
Disable local authentication on ML Compute

Security · Machine Learning · Rule · 2023_12 · Critical

Azure Machine Learning compute resources should have local authentication methods disabled.

Description

Azure Machine Learning (ML) compute can have local authentication enabled or disabled. When enabled, local authentication methods must be managed and audited separately.

Disabling local authentication ensures that Entra ID (previously Azure Active Directory) is used exclusively for authentication. Using Entra ID provides consistency as a single authoritative source, which:

  • Increases clarity and reduces security risks from human errors and configuration complexity.
  • Provides support for advanced identity security and governance features.

Recommendation

Consider disabling local authentication on ML - Compute as part of a broader security strategy.

Examples

Configure with Azure template

To deploy ML - compute that passes this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Template snippet
{
  "type": "Microsoft.MachineLearningServices/workspaces/computes",
  "apiVersion": "2023-06-01-preview",
  "name": "[format('{0}/{1}', parameters('name'), parameters('name'))]",
  "location": "[parameters('location')]",
  "properties": {
    "computeType": "ComputeInstance",
    "disableLocalAuth": true,
    "properties": {
      "vmSize": "[parameters('vmSize')]",
      "idleTimeBeforeShutdown": "PT15M"
    }
  },
  "dependsOn": [
    "[resourceId('Microsoft.MachineLearningServices/workspaces', parameters('name'))]"
  ]
}
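
A pre-deployment check for the template setting above, as an added example that is not part of the original page or the rule's own implementation: it walks an ARM template's resources, including child computes nested under a workspace, and reports any ML compute whose properties.disableLocalAuth is not literally true. The sample template, its resource names and the disableLocalAuth parameter are constructed for illustration.

```python
import json

ML_COMPUTE = "microsoft.machinelearningservices/workspaces/computes"

# Constructed sample template (resource and parameter names are made up).
SAMPLE = json.loads("""
{"resources": [
  {"type": "Microsoft.MachineLearningServices/workspaces/computes",
   "name": "ws/ci-ok", "properties": {"disableLocalAuth": true}},
  {"type": "Microsoft.MachineLearningServices/workspaces/computes",
   "name": "ws/ci-missing", "properties": {"computeType": "ComputeInstance"}},
  {"type": "Microsoft.MachineLearningServices/workspaces/computes",
   "name": "ws/ci-param",
   "properties": {"disableLocalAuth": "[parameters('disableLocalAuth')]"}},
  {"type": "Microsoft.MachineLearningServices/workspaces", "name": "ws",
   "resources": [{"type": "computes", "name": "ci-nested",
                  "properties": {"disableLocalAuth": false}}]}
]}
""")


def walk(resources, parent_type=""):
    """Yield (full_type, resource) for top-level and nested child resources."""
    if isinstance(resources, dict):  # symbolic-name templates use an object
        resources = resources.values()
    for res in resources or []:
        rtype = res.get("type", "")
        full = f"{parent_type}/{rtype}" if parent_type else rtype
        yield full, res
        yield from walk(res.get("resources"), full)


def check_template(template):
    """Return (name, status) for each ML compute not set to disableLocalAuth: true."""
    findings = []
    for full_type, res in walk(template.get("resources")):
        if full_type.lower() != ML_COMPUTE:
            continue
        value = (res.get("properties") or {}).get("disableLocalAuth")
        if value is True:
            continue
        is_expr = isinstance(value, str) and value.startswith("[") and value.endswith("]")
        # An expression is resolved only at deployment time, so flag it for review.
        findings.append((res.get("name"), "review" if is_expr else "fail"))
    return findings


if __name__ == "__main__":
    for name, status in check_template(SAMPLE):
        print(f"{status}: {name}")
```

A missing property is reported as a failure because the template does not explicitly disable local authentication.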

Configure with Bicep

To deploy ML - compute that passes this rule:

  • Set the properties.disableLocalAuth property to true.

For example:

Azure Bicep snippet
resource compute_instance 'Microsoft.MachineLearningServices/workspaces/computes@2023-06-01-preview' = {
  parent: workspace
  name: name
  location: location
  properties: {
    computeType: 'ComputeInstance'
    disableLocalAuth: true
    properties: {
      vmSize: vmSize
      idleTimeBeforeShutdown: 'PT15M'
      subnet: {
        id: subnet.id
      }
    }
  }
}
