Sdílet prostřednictvím


Prerequisites to deploy Manufacturing data solutions in Fabric

Important

Some or all of this functionality is available as part of a preview release. The content and the functionality are subject to change.

Note

All prior versions to 1.0 of Manufacturing data solutions are deprecated. Any deployments prior to version 0.8 can't upgrade to the latest 1.0 version. A redeployment to the latest version is required.

This section provides information on how to prepare for the deployment of Manufacturing data solutions in the designated tenant. The prerequisites are as follows:

  1. Check Azure subscription requirements
  2. Register the preview feature and resource provider
  3. Install PowerShell locally with AZ module
  4. Register necessary Azure resource providers
  5. Validate Virtual Machine availability
  6. Check Microsoft Fabric requirements
  7. Set up Azure Key Vault
  8. Set up User Assigned Managed Identity
  9. Check required access for Manufacturing data solutions
  10. Access and interact with API endpoints

Caution

All the prerequisite steps must be completed before deploying Manufacturing data solutions to the designated tenant. Failing to do so leads to deployment failure.

Check Azure subscription requirements

An Azure subscription is a fundamental component of Microsoft Azure, serving as a logical container for provisioning and managing Azure resources and services.

Sign in to Azure. To proceed, ensure that your subscription has access to Azure OpenAI, is allowlisted with Manufacturing data solutions, and the Microsoft.ManufacturingPlatform namespace and necessary Azure resource providers are registered.

Ensure that you have the following to deploy and test Manufacturing data solutions:

  • An Azure subscription
    • Enabled access to Azure OpenAI
    • On the subscription, user should have Contributor role for Deployment and User Access Administrator role for Role Assignment
    • Quotas availability according to model and region:
      • GPT-4, 0125-Preview (Turbo)
      • GPT-4-32k, 0613
      • GPT-4o, 2024-05-13

Register the preview feature and resource provider

When the request is successfully completed, you can register the preview feature.

  1. Registration can be done through the Azure portal UI or by running an Azure command.

    Note

    Azure OpenAI and allowlisting are mandatory to execute these commands.

    • In the Azure portal UI, go to the Preview features in your subscription. Search for Default Feature and then select Register.

    Screenshot of Feature Registration from Azure portal.

Azure command:

az feature register --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform --name DefaultFeature

Tip

You can check if the state of the Azure feature is registered by using the following command: az feature show --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform --name DefaultFeature

Note

Azure resources are categorized under namespaces (for example, Microsoft.Compute, Microsoft.Storage). In this case, 'Microsoft.ManufacturingPlatform' is the namespace under which the resource type is there.

  1. You can execute the registration of the resource provider.

    az provider register --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform

    Tip

    You can check if the state of the Resource Provider is registered by using the following command: az provider show --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform

  2. For NRG lockdown, run the following command.

    az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"

Install PowerShell locally with AZ module

The Az PowerShell module is a rollup module. Installing the Az PowerShell module downloads the generally available modules and makes their cmdlets available for use. These Az modules are required to run the scripts associated with deployment.

For detailed steps for installation, refer to Azmodule.

Register necessary Azure resource providers

An Azure resource provider is a collection of REST operations that provide functionality for an Azure service. Manufacturing data solutions uses common Azure resources such as AKS and Azure monitoring. Resource provider defines the Azure resources that are available for your subscription to deploy to your account.

You can register Azure resource providers via Azure portal, PowerShell, or Azure CLI. You can find all the needed Azure resource providers that Manufacturing data solutions needs during the deployment in the given table.

