Deploy, evaluate, and manage AI agents end-to-end on Microsoft Azure AI Foundry
rbac/rbac.md
# Microsoft Foundry RBAC Management

Reference for managing RBAC for Microsoft Foundry resources: user permissions, managed identity configuration, and service principal setup for CI/CD.

## Quick Reference

| Property | Value |
|----------|-------|
| **CLI Commands** | `az role assignment`, `az ad sp` |
| **Resource Type** | `Microsoft.CognitiveServices/accounts` |
| **Best For** | Permission management, access auditing, CI/CD setup |

## When to Use

- Grant user access to Foundry resources or projects
- Set up developer permissions (Project Manager, Owner roles)
- Audit role assignments or validate permissions
- Configure managed identity roles for connected resources
- Create service principals for CI/CD pipeline automation
- Troubleshoot permission errors

## Azure AI Foundry Built-in Roles

| Role | Create Projects | Data Actions | Role Assignments |
|------|-----------------|--------------|------------------|
| Azure AI User | No | Yes | No |
| Azure AI Project Manager | Yes | Yes | Yes (Azure AI User only) |
| Azure AI Account Owner | Yes | No | Yes (Azure AI User only) |
| Azure AI Owner | Yes | Yes | Yes |

> ⚠️ **Warning:** The Portal assigns Azure AI User automatically; the SDK and CLI do not. Automation must assign roles explicitly, otherwise the identity can manage the resource but not use it.

## Workflows

All scopes follow the pattern: `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.CognitiveServices/accounts/<foundry-resource-name>`

For project-level scoping, append `/projects/<project-name>`. Azure RBAC is inherited downward, so a role assigned at the resource (account) scope applies to every project under it; assign at project scope when a principal should see only one project.

### 1. Assign User Permissions

```bash
az role assignment create --role "Azure AI User" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"
```

### 2. Assign Developer Permissions

```bash
# Project Manager (create projects, assign the Azure AI User role)
az role assignment create --role "Azure AI Project Manager" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"

# Full ownership including data actions
az role assignment create --role "Azure AI Owner" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"
```

### 3. Audit Role Assignments

```bash
# List assignments made at this exact scope
az role assignment list --scope "<foundry-scope>" --output table

# Include assignments inherited from the resource group and subscription
az role assignment list --scope "<foundry-scope>" --include-inherited --output table

# Detailed with principal names and types
az role assignment list --scope "<foundry-scope>" --query "[].{Principal:principalName, PrincipalType:principalType, Role:roleDefinitionName}" --output table

# Azure AI roles only
az role assignment list --scope "<foundry-scope>" --query "[?contains(roleDefinitionName, 'Azure AI')].{Principal:principalName, Role:roleDefinitionName}" --output table
```

### 4. Validate Permissions

```bash
# Current user's roles on the resource, including inherited assignments and
# assignments granted through group membership
az role assignment list --assignee "$(az ad signed-in-user show --query id -o tsv)" --scope "<foundry-scope>" --include-inherited --include-groups --query "[].roleDefinitionName" --output tsv

# Check what a role grants; the Azure AI roles matter mostly through their dataActions
az role definition list --name "Azure AI User" --query "[].permissions[].{actions:actions, dataActions:dataActions}" --output json
```

**Permission Requirements by Action:**

| Action | Required Role(s) |
|--------|------------------|
| Deploy models | Azure AI User, Azure AI Project Manager, Azure AI Owner |
| Create projects | Azure AI Project Manager, Azure AI Account Owner, Azure AI Owner |
| Assign Azure AI User role | Azure AI Project Manager, Azure AI Account Owner, Azure AI Owner |
| Full data access | Azure AI User, Azure AI Project Manager, Azure AI Owner |

### 5. Configure Managed Identity Roles

```bash
# Get the managed identity principal ID (empty if the resource has no system-assigned identity)
PRINCIPAL_ID=$(az cognitiveservices account show --name <foundry-resource-name> --resource-group <resource-group> --query identity.principalId --output tsv)

# Assign roles on connected resources (repeat for each resource the Foundry identity must reach)
az role assignment create --role "<role-name>" --assignee "$PRINCIPAL_ID" --scope "<resource-scope>"
```

**Common Managed Identity Role Assignments:**

| Connected Resource | Role | Purpose |
|--------------------|------|---------|
| Azure Storage | Storage Blob Data Reader | Read files/documents |
| Azure Storage | Storage Blob Data Contributor | Read/write files |
| Azure Key Vault | Key Vault Secrets User | Read secrets |
| Azure AI Search | Search Index Data Reader | Query indexes |
| Azure AI Search | Search Index Data Contributor | Query and modify indexes |
| Azure Cosmos DB | Cosmos DB Account Reader | Read data |

Prefer the Reader variant unless the workload actually writes; a Contributor role on storage or search turns a prompt-injection or agent bug into a data-modification problem.

### 6. Create Service Principal for CI/CD

```bash
# Create an SP with the minimal role, scoped to the Foundry resource
az ad sp create-for-rbac --name "foundry-cicd-sp" --role "Azure AI User" --scopes "<foundry-scope>" --output json
# Output contains appId, password, tenant. The password is shown only once; store it in the pipeline's secret store, never in the repo.

# For project management permissions
az ad sp create-for-rbac --name "foundry-cicd-admin-sp" --role "Azure AI Project Manager" --scopes "<foundry-scope>" --output json

# Add Contributor on the resource group only if the pipeline provisions resources
SP_APP_ID=$(az ad sp list --display-name "foundry-cicd-sp" --query "[0].appId" -o tsv)
az role assignment create --role "Contributor" --assignee "$SP_APP_ID" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
```

> 💡 **Tip:** Use least privilege: start with `Azure AI User` and add roles only as needed. Contributor does not include data actions, so a pipeline that only deploys models does not need it.

| CI/CD Scenario | Recommended Role | Additional Roles |
|----------------|------------------|------------------|
| Deploy models only | Azure AI User | None |
| Manage projects | Azure AI Project Manager | None |
| Full provisioning | Azure AI Owner | Contributor (on RG) |
| Read-only monitoring | Reader | Azure AI User (for data) |

**CI/CD Pipeline Login:**

```bash
# Read the secret from a pipeline secret variable rather than typing it inline,
# so it does not land in shell history or the process list
az login --service-principal --username "<app-id>" --password "$AZURE_CLIENT_SECRET" --tenant "<tenant-id>"
az account set --subscription "<subscription-id>"
```

## Error Handling

| Issue | Cause | Resolution |
|-------|-------|------------|
| "Authorization failed" when deploying | Missing Azure AI User role | Assign Azure AI User at resource scope |
| Cannot create projects | Missing Project Manager or Owner role | Assign Azure AI Project Manager |
| "Access denied" on connected resources | Managed identity missing roles | Assign the appropriate role to the MI on each connected resource |
| Portal works but CLI fails | Portal auto-assigns roles, CLI does not | Explicitly assign Azure AI User via CLI |
| Service principal cannot access data | Wrong role (e.g. Contributor only) or wrong scope (another project) | Verify Azure AI User is assigned at the correct scope |
| "Principal does not exist" | User/SP not found in directory | Verify the assignee email or object ID; a newly created SP may take a moment to replicate |
| Role assignment already exists | Duplicate assignment attempt | Use `az role assignment list` to verify existing assignments |

## Additional Resources

- [Azure AI Foundry RBAC Documentation](https://learn.microsoft.com/azure/ai-foundry/concepts/rbac-ai-foundry)
- [Azure Built-in Roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles)
- [Managed Identities Overview](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
- [Service Principal Authentication](https://learn.microsoft.com/azure/developer/github/connect-from-azure)
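The audit and validation workflows (sections 3 and 4) and the "wrong role or scope" rows of the error-handling table can be checked offline against the JSON that `az role assignment list --output json` prints. The script below is an added example, not part of the skill file or of any Microsoft tooling. It reads the fields `principalId`, `principalName`, `principalType`, `roleDefinitionName` and `scope` from that output, resolves which roles a principal effectively holds at a project scope (assignments at the account, resource group or subscription are inherited), checks them against the "Permission Requirements by Action" table, and flags assignments that deserve a least-privilege review. The assignments, IDs and names in it are constructed sample data; the role names and the per-action requirements come from the tables above.

```python
"""Offline audit of Foundry role assignments (added example, not from the skill).

Input shape is the JSON printed by
    az role assignment list --scope "<foundry-scope>" --include-inherited --output json
The assignments defined below are constructed sample data with placeholder IDs.
"""
import json
import sys


def foundry_scope(subscription_id, resource_group, account_name, project_name=None):
    """Build the Foundry resource scope, optionally narrowed to one project."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.CognitiveServices/accounts/{account_name}")
    return f"{scope}/projects/{project_name}" if project_name else scope


# "Permission Requirements by Action" table from the reference, as data.
REQUIRED_ROLES = {
    "deploy_models": {"Azure AI User", "Azure AI Project Manager", "Azure AI Owner"},
    "create_projects": {"Azure AI Project Manager", "Azure AI Account Owner", "Azure AI Owner"},
    "assign_ai_user_role": {"Azure AI Project Manager", "Azure AI Account Owner", "Azure AI Owner"},
    "full_data_access": {"Azure AI User", "Azure AI Project Manager", "Azure AI Owner"},
}

# Broad ARM roles that carry no Foundry data actions but a lot of control-plane power.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def _segments(scope):
    return [s.lower() for s in scope.strip("/").split("/")]


def scope_covers(assigned_scope, target_scope):
    """True when an assignment made at assigned_scope is inherited at target_scope.

    Azure RBAC inherits downward (subscription > resource group > account > project).
    Comparison is per path segment and case-insensitive, so an assignment on
    accounts/foundry does not match accounts/foundry-2.
    """
    a, t = _segments(assigned_scope), _segments(target_scope)
    return len(a) <= len(t) and t[:len(a)] == a


def effective_roles(assignments, principal_id, target_scope):
    """Role names a principal holds at target_scope, inherited ones included."""
    return {
        a["roleDefinitionName"] for a in assignments
        if a["principalId"].lower() == principal_id.lower()
        and scope_covers(a["scope"], target_scope)
    }


def can_perform(assignments, principal_id, target_scope, action):
    """Does the principal hold at least one role the table lists for this action?"""
    return bool(effective_roles(assignments, principal_id, target_scope) & REQUIRED_ROLES[action])


def least_privilege_findings(assignments):
    """Assignments worth a review: broad ARM roles on service principals, and
    Azure AI roles granted above a single Foundry resource (those apply to every
    Foundry resource beneath that scope)."""
    findings = []
    for a in assignments:
        on_account = "/providers/microsoft.cognitiveservices/accounts/" in a["scope"].lower()
        who = f"{a['principalName']} ({a['principalType']})"
        if a["principalType"] == "ServicePrincipal" and a["roleDefinitionName"] in BROAD_ROLES:
            findings.append(f"{who} holds {a['roleDefinitionName']} at {a['scope']}")
        elif a["roleDefinitionName"].startswith("Azure AI") and not on_account:
            findings.append(f"{who} holds {a['roleDefinitionName']} above resource scope: {a['scope']}")
    return findings


# Constructed sample data (placeholder subscription, group, account and object IDs).
SUB, RG, ACCOUNT = "00000000-0000-0000-0000-000000000000", "rg-foundry-demo", "foundry-demo"
DEV_ID = "11111111-1111-1111-1111-111111111111"   # a developer user
LEAD_ID = "22222222-2222-2222-2222-222222222222"  # a team lead user
CICD_ID = "33333333-3333-3333-3333-333333333333"  # the CI/CD service principal

SAMPLE_ASSIGNMENTS = [
    {"principalId": DEV_ID, "principalName": "dev@contoso.example", "principalType": "User",
     "roleDefinitionName": "Azure AI User", "scope": foundry_scope(SUB, RG, ACCOUNT)},
    {"principalId": LEAD_ID, "principalName": "lead@contoso.example", "principalType": "User",
     "roleDefinitionName": "Azure AI Project Manager", "scope": foundry_scope(SUB, RG, ACCOUNT)},
    {"principalId": CICD_ID, "principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Azure AI User", "scope": foundry_scope(SUB, RG, ACCOUNT, "chat-agent")},
    {"principalId": CICD_ID, "principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/{RG}"},
]


def report(assignments, principal_id, target_scope):
    """One line per action: which of the table's actions the principal can perform."""
    roles = effective_roles(assignments, principal_id, target_scope)
    lines = [f"effective roles at {target_scope}: {sorted(roles) or 'none'}"]
    for action in REQUIRED_ROLES:
        lines.append(f"  {action}: {'ok' if can_perform(assignments, principal_id, target_scope, action) else 'DENIED'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a file saved from `az role assignment list ... --output json`, or use the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    # The SP can deploy to chat-agent but not to another project: Contributor from the
    # resource group is inherited, but it carries no Foundry data actions.
    print(report(data, CICD_ID, foundry_scope(SUB, RG, ACCOUNT, "chat-agent")))
    print(report(data, CICD_ID, foundry_scope(SUB, RG, ACCOUNT, "other-agent")))
    for finding in least_privilege_findings(data):
        print("REVIEW:", finding)
```

To run it against a real resource, save `az role assignment list --scope "<foundry-scope>" --include-inherited --output json` to a file and pass the path as the first argument; without `--include-inherited` the resource-group and subscription assignments are missing and the inheritance logic has nothing to work with.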