Cohere-command-r <br> Cohere-embed-v3-english <br> Cohere-embed-v3-multilingual <br> Cohere-rerank-v3-english <br> Cohere-rerank-v3-multilingual
JAIS | Not available | jais-30b-chat
Phi-3 family models | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> Phi-3-vision-128k-Instruct <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct <br> Phi-3.5-MoE-Instruct | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> <br> Phi-3.5-mini-Instruct
Phi-3 family models | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> Phi-3-vision-128k-Instruct <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct <br> Phi-3.5-MoE-Instruct | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct
Nixtla | Not available | TimeGEN-1
Other models | Available | Not available

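Review bot: In the updated Phi-3 row, the last column still carries an empty entry, `Phi-3-medium-128k-instruct <br> <br> Phi-3.5-mini-Instruct`, which renders as a blank line in the cell. Drop the stray `<br>` while this row is being edited. The row also mixes `-instruct` and `-Instruct` casing across entries, which is worth normalizing if readers are expected to copy these names.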
1 change: 1 addition & 0 deletions articles/ai-studio/includes/region-availability-maas.md
Expand Up @@ -44,6 +44,7 @@ Llama 3.1 405B Instruct | [Microsoft Managed Countries](/partner-center/marketp

|Model |Offer Availability Region | Hub/Project Region for Deployment | Hub/Project Region for Fine tuning |
|---------|---------|---------|---------|
Phi-3.5-vision-Instruct | Not applicable | East US 2 <br> Sweden Central | Not available |
Phi-3.5-Mini-Instruct | Not applicable | East US 2 <br> Sweden Central | Not available |
Phi-3-Mini-4k-Instruct <br> Phi-3-Mini-128K-Instruct | Not applicable | East US 2 <br> Sweden Central | East US 2 |
Phi-3-Small-8K-Instruct <br> Phi-3-Small-128K-Instruct | Not applicable | East US 2 <br> Sweden Central | Not available |
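Review bot: The new row spells the model `Phi-3.5-vision-Instruct`, while the neighboring rows use title-cased segments (`Phi-3.5-Mini-Instruct`, `Phi-3-Small-8K-Instruct`). Pick one casing for the table so that a reader who copies a name gets the same form in every row.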
7 changes: 0 additions & 7 deletions articles/machine-learning/breadcrumb/toc.yml
Expand Up @@ -73,10 +73,3 @@
tocHref: /azure/devops/pipelines/languages/
topicHref: /azure/devops/pipelines/index

- name: Azure
tocHref: /azure/
topicHref: /azure/index
items:
- name: Machine Learning
tocHref: /power-bi/connect-data/
topicHref: /azure/machine-learning/v1/introduction
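Review bot: The removed breadcrumb entry maps `tocHref: /power-bi/connect-data/` to `/azure/machine-learning/v1/introduction`, and neither the commit title nor the message says why it is going away. Please confirm that no page under that path still depends on this mapping, and record the reason for the removal in the commit message.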
2 changes: 1 addition & 1 deletion articles/machine-learning/concept-model-catalog.md
Expand Up @@ -59,7 +59,7 @@ Llama family models | Llama-2-7b <br> Llama-2-7b-chat <br> Llama-2-13b <br> Lla
Mistral family models | mistralai-Mixtral-8x22B-v0-1 <br> mistralai-Mixtral-8x22B-Instruct-v0-1 <br> mistral-community-Mixtral-8x22B-v0-1 <br> mistralai-Mixtral-8x7B-v01 <br> mistralai-Mistral-7B-Instruct-v0-2 <br> mistralai-Mistral-7B-v01 <br> mistralai-Mixtral-8x7B-Instruct-v01 <br> mistralai-Mistral-7B-Instruct-v01 | Mistral-large (2402) <br> Mistral-large (2407) <br> Mistral-small <br> Mistral-Nemo
Cohere family models | Not available | Cohere-command-r-plus <br> Cohere-command-r <br> Cohere-embed-v3-english <br> Cohere-embed-v3-multilingual <br> Cohere-rerank-3-english <br> Cohere-rerank-3-multilingual
JAIS | Not available | jais-30b-chat
Phi-3 family models | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> Phi-3-vision-128k-Instruct <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct <br> Phi-3.5-MoE-Instruct | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> <br> Phi-3.5-mini-Instruct
Phi-3 family models | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> Phi-3-vision-128k-Instruct <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct <br> Phi-3.5-MoE-Instruct | Phi-3-mini-4k-Instruct <br> Phi-3-mini-128k-Instruct <br> Phi-3-small-8k-Instruct <br> Phi-3-small-128k-Instruct <br> Phi-3-medium-4k-instruct <br> Phi-3-medium-128k-instruct <br> <br> Phi-3.5-mini-Instruct <br> Phi-3.5-vision-Instruct
Nixtla | Not available | TimeGEN-1
Other models | Available | Not available

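Review bot: This Phi-3 row receives the same edit as the one in articles/ai-studio/how-to/model-catalog-overview.md, yet the two tables already disagree in the surrounding rows (`Cohere-rerank-3-english` and `Mistral-Nemo` here, `Cohere-rerank-v3-english` and `Mistral-NeMo` there). Consider moving the table into a shared include so that a model addition is a single edit, and reconcile the names while doing so.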
39 changes: 20 additions & 19 deletions articles/machine-learning/how-to-assign-roles.md
Expand Up @@ -9,9 +9,10 @@ ms.topic: how-to
ms.reviewer: None
ms.author: larryfr
author: Blackmist
ms.date: 03/11/2024
ms.custom: how-to, devx-track-azurecli, devx-track-arm-template
ms.date: 09/03/2024
ms.custom: how-to, devx-track-azurecli, devx-track-arm-template, FY25Q1-Linter
monikerRange: 'azureml-api-1 || azureml-api-2'
# Customer Intent: As an admin, I want to understand what permissions I need to assign resources so my users can accomplish their tasks.
---

# Manage access to Azure Machine Learning workspaces
Expand All @@ -30,7 +31,7 @@ This article explains how to manage access (authorization) to Azure Machine Lear
## Default roles

Azure Machine Learning workspaces have built-in roles that are available by default. When adding users to a workspace, they can be assigned one of the following roles.
Azure Machine Learning workspaces have built-in roles that are available by default. When you add users to a workspace, they can be assigned one of the following roles.

| Role | Access level |
| --- | --- |
Expand All @@ -40,13 +41,13 @@ Azure Machine Learning workspaces have built-in roles that are available by defa
| **Contributor** | View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service. |
| **Owner** | Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, you can change role assignments. |

In addition, [Azure Machine Learning registries](how-to-manage-registries.md) have an AzureML Registry User role that can be assigned to a registry resource to grant user-level permissions to data scientists. For administrator-level permissions to create or delete registries, use the Contributor or Owner role.
In addition, [Azure Machine Learning registries](how-to-manage-registries.md) have an Azure Machine Learning Registry User role that can be assigned to a registry resource to grant user-level permissions to data scientists. For administrator-level permissions to create or delete registries, use the Contributor or Owner role.

| Role | Access level |
| --- | --- |
| **AzureML Registry User** | Can get registries, and read, write, and delete assets within them. Can't create new registry resources or delete them. |

You can combine the roles to grant different levels of access. For example, you can grant a workspace user both AzureML Data Scientist and AzureML Compute Operator roles to permit the user to perform experiments while creating computes in a self-service manner.
You can combine the roles to grant different levels of access. For example, you can grant a workspace user both **AzureML Data Scientist** and **AzureML Compute Operator** roles to permit the user to perform experiments while creating computes in a self-service manner.

> [!IMPORTANT]
> Role access can be scoped to multiple levels in Azure. For example, someone with owner access to a workspace may not have owner access to the resource group that contains the workspace. For more information, see [How Azure RBAC works](/azure/role-based-access-control/overview#how-azure-rbac-works).
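Review bot: The prose now calls the role "Azure Machine Learning Registry User", but the table directly below still lists **AzureML Registry User**, and the following paragraph keeps **AzureML Data Scientist** and **AzureML Compute Operator**. A role name is an identifier that readers pass to commands such as `az role assignment create --role`, so the prose should use the exact name shown in the table rather than an expanded product name.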
Expand All @@ -73,13 +74,13 @@ az role assignment create --role "Contributor" --assignee "joe@contoso.com" --re

You can use Microsoft Entra security groups to manage access to workspaces. This approach has following benefits:
* Team or project leaders can manage user access to workspace as security group owners, without needing Owner role on the workspace resource directly.
* You can organize, manage and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on user-by-user basis.
* You can organize, manage, and revoke users' permissions on workspace and other resources as a group, without having to manage permissions on user-by-user basis.
* Using Microsoft Entra groups helps you to avoid reaching the [subscription limit](/azure/role-based-access-control/troubleshoot-limits) on role assignments.

To use Microsoft Entra security groups:
1. [Create a security group](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal).
2. [Add a group owner](/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-members-and-owners). This user has permissions to add or remove group members. The group owner isn't required to be group member, or have direct RBAC role on the workspace.
3. Assign the group an RBAC role on the workspace, such as AzureML Data Scientist, Reader, or Contributor.
3. Assign the group an RBAC role on the workspace, such as **AzureML Data Scientist**, **Reader**, or **Contributor**.
4. [Add group members](/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-members-and-owners). The members gain access to the workspace.

## Create custom role
Expand Down Expand Up @@ -114,7 +115,7 @@ To create a custom role, first construct a role definition JSON file that specif

> [!TIP]
> You can change the `AssignableScopes` field to set the scope of this custom role at the subscription level, the resource group level, or a specific workspace level.
> The above custom role is just an example, see some suggested [custom roles for the Azure Machine Learning service](#customroles).
> The previous custom role is just an example, see some suggested [custom roles for the Azure Machine Learning service](#customroles).
This custom role can do everything in the workspace except for the following actions:

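Review bot: The reworded tip line still joins two sentences with a comma: "The previous custom role is just an example, see some suggested ...". Split it, for example "The previous custom role is just an example. For suggested roles, see [custom roles for the Azure Machine Learning service](#customroles)."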
Expand Down Expand Up @@ -171,7 +172,7 @@ You need to have permissions on the entire scope of your new role definition. Fo
## Use Azure Resource Manager templates for repeatability

If you anticipate that you'll need to recreate complex role assignments, an Azure Resource Manager template can be a significant help. The [machine-learning-dependencies-role-assignment template](https://github.com/Azure/azure-quickstart-templates/tree/master//quickstarts/microsoft.machinelearningservices/machine-learning-dependencies-role-assignment) shows how role assignments can be specified in source code for reuse.
If you anticipate that you need to recreate complex role assignments, an Azure Resource Manager template can be a significant help. The [machine-learning-dependencies-role-assignment template](https://github.com/Azure/azure-quickstart-templates/tree/master//quickstarts/microsoft.machinelearningservices/machine-learning-dependencies-role-assignment) shows how role assignments can be specified in source code for reuse.

## Common scenarios

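Review bot: The link in the edited sentence contains a doubled slash, `tree/master//quickstarts/...`. Since the line is being touched anyway, normalize it to a single slash. The new wording "If you anticipate that you need to recreate" also reads as a present need rather than a future one; "If you expect to recreate" keeps the original meaning.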
Expand All @@ -190,7 +191,7 @@ The following table is a summary of Azure Machine Learning activities and the pe
| Submitting any type of run (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/*/read`, `/workspaces/environments/write`, `/workspaces/jobs/*`, `/workspaces/metadata/artifacts/write`, `/workspaces/metadata/codes/*/write`, `/workspaces/environments/build/action`, `/workspaces/environments/readSecrets/action` |
| Publishing pipelines and endpoints (V1) | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/endpoints/pipelines/*`, `/workspaces/pipelinedrafts/*`, `/workspaces/modules/*` |
| Publishing pipelines and endpoints (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/endpoints/pipelines/*`, `/workspaces/pipelinedrafts/*`, `/workspaces/components/*` |
| Attach an AKS resource <sub>2</sub> | Not required | Owner or contributor on the resource group that contains AKS |
| Attach an AKS resource <sub>2</sub> | Not required | Owner or contributor on the resource group that contains AKS | |
| Deploying a registered model on an AKS/ACI resource | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/services/aks/write`, `/workspaces/services/aci/write` |
| Scoring against a deployed AKS endpoint | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/services/aks/score/action`, `/workspaces/services/aks/listkeys/action` (when you don't use Microsoft Entra auth) OR `/workspaces/read` (when you use token auth) |
| Accessing storage using interactive notebooks | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/read`, `/workspaces/notebooks/samples/read`, `/workspaces/notebooks/storage/*`, `/workspaces/listStorageAccountKeys/action`, `/workspaces/listNotebookAccessToken/read`|
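Review bot: The fourth cell added to the "Attach an AKS resource" row is empty, while the other rows in view state a value in every column. In a permissions table an empty cell is ambiguous between "not required" and "not documented", so write the value explicitly.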
Expand All @@ -210,7 +211,7 @@ The following table is a summary of Azure Machine Learning activities and the pe

There are certain differences between actions for V1 APIs and V2 APIs.

| Asset | Action path for V1 API | Action path for V2 API
| Asset | Action path for V1 API | Action path for V2 API |
| ----- | ----- | ----- |
| Dataset | Microsoft.MachineLearningServices/workspaces/datasets | Microsoft.MachineLearningServices/workspaces/datasets/versions |
| Experiment runs and jobs | Microsoft.MachineLearningServices/workspaces/experiments | Microsoft.MachineLearningServices/workspaces/jobs |
Expand All @@ -222,7 +223,7 @@ You can make custom roles compatible with both V1 and V2 APIs by including both

### Create a workspace using a customer-managed key

When using a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.
When you use a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.

If your workspace is configured with a **user-assigned managed identity**, the identity must be granted the following roles. These roles allow the managed identity to create the Azure Storage, Azure Cosmos DB, and Azure Search resources used when using a customer-managed key:

Expand All @@ -231,7 +232,7 @@ If your workspace is configured with a **user-assigned managed identity**, the i
- `Microsoft.DocumentDB/databaseAccounts/write`


Within the key vault, the user or service principal must have create, get, delete, and purge access to the key through a key vault access policy. For more information, see [Azure Key Vault security](/azure/key-vault/general/security-features#controlling-access-to-key-vault-data).
Within the key vault, the user or service principal must have **create**, **get**, **delete**, and **purge** access to the key through a key vault access policy. For more information, see [Azure Key Vault security](/azure/key-vault/general/security-features#controlling-access-to-key-vault-data).

### User-assigned managed identity with Azure Machine Learning compute cluster

Expand All @@ -243,8 +244,8 @@ To perform MLflow operations with your Azure Machine Learning workspace, use the

| MLflow operation | Scope |
| --- | --- |
| (V1) List, read, create, update or delete experiments | `Microsoft.MachineLearningServices/workspaces/experiments/*` |
| (V2) List, read, create, update or delete jobs | `Microsoft.MachineLearningServices/workspaces/jobs/*` |
| (V1) List, read, create, update, or delete experiments | `Microsoft.MachineLearningServices/workspaces/experiments/*` |
| (V2) List, read, create, update, or delete jobs | `Microsoft.MachineLearningServices/workspaces/jobs/*` |
| Get registered model by name, fetch a list of all registered models in the registry, search for registered models, latest version models for each requests stage, get a registered model's version, search model versions, get URI where a model version's artifacts are stored, search for runs by experiment IDs | `Microsoft.MachineLearningServices/workspaces/models/*/read` |
| Create a new registered model, update a registered model's name/description, rename existing registered model, create new version of the model, update a model version's description, transition a registered model to one of the stages | `Microsoft.MachineLearningServices/workspaces/models/*/write` |
| Delete a registered model along with all its version, delete specific versions of a registered model | `Microsoft.MachineLearningServices/workspaces/models/*/delete` |
Expand Down Expand Up @@ -447,7 +448,7 @@ Allows you to perform all operations within the scope of a workspace, **except**
* Creating a new workspace
* Assigning subscription or workspace level quotas

The workspace admin also cannot create a new role. It can only assign existing built-in or custom roles within the scope of their workspace:
The workspace admin also can't create a new role. It can only assign existing built-in or custom roles within the scope of their workspace:

*workspace_admin_custom_role.json* :

Expand All @@ -474,15 +475,15 @@ The workspace admin also cannot create a new role. It can only assign existing b

### Data labeling

There is a built-in role for data labeling, scoped only to labeling data. The following custom roles give other levels of access for a data labeling project.
There's a built-in role for data labeling, scoped only to labeling data. The following custom roles give other levels of access for a data labeling project.

[!INCLUDE [custom-role-data-labeling](includes/custom-role-data-labeling.md)]

## Troubleshooting

Here are a few things to be aware of while you use Azure RBAC:

- When you create a resource in Azure, such as a workspace, you're not directly the owner of the resource. Your role is inherited from the highest scope role that you're authorized against in that subscription. As an example if you're a Network Administrator, and have the permissions to create a Machine Learning workspace, you would be assigned the Network Administrator role against that workspace, and not the Owner role.
- When you create a resource in Azure, such as a workspace, you're not directly the owner of the resource. Your role is inherited from the highest scope role that you're authorized against in that subscription. As an example, if you're a Network Administrator and have the permissions to create a Machine Learning workspace, you would be assigned the **Network Administrator** role against that workspace. Not the **Owner** role.

- To perform quota operations in a workspace, you need subscription level permissions. This means setting either subscription level quota or workspace level quota for your managed compute resources can only happen if you have write permissions at the subscription scope.

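Review bot: The rewritten troubleshooting bullet ends with a fragment, "Not the **Owner** role.", which separates the contrast from the sentence it qualifies. Rejoin it: "... you would be assigned the **Network Administrator** role against that workspace, not the **Owner** role."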
Expand All @@ -492,7 +493,7 @@ Here are a few things to be aware of while you use Azure RBAC:

- It can sometimes take up to one hour for your new role assignments to take effect over cached permissions across the stack.

## Next steps
## Related content

- [Enterprise security and governance for Azure Machine Learning](concept-enterprise-security.md)
- [Secure Azure Machine Learning workspace resources using virtual networks](how-to-network-security-overview.md)