Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Note
This document refers to the Microsoft Foundry (classic) portal.
🔍 View the Microsoft Foundry (new) documentation to learn about the new portal.
In this article, you learn how to create the following Microsoft Foundry resources by using the Azure Machine Learning SDK and Azure CLI (with machine learning extension):
- A Foundry hub
- A Foundry connection
Note
A hub is used only for a hub-based project. A Foundry project doesn't use a hub. For more information, see Types of projects.
Prerequisites
- An Azure account with an active subscription. If you don't have one, create a free Azure account, which includes a free trial subscription.
- RBAC roles: You must have the Contributor or Owner role on your Azure subscription or resource group to create a hub. If you're creating a connection to existing resources, ensure you have Contributor access to those resources as well.
- For Python SDK: Azure Machine Learning Python SDK (v2.0 or later), Azure Identity Python SDK, and Python 3.8 or later.
- For Azure CLI: Azure CLI and Azure Machine Learning extension.
- If connecting to existing resources: Azure Storage account or Azure Key Vault must already exist in the same subscription (same resource group, or in another resource group that you have access to).
Set up your environment
Use the following tabs to select whether you're using the Python SDK or Azure CLI:
Install packages. (If in a notebook cell, use
%pip installinstead.)pip install azure-ai-ml pip install azure-identityProvide your subscription details:
# Enter details of your subscription subscription_id = "<SUBSCRIPTION_ID>" resource_group = "<RESOURCE_GROUP>"Get a handle to the subscription. All the Python code in this article uses
ml_client:# get a handle to the subscription from azure.ai.ml import MLClient from azure.identity import DefaultAzureCredential ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group)(Optional) If you have multiple accounts, add the tenant ID of the Microsoft Entra ID you wish to use into the
DefaultAzureCredential. Find your tenant ID from the Azure portal under Microsoft Entra ID, External Identities.DefaultAzureCredential(interactive_browser_tenant_id="<TENANT_ID>")(Optional) If you're working on in the Azure Government - US or Azure China 21Vianet regions, specify the region into which you want to authenticate. You can specify the region with
DefaultAzureCredential. The following example authenticates to the Azure Government - US region:from azure.identity import AzureAuthorityHosts DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT)Verify the connection.
for hub in ml_client.workspaces.list(): print(f" - {hub.name}")
If you receive an authentication error, ensure your Azure credentials are configured (run az login or set up your credentials via the Azure Identity SDK). If you receive a permission error, check that you have the Contributor role on the subscription or resource group.
References: MLClient, DefaultAzureCredential
Create the Foundry hub and Microsoft Foundry connection
Use the following examples to create a new hub. Replace example string values with your own values:
from azure.ai.ml.entities import Hub
my_hub_name = "myexamplehub"
my_location = "East US"
my_display_name = "My Example Hub"
# Construct a basic hub
my_hub = Hub(
name=my_hub_name,
location=my_location,
display_name=my_display_name
)
# Create the hub and wait for completion
created_hub = ml_client.workspaces.begin_create(my_hub).result()
print(f"Created hub: {created_hub.name}")
This code creates a new hub with the specified name, location, and display name. Azure automatically provisions associated Azure Storage and Azure Key Vault resources.
References: Hub, MLClient.workspaces.begin_create
Create a Foundry connection
After creating your own Foundry resource or Azure OpenAI resource in the same resource group, you can connect it to your hub. You can also connect Azure AI Search from any resource group in your same subscription.
