1# Live Role Verification
2 
3Query Azure to confirm that provisioned RBAC role assignments are correct and sufficient for the application to function. This complements the static role check in azure-validate by validating **live Azure state**.
4 
5## How It Differs from azure-validate's Role Check
6 
7| Check | Skill | What It Verifies |
8|-------|-------|-----------------|
9| **Static** | azure-validate | Generated Bicep/Terraform has correct role assignments in code |
10| **Live** | azure-deploy (this) | Provisioned Azure resources actually have the right roles assigned |
11 
12Both checks are needed because:
13- Bicep may be correct but provisioning could fail silently for roles
14- Manual changes or policy enforcement may alter role assignments
15- Previous deployments may have stale or conflicting roles
16 
17## When to Run
18 
19After deployment verification (step 7). Resources are now provisioned, so live role assignments can be queried.
20 
21## Verification Steps
22 
23### 1. Identify App Identities
24 
25Read `.azure/deployment-plan.md` to find all services with managed identities. Then query Azure for their principal IDs:
26 
27```bash
28# App Service
29az webapp identity show --name <app-name> -g <resource-group> --query principalId -o tsv
30 
31# Container App
32az containerapp identity show --name <app-name> -g <resource-group> --query principalId -o tsv
33 
34# Function App
35az functionapp identity show --name <app-name> -g <resource-group> --query principalId -o tsv
36```
37 
38### 2. Query Live Role Assignments
39 
40Use MCP tools to list role assignments for each resource **and identity** (using the `principalId` from step 1):
41 
42```
43azure__role(
44  command: "role_assignment_list",
45  scope: "<resourceId>",
46  assignee_object_id: "<principalId>"
47)
48```
49 
50Or via CLI:
51 
52```bash
53az role assignment list --scope <resourceId> --assignee-object-id <principalId> --output table
54```
55 
56### 3. Cross-Check Against Requirements
57 
58For each identity, verify the assigned roles match what the app needs:
59 
60| App Operation | Expected Role | Scope |
61|---------------|---------------|-------|
62| Read/write blobs | Storage Blob Data Contributor | Storage account |
63| Generate user delegation SAS | Storage Blob Delegator | Storage account |
64| Read secrets | Key Vault Secrets User | Key Vault |
65| Send messages | Azure Service Bus Data Sender | Service Bus namespace |
66| Read/write documents | Cosmos DB Built-in Data Contributor | Cosmos DB account |
67 
68### 4. Check for Common Issues
69 
70| Issue | How to Detect | Fix |
71|-------|---------------|-----|
72| Role assigned at wrong scope | Role on resource group but needed on specific resource | Reassign at resource scope |
73| Generic role instead of data role | `Contributor` assigned but no data-plane access | Replace with data-plane role (e.g., `Storage Blob Data Contributor`) |
74| Missing role entirely | No assignment found for identity on target resource | Add role assignment to Bicep and redeploy |
75| Stale role from previous deployment | Old principal ID with roles, new identity without | Clean up old assignments, add new ones |
76 
77## Decision Tree
78 
79```
80Resources provisioned?
81├── No → Skip live check (nothing to query yet)
82└── Yes → For each app identity:
83    ├── Query role assignments on target resources
84    ├── Compare against expected roles from plan
85    │   ├── All roles present and correct → ✅ Pass
86    │   ├── Missing roles → ❌ Fail — add to Bicep, redeploy
87    │   └── Wrong scope or generic roles → ⚠️ Warning — fix and redeploy
88    └── Record results in deployment verification
89```
90 
91## Record in Deployment Verification
92 
93Add live role verification results to the deployment log in `.azure/deployment-plan.md`:
94 
95```markdown
96### Live Role Verification
97- Command: `az role assignment list --scope <resourceId> --assignee-object-id <principalId>`
98- Results:
99  - <identity> → <role> on <resource> ✅
100  - <identity> → missing <expected-role> on <resource> ❌
101- Status: Pass / Fail
102```
103