MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Please clarify on storage firewall #105880

Closed Jessieliu111 closed 11 months ago

Jessieliu111 commented 1 year ago

Hi team,

We have queries on the document under:

https://learn.microsoft.com/en-us/azure/machine-learning/how-to-secure-workspace-vnet?tabs=required%2Cpe%2Ccli#secure-azure-storage-accounts

It makes people confused if AML is a trusted service for storage. If cx select a Resource instance and add their workspace name, granting roles on storage account is necessary. But if cx select "Allow Azure services on the trusted services list to access this storage account", does this include AML: compute (batch service) and data preview? If we select "Allow Azure services on the trusted services list to access this storage account", do we need to add role assignment from AML to storage? Please also help confirm if below statement is true: AML using MI with the appropriate read/write RBAC permission on the storage account can access the storage account from a network level if "allow azure trusted services" is enabled. No other network changes are required. This includes all managed resources within AML (compute and data preview). Azure is smart enough to provide network exceptions based on RBAC (this was never possible before). User access from AML to storage uses delegated permission and cannot access storage without the appropriate RBAC and network permissions.

Please ping me at jiaxinliu@microsoft.com for more clarification. Thanks!



AjayBathini-MSFT commented 1 year ago

@Jessieliu111 Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT commented 1 year ago

@Jessieliu111

Workspace MSI is employed, in accordance with the documentation, if the virtual network setting is "Allow Azure services on the trusted services list to access this storage account". The workspace MSI is used by Azure Machine Learning to create data previews and profiles.

If you choose "Allow Azure services on the trusted services list to access this storage account", you don't need to add role assignment from AML to storage.

If "allow azure trusted services" is enabled, the statement "AML employing MI with the appropriate read/write RBAC permission on the storage account can access the storage account from a network level." is true. Further network modifications are not necessary. All AML-managed resources are included in this (compute and data preview). Azure is intelligent enough to offer network exceptions based on RBAC (this was never possible before). Delegated permission is required for user access from AML to storage, and storage cannot be accessed without the proper RBAC and network permissions is real.

Jessieliu111 commented 1 year ago

Hi team,

Thanks for your detailed information. Is it possible to add AML in the trusted service list in below? The doc structure is not clear on if AML is a trusted service. Please kindly correct me if I'm wrong. Thanks.

Best regards, Jessie Liu Support Engineer | Azure IoT&AI Support Team Phone: (0510) 6665 8360 Mon-Fri 9:00-17:30/7:00-4:00 (UTC+8) No.111, Linghu Road, Xin Wu District, Wuxi, Jiangsu, China. Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you.


Jessieliu111 commented 1 year ago

Hi team,

Would you please share if we have plan to add AML service in below list? Thanks!


Jessieliu111 commented 1 year ago

Hi team,

Appreciate your update if we have plan to add AML as a trusted service. 😊 Thanks!


Naveenommi-MSFT commented 1 year ago

Hi @Jessieliu111 Thank you for your feedback!

I'd recommend working closer with our support team via an [Azure support request](https://docs.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request). Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.

[Teams Q&A forum](https://docs.microsoft.com/en-us/answers/topics/46488/office-teams-windows-itpro.html) for technical questions about the configuration and administration of Microsoft Teams on Windows. [Microsoft Teams Community forum](https://answers.microsoft.com/en-us/msteams/forum?sort=LastReplyDate&dir=Desc&tab=All&status=all&mod=&modAge=&advFil=&postedAfter=&postedBefore=&threadType=All&isFilterExpanded=false&page=1)

Jessieliu111 commented 1 year ago

Hi team, This issue doesn't need a troubleshoot or a workaround. Only concern is customer insists if AML is a trusted service, it should appear in the list, or it's misleading customers that AML is not a trusted service. Please help advise if we can do this, or justify customer's concern. Many thanks!


Naveenommi-MSFT commented 1 year ago

Hi @Jessieliu111 Thank you for bringing this to our attention. I've delegated this to content author @jhirono, who will review it and offer their insightful opinions.

Jessieliu111 commented 1 year ago

Hi Jumpei,

Good day! Hope you are doing great! Would you please help check if we can add AML as a trusted service in the trusted service list? Customer has concern on this. Thanks!


Jessieliu111 commented 1 year ago

Hi,

Configure Azure Storage firewalls and virtual networks | Microsoft Learn: https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#trusted-access-based-on-system-assigned-managed-identity

I'm not sure if above doc falls in @Jumpei's scope, as it's Storage blob doc... Please kindly help verify.

Many thanks.


jhirono commented 1 year ago

User's compute (compute instance, cluster, managed online endpoint, etc.) cannot use this privilege. AzureML PaaS service can use this config.

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-from-azure-resource-instances will answer other questions.
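An added example, not part of the thread or of the Azure docs: a small audit that keeps apart the two things this discussion mixes, the network path through the storage firewall (trusted-services exception or resource instance rule) and the data role held by the workspace managed identity. It assumes input shaped like the output of `az storage account show` and `az role assignment list`; the sample data, IDs and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data; every ID below is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ACCOUNT_ID = SUB + "/resourceGroups/rg-ml/providers/Microsoft.Storage/storageAccounts/stmldemo"
WORKSPACE_ID = (SUB + "/resourceGroups/rg-ml/providers/"
                "Microsoft.MachineLearningServices/workspaces/ws-demo")
WORKSPACE_MSI = "11111111-1111-1111-1111-111111111111"

SAMPLE_ACCOUNT = {
    "id": ACCOUNT_ID,
    "networkRuleSet": {
        "defaultAction": "Deny",
        "bypass": "Logging, AzureServices",
        "ipRules": [],
        "virtualNetworkRules": [],
        "resourceAccessRules": [
            {"resourceId": WORKSPACE_ID,
             "tenantId": "22222222-2222-2222-2222-222222222222"},
        ],
    },
}
SAMPLE_ASSIGNMENTS = [
    {"principalId": WORKSPACE_MSI,
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-ml"},
]

BLOB_DATA_ROLES = {"Storage Blob Data Reader", "Storage Blob Data Contributor",
                   "Storage Blob Data Owner"}


def network_paths(account, workspace_id):
    """Return the firewall settings that would let the workspace through."""
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") == "Allow":
        return ["firewall-open"]  # firewall is not restricting anything
    paths = []
    bypass = {b.strip() for b in (rules.get("bypass") or "").split(",")}
    if "AzureServices" in bypass:
        paths.append("trusted-services-exception")
    for rule in rules.get("resourceAccessRules") or []:
        # Resource IDs are case-insensitive; a '*' segment in a rule is
        # treated as a glob here (assumption of this example).
        if fnmatchcase(workspace_id.lower(), rule["resourceId"].lower()):
            paths.append("resource-instance-rule")
            break
    return paths


def has_blob_data_role(assignments, principal_id, account_id):
    """True if the identity holds a blob data role at or above the account."""
    target = account_id.lower()
    for a in assignments:
        if a["principalId"].lower() != principal_id.lower():
            continue
        if a["roleDefinitionName"] not in BLOB_DATA_ROLES:
            continue
        scope = a["scope"].lower().rstrip("/")
        # A role assigned on a parent scope is inherited by the account.
        if target == scope or target.startswith(scope + "/"):
            return True
    return False


def evaluate(account, assignments, workspace_id, principal_id):
    paths = network_paths(account, workspace_id)
    rbac = has_blob_data_role(assignments, principal_id, account["id"])
    findings = []
    if paths == ["firewall-open"]:
        findings.append("defaultAction is Allow: the firewall restricts no network")
    elif not paths:
        findings.append("no trusted-services bypass or resource instance rule "
                        "covers the workspace")
    if not rbac:
        findings.append("workspace identity holds no blob data role on the account")
    return {"network_paths": paths, "has_data_role": rbac, "findings": findings}


if __name__ == "__main__":
    print(evaluate(SAMPLE_ACCOUNT, SAMPLE_ASSIGNMENTS, WORKSPACE_ID, WORKSPACE_MSI))
```

The check only covers the workspace's own identity; per the comment above, user compute is a separate case that this configuration does not cover.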

jhirono commented 11 months ago

@Naveenommi-MSFT plz close this issue