fix(infra): switch search connection to AAD auth and add KB RBAC roles

marktayl1 · marktayl1 · commit 456b31043d84 · 2026-06-01T01:14:21.000-07:00
- Change AI Search Foundry connection from ApiKey to AAD with managed identity
- Add Search Service Contributor role for user-assigned MI
- Add Cognitive Services OpenAI User role for Search system MI on AI Services
- Add post-deploy step to seed KB MCP RemoteTool connections
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -87,9 +87,6 @@ param gptImageModelVersion string = '2025-12-16'
 @description('Optional. Version of the Azure OpenAI service to deploy. Defaults to 2024-12-01-preview.')
 param azureopenaiVersion string = '2024-12-01-preview'
 
-@description('Optional. Version of the Azure AI Agent API version. Defaults to 2025-01-01-preview.')
-param azureAiAgentAPIVersion string = '2025-01-01-preview'
-
 @minLength(1)
 @allowed([
   'Standard'
@@ -1348,10 +1345,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'AZURE_OPENAI_ENDPOINT'
             value: 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
           }
-          {
-            name: 'AZURE_OPENAI_MODEL_NAME'
-            value: aiFoundryAiServicesModelDeployment.name
-          }
           {
             name: 'AZURE_OPENAI_DEPLOYMENT_NAME'
             value: aiFoundryAiServicesModelDeployment.name
@@ -1392,18 +1385,14 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
           //   name: 'AZURE_AI_AGENT_ENDPOINT'
           //   value: aiFoundryAiProjectEndpoint
           // }
-          {
-            name: 'AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME'
-            value: aiFoundryAiServicesModelDeployment.name
-          }
           {
             name: 'APP_ENV'
             value: 'Prod'
           }
-          {
-            name: 'AZURE_AI_SEARCH_CONNECTION_NAME'
-            value: aiSearchConnectionName
-          }
+          // NOTE: AZURE_AI_SEARCH_CONNECTION_NAME intentionally omitted.
+          // The app defaults to per-KB RemoteTool connection names (e.g.
+          // "macae-retail-customer-kb-mcp") which carry ProjectManagedIdentity
+          // auth required by the KB MCP endpoint.
           {
             name: 'AZURE_AI_SEARCH_ENDPOINT'
             value: searchService.outputs.endpoint
@@ -1412,18 +1401,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'AZURE_COGNITIVE_SERVICES'
             value: 'https://cognitiveservices.azure.com/.default'
           }
-          {
-            name: 'AZURE_BING_CONNECTION_NAME'
-            value: 'binggrnd'
-          }
-          {
-            name: 'BING_CONNECTION_NAME'
-            value: 'binggrnd'
-          }
-          {
-            name: 'REASONING_MODEL_NAME'
-            value: aiFoundryAiServicesReasoningModelDeployment.name
-          }
           {
             name: 'AZURE_OPENAI_IMAGE_DEPLOYMENT'
             value: aiFoundryAiServicesImageModelDeployment.name
@@ -1465,12 +1442,8 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             value: aiFoundryAiProjectEndpoint
           }
           {
-            name: 'AZURE_AI_AGENT_API_VERSION'
-            value: azureAiAgentAPIVersion
-          }
-          {
-            name: 'AZURE_AI_AGENT_PROJECT_CONNECTION_STRING'
-            value: '${aiFoundryAiServicesResourceName}.services.ai.azure.com;${aiFoundryAiServicesSubscriptionId};${aiFoundryAiServicesResourceGroupName};${aiFoundryAiProjectResourceName}'
+            name: 'ORCHESTRATOR_MODEL_NAME'
+            value: aiFoundryAiServicesReasoningModelDeployment.name
           }
           {
             name: 'AZURE_BASIC_LOGGING_LEVEL'
@@ -1825,6 +1798,11 @@ module searchService 'br/public:avm/res/search/search-service:0.11.1' = {
         roleDefinitionIdOrName: 'Search Index Data Contributor'
         principalType: 'ServicePrincipal'
       }
+      {
+        principalId: userAssignedIdentity.outputs.principalId
+        roleDefinitionIdOrName: 'Search Service Contributor'
+        principalType: 'ServicePrincipal'
+      }
       {
         principalId: deployingUserPrincipalId
         roleDefinitionIdOrName: 'Search Index Data Contributor'
@@ -1898,6 +1876,11 @@ module searchServiceIdentity 'br/public:avm/res/search/search-service:0.11.1' =
         roleDefinitionIdOrName: 'Search Index Data Contributor'
         principalType: 'ServicePrincipal'
       }
+      {
+        principalId: userAssignedIdentity.outputs.principalId
+        roleDefinitionIdOrName: 'Search Service Contributor'
+        principalType: 'ServicePrincipal'
+      }
       {
         principalId: deployingUserPrincipalId
         roleDefinitionIdOrName: 'Search Index Data Contributor'
@@ -1941,6 +1924,23 @@ module searchServiceIdentity 'br/public:avm/res/search/search-service:0.11.1' =
   ]
 }
 
