Microsoft.MachineLearningServices workspaces 2024-10-01-preview
- Latest
- 2024-10-01
- 2024-10-01-preview
- 2024-07-01-preview
- 2024-04-01
- 2024-04-01-preview
- 2024-01-01-preview
- 2023-10-01
- 2023-08-01-preview
- 2023-06-01-preview
- 2023-04-01
- 2023-04-01-preview
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-10-01
- 2022-10-01-preview
- 2022-06-01-preview
- 2022-05-01
- 2022-02-01-preview
- 2022-01-01-preview
- 2021-07-01
- 2021-04-01
- 2021-03-01-preview
- 2021-01-01
- 2020-09-01-preview
- 2020-08-01
- 2020-06-01
- 2020-05-15-preview
- 2020-05-01-preview
- 2020-04-01
- 2020-03-01
- 2020-02-18-preview
- 2020-01-01
- 2019-11-01
- 2019-06-01
- 2019-05-01
- 2018-11-19
- 2018-03-01-preview
Bicep resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.MachineLearningServices/workspaces@2024-10-01-preview' = {
identity: {
type: 'string'
userAssignedIdentities: {
{customized property}: {}
}
}
kind: 'string'
location: 'string'
name: 'string'
properties: {
allowPublicAccessWhenBehindVnet: bool
allowRoleAssignmentOnRG: bool
applicationInsights: 'string'
associatedWorkspaces: [
'string'
]
containerRegistries: [
'string'
]
containerRegistry: 'string'
description: 'string'
discoveryUrl: 'string'
enableDataIsolation: bool
enableServiceSideCMKEncryption: bool
enableSimplifiedCmk: bool
enableSoftwareBillOfMaterials: bool
encryption: {
cosmosDbResourceId: 'string'
identity: {
userAssignedIdentity: 'string'
}
keyVaultProperties: {
identityClientId: 'string'
keyIdentifier: 'string'
keyVaultArmId: 'string'
}
searchAccountResourceId: 'string'
status: 'string'
storageAccountResourceId: 'string'
}
existingWorkspaces: [
'string'
]
featureStoreSettings: {
computeRuntime: {
sparkRuntimeVersion: 'string'
}
offlineStoreConnectionName: 'string'
onlineStoreConnectionName: 'string'
}
friendlyName: 'string'
hbiWorkspace: bool
hubResourceId: 'string'
imageBuildCompute: 'string'
ipAllowlist: [
'string'
]
keyVault: 'string'
keyVaults: [
'string'
]
managedNetwork: {
firewallSku: 'string'
isolationMode: 'string'
outboundRules: {
{customized property}: {
category: 'string'
status: 'string'
type: 'string'
// For remaining properties, see OutboundRule objects
}
}
status: {
sparkReady: bool
status: 'string'
}
}
networkAcls: {
defaultAction: 'string'
ipRules: [
{
value: 'string'
}
]
}
primaryUserAssignedIdentity: 'string'
provisionNetworkNow: bool
publicNetworkAccess: 'string'
serverlessComputeSettings: {
serverlessComputeCustomSubnet: 'string'
serverlessComputeNoPublicIP: bool
}
serviceManagedResourcesSettings: {
cosmosDb: {
collectionsThroughput: int
}
}
sharedPrivateLinkResources: [
{
name: 'string'
properties: {
groupId: 'string'
privateLinkResourceId: 'string'
requestMessage: 'string'
status: 'string'
}
}
]
softDeleteRetentionInDays: int
storageAccount: 'string'
storageAccounts: [
'string'
]
systemDatastoresAuthMode: 'string'
v1LegacyMode: bool
workspaceHubConfig: {
additionalWorkspaceStorageAccounts: [
'string'
]
defaultWorkspaceResourceGroup: 'string'
}
}
sku: {
capacity: int
family: 'string'
name: 'string'
size: 'string'
tier: 'string'
}
tags: {
{customized property}: 'string'
}
}
OutboundRule objects
Set the type property to specify the type of object.
