Manage Azure Machine Learning workspaces in the portal or with the Python SDK

In this article, you create, view, and delete Azure Machine Learning workspaces for Azure Machine Learning, using the Azure portal or the SDK for Python

As your needs change or requirements for automation increase you can also manage workspaces using the CLI, or via the VS Code extension.

Prerequisites

Limitations

  • When creating a new workspace, you can either automatically create services needed by the workspace or use existing services. If you want to use existing services from a different Azure subscription than the workspace, you must register the Azure Machine Learning namespace in the subscription that contains those services. For example, creating a workspace in subscription A that uses a storage account from subscription B, the Azure Machine Learning namespace must be registered in subscription B before you can use the storage account with the workspace.

    The resource provider for Azure Machine Learning is Microsoft.MachineLearningServices. For information on how to see if it is registered and how to register it, see the Azure resource providers and types article.

    Important

    This only applies to resources provided during workspace creation; Azure Storage Accounts, Azure Container Register, Azure Key Vault, and Application Insights.

By default, creating a workspace also creates an Azure Container Registry (ACR). Since ACR does not currently support unicode characters in resource group names, use a resource group that does not contain these characters.

Tip

An Azure Application Insights instance is created when you create the workspace. You can delete the Application Insights instance after cluster creation if you want. Deleting it limits the information gathered from the workspace, and may make it more difficult to troubleshoot problems. If you delete the Application Insights instance created by the workspace, you cannot re-create it without deleting and recreating the workspace.

For more information on using this Application Insights instance, see Monitor and collect data from Machine Learning web service endpoints.

Create a workspace

  • Default specification. By default, dependent resources and the resource group will be created automatically. This code creates a workspace named myworkspace and a resource group named myresourcegroup in eastus2.

    from azureml.core import Workspace
    
    ws = Workspace.create(name='myworkspace',
                   subscription_id='<azure-subscription-id>',
                   resource_group='myresourcegroup',
                   create_resource_group=True,
                   location='eastus2'
                   )
    

    Set create_resource_group to False if you have an existing Azure resource group that you want to use for the workspace.

  • Multiple tenants. If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the Azure portal under Azure Active Directory, External Identities.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")
    ws = Workspace.create(name='myworkspace',
                subscription_id='<azure-subscription-id>',
                resource_group='myresourcegroup',
                create_resource_group=True,
                location='eastus2',
                auth=interactive_auth
                )
    
  • Sovereign cloud. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"
    ws = Workspace.create(name='myworkspace',
                subscription_id='<azure-subscription-id>',
                resource_group='myresourcegroup',
                create_resource_group=True,
                location='eastus2',
                auth=interactive_auth
                )
    
  • Use existing Azure resources. You can also create a workspace that uses existing Azure resources with the Azure resource ID format. Find the specific Azure resource IDs in the Azure portal or with the SDK. This example assumes that the resource group, storage account, key vault, App Insights, and container registry already exist.

    import os
    from azureml.core import Workspace
    from azureml.core.authentication import ServicePrincipalAuthentication
    
    service_principal_password = os.environ.get("AZUREML_PASSWORD")
    
    service_principal_auth = ServicePrincipalAuthentication(
        tenant_id="<tenant-id>",
        username="<application-id>",
        password=service_principal_password)
    
                          auth=service_principal_auth,
                               subscription_id='<azure-subscription-id>',
                               resource_group='myresourcegroup',
                               create_resource_group=False,
                               location='eastus2',
                               friendly_name='My workspace',
                               storage_account='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.storage/storageaccounts/mystorageaccount',
                               key_vault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/mykeyvault',
                               app_insights='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.insights/components/myappinsights',
                               container_registry='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.containerregistry/registries/mycontainerregistry',
                               exist_ok=False)
    

For more information, see Workspace SDK reference.

If you have problems in accessing your subscription, see Set up authentication for Azure Machine Learning resources and workflows, as well as the Authentication in Azure Machine Learning notebook.

Networking

Important

For more information on using a private endpoint and virtual network with your workspace, see Network isolation and privacy.

The Azure Machine Learning Python SDK provides the PrivateEndpointConfig class, which can be used with Workspace.create() to create a workspace with a private endpoint. This class requires an existing virtual network.

Vulnerability scanning

Microsoft Defender for Cloud provides unified security management and advanced threat protection across hybrid cloud workloads. You should allow Microsoft Defender for Cloud to scan your resources and follow its recommendations. For more, see Azure Container Registry image scanning by Defender for Cloud and Azure Kubernetes Services integration with Defender for Cloud.

Advanced

By default, metadata for the workspace is stored in an Azure Cosmos DB instance that Microsoft maintains. This data is encrypted using Microsoft-managed keys.

