Build and deploy AI applications on Azure AI Foundry using Microsoft's model catalog and AI services
rbac/rbac.md
# Microsoft Foundry RBAC Management

Reference for managing RBAC for Microsoft Foundry resources: user permissions, managed identity configuration, and service principal setup for CI/CD.

## Quick Reference

| Property | Value |
|----------|-------|
| **CLI Extension** | `az role assignment`, `az ad sp` |
| **Resource Type** | `Microsoft.CognitiveServices/accounts` |
| **Best For** | Permission management, access auditing, CI/CD setup |

## When to Use

- Grant user access to Foundry resources or projects
- Set up developer permissions (Project Manager, Owner roles)
- Audit role assignments or validate permissions
- Configure managed identity roles for connected resources
- Create service principals for CI/CD pipeline automation
- Troubleshoot permission errors

## Azure AI Foundry Built-in Roles

| Role | Create Projects | Data Actions | Role Assignments |
|------|-----------------|--------------|------------------|
| Azure AI User | No | Yes | No |
| Azure AI Project Manager | Yes | Yes | Yes (AI User only) |
| Azure AI Account Owner | Yes | No | Yes (AI User only) |
| Azure AI Owner | Yes | Yes | Yes |

> ⚠️ **Warning:** Azure AI User is auto-assigned via Portal but NOT via SDK/CLI. Automation must explicitly assign roles.

## Workflows

All scopes follow the pattern: `/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.CognitiveServices/accounts/<foundry-resource-name>`

For project-level scoping, append `/projects/<project-name>`.

### 1. Assign User Permissions

```bash
az role assignment create --role "Azure AI User" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"
```

### 2. Assign Developer Permissions

```bash
# Project Manager (create projects, assign AI User roles)
az role assignment create --role "Azure AI Project Manager" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"

# Full ownership including data actions
az role assignment create --role "Azure AI Owner" --assignee "<user-email-or-object-id>" --scope "<foundry-scope>"
```

### 3. Audit Role Assignments

```bash
# List all assignments
az role assignment list --scope "<foundry-scope>" --output table

# Detailed with principal names
az role assignment list --scope "<foundry-scope>" --query "[].{Principal:principalName, PrincipalType:principalType, Role:roleDefinitionName}" --output table

# Azure AI roles only
az role assignment list --scope "<foundry-scope>" --query "[?contains(roleDefinitionName, 'Azure AI')].{Principal:principalName, Role:roleDefinitionName}" --output table
```

### 4. Validate Permissions

```bash
# Current user's roles on resource
az role assignment list --assignee "$(az ad signed-in-user show --query id -o tsv)" --scope "<foundry-scope>" --query "[].roleDefinitionName" --output tsv

# Check actions available to a role
az role definition list --name "Azure AI User" --query "[].permissions[].actions" --output json
```

**Permission Requirements by Action:**

| Action | Required Role(s) |
|--------|------------------|
| Deploy models | Azure AI User, Azure AI Project Manager, Azure AI Owner |
| Create projects | Azure AI Project Manager, Azure AI Account Owner, Azure AI Owner |
| Assign Azure AI User role | Azure AI Project Manager, Azure AI Account Owner, Azure AI Owner |
| Full data access | Azure AI User, Azure AI Project Manager, Azure AI Owner |

### 5. Configure Managed Identity Roles

```bash
# Get managed identity principal ID
PRINCIPAL_ID=$(az cognitiveservices account show --name <foundry-resource-name> --resource-group <resource-group> --query identity.principalId --output tsv)

# Assign roles to connected resources (repeat pattern for each)
az role assignment create --role "<role-name>" --assignee "$PRINCIPAL_ID" --scope "<resource-scope>"
```

**Common Managed Identity Role Assignments:**

| Connected Resource | Role | Purpose |
|--------------------|------|---------|
| Azure Storage | Storage Blob Data Reader | Read files/documents |
| Azure Storage | Storage Blob Data Contributor | Read/write files |
| Azure Key Vault | Key Vault Secrets User | Read secrets |
| Azure AI Search | Search Index Data Reader | Query indexes |
| Azure AI Search | Search Index Data Contributor | Query and modify indexes |
| Azure Cosmos DB | Cosmos DB Account Reader | Read data |

### 6. Create Service Principal for CI/CD

```bash
# Create SP with minimal role
az ad sp create-for-rbac --name "foundry-cicd-sp" --role "Azure AI User" --scopes "<foundry-scope>" --output json
# Output contains: appId, password, tenant — store securely

# For project management permissions
az ad sp create-for-rbac --name "foundry-cicd-admin-sp" --role "Azure AI Project Manager" --scopes "<foundry-scope>" --output json

# Add Contributor for resource provisioning
SP_APP_ID=$(az ad sp list --display-name "foundry-cicd-sp" --query "[0].appId" -o tsv)
az role assignment create --role "Contributor" --assignee "$SP_APP_ID" --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
```

> 💡 **Tip:** Use least privilege — start with `Azure AI User` and add roles as needed.

| CI/CD Scenario | Recommended Role | Additional Roles |
|----------------|------------------|------------------|
| Deploy models only | Azure AI User | None |
| Manage projects | Azure AI Project Manager | None |
| Full provisioning | Azure AI Owner | Contributor (on RG) |
| Read-only monitoring | Reader | Azure AI User (for data) |

**CI/CD Pipeline Login:**

```bash
az login --service-principal --username "<app-id>" --password "<client-secret>" --tenant "<tenant-id>"
az account set --subscription "<subscription-id>"
```

## Error Handling

| Issue | Cause | Resolution |
|-------|-------|------------|
| "Authorization failed" when deploying | Missing Azure AI User role | Assign Azure AI User role at resource scope |
| Cannot create projects | Missing Project Manager or Owner role | Assign Azure AI Project Manager role |
| "Access denied" on connected resources | Managed identity missing roles | Assign appropriate roles to MI on each resource |
| Portal works but CLI fails | Portal auto-assigns roles, CLI doesn't | Explicitly assign Azure AI User via CLI |
| Service principal cannot access data | Wrong role or scope | Verify Azure AI User is assigned at correct scope |
| "Principal does not exist" | User/SP not found in directory | Verify the assignee email or object ID is correct |
| Role assignment already exists | Duplicate assignment attempt | Use `az role assignment list` to verify existing assignments |

## Additional Resources

- [Azure AI Foundry RBAC Documentation](https://learn.microsoft.com/azure/ai-foundry/concepts/rbac-ai-foundry)
- [Azure Built-in Roles](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles)
- [Managed Identities Overview](https://learn.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview)
- [Service Principal Authentication](https://learn.microsoft.com/azure/developer/github/connect-from-azure)
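The audit listing in step 3 and the permission table in step 4 are most useful when the JSON they produce is checked mechanically, and the least-privilege tip in step 6 needs the same data. The script below is an added example, not part of the rbac.md reference or of any Microsoft tooling: it consumes the output of `az role assignment list --scope "<foundry-scope>" --include-inherited --output json` (the `principalName`, `principalType`, `roleDefinitionName` and `scope` fields), encodes the three role tables from this reference, and answers four questions: which roles a principal holds, whether a principal can perform an action from the permission-requirements table, which principals on the scope hold no Azure AI role at all (the Portal-versus-CLI trap from the warning above), and how far a pipeline service principal has drifted from the role set its CI/CD scenario recommends. It also surfaces assignments inherited from a parent scope, which the resource-scope listing otherwise hides among direct grants. The subscription ID, resource names, principal names and the four sample assignments are constructed placeholders.

```python
"""Offline audit of Azure role assignments on a Microsoft Foundry scope.

Added example, not part of the rbac.md reference. It post-processes the JSON
printed by `az role assignment list --scope <foundry-scope> --include-inherited
--output json` and applies the role tables from the reference. Every scope,
principal name and assignment below is a constructed placeholder.
"""
import json

# Built-in role capabilities, from the "Azure AI Foundry Built-in Roles" table.
FOUNDRY_ROLES = {
    "Azure AI User":            {"create_projects": False, "data_actions": True,  "role_assignments": False},
    "Azure AI Project Manager": {"create_projects": True,  "data_actions": True,  "role_assignments": True},
    "Azure AI Account Owner":   {"create_projects": True,  "data_actions": False, "role_assignments": True},
    "Azure AI Owner":           {"create_projects": True,  "data_actions": True,  "role_assignments": True},
}

# "Permission Requirements by Action" table: holding any one of these roles suffices.
ACTION_ROLES = {
    "deploy_models":       {"Azure AI User", "Azure AI Project Manager", "Azure AI Owner"},
    "create_projects":     {"Azure AI Project Manager", "Azure AI Account Owner", "Azure AI Owner"},
    "assign_ai_user_role": {"Azure AI Project Manager", "Azure AI Account Owner", "Azure AI Owner"},
    "full_data_access":    {"Azure AI User", "Azure AI Project Manager", "Azure AI Owner"},
}

# "CI/CD Scenario" table: the complete role set a pipeline SP should hold.
CICD_EXPECTED = {
    "deploy_models_only":   {"Azure AI User"},
    "manage_projects":      {"Azure AI Project Manager"},
    "full_provisioning":    {"Azure AI Owner", "Contributor"},
    "read_only_monitoring": {"Reader", "Azure AI User"},
}

# Constructed placeholder scopes (the subscription ID and names are not real).
RG_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
FOUNDRY_SCOPE = RG_SCOPE + "/providers/Microsoft.CognitiveServices/accounts/foundry-example"

# Constructed stand-in for the CLI's JSON output: four assignments.
SAMPLE_JSON = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Azure AI Project Manager", "scope": FOUNDRY_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": FOUNDRY_SCOPE},
    {"principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Azure AI User", "scope": FOUNDRY_SCOPE},
    {"principalName": "foundry-cicd-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
])


def load_assignments(raw_json):
    """Parse the CLI's JSON output into a list of assignment dicts."""
    return json.loads(raw_json)


def roles_for(assignments, principal_name):
    """All role names a principal holds anywhere in the listing."""
    return {a["roleDefinitionName"] for a in assignments if a["principalName"] == principal_name}


def can_perform(assignments, principal_name, action):
    """True if the principal holds at least one role the action table accepts."""
    return bool(roles_for(assignments, principal_name) & ACTION_ROLES[action])


def principals_without_foundry_role(assignments):
    """Principals present on the scope that hold no Azure AI role.

    This is the Portal-versus-CLI trap: a principal that automation never gave
    Azure AI User fails data actions even though Reader or Contributor makes it
    look provisioned in the listing.
    """
    by_principal = {}
    for a in assignments:
        by_principal.setdefault(a["principalName"], set()).add(a["roleDefinitionName"])
    return {p for p, roles in by_principal.items() if not roles & set(FOUNDRY_ROLES)}


def cicd_drift(assignments, sp_name, scenario):
    """Least-privilege check for a pipeline SP: (missing roles, excess roles)."""
    held = roles_for(assignments, sp_name)
    expected = CICD_EXPECTED[scenario]
    return expected - held, held - expected


def inherited_assignments(assignments, target_scope):
    """Assignments granted on a parent scope (resource group or subscription)."""
    target = target_scope.lower()
    return [a for a in assignments
            if a["scope"].lower() != target and target.startswith(a["scope"].lower() + "/")]


if __name__ == "__main__":
    data = load_assignments(SAMPLE_JSON)
    print("no Azure AI role:", sorted(principals_without_foundry_role(data)))
    print("cicd drift (deploy_models_only):", cicd_drift(data, "foundry-cicd-sp", "deploy_models_only"))
    print("inherited:", [(a["principalName"], a["roleDefinitionName"])
                         for a in inherited_assignments(data, FOUNDRY_SCOPE)])
```

On the constructed sample, `bob@contoso.example` is reported as holding no Azure AI role (Reader alone does not satisfy any row of the permission table), and `foundry-cicd-sp` drifts from the "Deploy models only" scenario by the extra Contributor grant, which the scope check also reports as inherited from the resource group. In a real pipeline, replace `SAMPLE_JSON` with the CLI output and run the checks after every role change.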