Required resource providers
Azure Resource name Azure Resource provider
Azure Data Explorer Microsoft.Kusto
Azure Resource Manager Microsoft.Resources
Microsoft.Authorization
Azure Monitor Microsoft.OperationsManagement
Microsoft.Insights
Microsoft.OperationalInsights
Storage Microsoft.Storage
Azure Kubernetes Service Microsoft.Compute
Microsoft.ContainerService
Microsoft.ContainerRegistry
Microsoft.ContainerInstance
Microsoft.Kubernetes
Azure Cosmos DB Microsoft.DocumentDB
Azure Networking Microsoft.Network
Azure Managed Identity Microsoft.ManagedIdentity
Azure Policy Microsoft.GuestConfiguration
Azure Cache for Redis Microsoft.Cache
Azure Event Hub Microsoft.EventHub
Cognitive Services Microsoft.CognitiveServices
Azure Function App Microsoft.Web
Azure App Configuration Microsoft.AppConfiguration
Azure Alerts Management Microsoft.AlertsManagement
PowerShell example to show registration state of required resource providers

Connect to Azure with an authenticated account.


Connect-AzAccount -Tenant YOUR_TENANT_ID -Subscription YOUR_SUBSCRIPTION_ID

List registration state of required resource providers.


    $providerNamespaces = "Microsoft.Kusto", "Microsoft.Resources", "Microsoft.Authorization", "Microsoft.OperationsManagement", "Microsoft.Insights", "Microsoft.OperationalInsights", "Microsoft.Storage", "Microsoft.Compute", "Microsoft.ContainerService", "Microsoft.ContainerRegistry", "Microsoft.ContainerInstance", "Microsoft.Kubernetes", "Microsoft.DocumentDB", "Microsoft.Network", "Microsoft.ManagedIdentity", "Microsoft.GuestConfiguration", "Microsoft.Cache", "Microsoft.EventHub", "Microsoft.CognitiveServices", "Microsoft.Web", "Microsoft.AppConfiguration", "Microsoft.AlertsManagement"
    foreach ($providerNamespace in $providerNamespaces) {
        $registrationStates = @((Get-AzResourceProvider -ProviderNamespace $providerNamespace).RegistrationState | Select-Object -Unique)
        Write-Host "Provider Namespace: $providerNamespace, Registration States: [ " -NoNewline
        foreach ($registrationState in $registrationStates) {
            $color = if ($registrationState -eq "Registered") { "Green" } else { "Red" }
            Write-Host $registrationState -ForegroundColor $color -NoNewline
            if ($registrationState -ne $registrationStates[-1]) {
                Write-Host ", " -NoNewline
            }
        }
        Write-Host " ]"
    }

PowerShell example to register required resource providers

Connect to Azure with an authenticated account.

    
Connect-AzAccount -Tenant YOUR_TENANT_ID -Subscription YOUR_SUBSCRIPTION_ID
    

Register required resource providers.

   
$providerNamespaces = "Microsoft.Kusto", "Microsoft.Resources", "Microsoft.Authorization", "Microsoft.OperationsManagement", "Microsoft.Insights", "Microsoft.OperationalInsights", "Microsoft.Storage", "Microsoft.Compute", "Microsoft.ContainerService", "Microsoft.ContainerRegistry", "Microsoft.ContainerInstance", "Microsoft.Kubernetes", "Microsoft.DocumentDB", "Microsoft.Network", "Microsoft.ManagedIdentity", "Microsoft.GuestConfiguration", "Microsoft.Cache", "Microsoft.EventHub", "Microsoft.CognitiveServices", "Microsoft.Web", "Microsoft.AppConfiguration", "Microsoft.AlertsManagement"
    foreach ($providerNamespace in $providerNamespaces) {
        Register-AzResourceProvider -ProviderNamespace $providerNamespace
    }

Validate Virtual Machine availability

After the deployment is completed, the AKS Clusters are created. The AKS cluster is using virtual machines of the Standard_DS family. Both Standard_DS2_v2 and Standard_DS3_v2 are used. Make sure these clusters are available in all availability zones for your subscription and region.

Check Standard_DS2_v2 SKU size:

    az vm list-skus --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --location YOUR_REGION --size Standard_DS2_v2 --all --output table

Check Standard_DS3_v2 SKU size:

    az vm list-skus --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --location YOUR_REGION --size Standard_DS3_v2 --all --output table

The restrictions should mention None.

