Dela via


Prerequisites to deploy Manufacturing data solutions using Solution Center

Important

Some or all of this functionality is available as part of a preview release. The content and the functionality are subject to change.

Note

All prior versions to 1.0 of Manufacturing data solutions are deprecated. Any deployments prior to version 0.8 can't upgrade to the latest 1.0 version. A redeployment to the latest version is required.

This section provides information on how to prepare for the deployment of Data solutions and Factory Operations Agent in Azure AI in the designated tenant. The prerequisites must be completed before deploying Data solutions and Factory Operations Agent in Azure AI to the designated tenant.

Azure subscription requirements

An Azure subscription is a fundamental component of Microsoft Azure, serving as a logical container for provisioning and managing Azure resources and services.

Sign in to Azure. To proceed, ensure that your subscription has access to Azure OpenAI, is allowlisted with Manufacturing data solutions, and the Microsoft.ManufacturingPlatform namespace and necessary Azure resource providers are registered.

Ensure that you have the following to deploy and test Manufacturing data solutions:

  • An Azure subscription

    • Enabled access to Azure OpenAI

    • On the subscription, user should have Contributor role for Deployment and User Access Administrator role for Role Assignment

    • Quotas availability according to model and region:

      • GPT-4, 0125-Preview (Turbo)
      • GPT-4-32k, 0613
      • GPT-4o, 2024-05-13
    • Allowlist your Azure subscription.

    Important

    Manufacturing data solutions in Fabric (preview) and Factory Operations Agent in Azure AI requires registration and is currently only available to approved customers and partners in the EUAP (Early User Access Program) region during the preview period. Request configuration support during the preview period by completing the Allowlist request form. If you later want to enroll in a public region, a new deployment will be required. For a list of available regions, see Azure region availability for Manufacturing data solutions.

Register the preview feature

When the request is successfully completed, you can register the preview feature. Registration can be done through the Azure portal UI or by running an Azure command.

Note

Azure OpenAI and allowlisting is mandatory to execute these commands.

Azure portal UI:

Go to the Preview features in your subscription. Search for Default Feature and then select Register.

Screenshot of Feature Registration from Azure portal.

Azure command:

az feature register --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform --name DefaultFeature

Note

Azure resources are categorized under namespaces (e.g., Microsoft.Compute, Microsoft.Storage). In this case, 'Microsoft.ManufacturingPlatform' is the namespace under which the resource type is there.

  1. You can execute the registration of the resource provider.

    az provider register --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform

    Tip

    You can check if the state of the Azure feature is registered by using the following command: az feature show --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --namespace Microsoft.ManufacturingPlatform --name DefaultFeature

  2. For NRG lockdown, run the following command.

    az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview

Register necessary Azure resource providers

An Azure resource provider is a collection of REST operations that provide functionality for an Azure service. Manufacturing data solutions uses common Azure resources such as AKS and Azure monitoring. Resource provider defines the Azure resources that are available for your subscription to deploy to your account.

You can register Azure resource providers through Azure portal, PowerShell, or Azure CLI. You can find all the needed Azure resource providers that Manufacturing data solutions needs during the deployment in the given table.

Required resource providers
Azure Resource name Azure Resource provider
Azure Data Explorer Microsoft.Kusto
Azure Resource Manager Microsoft.Resources
Microsoft.Authorization
Azure Monitor Microsoft.OperationsManagement
Microsoft.Insights
Microsoft.OperationalInsights
Storage Microsoft.Storage
Azure Kubernetes Service Microsoft.Compute
Microsoft.ContainerService
Microsoft.ContainerRegistry
Microsoft.ContainerInstance
Microsoft.Kubernetes
Azure Cosmos DB Microsoft.DocumentDB
Azure Networking Microsoft.Network
Azure Managed Identity Microsoft.ManagedIdentity
Azure Policy Microsoft.GuestConfiguration
Azure Cache for Redis Microsoft.Cache
Azure Event Hub Microsoft.EventHub
Cognitive Services Microsoft.CognitiveServices
Azure Function App Microsoft.Web
Azure App Configuration Microsoft.AppConfiguration
PowerShell example to show registration state of required resource providers

Connect to Azure with an authenticated account.


