Stop assigning Azure AI User role to per-agent managed identity after deploy #8940

Description

@m5i-work

Problem

When deploying a hosted agent, the azure.ai.agents extension assigns the Azure AI User role to each hosted agent's per-agent managed identity in the post-deploy step. This client-side role assignment is now redundant: the Microsoft Foundry service grants the per-agent identity its required permissions internally.

The redundant assignment also fails noisily when the deploying user lacks Microsoft.Authorization/roleAssignments/write, blocking otherwise-successful deploys for users who only hold data-plane roles (e.g. Foundry User).

Additional impact

The remote.agent-identity-roles doctor check enumerated ARM role assignments for each agent identity. Since the service no longer creates those assignments, the check folded every agent into a false aggregate failure and reported problems that do not exist.

Proposed fix

  • Remove the client-side per-agent-identity Azure AI User role assignment from the post-deploy handler.
  • Remove the now-false remote.agent-identity-roles doctor check.

This mirrors the equivalent change already made in the Foundry service tooling (microsoft/Skylight#4910).

Labels

  • area/extensions (Extensions (general))
  • area/security (Security, permissions, RBAC)
  • bug (Something isn't working)
  • ext-agents (azure.ai.agents extension)
