Microsoft.MachineLearningServices workspaces 2020-06-01

Bicep resource definition

The workspaces resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.MachineLearningServices/workspaces resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.MachineLearningServices/workspaces@2020-06-01' = {
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    allowPublicAccessWhenBehindVnet: bool
    applicationInsights: 'string'
    containerRegistry: 'string'
    description: 'string'
    discoveryUrl: 'string'
    encryption: {
      keyVaultProperties: {
        identityClientId: 'string'
        keyIdentifier: 'string'
        keyVaultArmId: 'string'
      }
      status: 'string'
    }
    friendlyName: 'string'
    hbiWorkspace: bool
    imageBuildCompute: 'string'
    keyVault: 'string'
    sharedPrivateLinkResources: [
      {
        name: 'string'
        properties: {
          groupId: 'string'
          privateLinkResourceId: 'string'
          requestMessage: 'string'
          status: 'string'
        }
      }
    ]
    storageAccount: 'string'
  }
  sku: {
    name: 'string'
    tier: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

ComponentsSgqdofSchemasIdentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

EncryptionProperty

| Name | Description | Value |
| --- | --- | --- |
| keyVaultProperties | Customer Key vault properties. | KeyVaultProperties (required) |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled', 'Enabled' (required) |

Identity

| Name | Description | Value |
| --- | --- | --- |
| type | The identity type. | 'None', 'SystemAssigned', 'SystemAssigned,UserAssigned', 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |

IdentityUserAssignedIdentities

Name Description Value

KeyVaultProperties

| Name | Description | Value |
| --- | --- | --- |
| identityClientId | For future use - The client id of the identity which will be used to access key vault. | string |
| keyIdentifier | Key vault uri to access the encryption key. | string (required) |
| keyVaultArmId | The ArmId of the keyVault where the customer owned encryption key is present. | string (required) |

Microsoft.MachineLearningServices/workspaces

| Name | Description | Value |
| --- | --- | --- |
| identity | The identity of the resource. | Identity |
| location | Specifies the location of the resource. | string |
| name | The resource name | string (required) |
| properties | The properties of the machine learning workspace. | WorkspaceProperties |
| sku | The sku of the workspace. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |

ResourceTags

Name Description Value

SharedPrivateLinkResource

| Name | Description | Value |
| --- | --- | --- |
| name | Unique name of the private link. | string |
| properties | Resource properties. | SharedPrivateLinkResourceProperty |

SharedPrivateLinkResourceProperty

| Name | Description | Value |
| --- | --- | --- |
| groupId | The private link resource group id. | string |
| privateLinkResourceId | The resource id that private link links to. | string |
| requestMessage | Request message. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved', 'Disconnected', 'Pending', 'Rejected', 'Timeout' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | Name of the sku | string |
| tier | Tier of the sku like Basic or Enterprise | string |

WorkspaceProperties

| Name | Description | Value |
| --- | --- | --- |
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. This cannot be changed once the workspace has been created. | string |
| containerRegistry | ARM id of the container registry associated with this workspace. This cannot be changed once the workspace has been created. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services. | string |
| encryption | The encryption settings of Azure ML workspace. | EncryptionProperty |
| friendlyName | The friendly name for this workspace. This name is mutable. | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | bool |
| imageBuildCompute | The compute name for image build. | string |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created. | string |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created. | string |

Quickstart samples

The following quickstart samples deploy this resource type.

| Bicep File | Description |
| --- | --- |
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
| Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
| Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |

ARM template resource definition

The workspaces resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.MachineLearningServices/workspaces resource, add the following JSON to your template.

{
  "type": "Microsoft.MachineLearningServices/workspaces",
  "apiVersion": "2020-06-01",
  "name": "string",
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "allowPublicAccessWhenBehindVnet": "bool",
    "applicationInsights": "string",
    "containerRegistry": "string",
    "description": "string",
    "discoveryUrl": "string",
    "encryption": {
      "keyVaultProperties": {
        "identityClientId": "string",
        "keyIdentifier": "string",
        "keyVaultArmId": "string"
      },
      "status": "string"
    },
    "friendlyName": "string",
    "hbiWorkspace": "bool",
    "imageBuildCompute": "string",
    "keyVault": "string",
    "sharedPrivateLinkResources": [
      {
        "name": "string",
        "properties": {
          "groupId": "string",
          "privateLinkResourceId": "string",
          "requestMessage": "string",
          "status": "string"
        }
      }
    ],
    "storageAccount": "string"
  },
  "sku": {
    "name": "string",
    "tier": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

ComponentsSgqdofSchemasIdentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

EncryptionProperty

| Name | Description | Value |
| --- | --- | --- |
| keyVaultProperties | Customer Key vault properties. | KeyVaultProperties (required) |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled', 'Enabled' (required) |

Identity

| Name | Description | Value |
| --- | --- | --- |
| type | The identity type. | 'None', 'SystemAssigned', 'SystemAssigned,UserAssigned', 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |

IdentityUserAssignedIdentities

Name Description Value

KeyVaultProperties

| Name | Description | Value |
| --- | --- | --- |
| identityClientId | For future use - The client id of the identity which will be used to access key vault. | string |
| keyIdentifier | Key vault uri to access the encryption key. | string (required) |
| keyVaultArmId | The ArmId of the keyVault where the customer owned encryption key is present. | string (required) |

Microsoft.MachineLearningServices/workspaces

| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2020-06-01' |
| identity | The identity of the resource. | Identity |
| location | Specifies the location of the resource. | string |
| name | The resource name | string (required) |
| properties | The properties of the machine learning workspace. | WorkspaceProperties |
| sku | The sku of the workspace. | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.MachineLearningServices/workspaces' |

ResourceTags

Name Description Value

SharedPrivateLinkResource

| Name | Description | Value |
| --- | --- | --- |
| name | Unique name of the private link. | string |
| properties | Resource properties. | SharedPrivateLinkResourceProperty |

SharedPrivateLinkResourceProperty

| Name | Description | Value |
| --- | --- | --- |
| groupId | The private link resource group id. | string |
| privateLinkResourceId | The resource id that private link links to. | string |
| requestMessage | Request message. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved', 'Disconnected', 'Pending', 'Rejected', 'Timeout' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | Name of the sku | string |
| tier | Tier of the sku like Basic or Enterprise | string |

WorkspaceProperties

| Name | Description | Value |
| --- | --- | --- |
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. This cannot be changed once the workspace has been created. | string |
| containerRegistry | ARM id of the container registry associated with this workspace. This cannot be changed once the workspace has been created. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services. | string |
| encryption | The encryption settings of Azure ML workspace. | EncryptionProperty |
| friendlyName | The friendly name for this workspace. This name is mutable. | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | bool |
| imageBuildCompute | The compute name for image build. | string |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created. | string |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created. | string |
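
An added example, not part of the original reference: a Python check that audits the workspaces resources in an ARM template against the allowed values and required fields in the tables above and reports the security-relevant settings. The function names, finding texts and sample template are constructed here, and which findings count as violations is a policy choice.

```python
import json
import re

WORKSPACE_TYPE = "Microsoft.MachineLearningServices/workspaces"
# Allowed values and the identity-key form, copied from the property tables above.
IDENTITY_TYPES = {"None", "SystemAssigned", "SystemAssigned,UserAssigned", "UserAssigned"}
ENCRYPTION_STATUS = {"Enabled", "Disabled"}
LINK_STATUS = {"Approved", "Disconnected", "Pending", "Rejected", "Timeout"}
UAI_KEY = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
                     r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I)


def is_expression(value):
    """ARM template expressions such as "[parameters('x')]" cannot be judged statically."""
    return isinstance(value, str) and value.startswith("[") and value.endswith("]")


def check_enum(findings, path, value, allowed):
    """Record a finding when a literal value is outside the documented enumeration."""
    if value is not None and not is_expression(value) and value not in allowed:
        findings.append(f"{path}: '{value}' is not one of {sorted(allowed)}")


def audit_workspace(res):
    """Return schema and policy findings for one workspaces resource."""
    findings = []
    props, identity = res.get("properties", {}), res.get("identity", {})
    check_enum(findings, "identity.type", identity.get("type"), IDENTITY_TYPES)
    for key in identity.get("userAssignedIdentities", {}):
        if not is_expression(key) and not UAI_KEY.match(key):
            findings.append(f"identity.userAssignedIdentities: '{key}' is not an ARM resource id")
    enc = props.get("encryption")
    if enc is None or enc.get("status") == "Disabled":
        findings.append("encryption: absent or status 'Disabled'")
    if enc is not None:
        check_enum(findings, "encryption.status", enc.get("status"), ENCRYPTION_STATUS)
        for field in ("keyIdentifier", "keyVaultArmId"):
            if not enc.get("keyVaultProperties", {}).get(field):
                findings.append(f"encryption.keyVaultProperties.{field}: required but missing")

    if props.get("allowPublicAccessWhenBehindVnet") is True:
        findings.append("allowPublicAccessWhenBehindVnet: true, public access allowed behind the VNet")
    hbi = props.get("hbiWorkspace")
    if hbi is not True and not is_expression(hbi):
        findings.append("hbiWorkspace: not true, diagnostic data collection is not reduced")

    for link in props.get("sharedPrivateLinkResources", []):
        path = f"sharedPrivateLinkResources[{link.get('name')}].status"
        status = link.get("properties", {}).get("status")
        check_enum(findings, path, status, LINK_STATUS)
        if status in LINK_STATUS - {"Approved"}:
            findings.append(f"{path}: '{status}', link is not approved")
    return findings


def audit_template(template_text):
    """Map each workspaces resource name in an ARM template to its findings."""
    resources = json.loads(template_text).get("resources", [])
    return {r.get("name"): audit_workspace(r) for r in resources if r.get("type") == WORKSPACE_TYPE}


# Constructed sample template for illustration; all names and values are made up.
CMK = {"keyIdentifier": "[parameters('cmkUri')]", "keyVaultArmId": "[parameters('cmkVaultId')]"}
SAMPLE = json.dumps({"resources": [
    {"type": WORKSPACE_TYPE, "name": "ws-weak", "identity": {"type": "SystemAssigned"},
     "properties": {"allowPublicAccessWhenBehindVnet": True,
                    "encryption": {"status": "Disabled", "keyVaultProperties": {}},
                    "sharedPrivateLinkResources": [
                        {"name": "blob-link", "properties": {"status": "Pending"}}]}},
    {"type": WORKSPACE_TYPE, "name": "ws-strict", "identity": {"type": "SystemAssigned"},
     "properties": {"allowPublicAccessWhenBehindVnet": False, "hbiWorkspace": True,
                    "encryption": {"status": "Enabled", "keyVaultProperties": CMK}}},
]})

if __name__ == "__main__":
    print(json.dumps(audit_template(SAMPLE), indent=2))
```

Values written as template expressions are skipped rather than guessed, so run the check again on the resolved deployment if parameters decide these settings.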

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning Workspace | This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Application Insights Logging. |
| Create AML workspace with multiple Datasets & Datastores | This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
| Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
| Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
| Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |

Terraform (AzAPI provider) resource definition

The workspaces resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.MachineLearningServices/workspaces resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.MachineLearningServices/workspaces@2020-06-01"
  name = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  sku = {
    name = "string"
    tier = "string"
  }
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    properties = {
      allowPublicAccessWhenBehindVnet = bool
      applicationInsights = "string"
      containerRegistry = "string"
      description = "string"
      discoveryUrl = "string"
      encryption = {
        keyVaultProperties = {
          identityClientId = "string"
          keyIdentifier = "string"
          keyVaultArmId = "string"
        }
        status = "string"
      }
      friendlyName = "string"
      hbiWorkspace = bool
      imageBuildCompute = "string"
      keyVault = "string"
      sharedPrivateLinkResources = [
        {
          name = "string"
          properties = {
            groupId = "string"
            privateLinkResourceId = "string"
            requestMessage = "string"
            status = "string"
          }
        }
      ]
      storageAccount = "string"
    }
  })
}

Property values

ComponentsSgqdofSchemasIdentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

EncryptionProperty

| Name | Description | Value |
| --- | --- | --- |
| keyVaultProperties | Customer Key vault properties. | KeyVaultProperties (required) |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled', 'Enabled' (required) |

Identity

| Name | Description | Value |
| --- | --- | --- |
| type | The identity type. | 'None', 'SystemAssigned', 'SystemAssigned,UserAssigned', 'UserAssigned' (required) |
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | IdentityUserAssignedIdentities |

IdentityUserAssignedIdentities

Name Description Value

KeyVaultProperties

| Name | Description | Value |
| --- | --- | --- |
| identityClientId | For future use - The client id of the identity which will be used to access key vault. | string |
| keyIdentifier | Key vault uri to access the encryption key. | string (required) |
| keyVaultArmId | The ArmId of the keyVault where the customer owned encryption key is present. | string (required) |

Microsoft.MachineLearningServices/workspaces

| Name | Description | Value |
| --- | --- | --- |
| identity | The identity of the resource. | Identity |
| location | Specifies the location of the resource. | string |
| name | The resource name | string (required) |
| properties | The properties of the machine learning workspace. | WorkspaceProperties |
| sku | The sku of the workspace. | Sku |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.MachineLearningServices/workspaces@2020-06-01" |

ResourceTags

Name Description Value

SharedPrivateLinkResource

| Name | Description | Value |
| --- | --- | --- |
| name | Unique name of the private link. | string |
| properties | Resource properties. | SharedPrivateLinkResourceProperty |

SharedPrivateLinkResourceProperty

| Name | Description | Value |
| --- | --- | --- |
| groupId | The private link resource group id. | string |
| privateLinkResourceId | The resource id that private link links to. | string |
| requestMessage | Request message. | string |
| status | Indicates whether the connection has been Approved/Rejected/Removed by the owner of the service. | 'Approved', 'Disconnected', 'Pending', 'Rejected', 'Timeout' |

Sku

| Name | Description | Value |
| --- | --- | --- |
| name | Name of the sku | string |
| tier | Tier of the sku like Basic or Enterprise | string |

WorkspaceProperties

| Name | Description | Value |
| --- | --- | --- |
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. This cannot be changed once the workspace has been created. | string |
| containerRegistry | ARM id of the container registry associated with this workspace. This cannot be changed once the workspace has been created. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services. | string |
| encryption | The encryption settings of Azure ML workspace. | EncryptionProperty |
| friendlyName | The friendly name for this workspace. This name is mutable. | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service. | bool |
| imageBuildCompute | The compute name for image build. | string |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created. | string |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created. | string |