- Enable High Business Impact for Machine Learning Workspaces
Ensure that the High Business Impact (HBI) feature is enabled for Azure Machine Learning (ML) workspaces that contain sensitive data, in order to limit the data that Microsoft Azure collects from your workspaces for diagnostic purposes.
High Business Impact (HBI) prevents sending confidential telemetry data to Microsoft and enables additional encryption in Microsoft managed environments. Enabling HBI ensures that appropriate security measures, compliance requirements, and risk management protocols are in place to protect sensitive and critical data, thereby safeguarding the organization's interests and maintaining trust.
Audit
To determine if the High Business Impact feature is enabled for your Azure Machine Learning workspaces, perform the following actions:
Using Azure Console
1. Sign in to the Azure Management Console.
2. Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.
3. Select the Azure subscription that you want to examine from the Subscription filter box.
4. Click on the name (link) of the Azure Machine Learning workspace that you want to examine.
5. In the main navigation panel, select Overview, and choose JSON View under Essentials to access the workspace configuration information available in JSON format.
6. On the Resource JSON panel, check the "properties.hbiWorkspace" configuration attribute value in the resource configuration object to determine the High Business Impact feature status for the selected workspace. If the "properties.hbiWorkspace" attribute value is set to false, the High Business Impact (HBI) feature is not enabled for the selected Azure Machine Learning workspace.
7. Repeat steps no. 4 – 6 for each Azure Machine Learning workspace available within the selected subscription.
8. Repeat steps no. 3 – 7 for each subscription created in your Microsoft Azure cloud account.
Using Azure CLI
1. Run ml workspace list command (Windows/macOS/Linux) with custom query filters to list the name and the associated resource group for each Azure Machine Learning workspace available in the current subscription:

       az ml workspace list --output table --query '[*].{name:name, resourceGroup:resourceGroup}'

   The command output should return the requested Azure Machine Learning workspace identifiers:

       Name                        ResourceGroup
       ------------------------    ------------------------------
       tm-ml-project5-workspace    cloud-shell-storage-westeurope
       tm-ml-production-workspace  cloud-shell-storage-westeurope

2. Run ml workspace show command (Windows/macOS/Linux) with the name of the Azure Machine Learning workspace that you want to examine as the identifier parameter and custom output filters to describe the High Business Impact feature status for the selected workspace:

       az ml workspace show --name tm-ml-project5-workspace --resource-group cloud-shell-storage-westeurope --query 'hbi_workspace'

3. The command output should return the requested feature status:

       false

   If the ml workspace show command output returns false, as shown in the example above, the High Business Impact (HBI) feature is not enabled for the selected Azure Machine Learning workspace.
4. Repeat steps no. 3 and 4 for each Azure Machine Learning workspace available in the selected Azure subscription.
5. Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.
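The audit above can be automated. The following Python script is an added example, not part of the original page or of any vendor tooling: it evaluates the same attribute the audit inspects (hbi_workspace in az ml workspace show output, or properties.hbiWorkspace in the portal Resource JSON) and walks every subscription and workspace with the same az commands the CLI steps use. The az_json wrapper, the fake_az stand-in and the sample workspace data are constructed for this example; the real walk requires a logged-in Azure CLI and a missing attribute is deliberately treated as "not enabled" so an unexpected schema never passes silently.

```python
"""Added example: automate the HBI audit for Azure ML workspaces.

Evaluation is pure and offline-testable; `az_json` shells out to the real
Azure CLI (requires `az login`) and `fake_az` is a constructed stand-in.
"""
import json
import subprocess
from typing import Callable, Dict, List

AzRunner = Callable[[List[str]], object]


def is_hbi_enabled(workspace: dict) -> bool:
    """True only when the workspace reports HBI as enabled.

    Accepts both `az ml workspace show` JSON ("hbi_workspace") and the portal
    Resource JSON ("properties.hbiWorkspace"). A missing attribute is treated
    as disabled, so an unexpected schema never passes the check silently.
    """
    if "hbi_workspace" in workspace:
        return workspace["hbi_workspace"] is True
    return workspace.get("properties", {}).get("hbiWorkspace") is True


def find_non_compliant(workspaces: List[dict]) -> List[str]:
    """Names of the workspaces in `workspaces` whose HBI feature is not enabled."""
    return [ws.get("name", "<unnamed>") for ws in workspaces if not is_hbi_enabled(ws)]


def az_json(args: List[str]) -> object:
    """Run an `az` command and parse its JSON output (real Azure CLI, needs `az login`)."""
    completed = subprocess.run(["az", *args, "--output", "json"],
                               check=True, capture_output=True, text=True)
    return json.loads(completed.stdout)


def collect_from_cli(runner: AzRunner = az_json) -> Dict[str, List[dict]]:
    """Mirror the CLI audit: every subscription, every workspace, one `show` each.

    `runner` is injectable so the walk can be exercised without Azure access.
    """
    results: Dict[str, List[dict]] = {}
    for sub in runner(["account", "list"]):
        sub_id = sub["id"]
        listed = runner(["ml", "workspace", "list", "--subscription", sub_id,
                         "--query", "[*].{name:name, resourceGroup:resourceGroup}"])
        results[sub_id] = [
            runner(["ml", "workspace", "show", "--subscription", sub_id,
                    "--name", ws["name"], "--resource-group", ws["resourceGroup"]])
            for ws in listed
        ]
    return results


def audit_report(runner: AzRunner = az_json) -> Dict[str, List[str]]:
    """Map each subscription id to the names of its non-compliant workspaces."""
    return {sub_id: find_non_compliant(wss)
            for sub_id, wss in collect_from_cli(runner).items()}


# Constructed sample data standing in for `az` output (not captured from Azure).
SAMPLE_SUBSCRIPTION_ID = "abcd1234-abcd-1234-abcd-1234abcd1234"
SAMPLE_WORKSPACES = {
    "tm-ml-project5-workspace": {
        "name": "tm-ml-project5-workspace",
        "resourceGroup": "cloud-shell-storage-westeurope",
        "hbi_workspace": False,
    },
    "tm-ml-production-workspace": {
        "name": "tm-ml-production-workspace",
        "resourceGroup": "cloud-shell-storage-westeurope",
        "hbi_workspace": True,
    },
}


def fake_az(args: List[str]) -> object:
    """Offline stand-in for az_json answering the three commands the audit uses."""
    if args[:2] == ["account", "list"]:
        return [{"id": SAMPLE_SUBSCRIPTION_ID}]
    if args[:3] == ["ml", "workspace", "list"]:
        return [{"name": ws["name"], "resourceGroup": ws["resourceGroup"]}
                for ws in SAMPLE_WORKSPACES.values()]
    if args[:3] == ["ml", "workspace", "show"]:
        return SAMPLE_WORKSPACES[args[args.index("--name") + 1]]
    raise ValueError(f"unexpected az command: {args}")


if __name__ == "__main__":
    # Pass az_json instead of fake_az to audit a real tenant.
    for sub_id, names in audit_report(fake_az).items():
        if names:
            print(f"{sub_id}: HBI not enabled on {', '.join(names)}")
        else:
            print(f"{sub_id}: all workspaces have HBI enabled")
```

Running the script as-is reports the constructed sample; swapping fake_az for az_json in the main block performs the real walk and emits one line per subscription listing the workspaces that still need to be re-created with HBI enabled.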
Remediation / Resolution
To enable High Business Impact (HBI) for your Azure Machine Learning (ML) workspaces, you must re-create your workspaces with the necessary HBI configuration by performing the following operations:
Using Azure Console
1. Sign in to the Azure Management Console.
2. Navigate to Azure Machine Learning workspaces blade at https://portal.azure.com/#browse/Microsoft.MachineLearningServices%2Fworkspaces.
3. Select the Azure subscription that you want to access from the Subscription equals all filter box, and choose Apply.
4. Choose Create, select New workspace, and perform the following actions to create your new Azure Machine Learning workspace:
   - For Basics, provide the following information:
     - For Subscription, choose your Azure subscription.
     - For Resource group, select the correct resource group.
     - Provide a unique name for the workspace in the Name box.
     - For Region, select the Azure cloud region where the workspace will be deployed.
     - For Storage account, choose the storage account that is used as the default datastore for the workspace.
     - For Key vault, select the key vault used to store secrets and other sensitive information required by the workspace.
     - For Application insights, choose whether to enable the Application Insights monitoring feature. You can create a new Azure Application Insights resource or select an existing one from your subscription.
     - For Container registry, select the container registry used to register docker images used in training and deployments.
     - Choose Next : Networking to continue the workspace setup process.
   - For Networking, choose the type of network isolation that you need for your workspace. Choose Next : Encryption to continue the setup.
   - For Encryption, perform the following actions:
     - For Encryption type, choose Customer-managed keys to use your own Customer-Managed Key (CMK) for data encryption (recommended).
     - For Key vault, choose Click to select the key, and select the appropriate key vault and Customer-Managed Key (CMK).
     - Choose Next : Identity to continue.
   - For Identity, perform the following operations:
     - Choose System assigned identity for Identity type under Managed identity.
     - Select Identity-based access for Storage account access type under Storage account access.
     - Under Data impact, check the High business impact workspace setting checkbox to enable the High Business Impact (HBI) feature for your new workspace.
     - Choose Next : Tags to continue the setup.
   - For Tags, use the Name and Value fields to create tags that will help organize the identity of the workspace. Choose Next : Review + create to validate the workspace setup.
   - For Review + create, review the resource configuration details, then choose Create to create your new Azure Machine Learning workspace.
5. Repeat step no. 4 for each workspace that you want to re-create, available within the selected Azure subscription.
6. Repeat steps no. 3 – 5 for each subscription available in your Microsoft Azure cloud account.
Using Azure CLI
1. Define the configuration file for your new Azure Machine Learning workspace. Create a new configuration file (YAML format), name the file workspace-config.yml, and paste the following content (set hbi_workspace to true to enable High Business Impact (HBI), and replace the other configuration parameter values with your own information):

       $schema: https://azuremlschemas.azureedge.net/latest/workspace.schema.json
       name: tm-new-project5-workspace
       location: westeurope
       display_name: tm-new-project5-workspace
       customer_managed_key:
         key_vault: /subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-vault
         key_uri: https://cc-project5-vault.vault.azure.net/keys/cc-ml-workspace-key/abcd1234abcd1234abcd1234abcd1234
       hbi_workspace: true

2. Run ml workspace create command (Windows/macOS/Linux) with the configuration file defined at the previous step (i.e. workspace-config.yml), to create your new, HBI-protected Azure Machine Learning workspace:

       az ml workspace create --resource-group cloud-shell-storage-westeurope --file workspace-config.yml

3. The command output should return the new workspace configuration information:

       {
         "hbi_workspace": true,
         "customer_managed_key": {
           "cosmosdb_id": "",
           "key_uri": "https://cc-project5-vault.vault.azure.net/keys/cc-ml-workspace-key/abcd1234abcd1234abcd1234abcd1234",
           "key_vault": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.KeyVault/vaults/cc-project5-vault",
           "search_id": "",
           "storage_id": ""
         },
         "description": "tm-new-project5-workspace",
         "discovery_url": "https://westeurope.api.azureml.ms/discovery",
         "display_name": "tm-new-project5-workspace",
         "enable_data_isolation": false,
         "id": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-new-project5-workspace",
         "identity": {
           "principal_id": "abcd1234-abcd-1234-abcd-1234abcd1234",
           "tenant_id": "abcd1234-abcd-1234-abcd-1234abcd1234",
           "type": "system_assigned"
         },
         "key_vault": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Keyvault/vaults/1234abcd12341234abcd1234",
         "location": "westeurope",
         "managed_network": {
           "isolation_mode": "disabled",
           "outbound_rules": []
         },
         "mlflow_tracking_uri": "azureml://westeurope.api.azureml.ms/mlflow/v1.0/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.MachineLearningServices/workspaces/tm-new-project5-workspace",
         "name": "tm-new-project5-workspace",
         "public_network_access": "Enabled",
         "resourceGroup": "cloud-shell-storage-westeurope",
         "resource_group": "cloud-shell-storage-westeurope",
         "serverless_compute": {
           "no_public_ip": false
         },
         "storage_account": "/subscriptions/abcd1234-abcd-1234-abcd-1234abcd1234/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.Storage/storageAccounts/1234abcd12341234abcd1234",
         "tags": {
           "AttachAppInsightsToWorkspace": "false",
           "createdByToolkit": "cli-v2-1.16.1"
         }
       }

4. Repeat steps no. 1 – 3 for each workspace that you want to re-create, available in the selected Azure subscription.
5. Repeat steps no. 1 – 4 for each subscription available in your Microsoft Azure cloud account.
References
- Azure Official Documentation
- Data encryption with Azure Machine Learning
- Monitor Azure Machine Learning
- Manage Azure Machine Learning workspaces using Azure CLI
- Manage Azure Machine Learning workspaces in the portal or with the Python SDK (v2)
- Azure Command Line Interface (CLI) Documentation
- az ml workspace list
- az ml workspace show
- az ml workspace create