Connect-AzAccount -Tenant YOUR_TENANT_ID -Subscription YOUR_SUBSCRIPTION_ID

List registration state of required resource providers.


    $providerNamespaces = "Microsoft.Kusto", "Microsoft.Resources", "Microsoft.Authorization", "Microsoft.OperationsManagement", "Microsoft.Insights", "Microsoft.OperationalInsights", "Microsoft.Storage", "Microsoft.Compute", "Microsoft.ContainerService", "Microsoft.ContainerRegistry", "Microsoft.ContainerInstance", "Microsoft.Kubernetes", "Microsoft.DocumentDB", "Microsoft.Network", "Microsoft.ManagedIdentity", "Microsoft.GuestConfiguration", "Microsoft.Cache", "Microsoft.EventHub", "Microsoft.CognitiveServices", "Microsoft.Web", "Microsoft.AppConfiguration"
    foreach ($providerNamespace in $providerNamespaces) {
        $registrationStates = @((Get-AzResourceProvider -ProviderNamespace $providerNamespace).RegistrationState | Select-Object -Unique)
        Write-Host "Provider Namespace: $providerNamespace, Registration States: [ " -NoNewline
        foreach ($registrationState in $registrationStates) {
            $color = if ($registrationState -eq "Registered") { "Green" } else { "Red" }
            Write-Host $registrationState -ForegroundColor $color -NoNewline
            if ($registrationState -ne $registrationStates[-1]) {
                Write-Host ", " -NoNewline
            }
        }
        Write-Host " ]"
    }

PowerShell example to register required resource providers

Connect to Azure with an authenticated account.

    
Connect-AzAccount -Tenant YOUR_TENANT_ID -Subscription YOUR_SUBSCRIPTION_ID
    

Register required resource providers.

   
$providerNamespaces = "Microsoft.Kusto", "Microsoft.Resources", "Microsoft.Authorization", "Microsoft.OperationsManagement", "Microsoft.Insights", "Microsoft.OperationalInsights", "Microsoft.Storage", "Microsoft.Compute", "Microsoft.ContainerService", "Microsoft.ContainerRegistry", "Microsoft.ContainerInstance", "Microsoft.Kubernetes", "Microsoft.DocumentDB", "Microsoft.Network", "Microsoft.ManagedIdentity", "Microsoft.GuestConfiguration", "Microsoft.Cache", "Microsoft.EventHub", "Microsoft.CognitiveServices", "Microsoft.Web", "Microsoft.AppConfiguration"
    foreach ($providerNamespace in $providerNamespaces) {
        Register-AzResourceProvider -ProviderNamespace $providerNamespace
    }

Install PowerShell locally with AZ module

The Az PowerShell module is a rollup module. Installing the Az PowerShell module downloads the generally available modules and makes their cmdlets available for use. These Az modules are required to run the scripts associated with deployment.

For detailed steps for installing Azmodule, refer to Install Azmodule.

Validate Virtual Machine availability

After the deployment is completed, AKS Clusters are created. AKS clusters use virtual machines of the Standard_DS family. Both Standard_DS2_v2 and Standard_DS2_v3 are used. Ensure these clusters are available in all availability zones for your subscription and region.

Check Standard_DS2_v2 SKU size:

    az vm list-skus --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --location YOUR_REGION --size Standard_DS2_v2 --all --output table

Check Standard_DS3_v2 SKU size:

    az vm list-skus --subscription YOUR_SUBSCRIPTION_NAME_OR_ID --location YOUR_REGION --size Standard_DS3_v2 --all --output table

The restrictions should mention None.

A negative result can look like the following example.

    virtualMachines  eastus2      Standard_DS2_v2         1,2,3    NotAvailableForSubscription, type: Zone, locations: eastus2, zones: 3
    virtualMachines  eastus2      Standard_DS3_v2         1,2,3    NotAvailableForSubscription, type: Zone, locations: eastus2, zones: 3

If the virtual machines aren't available, file an Azure Support ticket for your subscription and region.

Microsoft Fabric requirements

Microsoft Fabric is a comprehensive data platform for managing and analyzing data seamlessly. It includes services like Fabric Lakehouse and event streams for large-scale data processing and analysis. Configuration for Fabric resources for Manufacturing data solutions is for authentication and data ingestion.