To limit the data that Microsoft collects on your workspace, select High business impact workspace in the portal, or set hbi_workspace=true in Python. For more information on this setting, see Encryption at rest.

Important

Selecting high business impact can only be done when creating a workspace. You cannot change this setting after workspace creation.

Use your own key

You can provide your own key for data encryption. Doing so creates the Azure Cosmos DB instance that stores metadata in your Azure subscription.

Important

The Cosmos DB instance is created in a Microsoft-managed resource group in your subscription. The following services are also created in this resource group, and are used by the customer-managed key configuration:

  • Azure Storage Account
  • Azure Search

Since these services are created in your Azure subscription, it means that you are charged for these service instances. If your subscription does not have enough quota for the Azure Cosmos DB service, a failure will occur. For more information on quotas, see Azure Cosmos DB service quotas

The managed resource group is named in the format <AML Workspace Resource Group Name><GUID>. If your Azure Machine Learning workspace uses a private endpoint, a virtual network is also created in this resource group. This VNet is used to secure communication between the services in this resource group and your Azure Machine Learning workspace.

  • Do not delete the resource group that contains this Cosmos DB instance, or any of the resources automatically created in this group. If you need to delete the resource group, Cosmos DB instance, etc., you must delete the Azure Machine Learning workspace that uses it. The resource group, Cosmos DB instance, and other automatically created resources are deleted when the associated workspace is deleted.
  • The Request Units used by this Cosmos DB account automatically scale as needed. The minimum RU is 1200. The maximum RU is 12000.
  • You cannot provide your own VNet for use with the Cosmos DB instance that is created. You also cannot modify the virtual network. For example, you cannot change the IP address range that it uses.

To estimate the additional cost of the Azure Cosmos DB instance, use the Azure pricing calculator.

Use the following steps to provide your own key:

Important

Before following these steps, you must first perform the following actions:

  1. Authorize the Machine Learning App (in Identity and Access Management) with contributor permissions on your subscription.

  2. Follow the steps in Configure customer-managed keys to:

    • Register the Azure Cosmos DB provider
    • Create and configure an Azure Key Vault
    • Generate a key

    You do not need to manually create the Azure Cosmos DB instance, one will be created for you during workspace creation. This Azure Cosmos DB instance will be created in a separate resource group using a name based on this pattern: <your-workspace-resource-name>_<GUID>.

You cannot change this setting after workspace creation. If you delete the Azure Cosmos DB used by your workspace, you must also delete the workspace that is using it.

Use cmk_keyvault and resource_cmk_uri to specify the customer managed key.

from azureml.core import Workspace
   ws = Workspace.create(name='myworkspace',
               subscription_id='<azure-subscription-id>',
               resource_group='myresourcegroup',
               create_resource_group=True,
               location='eastus2'
               cmk_keyvault='subscriptions/<azure-subscription-id>/resourcegroups/myresourcegroup/providers/microsoft.keyvault/vaults/<keyvault-name>', 
               resource_cmk_uri='<key-identifier>'
               )

Download a configuration file

If you will be creating a compute instance, skip this step. The compute instance has already created a copy of this file for you.

If you plan to use code on your local environment that references this workspace (ws), write the configuration file:

ws.write_config()

Place the file into the directory structure with your Python scripts or Jupyter Notebooks. It can be in the same directory, a subdirectory named .azureml, or in a parent directory. When you create a compute instance, this file is added to the correct directory on the VM for you.

Connect to a workspace

In your Python code, you create a workspace object to connect to your workspace. This code will read the contents of the configuration file to find your workspace. You will get a prompt to sign in if you are not already authenticated.

from azureml.core import Workspace

ws = Workspace.from_config()
  • Multiple tenants. If you have multiple accounts, add the tenant ID of the Azure Active Directory you wish to use. Find your tenant ID from the Azure portal under Azure Active Directory, External Identities.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(tenant_id="my-tenant-id")
    ws = Workspace.from_config(auth=interactive_auth)
    
  • Sovereign cloud. You'll need extra code to authenticate to Azure if you're working in a sovereign cloud.

    from azureml.core.authentication import InteractiveLoginAuthentication
    from azureml.core import Workspace
    
    interactive_auth = InteractiveLoginAuthentication(cloud="<cloud name>") # for example, cloud="AzureUSGovernment"
    ws = Workspace.from_config(auth=interactive_auth)
    

If you have problems in accessing your subscription, see Set up authentication for Azure Machine Learning resources and workflows, as well as the Authentication in Azure Machine Learning notebook.

Find a workspace

See a list of all the workspaces you can use.