+// ========== Search Service MI → AI Services Role Assignment ========== //
+// The Search service system MI needs Cognitive Services OpenAI User on the AI Services account
+// so that Knowledge Base MCP tools can call the model for semantic retrieval.
+resource aiServicesForSearchRole 'Microsoft.CognitiveServices/accounts@2025-06-01' existing = {
+  name: aiFoundryAiServicesResourceName
+}
+
+resource searchServiceOpenAIRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(aiServicesForSearchRole.id, searchServiceName, '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
+  scope: aiServicesForSearchRole
+  properties: {
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd') // Cognitive Services OpenAI User
+    principalId: searchServiceIdentity.outputs.systemAssignedMIPrincipalId!
+    principalType: 'ServicePrincipal'
+  }
+}
+
 // ========== Search Service - AI Project Connection ========== //
 
 var aiSearchConnectionName = 'aifp-srch-connection-${solutionSuffix}'
@@ -1954,7 +1954,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
-    searchApiKey: searchService.outputs.primaryKey
   }
 }
 
@@ -1977,7 +1976,6 @@ output COSMOSDB_ENDPOINT string = 'https://${cosmosDbResourceName}.documents.azu
 output COSMOSDB_DATABASE string = cosmosDbDatabaseName
 output COSMOSDB_CONTAINER string = cosmosDbDatabaseMemoryContainerName
 output AZURE_OPENAI_ENDPOINT string = 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
-output AZURE_OPENAI_MODEL_NAME string = aiFoundryAiServicesModelDeployment.name
 output AZURE_OPENAI_DEPLOYMENT_NAME string = aiFoundryAiServicesModelDeployment.name
 output AZURE_OPENAI_RAI_DEPLOYMENT_NAME string = aiFoundryAiServices4_1ModelDeployment.name
 output AZURE_OPENAI_API_VERSION string = azureopenaiVersion
@@ -1987,7 +1985,6 @@ output AZURE_AI_SUBSCRIPTION_ID string = subscription().subscriptionId
 output AZURE_AI_RESOURCE_GROUP string = resourceGroup().name
 output AZURE_AI_PROJECT_NAME string = aiFoundryAiProjectName
 // output APPLICATIONINSIGHTS_CONNECTION_STRING string = applicationInsights.outputs.connectionString
-output AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME string = aiFoundryAiServicesModelDeployment.name
 // output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output APP_ENV string = 'Prod'
 output AI_FOUNDRY_RESOURCE_ID string = !useExistingAiFoundryAiProject
@@ -1998,17 +1995,15 @@ output AZURE_SEARCH_ENDPOINT string = searchService.outputs.endpoint
 #disable-next-line BCP318
 output AZURE_CLIENT_ID string = userAssignedIdentity!.outputs.clientId
 output AZURE_TENANT_ID string = tenant().tenantId
-output AZURE_AI_SEARCH_CONNECTION_NAME string = aiSearchConnectionName
 output AZURE_COGNITIVE_SERVICES string = 'https://cognitiveservices.azure.com/.default'
-output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment.name
+output ORCHESTRATOR_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment.name
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = supportedModelsList
 output BACKEND_URL string = 'https://${containerAppResourceName}.${containerAppEnvironment.outputs.defaultDomain}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
-output AZURE_AI_AGENT_API_VERSION string = azureAiAgentAPIVersion
-output AZURE_AI_AGENT_PROJECT_CONNECTION_STRING string = '${aiFoundryAiServicesResourceName}.services.ai.azure.com;${aiFoundryAiServicesSubscriptionId};${aiFoundryAiServicesResourceGroupName};${aiFoundryAiProjectResourceName}'
+
 
 
 output AZURE_STORAGE_CONTAINER_NAME_RETAIL_CUSTOMER string = storageContainerNameRetailCustomer
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -82,9 +82,6 @@ param gptImageModelVersion string = '2025-12-16'
 @description('Optional. Version of the Azure OpenAI service to deploy. Defaults to 2025-01-01-preview.')
 param azureopenaiVersion string = '2024-12-01-preview'
 
