Problem
When deploying a hosted agent, the azure.ai.agents extension assigns the Azure AI User role to each hosted agent's per-agent managed identity in the post-deploy step. This client-side role assignment is now redundant: the Microsoft Foundry service grants the per-agent identity its required permissions internally.
The redundant assignment also fails noisily when the deploying user lacks Microsoft.Authorization/roleAssignments/write, blocking otherwise-successful deploys for users who only hold data-plane roles (e.g. Foundry User).
Additional impact
The remote.agent-identity-roles doctor check enumerated ARM role assignments for each agent identity. Since the service no longer creates those assignments, the check folded every agent into a false aggregate failure and reported problems that do not exist.
Proposed fix
- Remove the client-side per-agent-identity Azure AI User role assignment from the post-deploy handler.
- Remove the now-false remote.agent-identity-roles doctor check.
This mirrors the equivalent change already made in the Foundry service tooling (microsoft/Skylight#4910).