Find your subscriptions in the Subscriptions page in the Azure portal. Copy the ID and use it in the code below to see all workspaces available for that subscription.

from azureml.core import Workspace

Workspace.list('<subscription-id>')

The Workspace.list(..) method does not return the full workspace object. It includes only basic information about existing workspaces in the subscription. To get a full object for specific workspace, use Workspace.get(..).

Delete a workspace

When you no longer need a workspace, delete it.

Warning

Once an Azure Machine Learning workspace has been deleted, it cannot be recovered.

If you accidentally deleted your workspace, you may still be able to retrieve your notebooks. For details, see Failover for business continuity and disaster recovery.

Delete the workspace ws:

ws.delete(delete_dependent_resources=False, no_wait=False)

The default action is not to delete resources associated with the workspace, that is, container registry, storage account, key vault, and application insights. Set delete_dependent_resources to True to delete these resources as well.

Clean up resources

Important

The resources that you created can be used as prerequisites to other Azure Machine Learning tutorials and how-to articles.

If you don't plan to use any of the resources that you created, delete them so you don't incur any charges:

  1. In the Azure portal, select Resource groups on the far left.

  2. From the list, select the resource group that you created.

  3. Select Delete resource group.

    Screenshot of the selections to delete a resource group in the Azure portal.

  4. Enter the resource group name. Then select Delete.

Troubleshooting

  • Supported browsers in Azure Machine Learning studio: We recommend that you use the most up-to-date browser that's compatible with your operating system. The following browsers are supported:

    • Microsoft Edge (The new Microsoft Edge, latest version. Not Microsoft Edge legacy)
    • Safari (latest version, Mac only)
    • Chrome (latest version)
    • Firefox (latest version)
  • Azure portal:

    • If you go directly to your workspace from a share link from the SDK or the Azure portal, you can't view the standard Overview page that has subscription information in the extension. In this scenario, you also can't switch to another workspace. To view another workspace, go directly to Azure Machine Learning studio and search for the workspace name.
    • All assets (Datasets, Experiments, Computes, and so on) are available only in Azure Machine Learning studio. They're not available from the Azure portal.
    • Attempting to export a template for a workspace from the Azure portal may return an error similar to the following text: Could not get resource of the type <type>. Resources of this type will not be exported. As a workaround, use one of the templates provided at https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.machinelearningservices as the basis for your template.

Workspace diagnostics

You can run diagnostics on your workspace from Azure Machine Learning studio or the Python SDK. After diagnostics run, a list of any detected problems is returned. This list includes links to possible solutions. For more information, see How to use workspace diagnostics.

Resource provider errors

When creating an Azure Machine Learning workspace, or a resource used by the workspace, you may receive an error similar to the following messages:

  • No registered resource provider found for location {location}
  • The subscription is not registered to use namespace {resource-provider-namespace}

Most resource providers are automatically registered, but not all. If you receive this message, you need to register the provider mentioned.

The following table contains a list of the resource providers required by Azure Machine Learning:

Resource provider Why it's needed
Microsoft.MachineLearningServices Creating the Azure Machine Learning workspace.
Microsoft.Storage Azure Storage Account is used as the default storage for the workspace.
Microsoft.ContainerRegistry Azure Container Registry is used by the workspace to build Docker images.
Microsoft.KeyVault Azure Key Vault is used by the workspace to store secrets.
Microsoft.Notebooks/NotebookProxies Integrated notebooks on Azure Machine Learning compute instance.
Microsoft.ContainerService If you plan on deploying trained models to Azure Kubernetes Services.

If you plan on using a customer-managed key with Azure Machine Learning, then the following service providers must be registered:

Resource provider Why it's needed
Microsoft.DocumentDB/databaseAccounts Azure CosmosDB instance that logs metadata for the workspace.
Microsoft.Search/searchServices Azure Search provides indexing capabilities for the workspace.

For information on registering resource providers, see Resolve errors for resource provider registration.

Moving the workspace

Warning

Moving your Azure Machine Learning workspace to a different subscription, or moving the owning subscription to a new tenant, is not supported. Doing so may cause errors.

Deleting the Azure Container Registry

The Azure Machine Learning workspace uses Azure Container Registry (ACR) for some operations. It will automatically create an ACR instance when it first needs one.

Warning

Once an Azure Container Registry has been created for a workspace, do not delete it. Doing so will break your Azure Machine Learning workspace.

Examples

Examples of creating a workspace:

Next steps

Once you have a workspace, learn how to Train and deploy a model.

To learn more about planning a workspace for your organization's requirements, see Organize and set up Azure Machine Learning.

To check for problems with your workspace, see How to use workspace diagnostics.

If you need to move a workspace to another Azure subscription, see How to move a workspace.