-@description('Optional. Version of the Azure AI Agent API version. Defaults to 2025-01-01-preview.')
-param azureAiAgentAPIVersion string = '2025-01-01-preview'
-
 @minLength(1)
 @allowed([
   'Standard'
@@ -1349,10 +1346,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'AZURE_OPENAI_ENDPOINT'
             value: 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
           }
-          {
-            name: 'AZURE_OPENAI_MODEL_NAME'
-            value: aiFoundryAiServicesModelDeployment.name
-          }
           {
             name: 'AZURE_OPENAI_DEPLOYMENT_NAME'
             value: aiFoundryAiServicesModelDeployment.name
@@ -1393,18 +1386,14 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
           //   name: 'AZURE_AI_AGENT_ENDPOINT'
           //   value: aiFoundryAiProjectEndpoint
           // }
-          {
-            name: 'AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME'
-            value: aiFoundryAiServicesModelDeployment.name
-          }
           {
             name: 'APP_ENV'
             value: 'Prod'
           }
-          {
-            name: 'AZURE_AI_SEARCH_CONNECTION_NAME'
-            value: aiSearchConnectionName
-          }
+          // NOTE: AZURE_AI_SEARCH_CONNECTION_NAME intentionally omitted.
+          // The app defaults to per-KB RemoteTool connection names (e.g.
+          // "macae-retail-customer-kb-mcp") which carry ProjectManagedIdentity
+          // auth required by the KB MCP endpoint.
           {
             name: 'AZURE_AI_SEARCH_ENDPOINT'
             value: searchService.outputs.endpoint
@@ -1413,18 +1402,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'AZURE_COGNITIVE_SERVICES'
             value: 'https://cognitiveservices.azure.com/.default'
           }
-          {
-            name: 'AZURE_BING_CONNECTION_NAME'
-            value: 'binggrnd'
-          }
-          {
-            name: 'BING_CONNECTION_NAME'
-            value: 'binggrnd'
-          }
-          {
-            name: 'REASONING_MODEL_NAME'
-            value: aiFoundryAiServicesReasoningModelDeployment.name
-          }
           {
             name: 'MCP_SERVER_ENDPOINT'
             value: 'https://${containerAppMcp.outputs.fqdn}/mcp'
@@ -1474,12 +1451,8 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             value: aiFoundryAiProjectEndpoint
           }
           {
-            name: 'AZURE_AI_AGENT_API_VERSION'
-            value: azureAiAgentAPIVersion
-          }
-          {
-            name: 'AZURE_AI_AGENT_PROJECT_CONNECTION_STRING'
-            value: '${aiFoundryAiServicesResourceName}.services.ai.azure.com;${aiFoundryAiServicesSubscriptionId};${aiFoundryAiServicesResourceGroupName};${aiFoundryAiProjectResourceName}'
+            name: 'ORCHESTRATOR_MODEL_NAME'
+            value: aiFoundryAiServicesReasoningModelDeployment.name
           }
            {
             name: 'AZURE_DEV_COLLECT_TELEMETRY'
@@ -1899,7 +1872,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
-    searchApiKey: searchService.outputs.primaryKey
   }
 }
 