For FQDN, use:
{
destination: 'string'
type: 'FQDN'
}
For PrivateEndpoint, use:
{
destination: {
serviceResourceId: 'string'
sparkEnabled: bool
sparkStatus: 'string'
subresourceTarget: 'string'
}
fqdns: [
'string'
]
type: 'PrivateEndpoint'
}
For ServiceTag, use:
{
destination: {
action: 'string'
addressPrefixes: [
'string'
]
portRanges: 'string'
protocol: 'string'
serviceTag: 'string'
}
type: 'ServiceTag'
}
Property values
ComputeRuntimeDto
| Name | Description | Value |
|---|---|---|
| sparkRuntimeVersion | string |
CosmosDbSettings
| Name | Description | Value |
|---|---|---|
| collectionsThroughput | int |
EncryptionProperty
| Name | Description | Value |
|---|---|---|
| cosmosDbResourceId | The byok cosmosdb account that customer brings to store customer's data with encryption |
string |
| identity | Identity to be used with the keyVault | IdentityForCmk |
| keyVaultProperties | KeyVault details to do the encryption | KeyVaultProperties (required) |
| searchAccountResourceId | The byok search account that customer brings to store customer's data with encryption |
string |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled' 'Enabled' (required) |
| storageAccountResourceId | The byok storage account that customer brings to store customer's data with encryption |
string |
FeatureStoreSettings
| Name | Description | Value |
|---|---|---|
| computeRuntime | ComputeRuntimeDto | |
| offlineStoreConnectionName | string | |
| onlineStoreConnectionName | string |
FqdnOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | string | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'FQDN' (required) |
IdentityForCmk
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | UserAssignedIdentity to be used to fetch the encryption key from keyVault | string |
IPRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). Value could be 'Allow' or 'Deny'. | string |
KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| identityClientId | Currently, we support only SystemAssigned MSI. We need this when we support UserAssignedIdentities |
string |
| keyIdentifier | KeyVault key identifier to encrypt the data | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| keyVaultArmId | KeyVault Arm Id that contains the data encryption key | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
ManagedNetworkProvisionStatus
| Name | Description | Value |
|---|---|---|
| sparkReady | bool | |
| status | Status for the managed network of a machine learning workspace. | 'Active' 'Inactive' |
ManagedNetworkSettings
| Name | Description | Value |
|---|---|---|
| firewallSku | Firewall Sku used for FQDN Rules | 'Basic' 'Standard' |
| isolationMode | Isolation mode for the managed network of a machine learning workspace. | 'AllowInternetOutbound' 'AllowOnlyApprovedOutbound' 'Disabled' |
| outboundRules | Dictionary of <OutboundRule> | ManagedNetworkSettingsOutboundRules |
| status | Status of the Provisioning for the managed network of a machine learning workspace. | ManagedNetworkProvisionStatus |
ManagedNetworkSettingsOutboundRules
| Name | Description | Value |
|---|
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.MachineLearningServices/workspaces
| Name | Description | Value |
|---|---|---|
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| kind | string | |
| location | string | |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| properties | Additional attributes of the entity. | WorkspaceProperties (required) |
| sku | Optional. This field is required to be implemented by the RP because AML is supporting more than one tier | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
NetworkAcls
| Name | Description | Value |
|---|---|---|
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
| ipRules | Rules governing the accessibility of a resource from a specific ip address or ip range. | IPRule[] |
OutboundRule
| Name | Description | Value |
|---|---|---|
| category | Category of a managed network Outbound Rule of a machine learning workspace. | 'Dependency' 'Recommended' 'Required' 'UserDefined' |
| status | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| type | Set to 'FQDN' for type FqdnOutboundRule. Set to 'PrivateEndpoint' for type PrivateEndpointOutboundRule. Set to 'ServiceTag' for type ServiceTagOutboundRule. | 'FQDN' 'PrivateEndpoint' 'ServiceTag' (required) |
PrivateEndpointDestination
| Name | Description | Value |
|---|---|---|
| serviceResourceId | string | |
| sparkEnabled | bool | |
| sparkStatus | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| subresourceTarget | string |
PrivateEndpointOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Private Endpoint destination for a Private Endpoint Outbound Rule for the managed network of a machine learning workspace. | PrivateEndpointDestination |
| fqdns | string[] | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'PrivateEndpoint' (required) |
ServerlessComputeSettings
| Name | Description | Value |
|---|---|---|
| serverlessComputeCustomSubnet | The resource ID of an existing virtual network subnet in which serverless compute nodes should be deployed | string |
| serverlessComputeNoPublicIP | The flag to signal if serverless compute nodes deployed in custom vNet would have no public IP addresses for a workspace with private endpoint | bool |
ServiceManagedResourcesSettings
| Name | Description | Value |
|---|---|---|
| cosmosDb | CosmosDbSettings |
ServiceTagDestination
| Name | Description | Value |
|---|---|---|
| action | The action enum for networking rule. | 'Allow' 'Deny' |
| addressPrefixes | Optional, if provided, the ServiceTag property will be ignored. | string[] |
| portRanges | string | |
| protocol | string | |
| serviceTag | string |
ServiceTagOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Service Tag destination for a Service Tag Outbound Rule for the managed network of a machine learning workspace. | ServiceTagDestination |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'ServiceTag' (required) |
SharedPrivateLinkResource
| Name | Description | Value |
|---|---|---|
| name | Unique name of the private link | string |
| properties | Properties of a shared private link resource. | SharedPrivateLinkResourceProperty |
SharedPrivateLinkResourceProperty
| Name | Description | Value |
|---|---|---|
| groupId | group id of the private link | string |
| privateLinkResourceId | the resource id that private link links to | string |
| requestMessage | Request message | string |
| status | Connection status of the service consumer with the service provider | 'Approved' 'Disconnected' 'Pending' 'Rejected' 'Timeout' |
Sku
| Name | Description | Value |
|---|---|---|
| capacity | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. | int |
| family | If the service has different generations of hardware, for the same SKU, then that can be captured here. | string |
| name | The name of the SKU. Ex - P3. It is typically a letter+number code | string (required) |
| size | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. | string |
| tier | This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. | 'Basic' 'Free' 'Premium' 'Standard' |
