Post Manufacturing data solutions deployment updates in Azure

Important

Some or all of this functionality is available as part of a preview release. The content and the functionality are subject to change.

This section provides information on what changes or updates are needed after deploying Manufacturing data solutions in the designated tenant.

Assign permission in Fabric to the identity of the ingestion application

Manufacturing data solutions contains an Azure Function App resource responsible for ingesting both streaming and batch data. This Function App resides in the resource group MDS-{your-deployment-name}-MRG-{UniqueID}.

For ingesting streaming data, you can use a connection string to the Fabric Event Hubs namespace.

For ingesting batch data, you can use the service principal (Managed Identity) of the Function App. This identity needs permission in Fabric.

  1. Download the file fn-auth-lakehouse.ps1 to your local system. This file can be used for ingesting data.

  2. Start PowerShell as an administrator.

  3. Run the command Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass. This lets the script run, and the change applies to the current PowerShell process only.

  4. Navigate to the folder where the downloaded file is located.

  5. Invoke the script with the correct arguments.

    .\fn-auth-lakehouse.ps1 -FunctionAppIdentity "<FunctionAppObjectId>" -WorkspaceName "<OneLakeWorkspace>" -TenantId "<TenantId>"

    For example:

    .\fn-auth-lakehouse.ps1 -FunctionAppIdentity "00001111-aaaa-2222-bbbb-3333cccc4444" -WorkspaceName "mdscontoso" -TenantId "aaaabbbb-0000-cccc-1111-dddd2222eeee"

    To find the FunctionAppObjectId, go to the Manufacturing data solutions resource group in Azure, search for the Function App with a name resembling fn-mci4m-xxxxxxxx-processor, open this Function App, and go to the Identity blade. The Object ID is visible on this page.

    Screenshot of Object ID function.

After the script runs, the connection between the OneLake workspace and the Function App is created. The Function App now appears under Manage access in the OneLake workspace.

Screenshot of Azure Function App image.

Note

Service principals, like managed identities, can only be added when both Microsoft Fabric and Microsoft Azure are located within the same tenant and use the same Entra ID.

Assign manufacturing user roles

There are two roles available on Manufacturing data solutions:

Manufacturing role | Description
Manufacturing Admin | This role is required to perform management operations, such as creating custom entities and mappings, adding custom instructions, and so on.
Manufacturing User | This role is primarily used to query for data by using the Consumption API or Copilot API.

For more details on which endpoints require specific roles, refer to the OpenAPI specifications for the deployed version.

App roles reside in App Registration.

Screenshot of App Roles.

You need to assign certain roles to all testers and users of the sample apps.

  1. Go to Microsoft Entra ID > App Registrations.

  2. Select the app registration with your chosen app name.

    Screenshot of App Registration image.

  3. Select Go to Enterprise Application.

  4. Select Assign users and groups.

  5. Select Add user/group and then select the user and assign the desired role.

    Screenshot of users added image.

Run a health check

It's best to call the Health Check API to validate that both the deployment and the user role configuration succeeded. The Health Check API returns the health of Manufacturing data solutions and whether it's ready to process requests. You need the Manufacturing Admin role to validate authentication.

Generate an authentication token

You need a valid authentication token in the request header when calling a Manufacturing data solutions API. Here are two examples of how to generate this token:

PowerShell

Connect-AzAccount -Tenant YOUR_TENANT_ID
$ACCESS_TOKEN = (Get-AzAccessToken -ResourceUrl "api://{Entra Application Id}").Token

Azure CLI

az login --tenant YOUR_TENANT_ID
ACCESS_TOKEN=$(az account get-access-token --resource "api://{Entra Application Id}" --query accessToken --output tsv)

Because the Manufacturing data solutions service uses the Managed-On Behalf Of [MOBO] model, all the resources that the service needs are created in the customer's subscription when you create a Manufacturing data solutions resource.

Get the Manufacturing data solutions Service URL

You need the Manufacturing data solutions Service URL when constructing the URL for Manufacturing data solutions API calls. You can get it from the Service URL value shown in the screenshot:

Screenshot showing how you can configure Manufacturing data solutions after deployment.

Use any API tool to run the following GET Request.

  1. Run GET https://{serviceUrl}/mds/service/health, making sure to pass in the authentication token in the header.

    Name | Required | Description
    Authorization | True | The bearer token used to authenticate the request
    User-Agent | True | Short string to identify the client. For more details, refer to User Agent.

    Here are two examples of how to make this call:

    PowerShell

    Invoke-RestMethod -Uri "https://{serviceUrl}/mds/service/health" -Method Get -Headers @{ Authorization = "Bearer $ACCESS_TOKEN" }
    

    Azure CLI

    az rest --method get --url https://$serviceUrl/mds/service/health --headers "Authorization=Bearer $ACCESS_TOKEN"
    
  2. The response code should be one of the following values:

    Code | Name | Description
    200 | OK | Successful request
    401 | Unauthorized | Unable to authenticate the request
    403 | Forbidden | Insufficient role access (for example, you don't have the right role or you aren't added to the registration)
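
When the health check returns 401 or 403, the claims in the access token usually show why. The following script is an added example, not part of the original page: it decodes the token payload locally (without verifying the signature) and names the likely cause, assuming the service applies standard Entra ID checks on the aud, exp and roles claims. The application ID, the role value Example.Admin, the function names and the cause labels are assumptions; the real role values are listed under App roles in the app registration.

```shell
#!/bin/sh
# Added example, not from the original page. Decodes token claims locally to explain
# a 401 or 403 from the health endpoint. No signature check: diagnostic use only.

# Print the JSON payload (second segment) of a JWT.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in        # restore the padding that base64url strips
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print a string or numeric claim. Assumes compact JSON (no spaces), as in issued tokens.
claim() { printf '%s' "$1" | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\).*/\1/p'; }

# Print the values of the "roles" claim, one per line (nothing if the claim is absent).
roles() { printf '%s' "$1" | sed -n 's/.*"roles":\[\([^]]*\)].*/\1/p' | tr -d '"' | tr ',' '\n'; }

# Name the likely cause of a health-check status code.
# Args: status, token, Entra application ID, required app role value, current epoch time.
diagnose() {
  p=$(jwt_payload "$2")
  exp=$(claim "$p" exp)
  case "$1" in
    200) echo "healthy" ;;
    401) case "$(claim "$p" aud)" in
           *"$3"*) if [ "${exp:-0}" -le "$5" ]; then echo "token-expired"
                   else echo "auth-failed-other"; fi ;;
           *)      echo "wrong-audience" ;;
         esac ;;
    403) if roles "$p" | grep -qxF -- "$4"; then echo "role-present-check-endpoint-role"
         else echo "role-not-in-token"; fi ;;
    *)   echo "unexpected-status" ;;
  esac
}

# Constructed, unsigned sample token for the demo (not a real credential).
b64url() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
sample_token() {   # args: aud, exp, roles as a JSON array
  echo "$(b64url '{"alg":"none"}').$(b64url "{\"aud\":\"$1\",\"exp\":$2,\"roles\":$3}").sig"
}

APP_ID="00000000-0000-0000-0000-000000000000"   # placeholder application ID
ADMIN_ROLE="Example.Admin"                      # hypothetical app role value
tok=$(sample_token "api://$APP_ID" 4102444800 '["Example.User"]')
echo "403 -> $(diagnose 403 "$tok" "$APP_ID" "$ADMIN_ROLE" "$(date +%s)")"
```

A token issued before the role assignment does not carry the new role, so request a fresh token after assigning roles and check it again.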

Upload sample data (optional)

Manufacturing data solutions initially contains no data. The steps to upload the Bakery Shop sample dataset are as follows:

  1. Navigate to the Power BI portal.
  2. Select your Fabric workspace and your Fabric Lakehouse.
  3. Locate the Lakehouse folder specified during the deployment.
  4. Select ... > Upload > Upload files.
  5. Download and extract all the CSV files in the Transformed zip.
  6. Select Open > Upload > Select all the files in the mapping folder. The mapping folder is within the Transformed folder.
  7. Select Open and then Upload.

Note

It takes about 5 minutes after loading for the data to be ready for querying.

Update Manufacturing data solutions resource using Azure portal

After your deployment is complete, you can update the properties of your deployment, such as version, SKU, copilot configuration, managed identity, and Fabric configuration.

  • Version Update

Screenshot showing how you can configure Manufacturing data solutions version after deployment.

Choose the version you want and select the Submit button to update your Manufacturing data solutions instance.

  • Agent Configuration: You can switch between your own Azure OpenAI resource and the Manufacturing data solutions managed Azure OpenAI deployment. You can also configure the GPT Model name, GPT Model version, and GPT Model capacity for the GPT model. For the Embeddings model, only Model capacity can be changed.

Note

If you previously switched from the Manufacturing data solutions managed Azure OpenAI to your own Azure OpenAI resource and want to switch back to the managed Azure OpenAI within 48 hours, purge the OpenAI instance that the solution previously deployed.

Screenshot of Agent Configuration Update.

  • Managed Identity: You can add or change the current managed identity if necessary.

    Screenshot showing how to add or change managed identity.

  • Fabric Configuration: You can update both OneLake and Key Vault configurations.

    Screenshot showing how you can update fabric configuration in Manufacturing data solutions.

  • SKU: In the Manufacturing data solutions Deployment details, select the SKU and select Update. Then, choose the desired SKU.

    Screenshot showing how you can SKU update for Manufacturing data solutions.

  • Deny Assignment Settings: Use this setting only in critical situations where unblocking is needed, for example for S360 issues or vulnerability management, and additional access is needed on underlying resources such as AKS. Use it sparingly, because these are elevated permissions. Do not delete a resource. AKS access is subject to intersection with the AKS Admin Group ID. Users are encouraged to contact support before using this setting. To use it, in Deployment details, select Deny Assignment Settings and select Add, then specify a Group Object ID. Deny assignments do not apply to this group.

    Screenshot showing how you can add Deny Assignment

Access Manufacturing data solutions API over a private network

You can access Manufacturing data solutions API over a private network by using the Azure Private Endpoint and the Azure Private DNS Zone.

To set up a private endpoint for Manufacturing data solutions, follow these steps:

  1. Go to the Azure portal.

  2. Search for and select the Application Gateway provisioned with your Manufacturing data solutions resource.

  3. Select Private link from the left-hand menu and select the Private endpoint connections tab.

  4. Select + Private endpoint to create a new private endpoint.

    Screenshot showing application gateway private endpoint connection landing page.

  5. On the Basics tab, configure the subscription, resource group, private endpoint name, network interface name, and region for the Private Endpoint. Select Next.

    Screenshot showing a private endpoint create basic tab.

    Configuration Item | Description
    Subscription | Select Subscription Name
    Resource Group | Select Existing Resource Group Name or Create New
    Name | Private Endpoint Name
    Network Interface Name | Private Endpoint Network Interface Name
    Region | Select Region

  6. On the Resource tab, select Next.

    Screenshot showing a private endpoint create resource tab.

  7. On the Virtual Network tab, select the virtual network and subnet where the private endpoint network interface should be provisioned. This should be the same virtual network and subnet from which the Manufacturing data solutions API is accessed.

    Screenshot showing a private endpoint create virtual network tab.

    Configuration Item | Description
    Virtual Network | Select Virtual Network
    Subnet | Select Subnet
    Network policy for private endpoints | Disabled (Default)
    Private IP Configuration | Dynamically allocate IP address (Default)
    Application Security Group | Add if needed; this step is optional

  8. Go to Review + Create tab and select the Create button.

    Screenshot showing a review + create tab.

After the private endpoint is created, to configure the DNS routing for Manufacturing data solutions Host, follow these steps:

  1. Go to the Azure portal.

  2. Select All Services and search for Private DNS zones.

  3. Select Create.

  4. On the Basics tab, configure the subscription, resource group, and region for the Private DNS Zone.

    Screenshot of basics tab of private DNS zones.

    Configuration Item | Description
    Subscription | Select Subscription
    Resource group | Select Resource Group
    Name | Name of Private DNS Zone
    Resource group location | Location of Selected Resource Group

  5. For the Name field, enter <mds-location>.cloudapp.azure.com.

  6. Select Review + Create.

  7. After the Private DNS Zone is created, go to the overview page and select the Virtual network links from the left-hand menu.

  8. Select + Add to create a new virtual network link.

  9. Configure the link name, set Enable auto registration to true, and select the Virtual Network where the private endpoint network interface was provisioned.

  10. Select OK.

    Screenshot showing a virtual network link create page for the private DNS zone.

  11. Go to the overview page of the Private DNS Zone and select + Record set.

  12. On the Record set tab, configure the Type field to A - Address record.

  13. For the Name field, enter the Manufacturing data solutions Service URL without the <mds-location>.cloudapp.azure.com suffix.

  14. For the IP address field, enter the private IP address of the private endpoint network interface.

  15. Select OK.

    Screenshot showing a DNS A-record for the private endpoint network interface.

✅ Congratulations, now you can access Manufacturing data solutions API over the private network ensuring that the traffic is secure and isolated from the public internet.

Limitations

  • The IP allocation method for the private endpoint network interface is fixed to Dynamic. Once the allocated IP is released, the DNS record set in the Private DNS Zone needs to be updated with the new IP address.

  • Private Link Configuration for Application Gateway has an idle timeout of ~5 minutes (300 seconds). To avoid hitting this limit, applications connecting to Manufacturing data solutions endpoints through private endpoint must use TCP keepalive intervals of less than 300 seconds.

Delete Manufacturing data solutions Resources

This section provides information on how to undeploy Manufacturing data solutions from the designated tenant. To undeploy Manufacturing data solutions, perform the following steps:

  1. Go to the Azure portal.
  2. Navigate to the resource group where you deployed the Manufacturing data solutions.
  3. Select Delete resource group.
  4. Select Copy to clipboard to copy the name of the resource group.
  5. Paste that into the section entitled Enter resource group name to confirm deletion.
  6. Select Delete and then Delete again to confirm.

Note

It takes about 30 minutes to delete.