This repository contains Bicep scripts for setting up Azure RBAC role assignments for Microsoft Foundry V2 environments as documented in Foundry_V2_RBAC_Role_Assignments_Comprehensive_FULL.md.
This repository is organized into two main deployment categories:
Role assignments for security groups and service principals — each persona is its own self-contained folder:
developer-roles/— Developer roles (12 roles, subscription scope with hub-spoke modules)devlead-roles/— Development Lead roles (+1 role, subscription scope with hub-spoke modules)platform-admin-roles/— Platform Admin roles (+8 roles)agent-publishing-roles/— Agent publishing roles (3 roles)apim-setup-roles/— APIM setup roles (4 roles, one-time)iac-cicd-roles/— IaC/CI-CD service principal roles (5 roles)
Role assignments for managed identities — each identity type is its own self-contained folder:
foundry-project-mi/— Foundry Project Managed Identity (14 roles)function-app-mi/— Function App Managed Identities (11 roles per function, type-based)
Total Coverage: 61 Azure RBAC role assignments across 8 modules
Note: These scripts handle Azure RBAC roles only. Entra ID roles (M365 Administrator, Teams Administrator, App Registration management) and App Roles must be configured separately.
bicep/
├── user-roles/ # Security Group & Service Principal Roles
│ ├── main.bicep # User roles orchestration (optional top-level)
│ ├── main.bicepparam # User roles orchestration parameters
│ ├── README.md # User roles documentation
│ ├── developer-roles/ # Section 2: Developer roles (12)
│ │ ├── main.bicep # Subscription-scoped orchestration
│ │ ├── main.bicepparam # Parameters
│ │ ├── developer-hub-module.bicep # Hub RG roles (Key Vault, Search, AI, etc.)
│ │ ├── developer-spoke-module.bicep # Spoke RG roles (Cosmos, Storage, Web, etc.)
│ │ └── README.md
│ ├── devlead-roles/ # Section 3: Development Lead roles (+1)
│ │ ├── main.bicep # Subscription-scoped orchestration
│ │ ├── main.bicepparam # Parameters
│ │ ├── devlead-hub-module.bicep # Hub RG roles
│ │ ├── devlead-spoke-module.bicep # Spoke RG roles
│ │ └── README.md
│ ├── platform-admin-roles/ # Section 4: Platform Admin roles (+8)
│ │ ├── main.bicep # Resource group scope
│ │ ├── main.bicepparam # Parameters
│ │ └── README.md
│ ├── agent-publishing-roles/ # Section 5: Agent publishing (3)
│ │ ├── main.bicep # Resource group scope
│ │ ├── main.bicepparam # Parameters
│ │ └── README.md
│ ├── apim-setup-roles/ # Section 9: APIM setup (4, one-time)
│ │ ├── main.bicep # Resource group scope
│ │ ├── main.bicepparam # Parameters
│ │ └── README.md
│ └── iac-cicd-roles/ # Section 10: IaC/CI-CD roles (5)
│ ├── main.bicep # Resource group scope
│ ├── main.bicepparam # Parameters
│ └── README.md
│
└── managed-identity-roles/ # Managed Identity Roles
├── foundry-project-mi/ # Section 1: Foundry Project MI (14)
│ ├── main.bicep # Resource group scope
│ ├── main.bicepparam # Parameters
│ └── README.md
└── function-app-mi/ # Section 6: Function App MI (11 per app)
├── main.bicep # Resource group scope
├── main.bicepparam # Parameters
└── README.md
Each folder is a self-contained deployment unit with its own main.bicep and main.bicepparam. Deploy only what you need.
- QUICKSTART.md — Step-by-step deployment guide with examples
- COMPLETENESS.md — Coverage analysis and validation checklist
- User Roles README — Security group and service principal roles
- HUB-SPOKE-ARCHITECTURE.md — Hub-spoke design for developer/devlead roles
- Reference Document — Complete role specifications
- Azure CLI or PowerShell Az module installed
- Bicep CLI installed (
az bicep install) - Permissions: Owner or User Access Administrator role on target scope
- Existing Azure Resources (must exist before deployment):
- Foundry Account and Project
- AI Search service
- APIM instance
- Content Safety resource
- Application Insights
- Log Analytics workspace
- Storage Account
- Azure OpenAI resource
- Key Vault
- Azure Container Registry
- Cosmos DB account
Each module folder contains its own main.bicepparam file. Update the parameter file in the folder you are deploying — no need to edit any .bicep module files.