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
WorkspaceHubConfig
| Name | Description | Value |
|---|---|---|
| additionalWorkspaceStorageAccounts | string[] | |
| defaultWorkspaceResourceGroup | string |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| allowRoleAssignmentOnRG | The flag to indicate whether we will do role assignment for the workspace MSI on resource group level. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. | string |
| associatedWorkspaces | string[] | |
| containerRegistries | string[] | |
| containerRegistry | ARM id of the container registry associated with this workspace. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services | string |
| enableDataIsolation | bool | |
| enableServiceSideCMKEncryption | bool | |
| enableSimplifiedCmk | Flag to tell if simplified CMK should be enabled for this workspace. | bool |
| enableSoftwareBillOfMaterials | Flag to tell if SoftwareBillOfMaterials should be enabled for this workspace. | bool |
| encryption | EncryptionProperty | |
| existingWorkspaces | string[] | |
| featureStoreSettings | Settings for feature store type workspace. | FeatureStoreSettings |
| friendlyName | The friendly name for this workspace. This name in mutable | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service | bool |
| hubResourceId | string | |
| imageBuildCompute | The compute name for image build | string |
| ipAllowlist | The list of IPv4 addresses that are allowed to access the workspace. | string[] |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created | string |
| keyVaults | string[] | |
| managedNetwork | Managed Network settings for a machine learning workspace. | ManagedNetworkSettings |
| networkAcls | A set of rules governing the network accessibility of the workspace. | NetworkAcls |
| primaryUserAssignedIdentity | The user assigned identity resource id that represents the workspace identity. | string |
| provisionNetworkNow | Set to trigger the provisioning of the managed VNet with the default Options when creating a Workspace with the managed VNet enabled, or else it does nothing. | bool |
| publicNetworkAccess | Whether requests from Public Network are allowed. | 'Disabled' 'Enabled' |
| serverlessComputeSettings | Settings for serverless compute in a workspace | ServerlessComputeSettings |
| serviceManagedResourcesSettings | The service managed resource settings. | ServiceManagedResourcesSettings |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| softDeleteRetentionInDays | Retention time in days after workspace get soft deleted. | int |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created | string |
| storageAccounts | string[] | |
| systemDatastoresAuthMode | The auth mode used for accessing the system datastores of the workspace. | 'AccessKey' 'Identity' 'UserDelegationSAS' |
| v1LegacyMode | Enabling v1_legacy_mode may prevent you from using features provided by the v2 API. | bool |
| workspaceHubConfig | WorkspaceHub's configuration object. | WorkspaceHubConfig |
WorkspaceTags
| Name | Description | Value |
|---|
Quickstart samples
The following quickstart samples deploy this resource type.
| Bicep File | Description |
|---|---|
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio basic setup | This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted | This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio with Microsoft Entra ID Authentication | This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
| Azure Machine Learning end-to-end secure setup | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) | This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Create an AKS compute target with a Private IP address | This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
| Create an Azure Machine Learning service workspace | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
| Create an Azure Machine Learning service workspace (CMK) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
| Create an Azure Machine Learning service workspace (legacy) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Create an Azure Machine Learning service workspace (vnet) | This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Deploy Secure Azure AI Studio with a managed virtual network | This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
ARM template resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces resource, add the following JSON to your template.
{
"type": "Microsoft.MachineLearningServices/workspaces",
"apiVersion": "2024-10-01-preview",
"name": "string",
"identity": {
"type": "string",
"userAssignedIdentities": {
"{customized property}": {
}
}
},
"kind": "string",
"location": "string",
"properties": {
"allowPublicAccessWhenBehindVnet": "bool",
"allowRoleAssignmentOnRG": "bool",
"applicationInsights": "string",
"associatedWorkspaces": [ "string" ],
"containerRegistries": [ "string" ],
"containerRegistry": "string",
"description": "string",
"discoveryUrl": "string",
"enableDataIsolation": "bool",
"enableServiceSideCMKEncryption": "bool",
"enableSimplifiedCmk": "bool",
"enableSoftwareBillOfMaterials": "bool",
"encryption": {
"cosmosDbResourceId": "string",
"identity": {
"userAssignedIdentity": "string"
},
"keyVaultProperties": {
"identityClientId": "string",
"keyIdentifier": "string",
"keyVaultArmId": "string"
},
"searchAccountResourceId": "string",
"status": "string",
"storageAccountResourceId": "string"
},
"existingWorkspaces": [ "string" ],
"featureStoreSettings": {
"computeRuntime": {
"sparkRuntimeVersion": "string"
},
"offlineStoreConnectionName": "string",
"onlineStoreConnectionName": "string"
},
"friendlyName": "string",
"hbiWorkspace": "bool",
"hubResourceId": "string",
"imageBuildCompute": "string",
"ipAllowlist": [ "string" ],
"keyVault": "string",
"keyVaults": [ "string" ],
"managedNetwork": {
"firewallSku": "string",
"isolationMode": "string",
"outboundRules": {
"{customized property}": {
"category": "string",
"status": "string",
"type": "string"
// For remaining properties, see OutboundRule objects
}
},
"status": {
"sparkReady": "bool",
"status": "string"
}
},
"networkAcls": {
"defaultAction": "string",
"ipRules": [
{
"value": "string"
}
]
},
"primaryUserAssignedIdentity": "string",
"provisionNetworkNow": "bool",
"publicNetworkAccess": "string",
"serverlessComputeSettings": {
"serverlessComputeCustomSubnet": "string",
"serverlessComputeNoPublicIP": "bool"
},
"serviceManagedResourcesSettings": {
"cosmosDb": {
"collectionsThroughput": "int"
}
},
"sharedPrivateLinkResources": [
{
"name": "string",
"properties": {
"groupId": "string",
"privateLinkResourceId": "string",
"requestMessage": "string",
"status": "string"
}
}
],
"softDeleteRetentionInDays": "int",
"storageAccount": "string",
"storageAccounts": [ "string" ],
"systemDatastoresAuthMode": "string",
"v1LegacyMode": "bool",
"workspaceHubConfig": {
"additionalWorkspaceStorageAccounts": [ "string" ],
"defaultWorkspaceResourceGroup": "string"
}
},
"sku": {
"capacity": "int",
"family": "string",
"name": "string",
"size": "string",
"tier": "string"
},
"tags": {
"{customized property}": "string"
}
}
OutboundRule objects
Set the type property to specify the type of object.