Include your hub in your
ml_clientconnection:Enter your subscription details. For
<AML_WORKSPACE_NAME>, enter your hub name:# Enter details of your AML workspace subscription_id = "<SUBSCRIPTION_ID>" resource_group = "<RESOURCE_GROUP>" workspace = "<AML_WORKSPACE_NAME>"Get a handle to the hub:
# get a handle to the workspace from azure.ai.ml import MLClient from azure.identity import DefaultAzureCredential ml_client = MLClient( DefaultAzureCredential(), subscription_id, resource_group, workspace )
Use
ml_clientto create the connection to your Foundry Tools. You can find endpoints in Azure portal under Resource management > Keys and endpoints. For a Foundry resource, use the AI Services endpoint. For Azure AI Search, use the URL for the endpoint.from azure.ai.ml.entities import AzureAIServicesConnection # Construct a connection to Azure AI Services my_connection_name = "my-ai-services-connection" # Any name you want aiservices_resource_name = "<your-resource-name>" # From Azure portal my_endpoint = "<your-endpoint>" # From Azure portal my_api_keys = None # Leave blank to use Azure Entra ID (AAD) authentication my_ai_services_resource_id = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.CognitiveServices/accounts/{aiservices_resource_name}" my_connection = AzureAIServicesConnection( name=my_connection_name, endpoint=my_endpoint, api_key=my_api_keys, ai_services_resource_id=my_ai_services_resource_id ) # Create the connection ml_client.connections.create_or_update(my_connection) print(f"Created connection: {my_connection.name}")References:
AzureAIServicesConnection, MLClient.connections
Create a hub with existing dependency resources
By default, a hub automatically creates associated Azure Storage and Azure Key Vault resources. If you want to reuse existing Azure Storage or Azure Key Vault resources, you can specify them during hub creation. In the following examples, replace the placeholder values with your own resource IDs:
Tip
You can retrieve the resource ID of the storage account and key vault from the Azure portal by going to the resource's overview and selecting JSON view. The resource ID is located in the id field. You can also use the Azure CLI to retrieve the resource ID. For example, use az storage account show --name {my_storage_account_name} --query "id" and az keyvault show --name {my_key_vault_name} --query "id".
from azure.ai.ml.entities import Hub
my_hub_name = "myexamplehub"
my_location = "East US"
my_display_name = "My Example Hub"
my_resource_group = "myresourcegroupname"
my_storage_account_id = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Storage/storageAccounts/<storage-account-name>"
my_key_vault_id = "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>"
# Construct a hub with existing dependency resources
my_hub = Hub(
name=my_hub_name,
location=my_location,
display_name=my_display_name,
resource_group=my_resource_group,
storage_account_id=my_storage_account_id,
key_vault_id=my_key_vault_id
)
# Create the hub
created_hub = ml_client.workspaces.begin_create(my_hub).result()
print(f"Created hub with existing resources: {created_hub.name}")
To find resource IDs for existing resources, visit the Azure portal, navigate to the resource's Overview page, and select JSON view. The resource ID appears in the id field. Alternatively, use Azure CLI:
# Get Storage account resource ID
az storage account show --name <storage-account-name> --resource-group <resource-group> --query "id"
# Get Key Vault resource ID
az keyvault show --name <key-vault-name> --resource-group <resource-group> --query "id"
References: Hub
Update Azure Application Insights and Azure Container Registry
To use custom environments for Prompt Flow, you need to configure an Azure Container Registry for your hub. To use Azure Application Insights for Prompt Flow deployments, you need to configure an Azure Application Insights resource for your hub. Updating the workspace-attached Azure Container Registry or Application Insights resources might break lineage of previous jobs, deployed inference endpoints, or your ability to rerun earlier jobs in the workspace. After association with a Foundry hub, Azure Container Registry and Application Insights resources can't be disassociated (set to null).
You can use the Azure portal, Azure SDK/CLI options, or the infrastructure-as-code templates to update both Azure Application Insights and Azure Container Registry for the hub.
from azure.ai.ml.entities import Hub
my_app_insights = "{APPLICATION_INSIGHTS_ARM_ID}"
my_container_registry = "{CONTAINER_REGISTRY_ARM_ID}"
# construct a hub with Application Insights and Container Registry
my_hub = Hub(name="myexamplehub",
location="East US",
application_insights=my_app_insights,
container_registry=my_container_registry)
# update_dependent_resources is used to give consent to update the workspace dependent resources.
updated_hub = ml_client.workspaces.begin_update(workspace=my_hub, update_dependent_resources=True).result()
print(f"Hub updated: {updated_hub.name}")
This script updates an existing hub with the specified Application Insights and Container Registry resources. The update_dependent_resources=True parameter confirms the update.
Reference: Hub, MLClient.workspaces.begin_update()