Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry
rbac/rbac.md
# Microsoft Foundry RBAC Management

Reference for managing RBAC for Microsoft Foundry resources: user permissions, managed identity configuration, and service principal setup for CI/CD.

## Quick Reference

| Property | Value |
|----------|-------|
| **CLI Extension** | `az role assignment`, `az ad sp` |
| **Resource Type** | `Microsoft.CognitiveServices/accounts` |
| **Best For** | Permission management, access auditing, CI/CD setup |

## When to Use

- Grant user access to Foundry resources or projects
- Set up developer permissions (Project Manager, Owner roles)
- Audit role assignments or validate permissions
- Configure managed identity roles for connected resources
- Create service principals for CI/CD pipeline automation
- Troubleshoot permission errors

## Foundry Built-in Roles

| Role | Create Projects | Data Actions | Role Assignments |
|------|-----------------|--------------|------------------|
| Foundry User | No | Yes | No |
| Foundry Project Manager | Yes | Yes | Yes (Foundry User only) |
| Foundry Account Owner | Yes | No | Yes (Foundry User only) |
| Foundry Owner | Yes | Yes | Yes |

> ⚠️ **Warning:** Foundry User is auto-assigned via Portal but NOT via SDK/CLI. Automation must explicitly assign roles.

## Workflows

All scopes follow the pattern: `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.CognitiveServices/accounts/<foundry-resource-name>`

For project-level scoping, append `/projects/<project-name>`.

### 1. Assign User Permissions

```bash
az role assignment create --role "53ca6127-db72-4b80-b1b0-d745d6d5456d" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry User
```

### 2. Assign Developer Permissions

```bash
# Project Manager (create projects, assign Foundry User roles)
az role assignment create --role "eadc314b-1a2d-4efa-be10-5d325db5065e" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry Project Manager

# Full ownership including data actions
az role assignment create --role "c883944f-8b7b-4483-af10-35834be79c4a" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry Owner
```

### 3. Audit Role Assignments

```bash
# List all assignments
az role assignment list --scope "<foundry-scope>" --output table

# Detailed with principal names
az role assignment list --scope "<foundry-scope>" --query "[].{Principal:principalName, PrincipalType:principalType, Role:roleDefinitionName}" --output table

# Foundry roles only
az role assignment list --scope "<foundry-scope>" --query "[?contains(roleDefinitionName, 'Foundry')].{Principal:principalName, Role:roleDefinitionName}" --output table
```

### 4. Validate Permissions

```bash
# Current user's roles on resource
az role assignment list --assignee "$(az ad signed-in-user show --query id -o tsv)" --scope "<foundry-scope>" --query "[].roleDefinitionName" --output tsv

# Check actions available to a role
az role definition list --name "Foundry User" --query "[].permissions[].actions" --output json
```

**Permission Requirements by Action:**

| Action | Required Role(s) |
|--------|------------------|
| Deploy models | Foundry User, Foundry Project Manager, Foundry Owner |
| Create projects | Foundry Project Manager, Foundry Account Owner, Foundry Owner |
| Assign Foundry User role | Foundry Project Manager, Foundry Account Owner, Foundry Owner |
| Full data access | Foundry User, Foundry Project Manager, Foundry Owner |

### 5. Configure Managed Identity Roles

```bash
# Get managed identity principal ID
PRINCIPAL_ID=$(az cognitiveservices account show --name <foundry-resource-name> --resource-group <resource-group> --query identity.principalId --output tsv)

# Assign roles to connected resources (repeat pattern for each)
az role assignment create --role "<role-name>" --assignee "$PRINCIPAL_ID" --scope "<resource-scope>"
```

**Common Managed Identity Role Assignments:**

| Connected Resource | Role | Purpose |
|--------------------|------|---------|
| Azure Storage | Storage Blob Data Reader | Read files/documents |
| Azure Storage | Storage Blob Data Contributor | Read/write files |
| Azure Key Vault | Key Vault Secrets User | Read secrets |
| Azure AI Search | Search Index Data Reader | Query indexes |
| Azure AI Search | Search Index Data Contributor | Query and modify indexes |
| Azure Cosmos DB | Cosmos DB Account Reader | Read data |

### 6. Create Service Principal for CI/CD

```bash
# Create SP with minimal role
az ad sp create-for-rbac --name "foundry-cicd-sp" --role "53ca6127-db72-4b80-b1b0-d745d6d5456d" --scopes "<foundry-scope>" --output json # Foundry User
# Output contains: appId, password, tenant — store securely

# For project management permissions
az ad sp create-for-rbac --name "foundry-cicd-admin-sp" --role "eadc314b-1a2d-4efa-be10-5d325db5065e" --scopes "<foundry-scope>" --output json # Foundry Project Manager

# Add Contributor for resource provisioning
SP_APP_ID=$(az ad sp list --display-name "foundry-cicd-sp" --query "[0].appId" -o tsv)
az role assignment create --role "Contributor" --assignee "$SP_APP_ID" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
```

> 💡 **Tip:** Use least privilege — start with `Foundry User` and add roles as needed.

| CI/CD Scenario | Recommended Role | Additional Roles |
|----------------|------------------|------------------|
| Deploy models only | Foundry User | None |
| Manage projects | Foundry Project Manager | None |
| Full provisioning | Foundry Owner | Contributor (on RG) |
| Read-only monitoring | Reader | Foundry User (for data) |

**CI/CD Pipeline Login:**

```bash
az login --service-principal --username "<app-id>" --password "<client-secret>" --tenant "<tenant-id>"
az account set --subscription "<subscription-id>"
```

## Error Handling

| Issue | Cause | Resolution |
|-------|-------|------------|
| "Authorization failed" when deploying | Missing Foundry User role | Assign Foundry User role at resource scope |
| Cannot create projects | Missing Project Manager or Owner role | Assign Foundry Project Manager role |
| "Access denied" on connected resources | Managed identity missing roles | Assign appropriate roles to MI on each resource |
| Portal works but CLI fails | Portal auto-assigns roles, CLI doesn't | Explicitly assign Foundry User via CLI |
| Service principal cannot access data | Wrong role or scope | Verify Foundry User is assigned at correct scope |
| "Principal does not exist" | User/SP not found in directory | Verify the assignee email or object ID is correct |
| Role assignment already exists | Duplicate assignment attempt | Use `az role assignment list` to verify existing assignments |

## Additional Resources

- [Azure AI Foundry RBAC Documentation](https://learn.microsoft.com/azure/ai-foundry/concepts/rbac-ai-foundry)
- [Azure Built-in Roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles)
- [Managed Identities Overview](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
- [Service Principal Authentication](https://learn.microsoft.com/azure/developer/github/connect-from-azure)
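## Worked Example: Scope Builder and Least-Privilege Audit

The following Python script is an added example, not part of the skill package or of the Azure CLI. It ties together the audit workflow of sections 3 and 4, the least-privilege guidance of section 6, and the "Role assignment already exists" row of the error table: it builds the scope string from the pattern above with input validation, plans an `az role assignment create` call by role name and skips it when an identical assignment already exists, and audits the JSON that `az role assignment list --scope "<foundry-scope>" --output json` returns (add `--include-inherited` if inherited assignments should be covered) for service principals holding high-privilege roles, automation principals with no data-action role (the situation the warning above describes), and assignments inherited from broader scopes. The role GUIDs are the ones listed in this document; the subscription id, resource names, principal names and the assignment list are constructed placeholders, and the `DATA_ACTION_ROLES` / `HIGH_PRIVILEGE_ROLES` tiers are this example's own classification, derived from the role tables above.

```python
import re

# Foundry built-in role definition IDs, as listed in this document.
FOUNDRY_ROLE_IDS = {
    "Foundry User": "53ca6127-db72-4b80-b1b0-d745d6d5456d",
    "Foundry Project Manager": "eadc314b-1a2d-4efa-be10-5d325db5065e",
    "Foundry Owner": "c883944f-8b7b-4483-af10-35834be79c4a",
}
# Roles that grant data actions on the resource ("Permission Requirements by Action").
DATA_ACTION_ROLES = {"Foundry User", "Foundry Project Manager", "Foundry Owner"}
# Roles whose holders can change resources or role assignments; a service principal
# holding one of these deserves review under least privilege (this example's own tier).
HIGH_PRIVILEGE_ROLES = {"Foundry Owner", "Owner", "Contributor", "User Access Administrator"}

GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE)
NAME_RE = re.compile(r"^[A-Za-z0-9._()-]+$")


def foundry_scope(subscription_id, resource_group, account, project=None):
    """Build a scope string in the pattern this document uses, validating each part
    so a typo cannot silently produce a scope that matches nothing (or the wrong thing)."""
    if not GUID_RE.match(subscription_id):
        raise ValueError("subscription id must be a GUID")
    for part in (resource_group, account, project):
        if part is not None and not NAME_RE.match(part):
            raise ValueError(f"invalid resource name: {part!r}")
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.CognitiveServices/accounts/{account}")
    return scope + (f"/projects/{project}" if project else "")


def plan_assignment(role_name, assignee, scope, existing):
    """Return the `az role assignment create` argv for a Foundry role, or None when an
    identical assignment is already present (avoids the 'already exists' error)."""
    role_id = FOUNDRY_ROLE_IDS[role_name]
    for a in existing:
        if (a["principalName"].lower() == assignee.lower()
                and a["roleDefinitionName"] == role_name
                and a["scope"].lower() == scope.lower()):
            return None
    return ["az", "role", "assignment", "create", "--role", role_id,
            "--assignee", assignee, "--scope", scope]


def audit_assignments(assignments, scope):
    """Flag least-privilege problems in the parsed output of
    `az role assignment list --scope <scope> --output json`.
    Returns a sorted list of (principalName, finding) tuples."""
    findings = []
    by_principal = {}
    for a in assignments:
        by_principal.setdefault(a["principalName"], []).append(a)
    for principal, entries in by_principal.items():
        roles = {e["roleDefinitionName"] for e in entries}
        is_sp = entries[0]["principalType"] == "ServicePrincipal"
        # Assignments inherited from a broader scope (subscription, resource group)
        # reach far beyond this Foundry resource.
        for e in entries:
            if not e["scope"].lower().startswith(scope.lower()):
                findings.append((principal, f"'{e['roleDefinitionName']}' inherited from broader scope {e['scope']}"))
        if is_sp and roles & HIGH_PRIVILEGE_ROLES:
            findings.append((principal, "service principal holds high-privilege role(s): "
                             + ", ".join(sorted(roles & HIGH_PRIVILEGE_ROLES))))
        # Automation principals are never auto-assigned Foundry User (see the warning
        # above); without a data-action role, deployments fail with "Authorization failed".
        if is_sp and not roles & DATA_ACTION_ROLES:
            findings.append((principal, "no Foundry data-action role (Foundry User or higher)"))
    return sorted(findings)


# Constructed sample: one Foundry resource and five assignments shaped like the
# `az role assignment list` JSON. All ids, names and scopes are placeholders.
SAMPLE_SCOPE = foundry_scope("00000000-0000-0000-0000-000000000000", "rg-foundry", "foundry-demo")
SAMPLE_RG_SCOPE = SAMPLE_SCOPE.split("/providers/")[0]
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Foundry Project Manager", "scope": SAMPLE_SCOPE},
    {"principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Foundry User", "scope": SAMPLE_SCOPE},
    {"principalName": "foundry-cicd-admin-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Foundry Owner", "scope": SAMPLE_SCOPE},
    {"principalName": "monitor-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SAMPLE_SCOPE},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SAMPLE_RG_SCOPE},
]

if __name__ == "__main__":
    for principal, finding in audit_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_SCOPE):
        print(f"{principal}: {finding}")
    cmd = plan_assignment("Foundry User", "monitor-sp", SAMPLE_SCOPE, SAMPLE_ASSIGNMENTS)
    print(" ".join(cmd) if cmd else "already assigned")
```

On the constructed sample the audit reports three findings: `bob@example.com` holds Contributor inherited from the resource-group scope, `foundry-cicd-admin-sp` holds Foundry Owner, and `monitor-sp` has Reader only, so its data calls would fail as described in the error table (the "Read-only monitoring" row above pairs Reader with Foundry User for that reason). To run it against a real resource, replace `SAMPLE_ASSIGNMENTS` with `json.load()` of the CLI output; principal-name matching in `plan_assignment` is a convenience for the display names the CLI returns, and object-id comparison is the stricter choice where names are ambiguous.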