For FQDN, use:
{
"destination": "string",
"type": "FQDN"
}
For PrivateEndpoint, use:
{
"destination": {
"serviceResourceId": "string",
"sparkEnabled": "bool",
"sparkStatus": "string",
"subresourceTarget": "string"
},
"fqdns": [ "string" ],
"type": "PrivateEndpoint"
}
For ServiceTag, use:
{
"destination": {
"action": "string",
"addressPrefixes": [ "string" ],
"portRanges": "string",
"protocol": "string",
"serviceTag": "string"
},
"type": "ServiceTag"
}
Property values
ComputeRuntimeDto
| Name | Description | Value |
|---|---|---|
| sparkRuntimeVersion | string |
CosmosDbSettings
| Name | Description | Value |
|---|---|---|
| collectionsThroughput | int |
EncryptionProperty
| Name | Description | Value |
|---|---|---|
| cosmosDbResourceId | The byok cosmosdb account that customer brings to store customer's data with encryption |
string |
| identity | Identity to be used with the keyVault | IdentityForCmk |
| keyVaultProperties | KeyVault details to do the encryption | KeyVaultProperties (required) |
| searchAccountResourceId | The byok search account that customer brings to store customer's data with encryption |
string |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled' 'Enabled' (required) |
| storageAccountResourceId | The byok storage account that customer brings to store customer's data with encryption |
string |
FeatureStoreSettings
| Name | Description | Value |
|---|---|---|
| computeRuntime | ComputeRuntimeDto | |
| offlineStoreConnectionName | string | |
| onlineStoreConnectionName | string |
FqdnOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | string | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'FQDN' (required) |
IdentityForCmk
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | UserAssignedIdentity to be used to fetch the encryption key from keyVault | string |
IPRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). Value could be 'Allow' or 'Deny'. | string |
KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| identityClientId | Currently, we support only SystemAssigned MSI. We need this when we support UserAssignedIdentities |
string |
| keyIdentifier | KeyVault key identifier to encrypt the data | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| keyVaultArmId | KeyVault Arm Id that contains the data encryption key | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
ManagedNetworkProvisionStatus
| Name | Description | Value |
|---|---|---|
| sparkReady | bool | |
| status | Status for the managed network of a machine learning workspace. | 'Active' 'Inactive' |
ManagedNetworkSettings
| Name | Description | Value |
|---|---|---|
| firewallSku | Firewall Sku used for FQDN Rules | 'Basic' 'Standard' |
| isolationMode | Isolation mode for the managed network of a machine learning workspace. | 'AllowInternetOutbound' 'AllowOnlyApprovedOutbound' 'Disabled' |
| outboundRules | Dictionary of <OutboundRule> | ManagedNetworkSettingsOutboundRules |
| status | Status of the Provisioning for the managed network of a machine learning workspace. | ManagedNetworkProvisionStatus |
ManagedNetworkSettingsOutboundRules
| Name | Description | Value |
|---|
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.MachineLearningServices/workspaces
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2024-10-01-preview' |
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| kind | string | |
| location | string | |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| properties | Additional attributes of the entity. | WorkspaceProperties (required) |
| sku | Optional. This field is required to be implemented by the RP because AML is supporting more than one tier | Sku |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.MachineLearningServices/workspaces' |
NetworkAcls
| Name | Description | Value |
|---|---|---|
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
| ipRules | Rules governing the accessibility of a resource from a specific ip address or ip range. | IPRule[] |
OutboundRule
| Name | Description | Value |
|---|---|---|
| category | Category of a managed network Outbound Rule of a machine learning workspace. | 'Dependency' 'Recommended' 'Required' 'UserDefined' |
| status | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| type | Set to 'FQDN' for type FqdnOutboundRule. Set to 'PrivateEndpoint' for type PrivateEndpointOutboundRule. Set to 'ServiceTag' for type ServiceTagOutboundRule. | 'FQDN' 'PrivateEndpoint' 'ServiceTag' (required) |
PrivateEndpointDestination
| Name | Description | Value |
|---|---|---|
| serviceResourceId | string | |
| sparkEnabled | bool | |
| sparkStatus | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| subresourceTarget | string |
PrivateEndpointOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Private Endpoint destination for a Private Endpoint Outbound Rule for the managed network of a machine learning workspace. | PrivateEndpointDestination |
| fqdns | string[] | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'PrivateEndpoint' (required) |
ServerlessComputeSettings
| Name | Description | Value |
|---|---|---|
| serverlessComputeCustomSubnet | The resource ID of an existing virtual network subnet in which serverless compute nodes should be deployed | string |
| serverlessComputeNoPublicIP | The flag to signal if serverless compute nodes deployed in custom vNet would have no public IP addresses for a workspace with private endpoint | bool |
