It is critical who has access and what he can do in ML workspace.
Role Access Levels:
- AzureML Data Scientist
Can perform all actions within an Azure Machine Learning workspace, except for creating or deleting compute resources and modifying the workspace itself.
- AzureML Compute Operator
Can create, manage and access compute resources within a workspace.
Read-only actions in the workspace. Readers can list and view assets, including datastore credentials, in a workspace. Readers can't create or update these assets.
View, create, edit, or delete (where applicable) assets in a workspace. For example, contributors can create an experiment, create or attach a compute cluster, submit a run, and deploy a web service.
Full access to the workspace, including the ability to view, create, edit, or delete (where applicable) assets in a workspace. Additionally, you can change role assignments.
- AzureML Registry User
Can get registries, and read, write and delete assets within them. Cannot create new registry resources or delete them.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
This access is restricted by the roles assigned to the service principal, giving you control over which resources can be accessed and at which level.
For security reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with a user identity.
Create a service principal using Azure portal
Go to Azure Active Directory
Select App Registrations > New Registration
Enter a name for the application
You will be taken to Application.
Go to Certificates & secrets
Click New client secret,
Write Description and when Expire.
In list will be shown the fresh generated client secret
Write down and keep safe the Value, it will not be shown again.
Will be referred later as Password.
Click on Overview
Create a service principal using Azure CLI
Command prompt Visual studio
# Login (interactive process)
If you have multiple subscriptions or you do not know the ID
# Find subscriptions details
az account list -o table
# Set current subscriptions
az account set -s <Subscription ID>
# Assume to create a an Azure Service Principal
# Name: ml-auth-contributor
# Role: Contributor
#Scope: All Workspaces in whole subscription id: Contributor
az ad sp create-for-rbac --name ml-auth-contributor --role Contributor --scopes /subscriptions/nnnnnnnnnnnn-nnnnnnnnnnnnn-nnnnnnnnnnnnResult:
Creating 'Contributor' role assignment under scope '/subscriptions/nnnn-nnnnnn-nnnnnnn'
The output includes credentials that you must protect. Be sure that you do not include these credentials in your code or check the credentials into your source control. For more information, see https://aka.ms/azadsp-cli
appId will be reffered as Client ID
How to use Service Principal
Get WorkSpace to be used in experiment.
If you have not yet:
pip install azure.identity
pip install azure.mgmt.support
Login (usingAzure service principal)
from azure.mgmt.support import MicrosoftSupport
from msrestazure.azure_active_directory import ServicePrincipalCredentials
#sub_id = "<SUBSCRIPTION_ID>"
sp_creds = ServicePrincipalCredentials(client_id='<APP_CLIENT_ID>', secret='<SECRET_OR_PASSWPRD>')
#SupportClient = MicrosoftSupport(sp_creds, sub_id)
from azureml.core import Workspace
ws = Workspace(
Workspace.create(name='<WORKSPACE_NAME>', subscription_id='<SUBSCRIPTION_ID>', resource_group='<RESOURCE_GROUP_NAME>'
Make sure there is:
from azureml.core import Workspace
ws = Workspace.from_config()
Workspace.create(name='<WORKSPACE_NAME>', subscription_id='<SUBSCRIPTION_ID>', resource_group='<RESOURCE_GROP_NAME>')
!!!Set up authentication - Azure Machine Learning | Microsoft Learn
Manage roles in your workspace - Azure Machine Learning | Microsoft Learn
Create an Azure service principal – Azure CLI | Microsoft Learn
Azure ML Package client library for Python | Microsoft Learn
Set up authentication - Azure Machine Learning | Microsoft Learn
Manage workspaces in portal or Python SDK (v2) - Azure Machine Learning | Microsoft Learn
az ml workspace | Microsoft Learn
azureml.core.workspace.Workspace class - Azure Machine Learning Python | Microsoft Learn
Workspace | Azure Machine Learning