Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services
rbac/rbac.md
# Microsoft Foundry RBAC Management

Reference for managing RBAC on Microsoft Foundry resources: user permissions, managed identity configuration, and service principal setup for CI/CD.

## Quick Reference

| Property | Value |
|----------|-------|
| **CLI Commands** | `az role assignment`, `az role definition`, `az ad sp`, `az cognitiveservices account` |
| **Resource Type** | `Microsoft.CognitiveServices/accounts` |
| **Best For** | Permission management, access auditing, CI/CD setup |

## When to Use

- Grant user access to Foundry resources or projects
- Set up developer permissions (Project Manager, Owner roles)
- Audit role assignments or validate permissions
- Configure managed identity roles for connected resources
- Create service principals for CI/CD pipeline automation
- Troubleshoot permission errors

## Foundry Built-in Roles

| Role | Create Projects | Data Actions | Role Assignments |
|------|-----------------|--------------|------------------|
| Foundry User | No | Yes | No |
| Foundry Project Manager | Yes | Yes | Yes (Foundry User only) |
| Foundry Account Owner | Yes | No | Yes (Foundry User only) |
| Foundry Owner | Yes | Yes | Yes |

> ⚠️ **Warning:** The portal assigns Foundry User automatically; the SDK and CLI do not. Automation must assign roles explicitly, otherwise the first data-plane call (for example a model deployment) fails with an authorization error.

## Workflows

All scopes follow the pattern: `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.CognitiveServices/accounts/<foundry-resource-name>`

For project-level scoping, append `/projects/<project-name>`. Role assignments inherit downward: a role granted on the resource applies to every project under it, and a role granted on the resource group or subscription applies to the resource as well.

### 1. Assign User Permissions

```bash
# Foundry User: data actions only, cannot create projects or assign roles
az role assignment create --role "53ca6127-db72-4b80-b1b0-d745d6d5456d" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry User
```

### 2. Assign Developer Permissions

```bash
# Project Manager (create projects, assign Foundry User roles)
az role assignment create --role "eadc314b-1a2d-4efa-be10-5d325db5065e" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry Project Manager

# Full ownership including data actions
az role assignment create --role "c883944f-8b7b-4483-af10-35834be79c4a" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>" # Foundry Owner
```

### 3. Audit Role Assignments

```bash
# List assignments made directly on this scope
az role assignment list --scope "<foundry-scope>" --output table

# Include roles inherited from the resource group and subscription (what actually applies here)
az role assignment list --scope "<foundry-scope>" --include-inherited --output table

# Detailed with principal names
az role assignment list --scope "<foundry-scope>" --include-inherited --query "[].{Principal:principalName, PrincipalType:principalType, Role:roleDefinitionName, Scope:scope}" --output table

# Foundry roles only
az role assignment list --scope "<foundry-scope>" --include-inherited --query "[?contains(roleDefinitionName, 'Foundry')].{Principal:principalName, Role:roleDefinitionName}" --output table
```

### 4. Validate Permissions

```bash
# Current user's roles on the resource, including inherited roles and roles held through group membership
az role assignment list --assignee "$(az ad signed-in-user show --query id -o tsv)" --scope "<foundry-scope>" --include-inherited --include-groups --query "[].roleDefinitionName" --output tsv

# Check what a role grants. Foundry roles are mostly data actions, so query both lists, not just `actions`
az role definition list --name "Foundry User" --query "[].permissions[].{actions:actions, dataActions:dataActions}" --output json
```

**Permission Requirements by Action:**

| Action | Required Role(s) |
|--------|------------------|
| Deploy models | Foundry User, Foundry Project Manager, Foundry Owner |
| Create projects | Foundry Project Manager, Foundry Account Owner, Foundry Owner |
| Assign Foundry User role | Foundry Project Manager, Foundry Account Owner, Foundry Owner |
| Full data access | Foundry User, Foundry Project Manager, Foundry Owner |

### 5. Configure Managed Identity Roles

```bash
# Get the system-assigned managed identity principal ID. Empty output means the identity is not enabled;
# enable it with: az cognitiveservices account identity assign --name <foundry-resource-name> --resource-group <resource-group>
PRINCIPAL_ID=$(az cognitiveservices account show --name <foundry-resource-name> --resource-group <resource-group> --query identity.principalId --output tsv)

# Assign roles to connected resources (repeat pattern for each). Scope each assignment to the individual
# storage account, vault, or search service, not the resource group. Passing the object ID and principal
# type skips the directory lookup, which fails when the caller lacks Graph read permission
az role assignment create --role "<role-name>" --assignee-object-id "$PRINCIPAL_ID" --assignee-principal-type ServicePrincipal --scope "<resource-scope>"
```

**Common Managed Identity Role Assignments:**

| Connected Resource | Role | Purpose |
|--------------------|------|---------|
| Azure Storage | Storage Blob Data Reader | Read files/documents |
| Azure Storage | Storage Blob Data Contributor | Read/write files |
| Azure Key Vault | Key Vault Secrets User | Read secrets |
| Azure AI Search | Search Index Data Reader | Query indexes |
| Azure AI Search | Search Index Data Contributor | Query and modify indexes |
| Azure Cosmos DB | Cosmos DB Account Reader Role | Read account metadata (control plane) |

> ℹ️ Cosmos DB data-plane access for the NoSQL API is not granted through Azure RBAC roles; it uses Cosmos DB's own role assignments (`az cosmosdb sql role assignment create`). Pick the narrowest role in each row that the workload needs (Reader before Contributor).

### 6. Create Service Principal for CI/CD

```bash
# Create SP with minimal role (Foundry User)
az ad sp create-for-rbac --name "foundry-cicd-sp" --role "53ca6127-db72-4b80-b1b0-d745d6d5456d" --scopes "<foundry-scope>" --output json # Foundry User
# Output contains: appId, password, tenant. The password is a long-lived client secret:
# store it in the pipeline's secret store, never in the repo, and rotate it

# For project management permissions
az ad sp create-for-rbac --name "foundry-cicd-admin-sp" --role "eadc314b-1a2d-4efa-be10-5d325db5065e" --scopes "<foundry-scope>" --output json # Foundry Project Manager

# Full-provisioning scenario only: add Contributor on the resource group (not the subscription)
SP_APP_ID=$(az ad sp list --display-name "foundry-cicd-sp" --query "[0].appId" -o tsv)
az role assignment create --role "Contributor" --assignee "$SP_APP_ID" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
```

> 💡 **Tip:** Use least privilege: start with `Foundry User` at the narrowest scope (a single project where possible) and add roles only as a pipeline step actually fails.

| CI/CD Scenario | Recommended Role | Additional Roles |
|----------------|------------------|------------------|
| Deploy models only | Foundry User | None |
| Manage projects | Foundry Project Manager | None |
| Full provisioning | Foundry Owner | Contributor (on RG) |
| Read-only monitoring | Reader | Foundry User (for data) |

**CI/CD Pipeline Login:**

```bash
# Client-secret login
az login --service-principal --username "<app-id>" --password "<client-secret>" --tenant "<tenant-id>"

# Preferred where the pipeline can present an OIDC token (GitHub Actions, Azure DevOps):
# workload identity federation on the same app registration, so no client secret is stored at all
az login --service-principal --username "<app-id>" --federated-token "<oidc-token>" --tenant "<tenant-id>"

az account set --subscription "<subscription-id>"
```

## Error Handling

| Issue | Cause | Resolution |
|-------|-------|------------|
| "Authorization failed" when deploying | Missing Foundry User role (Reader, Contributor and Owner carry no Foundry data actions) | Assign Foundry User role at resource or project scope |
| Cannot create projects | Missing Project Manager or Owner role | Assign Foundry Project Manager role |
| "Access denied" on connected resources | Managed identity missing roles | Assign appropriate roles to MI on each resource |
| Portal works but CLI fails | Portal auto-assigns roles, CLI doesn't | Explicitly assign Foundry User via CLI |
| Service principal cannot access data | Wrong role or scope | Verify Foundry User is assigned at the correct scope (`az role assignment list --assignee <app-id> --include-inherited`) |
| "Principal does not exist" | User/SP not found in directory, or a just-created SP has not replicated yet | Verify the assignee email or object ID; for a new SP retry after a short wait, or pass `--assignee-object-id` with `--assignee-principal-type ServicePrincipal` to skip the lookup |
| Role assignment already exists | Duplicate assignment attempt | Use `az role assignment list` to verify existing assignments |

## Additional Resources

- [Azure AI Foundry RBAC Documentation](https://learn.microsoft.com/azure/ai-foundry/concepts/rbac-ai-foundry)
- [Azure Built-in Roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles)
- [Managed Identities Overview](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
- [Service Principal Authentication](https://learn.microsoft.com/azure/developer/github/connect-from-azure)
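The audit and validation workflows above (sections 3 and 4) and the Error Handling rows for "Authorization failed" and over-broad service principals can be automated over the JSON that `az role assignment list --include-inherited --output json` returns. The following script is an added example for this reference, not code from the skill package. It assumes the Azure CLI is installed only for the live `list_assignments` path; the `foundry_scope` helper, the scope classification, the role sets and the sample assignments are constructed here from the tables on this page, and the Foundry role display names are assumed to match what the CLI returns in your tenant.

```python
"""Audit Microsoft Foundry role assignments from `az role assignment list` JSON.

Added example (not part of the skill package). The JSON fields used (principalId,
principalName, principalType, roleDefinitionName, scope) are what the Azure CLI emits.
"""
import json
import subprocess

# Role sets taken from the "Permission Requirements by Action" table on this page.
DATA_ROLES = {"Foundry User", "Foundry Project Manager", "Foundry Owner"}
PROJECT_CREATOR_ROLES = {"Foundry Project Manager", "Foundry Account Owner", "Foundry Owner"}
FOUNDRY_ROLES = DATA_ROLES | PROJECT_CREATOR_ROLES
REQUIRED_FOR_ACTION = {
    "deploy models": DATA_ROLES,
    "create projects": PROJECT_CREATOR_ROLES,
    "assign Foundry User role": PROJECT_CREATOR_ROLES,
    "full data access": DATA_ROLES,
}


def foundry_scope(subscription_id, resource_group, account, project=None):
    """Build the resource or project scope string used by every command on this page."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.CognitiveServices/accounts/{account}")
    return f"{scope}/projects/{project}" if project else scope


def scope_level(scope):
    """Classify an assignment scope as subscription, resourceGroup, resource or project."""
    s = scope.lower()
    if "/resourcegroups/" not in s:
        return "subscription"
    if "/providers/" not in s:
        return "resourceGroup"
    return "project" if "/projects/" in s else "resource"


def list_assignments(scope):
    """Live query. --include-inherited is essential: roles granted on the resource group
    or subscription apply here too but a plain --scope query does not show them."""
    proc = subprocess.run(
        ["az", "role", "assignment", "list", "--scope", scope,
         "--include-inherited", "--output", "json"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def roles_for(assignments, principal_id):
    return {a["roleDefinitionName"] for a in assignments if a["principalId"] == principal_id}


def can(assignments, principal_id, action):
    """True if the principal holds any role the page lists as sufficient for `action`."""
    return bool(roles_for(assignments, principal_id) & REQUIRED_FOR_ACTION[action])


def audit(assignments):
    """Return (severity, principalName, message) findings for one scope's assignments."""
    findings = []
    by_principal = {}
    for a in assignments:
        by_principal.setdefault(a["principalId"], []).append(a)
    for items in by_principal.values():
        name = items[0].get("principalName") or items[0]["principalId"]
        ptype = items[0].get("principalType", "Unknown")
        roles = {a["roleDefinitionName"] for a in items}
        # "Authorization failed when deploying": Reader, Contributor and even Owner are
        # control-plane roles with no Foundry data actions.
        if not roles & DATA_ROLES:
            findings.append(("warn", name, f"no Foundry data role (has {sorted(roles)}); "
                             "model deployment and data-plane calls will fail"))
        for a in items:
            role, level = a["roleDefinitionName"], scope_level(a["scope"])
            # CI/CD table: Contributor belongs on the resource group for full provisioning
            # only, and Owner on an automation identity exceeds every scenario listed.
            if ptype == "ServicePrincipal" and role == "Owner":
                findings.append(("high", name, f"Owner at {level} scope on a service principal"))
            elif ptype == "ServicePrincipal" and role == "Contributor" and level == "subscription":
                findings.append(("high", name, "Contributor at subscription scope; "
                                 "narrow it to the resource group"))
            elif role in FOUNDRY_ROLES and level in ("subscription", "resourceGroup"):
                findings.append(("info", name, f"{role} inherited from {level} scope; "
                                 "consider assigning it on the Foundry resource or project"))
    return findings


# Constructed sample output (not from a real tenant) covering the cases above.
SUB = "00000000-0000-0000-0000-000000000000"
SCOPE = foundry_scope(SUB, "rg-foundry", "foundry-prod")
PROJECT_SCOPE = foundry_scope(SUB, "rg-foundry", "foundry-prod", project="chat-app")
SAMPLE_ASSIGNMENTS = [
    {"principalId": "aaaa-1", "principalName": "alice@contoso.com", "principalType": "User",
     "roleDefinitionName": "Foundry Project Manager", "scope": SCOPE},
    {"principalId": "bbbb-2", "principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Foundry User", "scope": PROJECT_SCOPE},
    {"principalId": "bbbb-2", "principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}"},
    {"principalId": "cccc-3", "principalName": "monitor-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Reader", "scope": SCOPE},
    {"principalId": "dddd-4", "principalName": "bob@contoso.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"/subscriptions/{SUB}/resourceGroups/rg-foundry"},
]

if __name__ == "__main__":
    import sys
    data = list_assignments(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ASSIGNMENTS
    for severity, principal, message in audit(data):
        print(f"[{severity}] {principal}: {message}")
```

Run it with a real scope as the first argument to audit a live resource, or with no argument to see the findings for the sample: the CI/CD principal is flagged for subscription-wide Contributor, and both the monitoring SP and the resource-group Owner are flagged because neither holds a Foundry data role, which is exactly the "Authorization failed" case in the Error Handling table.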