ServiceManagedResourcesSettings
| Name | Description | Value |
|---|---|---|
| cosmosDb | CosmosDbSettings |
ServiceTagDestination
| Name | Description | Value |
|---|---|---|
| action | The action enum for networking rule. | 'Allow' 'Deny' |
| addressPrefixes | Optional, if provided, the ServiceTag property will be ignored. | string[] |
| portRanges | string | |
| protocol | string | |
| serviceTag | string |
ServiceTagOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Service Tag destination for a Service Tag Outbound Rule for the managed network of a machine learning workspace. | ServiceTagDestination |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'ServiceTag' (required) |
SharedPrivateLinkResource
| Name | Description | Value |
|---|---|---|
| name | Unique name of the private link | string |
| properties | Properties of a shared private link resource. | SharedPrivateLinkResourceProperty |
SharedPrivateLinkResourceProperty
| Name | Description | Value |
|---|---|---|
| groupId | group id of the private link | string |
| privateLinkResourceId | the resource id that private link links to | string |
| requestMessage | Request message | string |
| status | Connection status of the service consumer with the service provider | 'Approved' 'Disconnected' 'Pending' 'Rejected' 'Timeout' |
Sku
| Name | Description | Value |
|---|---|---|
| capacity | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. | int |
| family | If the service has different generations of hardware, for the same SKU, then that can be captured here. | string |
| name | The name of the SKU. Ex - P3. It is typically a letter+number code | string (required) |
| size | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. | string |
| tier | This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. | 'Basic' 'Free' 'Premium' 'Standard' |
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
WorkspaceHubConfig
| Name | Description | Value |
|---|---|---|
| additionalWorkspaceStorageAccounts | string[] | |
| defaultWorkspaceResourceGroup | string |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| allowRoleAssignmentOnRG | The flag to indicate whether we will do role assignment for the workspace MSI on resource group level. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. | string |
| associatedWorkspaces | string[] | |
| containerRegistries | string[] | |
| containerRegistry | ARM id of the container registry associated with this workspace. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services | string |
| enableDataIsolation | bool | |
| enableServiceSideCMKEncryption | bool | |
| enableSimplifiedCmk | Flag to tell if simplified CMK should be enabled for this workspace. | bool |
| enableSoftwareBillOfMaterials | Flag to tell if SoftwareBillOfMaterials should be enabled for this workspace. | bool |
| encryption | EncryptionProperty | |
| existingWorkspaces | string[] | |
| featureStoreSettings | Settings for feature store type workspace. | FeatureStoreSettings |
| friendlyName | The friendly name for this workspace. This name in mutable | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service | bool |
| hubResourceId | string | |
| imageBuildCompute | The compute name for image build | string |
| ipAllowlist | The list of IPv4 addresses that are allowed to access the workspace. | string[] |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created | string |
| keyVaults | string[] | |
| managedNetwork | Managed Network settings for a machine learning workspace. | ManagedNetworkSettings |
| networkAcls | A set of rules governing the network accessibility of the workspace. | NetworkAcls |
| primaryUserAssignedIdentity | The user assigned identity resource id that represents the workspace identity. | string |
| provisionNetworkNow | Set to trigger the provisioning of the managed VNet with the default Options when creating a Workspace with the managed VNet enabled, or else it does nothing. | bool |
| publicNetworkAccess | Whether requests from Public Network are allowed. | 'Disabled' 'Enabled' |
| serverlessComputeSettings | Settings for serverless compute in a workspace | ServerlessComputeSettings |
| serviceManagedResourcesSettings | The service managed resource settings. | ServiceManagedResourcesSettings |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| softDeleteRetentionInDays | Retention time in days after workspace get soft deleted. | int |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created | string |
| storageAccounts | string[] | |
| systemDatastoresAuthMode | The auth mode used for accessing the system datastores of the workspace. | 'AccessKey' 'Identity' 'UserDelegationSAS' |
| v1LegacyMode | Enabling v1_legacy_mode may prevent you from using features provided by the v2 API. | bool |
| workspaceHubConfig | WorkspaceHub's configuration object. | WorkspaceHubConfig |
WorkspaceTags
| Name | Description | Value |
|---|
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio basic setup |
This set of templates demonstrates how to set up Azure AI Studio with the basic setup, meaning with public internet access enabled, Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted |
This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio Network Restricted |