Example: bicep/managed-identity-roles/foundry-project-mi/main.bicepparam
param aiSearchName = 'YOUR_AI_SEARCH_NAME'
param apimName = 'YOUR_APIM_NAME'
param contentSafetyName = 'YOUR_CONTENT_SAFETY_NAME'
param appInsightsName = 'YOUR_APP_INSIGHTS_NAME'
param logAnalyticsWorkspaceName = 'YOUR_LOG_ANALYTICS_WORKSPACE_NAME'
param storageAccountName = 'yourstorageaccount' // lowercase, no special chars, max 24 chars
param openAIName = 'YOUR_OPENAI_NAME'
param keyVaultName = 'your-keyvault-name' // 3-24 chars, alphanumeric and hyphens
param acrName = 'youracrname' // 5-50 chars, alphanumeric only
param cosmosDbAccountName = 'your-cosmosdb-account' // lowercase with hyphensResource Naming Constraints:
- Storage Account: lowercase, no special chars, max 24 chars
- Key Vault: 3-24 chars, alphanumeric and hyphens
- Azure Container Registry: 5-50 chars, alphanumeric only
- Cosmos DB: lowercase with hyphens
Developer and Dev Lead roles use a hub-spoke architecture and must be deployed at subscription scope:
# Azure CLI
az deployment sub create \
--location eastus \
--template-file bicep/user-roles/developer-roles/main.bicep \
--parameters bicep/user-roles/developer-roles/main.bicepparam# Platform Admin roles
az deployment group create \
--resource-group YOUR_HUB_RG \
--template-file bicep/user-roles/platform-admin-roles/main.bicep \
--parameters bicep/user-roles/platform-admin-roles/main.bicepparam
# IaC/CI-CD roles
az deployment group create \
--resource-group YOUR_HUB_RG \
--template-file bicep/user-roles/iac-cicd-roles/main.bicep \
--parameters bicep/user-roles/iac-cicd-roles/main.bicepparam# Foundry Project MI roles
az deployment group create \
--resource-group YOUR_HUB_RG \
--template-file bicep/managed-identity-roles/foundry-project-mi/main.bicep \
--parameters bicep/managed-identity-roles/foundry-project-mi/main.bicepparam
# Function App MI roles (repeat per function app, adjusting parameters)
az deployment sub create \
--location eastus \
--template-file bicep/managed-identity-roles/function-app-mi/main.bicep \
--parameters bicep/managed-identity-roles/function-app-mi/main.bicepparamSee QUICKSTART.md for a complete step-by-step guide.
- Navigate to the relevant module folder under
bicep/user-roles/ - Edit
main.bicepparamwith your security group or service principal Object IDs - Deploy the module using the commands above
Get Security Group Object IDs:
az ad group show --group "GROUP_NAME" --query id -o tsvGet Service Principal Object IDs:
az ad sp show --id APP_ID --query id -o tsv- Navigate to the relevant module folder under
bicep/managed-identity-roles/ - Edit
main.bicepparamwith managed identity Principal IDs and resource names - Deploy the module using the commands above
Get Managed Identity Principal IDs:
# For System-Assigned MI
az resource show --ids RESOURCE_ID --query identity.principalId -o tsv
# For User-Assigned MI
az identity show --resource-group RG --name MI_NAME --query principalId -o tsvThe user roles support a three-tier persona model with cumulative privileges:
- Developers (12 roles) — Basic development and testing
- Development Leads (13 roles) — All developer roles + Azure AI Project Contributor
- Platform Admins (21 roles) — All roles + infrastructure management + Azure AI Account Owner
Deployment Strategy:
- Option A: Deploy each persona module with the corresponding group's Object ID
- Option B: Add Dev Leads to the Developer group and Admins to both groups in Entra ID
Developer and Dev Lead modules deploy across two resource groups:
- Hub RG — Shared resources: Key Vault, AI Search, Application Insights, Log Analytics, APIM, Foundry Project
- Spoke RG — Application resources: Cosmos DB, Storage, Web Apps, Function Apps, Logic Apps
These modules require az deployment sub create (subscription scope) because they assign roles across multiple resource groups.
