Advanced
Azure AI Security
Implement enterprise security controls for AI workloads using Microsoft Entra ID, RBAC, managed identities, Key Vault, and Azure Policy.
Security Layers
Identity (Entra ID)
SSO, MFA, Conditional Access, and Privileged Identity Management for AI platform users.
Access Control (RBAC)
Azure and Azure ML RBAC roles for fine-grained permissions on workspaces, compute, and data.
Secrets (Key Vault)
Centralized management of API keys, connection strings, certificates, and encryption keys.
Encryption
Data encryption at rest (SSE) and in transit (TLS 1.2+), with customer-managed keys (CMK) support.
Azure ML RBAC Roles
| Role | Permissions | Typical User |
|---|---|---|
| AzureML Data Scientist | Run experiments, submit jobs, deploy models | ML engineers |
| AzureML Compute Operator | Create and manage compute resources | Platform team |
| Reader | View workspace resources (read-only) | Stakeholders |
| Contributor | Full access except role assignments | Team leads |
Managed Identities
```bash
# Assign managed identity to compute cluster
az ml compute update \
  --name gpu-cluster \
  --workspace-name ml-workspace \
  --resource-group ml-rg \
  --identity-type UserAssigned \
  --user-assigned-identities /subscriptions/.../identities/ml-identity

# Grant storage access to the managed identity
az role assignment create \
  --assignee-object-id <identity-object-id> \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/.../storageAccounts/mlstorage
```
Compliance and Governance
- Azure Policy: Enforce standards like requiring private endpoints, encryption, and approved VM sizes
- Microsoft Purview: Data governance, lineage tracking, and sensitivity labeling for training data
- Diagnostic logging: Enable Azure Monitor diagnostic logs for audit trails on all AI resources
- Microsoft Defender: Threat detection for compute resources, containers, and storage accounts
- Responsible AI dashboard: Built-in tools for fairness assessment, error analysis, and model interpretability
Pro tip: Always use managed identities instead of service principal secrets or storage keys for compute-to-service authentication. Managed identities eliminate secret rotation burden and reduce the risk of credential exposure. Combine with Key Vault for any external secrets your training code needs.
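A check for the least-privilege grant shown under Managed Identities, as an added example that is not part of the original page: it takes role assignments in the shape returned by `az role assignment list --all -o json` and flags any assignment to the compute identity that can read storage account keys or is scoped wider than a single resource. The subscription ID, object IDs and sample assignments are constructed, and the role list is an assumed set of common built-in roles, not an exhaustive one.

```python
# Built-in roles that include Microsoft.Storage/storageAccounts/listKeys/action
# (assumed list of common roles, not exhaustive).
KEY_CAPABLE_ROLES = {"Owner", "Contributor", "Storage Account Contributor",
                     "Storage Account Key Operator Service Role"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed placeholder
ML_ID = "11111111-1111-1111-1111-111111111111"     # constructed identity object ID
OTHER_ID = "22222222-2222-2222-2222-222222222222"  # constructed, unrelated principal
STORAGE = f"{SUB}/resourceGroups/ml-rg/providers/Microsoft.Storage/storageAccounts/mlstorage"

# Constructed sample in the shape of `az role assignment list --all -o json`.
SAMPLE = [
    {"principalId": ML_ID, "roleDefinitionName": "Storage Blob Data Reader", "scope": STORAGE},
    {"principalId": ML_ID, "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/ml-rg"},
    {"principalId": ML_ID, "roleDefinitionName": "Storage Blob Data Contributor", "scope": SUB},
    {"principalId": OTHER_ID, "roleDefinitionName": "Owner", "scope": SUB},
]

def scope_level(scope):
    """Classify an ARM scope string by how broad it is."""
    parts = [p.lower() for p in scope.split("/") if p]
    if parts[:1] != ["subscriptions"]:
        return "management-group-or-root"
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"  # a single resource or something nested under it

def audit(assignments, principal_id):
    """Return (role, scope, reason) for each risky assignment held by principal_id."""
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        if role in KEY_CAPABLE_ROLES:
            # Key access bypasses the identity-based, keyless model entirely.
            findings.append((role, scope, "role can list storage account keys in scope"))
        elif level != "resource":
            findings.append((role, scope, f"scope is {level}, wider than one resource"))
    return findings

if __name__ == "__main__":
    for role, scope, reason in audit(SAMPLE, ML_ID):
        print(f"[FLAG] {role} @ {scope}: {reason}")
```

To run it against a real export, load the JSON file with `json.load` and pass the list and the identity's object ID to `audit`.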
Lilly Tech Systems