This set of templates demonstrates how to set up Azure AI Studio with private link and egress disabled, using Microsoft-managed keys for encryption and Microsoft-managed identity configuration for the AI resource. |
| Azure AI Studio with Microsoft Entra ID Authentication |
This set of templates demonstrates how to set up Azure AI Studio with Microsoft Entra ID authentication for dependent resources, such as Azure AI Services and Azure Storage. |
| Azure Machine Learning end-to-end secure setup |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning end-to-end secure setup (legacy) |
This set of Bicep templates demonstrates how to set up Azure Machine Learning end-to-end in a secure set up. This reference implementation includes the Workspace, a compute cluster, compute instance and attached private AKS cluster. |
| Azure Machine Learning Workspace |
This template creates a new Azure Machine Learning Workspace, along with an encrypted Storage Account, KeyVault and Applications Insights Logging |
| Create AML workspace with multiple Datasets & Datastores |
This template creates Azure Machine Learning workspace with multiple datasets & datastores. |
| Create an AKS compute target with a Private IP address |
This template creates an AKS compute target in given Azure Machine Learning service workspace with a private IP address. |
| Create an Azure Machine Learning service workspace |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the minimal set of resources you require to get started with Azure Machine Learning. |
| Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies how to create an Azure Machine Learning workspace with service-side encryption using your encryption keys. |
| Create an Azure Machine Learning service workspace (CMK) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. The example shows how to configure Azure Machine Learning for encryption with a customer-managed encryption key. |
| Create an Azure Machine Learning service workspace (legacy) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Create an Azure Machine Learning service workspace (vnet) |
This deployment template specifies an Azure Machine Learning workspace, and its associated resources including Azure Key Vault, Azure Storage, Azure Application Insights and Azure Container Registry. This configuration describes the set of resources you require to get started with Azure Machine Learning in a network isolated set up. |
| Deploy Secure Azure AI Studio with a managed virtual network |
This template creates a secure Azure AI Studio environment with robust network and identity security restrictions. |
Terraform (AzAPI provider) resource definition
The workspaces resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.MachineLearningServices/workspaces resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.MachineLearningServices/workspaces@2024-10-01-preview"
name = "string"
identity = {
type = "string"
userAssignedIdentities = {
{customized property} = {
}
}
}
kind = "string"
location = "string"
body = jsonencode({
properties = {
allowPublicAccessWhenBehindVnet = bool
allowRoleAssignmentOnRG = bool
applicationInsights = "string"
associatedWorkspaces = [
"string"
]
containerRegistries = [
"string"
]
containerRegistry = "string"
description = "string"
discoveryUrl = "string"
enableDataIsolation = bool
enableServiceSideCMKEncryption = bool
enableSimplifiedCmk = bool
enableSoftwareBillOfMaterials = bool
encryption = {
cosmosDbResourceId = "string"
identity = {
userAssignedIdentity = "string"
}
keyVaultProperties = {
identityClientId = "string"
keyIdentifier = "string"
keyVaultArmId = "string"
}
searchAccountResourceId = "string"
status = "string"
storageAccountResourceId = "string"
}
existingWorkspaces = [
"string"
]
featureStoreSettings = {
computeRuntime = {
sparkRuntimeVersion = "string"
}
offlineStoreConnectionName = "string"
onlineStoreConnectionName = "string"
}
friendlyName = "string"
hbiWorkspace = bool
hubResourceId = "string"
imageBuildCompute = "string"
ipAllowlist = [
"string"
]
keyVault = "string"
keyVaults = [
"string"
]
managedNetwork = {
firewallSku = "string"
isolationMode = "string"
outboundRules = {
{customized property} = {
category = "string"
status = "string"
type = "string"
// For remaining properties, see OutboundRule objects
}
}
status = {
sparkReady = bool
status = "string"
}
}
networkAcls = {
defaultAction = "string"
ipRules = [
{
value = "string"
}
]
}
primaryUserAssignedIdentity = "string"
provisionNetworkNow = bool
publicNetworkAccess = "string"
serverlessComputeSettings = {
serverlessComputeCustomSubnet = "string"
serverlessComputeNoPublicIP = bool
}
serviceManagedResourcesSettings = {
cosmosDb = {
collectionsThroughput = int
}
}
sharedPrivateLinkResources = [
{
name = "string"
properties = {
groupId = "string"
privateLinkResourceId = "string"
requestMessage = "string"
status = "string"
}
}
]
softDeleteRetentionInDays = int
storageAccount = "string"
storageAccounts = [
"string"
]
systemDatastoresAuthMode = "string"
v1LegacyMode = bool
workspaceHubConfig = {
additionalWorkspaceStorageAccounts = [
"string"
]
defaultWorkspaceResourceGroup = "string"
}
}
})
sku = {
capacity = int
family = "string"
name = "string"
size = "string"
tier = "string"
}
tags = {
{customized property} = "string"
}
}
OutboundRule objects
Set the type property to specify the type of object.
