How can we improve Microsoft Azure Machine Learning?

Workspace ARM resource should repair missing permissions on other Azure objects (e.g. Key Vault)

The Microsoft.MachineLearningServices/workspaces ARM resource should be able to fix missing permissions on Azure resources it depends on (such as Key Vault access policy) when it is redeployed.

Currently, the ML Workspace creates an AAD Service Principal for itself and assigns it at least these permissions (and perhaps more) during provisioning:
- Contributor access to the Resource Group
- Contributor access to the Container Registry
- an access policy in the Key Vault allowing all operations except Purge
- Storage Blob Data Contributor access to the Storage Account

However, if anything happens to these permissions (for example, the Key Vault access policy is accidentally removed because the Key Vault was updated via an ARM template), there should be a way to easily recreate all permissions needed by the ML Workspace.

It would be most convenient if the Microsoft.MachineLearningServices/workspaces ARM resource would check and repair the permissions when it is redeployed (updated).

12 votes
Jakub Bereżański shared this idea

1 comment

  • Christian Weiss commented

    This looks like a blocker for using ARM templates.

    Ideally, I'd like to set up a "UserAssigned" identity in the ARM template and then assign the necessary accessPolicies myself in the ARM template to that "UserAssigned" identity - together with our custom accessPolicies.

    This way the accessPolicies are always active and no ML background service has to restore them (which would probably result in downtime due to Access denied errors).
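Added example (not from the idea, the comment, or Microsoft): an ARM template that re-adds the workspace's Key Vault access policy described in the idea, using the `Microsoft.KeyVault/vaults/accessPolicies` child resource named `add`, which merges the policy into the vault's existing policies instead of replacing the whole list the way a redeploy of the `Microsoft.KeyVault/vaults` resource with an `accessPolicies` array does. The parameter names are assumed, the principal is the workspace's system-assigned identity, and the permission lists are an assumption modelled on the idea's "all operations except Purge".

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: existing Azure ML workspace in this resource group." }
    },
    "keyVaultName": {
      "type": "string",
      "metadata": { "description": "Assumed parameter: existing Key Vault in this resource group." }
    }
  },
  "variables": {
    "workspaceId": "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('workspaceName'))]"
  },
  "resources": [
    {
      "comments": "The 'add' child resource merges this policy with existing ones; redeploying it is idempotent and does not remove other policies. Permission lists are an assumption (everything except purge).",
      "type": "Microsoft.KeyVault/vaults/accessPolicies",
      "apiVersion": "2019-09-01",
      "name": "[concat(parameters('keyVaultName'), '/add')]",
      "properties": {
        "accessPolicies": [
          {
            "tenantId": "[subscription().tenantId]",
            "objectId": "[reference(variables('workspaceId'), '2020-04-01', 'Full').identity.principalId]",
            "permissions": {
              "keys": [ "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "decrypt", "encrypt", "unwrapKey", "wrapKey", "verify", "sign" ],
              "secrets": [ "get", "list", "set", "delete", "recover", "backup", "restore" ],
              "certificates": [ "get", "list", "update", "create", "import", "delete", "recover", "backup", "restore", "managecontacts", "manageissuers", "getissuers", "listissuers", "setissuers", "deleteissuers" ]
            }
          }
        ]
      }
    }
  ]
}
```

Deploying this template after any change to the vault restores the workspace's policy without touching the custom policies the comment mentions; the same `add` resource can target a user-assigned identity's `principalId` if that is what the workspace uses.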
