Disable local authentication on ML Compute
Security · Machine Learning · Rule · 2023_12 · Critical
Azure Machine Learning compute resources should have local authentication methods disabled.
Description
Azure Machine Learning (ML) compute can have local authentication enabled or disabled. When enabled, local authentication methods must be managed and audited separately.
Disabling local authentication ensures that Entra ID (previously Azure Active Directory) is used exclusively for authentication. Using Entra ID provides consistency as a single authoritative source which:
- Increases clarity and reduces security risks from human errors and configuration complexity.
- Provides support for advanced identity security and governance features.
Recommendation
Consider disabling local authentication on ML - Compute as part of a broader security strategy.
Examples
Configure with Azure template
To deploy ML - compute that passes this rule:
- Set the properties.disableLocalAuth property to true.
For example:
Azure Template snippet
{
  "type": "Microsoft.MachineLearningServices/workspaces/computes",
  "apiVersion": "2023-06-01-preview",
  "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
  "location": "[parameters('location')]",
  "properties": {
    "computeType": "ComputeInstance",
    "disableLocalAuth": true,
    "properties": {
      "vmSize": "[parameters('vmSize')]",
      "idleTimeBeforeShutdown": "PT15M"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]"
  ]
}
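A pre-deployment check for this setting over an ARM JSON template, added here as an example; it is not part of the original page and is not the rule's own implementation. It assumes `resources` is an array, resolves only bare `[parameters('x')]` expressions through their `defaultValue`, and all function names and the sample template are constructed for illustration.

```python
import json
import re

COMPUTE_TYPE = "microsoft.machinelearningservices/workspaces/computes"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

def resolve(value, parameters):
    """Resolve a bare [parameters('x')] expression to its defaultValue, if any."""
    match = PARAM_REF.match(value.strip()) if isinstance(value, str) else None
    return parameters.get(match.group(1), {}).get("defaultValue") if match else value

def walk(resources, parent_type=""):
    """Yield (full_type, resource), descending into nested child resources."""
    for res in resources:
        rtype = res.get("type", "")
        full = f"{parent_type}/{rtype}" if parent_type else rtype
        yield full, res
        yield from walk(res.get("resources", []), full)

def find_local_auth_enabled(template):
    """Return names of ML computes whose disableLocalAuth is not boolean true."""
    parameters = template.get("parameters", {})
    failing = []
    for full_type, res in walk(template.get("resources", [])):
        if full_type.lower() != COMPUTE_TYPE:
            continue
        setting = resolve(res.get("properties", {}).get("disableLocalAuth"), parameters)
        if setting is not True:  # missing, false, or an unresolved expression
            failing.append(res.get("name"))
    return failing

# Constructed sample template: one passing and three failing compute resources.
SAMPLE = json.loads("""
{
  "parameters": {"disableLocalAuth": {"type": "bool", "defaultValue": false}},
  "resources": [
    {"type": "Microsoft.MachineLearningServices/workspaces/computes", "name": "ws/ok",
     "properties": {"computeType": "ComputeInstance", "disableLocalAuth": true}},
    {"type": "Microsoft.MachineLearningServices/workspaces/computes", "name": "ws/missing",
     "properties": {"computeType": "ComputeInstance"}},
    {"type": "Microsoft.MachineLearningServices/workspaces/computes", "name": "ws/param",
     "properties": {"disableLocalAuth": "[parameters('disableLocalAuth')]"}},
    {"type": "Microsoft.MachineLearningServices/workspaces", "name": "ws",
     "resources": [{"type": "computes", "name": "nested", "properties": {"disableLocalAuth": false}}]}
  ]
}
""")

if __name__ == "__main__":
    print(find_local_auth_enabled(SAMPLE))
```

A setting supplied through a parameter is reported when its default is not `true`, because a deployment that omits the parameter would leave local authentication enabled.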
Configure with Bicep
To deploy ML - compute that passes this rule:
- Set the properties.disableLocalAuth property to true.
For example:
Azure Bicep snippet
resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {
  parent: workspace
  name: name
  location: location
  properties: {
    computeType: 'ComputeInstance'
    disableLocalAuth: true
    properties: {
      vmSize: vmSize
      idleTimeBeforeShutdown: 'PT15M'
      subnet: {
        id: subnet.id
      }
    }
  }
}
Links
- WAF - Authentication with Azure AD
- Disable local authentication
- ML Compute
- Azure Policy Regulatory Compliance controls for Azure Machine Learning
- Azure deployment reference - Compute objects
- Azure deployment reference - Workspaces