For FQDN, use:
{
destination = "string"
type = "FQDN"
}
For PrivateEndpoint, use:
{
destination = {
serviceResourceId = "string"
sparkEnabled = bool
sparkStatus = "string"
subresourceTarget = "string"
}
fqdns = [
"string"
]
type = "PrivateEndpoint"
}
For ServiceTag, use:
{
destination = {
action = "string"
addressPrefixes = [
"string"
]
portRanges = "string"
protocol = "string"
serviceTag = "string"
}
type = "ServiceTag"
}
Property values
ComputeRuntimeDto
| Name | Description | Value |
|---|---|---|
| sparkRuntimeVersion | string |
CosmosDbSettings
| Name | Description | Value |
|---|---|---|
| collectionsThroughput | int |
EncryptionProperty
| Name | Description | Value |
|---|---|---|
| cosmosDbResourceId | The byok cosmosdb account that customer brings to store customer's data with encryption |
string |
| identity | Identity to be used with the keyVault | IdentityForCmk |
| keyVaultProperties | KeyVault details to do the encryption | KeyVaultProperties (required) |
| searchAccountResourceId | The byok search account that customer brings to store customer's data with encryption |
string |
| status | Indicates whether or not the encryption is enabled for the workspace. | 'Disabled' 'Enabled' (required) |
| storageAccountResourceId | The byok storage account that customer brings to store customer's data with encryption |
string |
FeatureStoreSettings
| Name | Description | Value |
|---|---|---|
| computeRuntime | ComputeRuntimeDto | |
| offlineStoreConnectionName | string | |
| onlineStoreConnectionName | string |
FqdnOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | string | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'FQDN' (required) |
IdentityForCmk
| Name | Description | Value |
|---|---|---|
| userAssignedIdentity | UserAssignedIdentity to be used to fetch the encryption key from keyVault | string |
IPRule
| Name | Description | Value |
|---|---|---|
| value | An IPv4 address range in CIDR notation, such as '124.56.78.91' (simple IP address) or '124.56.78.0/24' (all addresses that start with 124.56.78). Value could be 'Allow' or 'Deny'. | string |
KeyVaultProperties
| Name | Description | Value |
|---|---|---|
| identityClientId | Currently, we support only SystemAssigned MSI. We need this when we support UserAssignedIdentities |
string |
| keyIdentifier | KeyVault key identifier to encrypt the data | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
| keyVaultArmId | KeyVault Arm Id that contains the data encryption key | string Constraints: Min length = 1 Pattern = [a-zA-Z0-9_] (required) |
ManagedNetworkProvisionStatus
| Name | Description | Value |
|---|---|---|
| sparkReady | bool | |
| status | Status for the managed network of a machine learning workspace. | 'Active' 'Inactive' |
ManagedNetworkSettings
| Name | Description | Value |
|---|---|---|
| firewallSku | Firewall Sku used for FQDN Rules | 'Basic' 'Standard' |
| isolationMode | Isolation mode for the managed network of a machine learning workspace. | 'AllowInternetOutbound' 'AllowOnlyApprovedOutbound' 'Disabled' |
| outboundRules | Dictionary of <OutboundRule> | ManagedNetworkSettingsOutboundRules |
| status | Status of the Provisioning for the managed network of a machine learning workspace. | ManagedNetworkProvisionStatus |
ManagedNetworkSettingsOutboundRules
| Name | Description | Value |
|---|
ManagedServiceIdentity
| Name | Description | Value |
|---|---|---|
| type | Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed). | 'None' 'SystemAssigned' 'SystemAssigned,UserAssigned' 'UserAssigned' (required) |
| userAssignedIdentities | The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests. | UserAssignedIdentities |
Microsoft.MachineLearningServices/workspaces
| Name | Description | Value |
|---|---|---|
| identity | Managed service identity (system assigned and/or user assigned identities) | ManagedServiceIdentity |
| kind | string | |
| location | string | |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| properties | Additional attributes of the entity. | WorkspaceProperties (required) |
| sku | Optional. This field is required to be implemented by the RP because AML is supporting more than one tier | Sku |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.MachineLearningServices/workspaces@2024-10-01-preview" |
NetworkAcls
| Name | Description | Value |
|---|---|---|
| defaultAction | The default action when no rule from ipRules and from virtualNetworkRules match. This is only used after the bypass property has been evaluated. | 'Allow' 'Deny' |
| ipRules | Rules governing the accessibility of a resource from a specific ip address or ip range. | IPRule[] |
OutboundRule
| Name | Description | Value |
|---|---|---|
| category | Category of a managed network Outbound Rule of a machine learning workspace. | 'Dependency' 'Recommended' 'Required' 'UserDefined' |
| status | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| type | Set to 'FQDN' for type FqdnOutboundRule. Set to 'PrivateEndpoint' for type PrivateEndpointOutboundRule. Set to 'ServiceTag' for type ServiceTagOutboundRule. | 'FQDN' 'PrivateEndpoint' 'ServiceTag' (required) |
PrivateEndpointDestination
| Name | Description | Value |
|---|---|---|
| serviceResourceId | string | |
| sparkEnabled | bool | |
| sparkStatus | Type of a managed network Outbound Rule of a machine learning workspace. | 'Active' 'Inactive' |
| subresourceTarget | string |
PrivateEndpointOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Private Endpoint destination for a Private Endpoint Outbound Rule for the managed network of a machine learning workspace. | PrivateEndpointDestination |
| fqdns | string[] | |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'PrivateEndpoint' (required) |
ServerlessComputeSettings
| Name | Description | Value |
|---|---|---|
| serverlessComputeCustomSubnet | The resource ID of an existing virtual network subnet in which serverless compute nodes should be deployed | string |