@@ -1976,7 +1948,6 @@ output COSMOSDB_ENDPOINT string = 'https://${cosmosDbResourceName}.documents.azu
 output COSMOSDB_DATABASE string = cosmosDbDatabaseName
 output COSMOSDB_CONTAINER string = cosmosDbDatabaseMemoryContainerName
 output AZURE_OPENAI_ENDPOINT string = 'https://${aiFoundryAiServicesResourceName}.openai.azure.com/'
-output AZURE_OPENAI_MODEL_NAME string = aiFoundryAiServicesModelDeployment.name
 output AZURE_OPENAI_DEPLOYMENT_NAME string = aiFoundryAiServicesModelDeployment.name
 output AZURE_OPENAI_RAI_DEPLOYMENT_NAME string = aiFoundryAiServices4_1ModelDeployment.name
 output AZURE_OPENAI_API_VERSION string = azureopenaiVersion
@@ -1987,7 +1958,6 @@ output AZURE_AI_RESOURCE_GROUP string = resourceGroup().name
 output AZURE_AI_PROJECT_NAME string = aiFoundryAiProjectName
 output AZURE_AI_MODEL_DEPLOYMENT_NAME string = aiFoundryAiServicesModelDeployment.name
 // output APPLICATIONINSIGHTS_CONNECTION_STRING string = applicationInsights.outputs.connectionString
-output AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME string = aiFoundryAiServicesModelDeployment.name
 // output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output APP_ENV string = 'Prod'
 output AI_FOUNDRY_RESOURCE_ID string = !useExistingAiFoundryAiProject
@@ -1998,18 +1968,15 @@ output AZURE_SEARCH_ENDPOINT string = searchService.outputs.endpoint
 #disable-next-line BCP318
 output AZURE_CLIENT_ID string = userAssignedIdentity!.outputs.clientId
 output AZURE_TENANT_ID string = tenant().tenantId
-output AZURE_AI_SEARCH_CONNECTION_NAME string = aiSearchConnectionName
 output AZURE_COGNITIVE_SERVICES string = 'https://cognitiveservices.azure.com/.default'
-output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment.name
+output ORCHESTRATOR_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment.name
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = supportedModelsList
 output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
 output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
-output AZURE_AI_AGENT_API_VERSION string = azureAiAgentAPIVersion
-output AZURE_AI_AGENT_PROJECT_CONNECTION_STRING string = '${aiFoundryAiServicesResourceName}.services.ai.azure.com;${aiFoundryAiServicesSubscriptionId};${aiFoundryAiServicesResourceGroupName};${aiFoundryAiProjectResourceName}'
 output AZURE_DEV_COLLECT_TELEMETRY  string = 'no'
 
 // Container Registry Outputs
diff --git a/infra/modules/aifp-connections.bicep b/infra/modules/aifp-connections.bicep
@@ -1,21 +1,24 @@
+// ========================================================================
+// Base AI Search connection (CognitiveSearch / AAD).
+// Per-KB RemoteTool connections (ProjectManagedIdentity) are created by
+// infra/scripts/seed_kb_connections.py at post-deploy time because the KB
+// names are dynamic and depend on selected content packs.
+// ========================================================================
+
 param aifSearchConnectionName string
 param searchServiceName string
 param searchServiceResourceId string
 param searchServiceLocation string
 param aiFoundryName string
 param aiFoundryProjectName string
-@secure()
-param searchApiKey string
 
 resource aiSearchFoundryConnection 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = {
   name: '${aiFoundryName}/${aiFoundryProjectName}/${aifSearchConnectionName}'
   properties: {
     category: 'CognitiveSearch'
     target: 'https://${searchServiceName}.search.windows.net'
-    authType: 'ApiKey'
-    credentials: {
-      key: searchApiKey
-    }
+    authType: 'AAD'
+    useWorkspaceManagedIdentity: true
     isSharedToAll: true
     metadata: {
       ApiType: 'Azure'
diff --git a/infra/scripts/post_deploy.ps1 b/infra/scripts/post_deploy.ps1
@@ -464,6 +464,22 @@ if ($selectedDataPacks.Count -gt 0) {
     } else {
         Write-Host "  Knowledge bases seeded successfully."
     }
+
+    # ──────────────────────────────────────────────────────────────────────────
+    # 9. Create RemoteTool connections for KB MCP endpoints
+    # ──────────────────────────────────────────────────────────────────────────
+
+    Write-Host "`n── Step 5: Creating KB MCP RemoteTool connections ──" -ForegroundColor Green
+
+    $env:AZURE_AI_SEARCH_ENDPOINT = $searchEndpoint
+    $env:AZURE_AI_PROJECT_ENDPOINT = $projectEndpoint
+    $process = Start-Process -FilePath $pythonCmd -ArgumentList "infra/scripts/seed_kb_connections.py" -Wait -NoNewWindow -PassThru
+    if ($process.ExitCode -ne 0) {
+        Write-Host "  ERROR: KB connection provisioning failed. Run 'python infra/scripts/seed_kb_connections.py' manually." -ForegroundColor Red
+        $script:hasErrors = $true
+    } else {
+        Write-Host "  KB MCP connections created successfully."
+    }
 } else {
     Write-Host "`n  Selected use case has no datasets to deploy — skipping blob/index/KB steps."
 }
diff --git a/infra/scripts/seed_kb_connections.py b/infra/scripts/seed_kb_connections.py