See HUB-SPOKE-ARCHITECTURE.md for details.
Managed identity roles for function apps are tailored by type:
CustomAgent— Agents called via Foundry/APIMDataIngest— RAG index creation and data processingApplicationBackend— Backend services calling agentsMCPServer— Model Context Protocol tool serversAll— All available roles (dev environments)
- Developer/DevLead roles: Subscription scope (hub-spoke, deployed across two RGs)
- Function App MI roles: Subscription scope (hub-spoke, deployed across two RGs)
- Platform Admin/APIM/IaC roles: Resource group scope
- Foundry Project MI roles: Resource group scope
- Project-specific roles: Require Foundry Project resource ID
Cosmos DB uses SQL RBAC (not Azure RBAC). The scripts use Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments for the built-in Data Contributor role.
The following are NOT included in these Bicep scripts:
-
Entra ID Roles (Sections 5b, 11):
- Microsoft 365 Administrator
- Teams Administrator
- App Registration Owner assignments
-
App Roles (Sections 7, 8):
- Function App App Registration and App Roles
- MCP Server App Registration and App Roles
- App Role assignments to managed identities
-
APIM Configuration:
- APIM policies and API configurations
- APIM Named Values for secrets
- APIM products and subscriptions
-
OAuth Configuration (Section 8c):
- Foundry Managed OAuth connections
- Custom OAuth provider configurations
These must be configured manually or through other automation tools.
After deployment, verify role assignments:
# List role assignments for a principal
az role assignment list --assignee YOUR_PRINCIPAL_ID --output table
# List role assignments in a resource group
az role assignment list --resource-group YOUR_RG --output table
# List role assignments for a specific resource
az role assignment list --scope /subscriptions/SUB_ID/resourceGroups/RG/providers/RESOURCE_TYPE/RESOURCE_NAME --output table-
Role assignment already exists: Bicep will fail if a role assignment with the same GUID already exists. Delete the existing assignment or use a different scope.
-
Insufficient permissions: Ensure you have
User Access AdministratororOwnerrole on the target scope. -
Resource not found: Verify all resource names in the parameter files match your actual resources.
-
Principal not found: Ensure all Object IDs and Principal IDs are correct and the identities exist in your tenant.
-
Subscription scope error for developer/devlead roles: These modules target subscription scope — use
az deployment sub create, notaz deployment group create.
Test any module before deploying:
# Resource group scope (most modules)
az deployment group what-if \
--resource-group YOUR_RG \
--template-file bicep/user-roles/platform-admin-roles/main.bicep \
--parameters bicep/user-roles/platform-admin-roles/main.bicepparam
# Subscription scope (developer-roles, devlead-roles)
az deployment sub what-if \
--location eastus \
--template-file bicep/user-roles/developer-roles/main.bicep \
--parameters bicep/user-roles/developer-roles/main.bicepparam-
Use ABAC Conditions: Consider adding ABAC (Attribute-Based Access Control) conditions to the RBAC Administrator role for least-privilege.
-
Scope to Specific Resources: In production, scope Key Vault roles to specific secrets rather than the entire vault.
-
Disable Local Auth: Set
disableLocalAuth = trueon Foundry resources to enforce Entra ID authentication. -
Regular Audits: Periodically review role assignments and remove unused ones.
-
Separate Environments: Use different resource groups and parameter files for dev, staging, and production.
When adding new role assignments, follow the Bicep best practices and maintain consistency with the existing structure. Each role category belongs in its own subfolder with main.bicep, main.bicepparam, and README.md.
See Foundry_V2_RBAC_Role_Assignments_Comprehensive_FULL.md for detailed role descriptions, purposes, and notes.