| serverlessComputeNoPublicIP | The flag to signal if serverless compute nodes deployed in custom vNet would have no public IP addresses for a workspace with private endpoint | bool |
ServiceManagedResourcesSettings
| Name | Description | Value |
|---|---|---|
| cosmosDb | CosmosDbSettings |
ServiceTagDestination
| Name | Description | Value |
|---|---|---|
| action | The action enum for networking rule. | 'Allow' 'Deny' |
| addressPrefixes | Optional, if provided, the ServiceTag property will be ignored. | string[] |
| portRanges | string | |
| protocol | string | |
| serviceTag | string |
ServiceTagOutboundRule
| Name | Description | Value |
|---|---|---|
| destination | Service Tag destination for a Service Tag Outbound Rule for the managed network of a machine learning workspace. | ServiceTagDestination |
| type | Type of a managed network Outbound Rule of a machine learning workspace. | 'ServiceTag' (required) |
SharedPrivateLinkResource
| Name | Description | Value |
|---|---|---|
| name | Unique name of the private link | string |
| properties | Properties of a shared private link resource. | SharedPrivateLinkResourceProperty |
SharedPrivateLinkResourceProperty
| Name | Description | Value |
|---|---|---|
| groupId | group id of the private link | string |
| privateLinkResourceId | the resource id that private link links to | string |
| requestMessage | Request message | string |
| status | Connection status of the service consumer with the service provider | 'Approved' 'Disconnected' 'Pending' 'Rejected' 'Timeout' |
Sku
| Name | Description | Value |
|---|---|---|
| capacity | If the SKU supports scale out/in then the capacity integer should be included. If scale out/in is not possible for the resource this may be omitted. | int |
| family | If the service has different generations of hardware, for the same SKU, then that can be captured here. | string |
| name | The name of the SKU. Ex - P3. It is typically a letter+number code | string (required) |
| size | The SKU size. When the name field is the combination of tier and some other value, this would be the standalone code. | string |
| tier | This field is required to be implemented by the Resource Provider if the service has more than one tier, but is not required on a PUT. | 'Basic' 'Free' 'Premium' 'Standard' |
UserAssignedIdentities
| Name | Description | Value |
|---|
UserAssignedIdentity
| Name | Description | Value |
|---|
WorkspaceHubConfig
| Name | Description | Value |
|---|---|---|
| additionalWorkspaceStorageAccounts | string[] | |
| defaultWorkspaceResourceGroup | string |
WorkspaceProperties
| Name | Description | Value |
|---|---|---|
| allowPublicAccessWhenBehindVnet | The flag to indicate whether to allow public access when behind VNet. | bool |
| allowRoleAssignmentOnRG | The flag to indicate whether we will do role assignment for the workspace MSI on resource group level. | bool |
| applicationInsights | ARM id of the application insights associated with this workspace. | string |
| associatedWorkspaces | string[] | |
| containerRegistries | string[] | |
| containerRegistry | ARM id of the container registry associated with this workspace. | string |
| description | The description of this workspace. | string |
| discoveryUrl | Url for the discovery service to identify regional endpoints for machine learning experimentation services | string |
| enableDataIsolation | bool | |
| enableServiceSideCMKEncryption | bool | |
| enableSimplifiedCmk | Flag to tell if simplified CMK should be enabled for this workspace. | bool |
| enableSoftwareBillOfMaterials | Flag to tell if SoftwareBillOfMaterials should be enabled for this workspace. | bool |
| encryption | EncryptionProperty | |
| existingWorkspaces | string[] | |
| featureStoreSettings | Settings for feature store type workspace. | FeatureStoreSettings |
| friendlyName | The friendly name for this workspace. This name in mutable | string |
| hbiWorkspace | The flag to signal HBI data in the workspace and reduce diagnostic data collected by the service | bool |
| hubResourceId | string | |
| imageBuildCompute | The compute name for image build | string |
| ipAllowlist | The list of IPv4 addresses that are allowed to access the workspace. | string[] |
| keyVault | ARM id of the key vault associated with this workspace. This cannot be changed once the workspace has been created | string |
| keyVaults | string[] | |
| managedNetwork | Managed Network settings for a machine learning workspace. | ManagedNetworkSettings |
| networkAcls | A set of rules governing the network accessibility of the workspace. | NetworkAcls |
| primaryUserAssignedIdentity | The user assigned identity resource id that represents the workspace identity. | string |
| provisionNetworkNow | Set to trigger the provisioning of the managed VNet with the default Options when creating a Workspace with the managed VNet enabled, or else it does nothing. | bool |
| publicNetworkAccess | Whether requests from Public Network are allowed. | 'Disabled' 'Enabled' |
| serverlessComputeSettings | Settings for serverless compute in a workspace | ServerlessComputeSettings |
| serviceManagedResourcesSettings | The service managed resource settings. | ServiceManagedResourcesSettings |
| sharedPrivateLinkResources | The list of shared private link resources in this workspace. | SharedPrivateLinkResource[] |
| softDeleteRetentionInDays | Retention time in days after workspace get soft deleted. | int |
| storageAccount | ARM id of the storage account associated with this workspace. This cannot be changed once the workspace has been created | string |
| storageAccounts | string[] | |
| systemDatastoresAuthMode | The auth mode used for accessing the system datastores of the workspace. | 'AccessKey' 'Identity' 'UserDelegationSAS' |
| v1LegacyMode | Enabling v1_legacy_mode may prevent you from using features provided by the v2 API. | bool |
| workspaceHubConfig | WorkspaceHub's configuration object. | WorkspaceHubConfig |
WorkspaceTags
| Name | Description | Value |
|---|