Note

Fabric workspace should be in the same tenant with the Manufacturing data solutions deployment.

For more information, see Enable Microsoft Fabric for your organization - Microsoft Fabric | Microsoft Learn. Once enabled use Microsoft Fabric: Microsoft Fabric Enabled. After Fabric is enabled, create a One lake workspace: Create a workspace - Microsoft Fabric | Microsoft Learn

Set up Azure Key Vault and Managed Identity

Key Vault is an Azure service that securely stores and manages secrets. You can use Key Vault to store the primary connection-string keys for Fabric event streams. Managed Identity enables secure, automated identity management, allowing applications to access Azure resources without needing explicit credentials. With Managed Identity, you grant users secure access to Key Vault, simplifying the management of access permissions.

  • Create an Azure Key Vault.
  1. Fill the values in the Basics tab.

    Screenshot of keyvault.

    Configuration Item Description
    Subscription Name Name of the Subscription
    Resource Group Create or choose the resource group where you want to create Key Vault
    Name Name of Key Vault
    Region Select Desired Region
    Pricing Tier Select the required pricing tier
    Soft Delete Enabled
    Days to Retain Deleted Vaults 90 (default)
    Purge Protection Choose Disable/Enable (default is Disable)
  2. Fill the values in the Access Configuration tab.

    Screenshot of Access Configuration Tab of keyvault.

  3. All other tabs can be left with default values. Select Review and Create.

    Note

    While creating the resource, ensure that in the access configuration tab, none of the checkboxes are selected under Resource access section. This practice ensures that access to the Key Vault is strictly controlled and only granted intentionally and explicitly.

    • Create a User Assigned Managed Identity. For creating a User Assigned Managed Identity, see Managed Identities

    Note

    An Azure user assigned managed identity used to provide access to the Key Vault.

    • Grant yourself Key Vault Secrets Officer role on the Key Vault.

    • Grant the Key Vault Secrets User role to the User Assigned Managed Identity in the Key Vault.

    • Grant Owner role to the User Assigned Managed Identity to itself. Every UMI is associated with a Service Principal with the same name. This service principal should have Owner role on the same UMI resource.

    Note

    Assigning the Key Vault Secrets Officer grants the Contributor role, while the Key Vault Secrets User role allows listing and reading secrets without the ability to create or modify them.

    • Make a note of the Key Vault URI (for example, "https://your_keyvault_name.vault.azure.net"). You're asked to enter this URI during deployment time.

    Screenshot of keyvault URI.

Check required access for Factory Operations Agent

These steps guide you on creating a new app registration to control user access and creating a Microsoft Entra security group. The app registration script creates a new app with the required app roles. Microsoft Entra security group is created to give access to users and owners to the underlying AKS created after deployment of Manufacturing data solutions.

Create a new app registration

  1. Download the AppRegistration.ps1 to your local system.

  2. Start PowerShell as an administrator.

  3. Run the command Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass. This command ensures that the script is run in this process only.

  4. Sign-in to your Azure account using the command: Connect-AzAccount -Tenant YOUR_TENANT_ID

  5. Navigate to the folder where the downloaded file is located.

  6. Invoke the script, making sure to pass in the name you want to use for your app, for example: .\AppRegistration.ps1 "app_name"

  7. Make a note of the returned value for ApplicationID, referred to as Entra Application ID during the deployment.

    Screenshot of Azure app registration ID.

    Screenshot of Azure app roles registration.

Create Microsoft Entra group

Microsoft Entra Group is an identity and access management tool for controlling and managing access to resources within Azure environments.

You need a Microsoft Entra group with a list of owners and members that are given admin access to the underlying AKS. The group can be either a security group or a Microsoft 365 group. For more information on how to create a new group, see How to manage groups. Make a note of the Object ID, referred to as AKS Admin Group ID during the deployment.

Screenshot showing how to create a new Microsoft Entra group.

These steps are crucial for the successful deployment and operation of Manufacturing data solutions.

Access and interact with API endpoints

This section provides guidance on tool for working with API endpoints. We recommend using Insomnia with the Dataverse Web API to access the Manufacturing data solutions and Copilot API endpoints. However, you can also use other tools based on your needs and preferences.

Next Steps