Manage access control for managed feature store

This article describes how to manage access (authorization) to an Azure Machine Learning managed feature store. Azure role-based access control (Azure RBAC) manages access to Azure resources, including the ability to create new resources or use existing ones. Users in your Microsoft Entra ID receive specific roles, which grant access to resources. Azure provides both built-in roles and the ability to create custom roles.

Identities and user types

Azure Machine Learning supports role-based access control for these managed feature store resources:

  • feature store
  • feature store entity
  • feature set

To control access to these resources, consider the user types shown here. For each user type, the identity can be either a Microsoft Entra identity, a service principal, or an Azure managed identity (both system-managed and user-assigned).

  • Feature set developers (for example, data scientist, data engineers, and machine learning engineers): They primarily work with the feature store workspace and they handle
    • The feature management lifecycle, from creation to archive
    • Materialization and feature backfill set-up
    • Feature freshness and quality monitoring
  • Feature set consumers (for example, data scientist and machine learning engineers): They primarily work in a project workspace, and they use features in these ways:
    • Feature discovery for model reuse
    • Experimentation with features during training, to see if those features improve model performance
    • Set up of the training/inference pipelines that use the features
  • Feature store Admins: They typically handle:
    • Feature store lifecycle management (from creation to retirement)
    • Feature store user access lifecycle management
    • Feature store configuration: quota and storage (offline/online stores)
    • Cost management

This table describes the permissions required for each user type:

Role Description Required permissions
feature store admin who can create/update/delete feature store Permissions required for the feature store admin role
feature set consumer who can use defined feature sets in their machine learning lifecycle. Permissions required for the feature set consumer role
feature set developer who can create/update feature sets, or set up materializations - for example, backfill and recurrent jobs. Permissions required for the feature set developer role

If your feature store requires materialization, these permissions are also required:

Role Description Required permissions
feature store materialization managed identity The Azure user-assigned managed identity that the feature store materialization jobs use for data access. This identity is required if the feature store enables materialization Permissions required for the feature store materialization managed identity role

For more information about role creation, visit the create custom role resource.

Resources

Granting of access involves these resources:

  • the Azure Machine Learning managed Feature store
  • the Azure storage account (Gen2) that the feature store uses as an offline store
  • the Azure user-assigned managed identity that the feature store uses for its materialization jobs
  • the Azure user storage accounts that host the feature set source data

Permissions required for the feature store admin role

To create and/or delete a managed feature store, we recommend the built-in Contributor and User Access Administrator roles on the resource group. You can also create a custom Feature store admin role with these minimum permissions:

Scope Action/Role
resourceGroup (the location of the feature store creation) Microsoft.MachineLearningServices/workspaces/featurestores/read
resourceGroup (the location of the feature store creation) Microsoft.MachineLearningServices/workspaces/featurestores/write
resourceGroup (the location of the feature store creation) Microsoft.MachineLearningServices/workspaces/featurestores/delete
the feature store Microsoft.Authorization/roleAssignments/write
the user assigned managed identity Managed Identity Operator role

When a feature store is provisioned, other resources are provisioned by default. However, you can use existing resources. If new resources are needed, the identity that creates the feature store must have these permissions on the resource group:

  • Microsoft.Storage/storageAccounts/write
  • Microsoft.Storage/storageAccounts/blobServices/containers/write
  • Microsoft.Insights/components/write
  • Microsoft.KeyVault/vaults/write
  • Microsoft.ContainerRegistry/registries/write
  • Microsoft.OperationalInsights/workspaces/write
  • Microsoft.ManagedIdentity/userAssignedIdentities/write

Permissions required for the feature set consumer role

Use these built-in roles to consume the feature sets defined in the feature store:

Scope Role
the feature store AzureML Data Scientist
the source data storage accounts; in other words, the feature set data sources Storage Blob Data Reader role
the storage feature store offline store storage account Storage Blob Data Reader role

Note

The AzureML Data Scientist allows the users to create and update feature sets in the feature store.

To avoid use of the AzureML Data Scientist role, you can use these individual actions:

Scope Action/Role
the feature store Microsoft.MachineLearningServices/workspaces/featurestores/read
the feature store Microsoft.MachineLearningServices/workspaces/featuresets/read
the feature store Microsoft.MachineLearningServices/workspaces/featurestoreentities/read
the feature store Microsoft.MachineLearningServices/workspaces/datastores/listSecrets/action
the feature store Microsoft.MachineLearningServices/workspaces/jobs/read

Permissions required for the feature set developer role

To develop feature sets in the feature store, use these built-in roles:

Scope Role
the feature store AzureML Data Scientist
the source data storage accounts Storage Blob Data Reader role
the feature store offline store storage account Storage Blob Data Reader role

To avoid use of the AzureML Data Scientist role, you can use these individual actions (in addition to the actions listed for Featureset consumer)

Scope Role
the feature store Microsoft.MachineLearningServices/workspaces/featuresets/write
the feature store Microsoft.MachineLearningServices/workspaces/featuresets/delete
the feature store Microsoft.MachineLearningServices/workspaces/featuresets/action
the feature store Microsoft.MachineLearningServices/workspaces/featurestoreentities/write
the feature store Microsoft.MachineLearningServices/workspaces/featurestoreentities/delete
the feature store Microsoft.MachineLearningServices/workspaces/featurestoreentities/action

Permissions required for the feature store materialization managed identity role

In addition to all of the permissions that the feature set consumer role requires, use these built-in roles:

Scope Action/Role
feature store AzureML Data Scientist role
storage account of feature store offline store Storage Blob Data Contributor role
storage accounts of source data Storage Blob Data Reader role

New actions created for managed feature store

These new actions are created for managed feature store usage:

Action Description
Microsoft.MachineLearningServices/workspaces/featurestores/read List, get feature store
Microsoft.MachineLearningServices/workspaces/featurestores/write Create and update the feature store (configure materialization stores, materialization compute, etc.)
Microsoft.MachineLearningServices/workspaces/featurestores/delete Delete feature store
Microsoft.MachineLearningServices/workspaces/featuresets/read List and show feature sets
Microsoft.MachineLearningServices/workspaces/featuresets/write Create and update feature sets. Can configure materialization settings along with create or update
Microsoft.MachineLearningServices/workspaces/featuresets/delete Delete feature sets
Microsoft.MachineLearningServices/workspaces/featuresets/action Trigger actions on feature sets (for example, a backfill job)
Microsoft.MachineLearningServices/workspaces/featurestoreentities/read List and show feature store entities
Microsoft.MachineLearningServices/workspaces/featurestoreentities/write Create and update feature store entities
Microsoft.MachineLearningServices/workspaces/featurestoreentities/delete Delete entities
Microsoft.MachineLearningServices/workspaces/featurestoreentities/action Trigger actions on feature store entities

There's no ACL (access control list) for instances of a feature store entity and a feature set.

Next steps