A negative result can look like the following example.

    virtualMachines  eastus2      Standard_DS2_v2         1,2,3    NotAvailableForSubscription, type: Zone, locations: eastus2, zones: 3
    virtualMachines  eastus2      Standard_DS3_v2         1,2,3    NotAvailableForSubscription, type: Zone, locations: eastus2, zones: 3

If the virtual machines aren't available, file an Azure Support ticket for your subscription and region.

Check Microsoft Fabric requirements

Microsoft Fabric is a comprehensive data platform for managing and analyzing data seamlessly. It includes services like Fabric Lakehouse and event streams for large-scale data processing and analysis. Configuration for Fabric resources for Manufacturing data solutions is for authentication and data ingestion.

Note

Fabric workspace should be in the same tenant with the Manufacturing data solutions deployment.

For more information, see Enable Microsoft Fabric for your organization - Microsoft Fabric | Microsoft Learn, and to use Microsoft Fabric, see Microsoft Fabric Enabled. After Fabric is enabled, create a One lake workspace, Create a workspace - Microsoft Fabric | Microsoft Learn.

Set up source of batch data ingestion for Manufacturing data solutions in Fabric Lakehouse

A lakehouse is a unified data architecture allowing for efficient storage, management, and analysis of structured and unstructured data. You can use Fabric lakehouse to store the batch data received from Manufacturing Industry.

  1. Create a Fabric Lakehouse inside the workspace you created. If you don’t have one or would like to create a new instance, you can follow the instructions here - Create a Lakehouse with OneLake -Microsoft Fabric | Microsoft Learn

    Screenshot of Onelake.

  2. Create a subfolder for the batch data to be ingested. For example, you can create a folder called Production Data inside which you can later upload your data related to Production.

    Screenshot of Lakehouse Folder.

  3. Make a note of the OneLake URL (for example:https://onelake.dfs.fabric.contoso.com) and Path (for example: workspace_name/lakehouse_name.lakehouse/Files/Productiondata). You can find the full URI by selecting on your Fabric Lakehouse, Select ... to the right of Files, and select Properties.

    Screenshot of source of URL and ABFS path.

  4. You're asked to enter these values as parameters during deployment time. Copy one lake URL and ABFS path, these values are added as input in Deployment time.

    Screenshot of adding URL and ABFS path.

Set up source of stream data ingestion for Manufacturing data solutions in Fabric event streams

An event stream is a continuous flow of data representing events or changes, often used in real-time processing and analytics to track and react to occurrences.

  1. Create three Fabric event streams, one for ISA 95 Data, one for OPC UA Metadata, and one for OPC UA Data ingestion. For more information about the ISA 95 data, see Overview of manufacturing industry data model (preview). For creating an event stream, refer to Create and manage an event streams in Microsoft Fabric - Microsoft Fabric|Microsoft Learn.

    Screenshot of Eventstream Creation.

  2. Edit the event streams created during deployment as follows:

    • For each event stream, configure the source as the existing Azure Event Hub (select "External Source") or a new custom endpoint from your data system.

    Screenshot of selecting custom endpoint for source.

    Note

    Prefer to select Custom Endpoint as it automatically creates event hub and the best practice is to use Custom Endpoint.

    • For each event stream, modify the destination as a new Custom Endpoint.

      Screenshot showing event streams.

    • Go to the details tab of each Custom Endpoint created in destination and note the Primary Connection String information for the three event streams.

    Screenshot of primary connection string for event hubs.

    • If data streaming rate is more than 10k events or tags per second, then configure Event throughput as High for that eventstream.

    Screenshot of enabling high throughput in eventstream.

Set up Azure Key Vault

Key Vault is an Azure service that securely stores and manages secrets. You can use Key Vault to store the primary connection-string keys for Fabric event streams. Managed Identity enables secure, automated identity management, allowing applications to access Azure resources without needing explicit credentials. With Managed Identity, you grant users secure access to Key Vault, simplifying the management of access permissions.

To create an Azure Key Vault, follow these steps:

  1. Fill the values in the Basics tab.

    Screenshot of keyvault.

