Summary
The Foundry service now automatically assigns required roles to per-agent managed identities on agent creation. The azd agents extension should remove its client-side role assignment logic, which is now redundant.
Background
The VS Code extension (Skylight) has already removed this logic:
Changes needed in azd
| File | Current behavior | Action |
|---|---|---|
| `internal/project/agent_identity_rbac.go` | Postdeploy assigns "Azure AI User" to each agent MI | Remove (or convert to verify-only) |
| `internal/project/developer_rbac_check.go` | Predeploy checks the developer has `roleAssignments/write` | Remove this specific check |
| `internal/cmd/listen.go` | Postdeploy calls `EnsureAgentIdentityRBAC()` | Remove the call |
| `resources/scaffold/base/modules/ai-search-conn.bicep` | Assigns Search roles to the Project MI | Remove the role assignment resources |
| `internal/cmd/doctor/checks_agent_identity_roles.go` | Diagnoses agent MI role assignments | Remove or make info-only |
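The "convert to verify-only" option for `agent_identity_rbac.go` (and the "info-only" option for the doctor check) can be sketched as a pure function over role assignments that reports what is missing and never calls `roleAssignments/write`. The block below is an added illustration, not code from azd or from the Foundry service; the scope strings, principal IDs and the `roleAzureAIUser` GUID are assumed sample values (look the built-in role ID up rather than trusting this constant), and there is no Azure SDK call, the caller is expected to list assignments first. The one non-obvious point it encodes is that an assignment at a parent scope (the Foundry account or resource group) covers the child project scope, so a check that only looks for an exact-scope match will report false negatives.

```go
package main

import (
	"fmt"
	"strings"
)

// RoleAssignment holds the fields of an Azure RBAC role assignment that a
// verify-only check needs: who holds which role at which scope.
type RoleAssignment struct {
	Scope            string // /subscriptions/<sub>/resourceGroups/<rg>/providers/...
	PrincipalID      string // object ID of the agent's managed identity
	RoleDefinitionID string // full role definition resource ID
}

// roleAzureAIUser is the built-in "Azure AI User" role GUID as assumed for
// this example; verify it against the built-in roles list before relying on it.
const roleAzureAIUser = "53ca6127-db72-4b80-b1b0-d745d6d5456d"

// roleDefGUID reduces a role definition ID to its trailing GUID so that a
// subscription-scoped and a tenant-scoped ID for the same built-in role match.
func roleDefGUID(id string) string {
	parts := strings.Split(strings.TrimRight(id, "/"), "/")
	return strings.ToLower(parts[len(parts)-1])
}

// scopeCovers reports whether an assignment made at `assigned` applies to
// `target`. Azure RBAC inherits down the resource hierarchy and scopes are
// case-insensitive; the "/" boundary check stops "/rg-a" from matching "/rg-ab".
func scopeCovers(assigned, target string) bool {
	a := strings.ToLower(strings.TrimRight(assigned, "/"))
	t := strings.ToLower(strings.TrimRight(target, "/"))
	return t == a || strings.HasPrefix(t, a+"/")
}

// MissingRoles returns the role GUIDs from `required` that principalID does
// not hold at, or above, targetScope. It only reads, so it needs no
// roleAssignments/write permission on the developer's side.
func MissingRoles(assignments []RoleAssignment, principalID, targetScope string, required []string) []string {
	var missing []string
	for _, want := range required {
		found := false
		for _, ra := range assignments {
			if strings.EqualFold(ra.PrincipalID, principalID) &&
				roleDefGUID(ra.RoleDefinitionID) == strings.ToLower(want) &&
				scopeCovers(ra.Scope, targetScope) {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, want)
		}
	}
	return missing
}

// Constructed sample data: two agent identities, one of which was granted the
// role at the Foundry account scope (a parent of the project scope).
const (
	accountScope = "/subscriptions/sub1/resourceGroups/rg-agents/providers/Microsoft.CognitiveServices/accounts/foundry1"
	projectScope = accountScope + "/projects/proj1"
	agentA       = "11111111-1111-1111-1111-111111111111"
	agentB       = "22222222-2222-2222-2222-222222222222"
)

var sampleAssignments = []RoleAssignment{
	{
		Scope:            accountScope,
		PrincipalID:      agentA,
		RoleDefinitionID: "/subscriptions/sub1/providers/Microsoft.Authorization/roleDefinitions/" + roleAzureAIUser,
	},
}

func main() {
	for _, p := range []string{agentA, agentB} {
		missing := MissingRoles(sampleAssignments, p, projectScope, []string{roleAzureAIUser})
		if len(missing) == 0 {
			fmt.Printf("agent MI %s: required roles present\n", p)
		} else {
			// Info-only: report, do not attempt to assign.
			fmt.Printf("agent MI %s: missing roles %v at %s\n", p, missing, projectScope)
		}
	}
}
```

Wired into a doctor check, the non-empty result becomes an informational finding rather than a remediation step, which is the behaviour the table asks for once the service owns the assignments.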
Impact
- Faster deploy (no RBAC polling/propagation wait)
- Lower permission requirements for developers (no longer need `roleAssignments/write`)
- Fewer transient failures from RBAC propagation delays