    Configuration Item Description
    Subscription Name Name of the Subscription
    Resource Group Create or choose the resource group where you want to create Key Vault
    Name Name of Key Vault
    Region Select Desired Region
    Pricing Tier Select the required pricing tier
    Soft Delete Enabled
    Days to Retain Deleted Vaults 90 (default)
    Purge Protection Choose Disable/Enable (default is Disable)
  2. Fill the values in the Access Configuration tab.

    Screenshot of Access Configuration Tab of keyvault.

  3. All other tabs can be left with default values. Select Review and Create.

    Note

    While creating the resource, ensure that in the access configuration tab, none of the checkboxes are selected under Resource access section. this practice ensures that access to the Key Vault is strictly controlled and only granted intentionally and explicitly.

Note

Assigning the Key Vault Secrets Officer grants the Contributor role, while the Key Vault Secrets User role allows listing and reading secrets without the ability to create or modify them.

  • Grant yourself Key Vault Secrets Officer role on the Key Vault.

  • Make a note of the Key Vault URI (for example, "https://your_keyvault_name.vault.azure.net"). You're asked to enter this URI during deployment time.

    Screenshot of keyvault URI.

Create three secrets in the Key Vault

To create three secrets in the Key Vault, follow these steps:

Screenshot of the three keyvault secrets.

Note

The Secret Names must remain unchanged. You're required to adhere to the established naming convention.

Secret Name Value
IngestionEventHubConnection Connection string - primary key of the Fabric ISA 95 Data eventstream destination custom app destination. For more information about the ISA 95 data, see Overview of manufacturing industry data model (preview)
OPCUAMetaDataEventHubConnection Connection string - primary key of the Fabric OPC UA Metadata eventstream destination custom app
OPCUADataEventHubConnection Connection string - primary key of the Fabric OPC UA Data eventstream destination custom app

Set up User Assigned Managed Identity

  • Create a User Assigned Managed Identity. For creating a User Assigned Managed Identity, see Managed Identities

Note

An Azure user assigned managed identity used to provide access to the Key Vault.

  • Grant the Key Vault Secret User role to the User Assigned Managed Identity in the Key Vault.

  • Grant Owner role to the User Assigned Managed Identity to itself. Every UMI is associated with a Service Principal with the same name. This service principal should have Owner role on the same UMI resource.

  • In case you want to bring your own Azure OpenAI resource, the User Managed Identity should have Cognitive Services Data Contributor role for data plane service to access the models and either Contributor or Owner role for control plane service to access the resource.

Check required access for Manufacturing data solutions

These steps guide you on creating a new app registration to control user access and creating a Microsoft Entra security group. The app registration script creates a new app with the required app roles. Microsoft Entra security group is created to give access to users and owners to the underlying AKS created after deployment of Manufacturing data solutions.

Create a new app registration

  1. Download the AppRegistration.ps1 to your local system.

  2. Start PowerShell as an administrator.

  3. Run the command Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass This ensures the script can be run in this process only.

  4. Sign-in to your Azure account using the command: Connect-AzAccount -Tenant YOUR_TENANT_ID

  5. Navigate to the folder where the downloaded file is located.

  6. Invoke the script, making sure to pass in the name you want to use for your app. For example: .\AppRegistration.ps1 "app_name"

  7. Make a note of the returned value for ApplicationID, referred to as Entra Application Id during the deployment.

    Screenshot of Azure app registration ID.

    Screenshot of Azure app roles registration.

Create Microsoft Entra group

Microsoft Entra Group is an identity and access management tool for controlling and managing access to resources within Azure environments.

You need a Microsoft Entra group with a list of owners and members that are given admin access to the underlying AKS. The group can be either a security group or a Microsoft 365 group. For more information on how to create a new group, see How to manage groups. Make a note of the Object ID, referred to as AKS Admin Group ID during the deployment.

Screenshot showing how to create a new Microsoft Entra group.

These steps are crucial for the successful deployment and operation of Manufacturing data solutions.

Access and interact with API endpoints

To access the Manufacturing data solutions and copilot API endpoints, we recommend using Insomnia with the Dataverse Web API. However, you can also use other tools based on your needs and preferences.

Next Steps