Merge pull request #851 from microsoft/PSL-US-43670

Prajwal-Microsoft · web-flow · commit 78ac4fe5e35b · 2026-05-19T15:38:00.000Z
refactor: Updated Foundry Roles name
diff --git a/docs/LocalDevelopmentSetup.md b/docs/LocalDevelopmentSetup.md
@@ -441,22 +441,22 @@ az role assignment create `
   --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<storage>"
 ```
 
-### Azure AI User Access Denied
+### Foundry User Access Denied
 
-The local dev script assigns the Azure AI User role automatically. If you still encounter issues, add manually:
+The local dev script assigns the Foundry User role automatically. If you still encounter issues, add manually:
 
 ```bash
 # Linux/macOS
 az role assignment create \
-  --role "Azure AI User" \
+  --role "Foundry User" \
   --assignee $(az ad signed-in-user show --query id -o tsv) \
   --scope /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-foundry-account>
 ```
 
 ```powershell
 # Windows PowerShell
 az role assignment create `
-  --role "Azure AI User" `
+  --role "Foundry User" `
   --assignee (az ad signed-in-user show --query id -o tsv) `
   --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.CognitiveServices/accounts/<ai-foundry-account>"
 ```
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -618,7 +618,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'
     }
     roleAssignments: [
       {
-        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User
+        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User
         principalId: userAssignedIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
       }
@@ -633,7 +633,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'
         principalType: 'ServicePrincipal'
       }
       {
-        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User for deployer
+        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User for deployer
         principalId: deployer().objectId
       }
     ]
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -658,7 +658,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'
     }
     roleAssignments: [
       {
-        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User
+        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User
         principalId: userAssignedIdentity.outputs.principalId
         principalType: 'ServicePrincipal'
       }
@@ -673,7 +673,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'
         principalType: 'ServicePrincipal'
       }
       {
-        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User for deployer
+        roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User for deployer
         principalId: deployer().objectId
       }
     ]
diff --git a/infra/modules/deploy_foundry_role_assignment.bicep b/infra/modules/deploy_foundry_role_assignment.bicep
@@ -23,7 +23,7 @@ param principalType string = 'ServicePrincipal'
 
 // ========== Role Definitions ========== //
 
-// Azure AI User role - for AI Foundry project access (used by AIProjectClient for image generation)
+// Foundry User role - for AI Foundry project access (used by AIProjectClient for image generation)
 resource azureAiUserRole 'Microsoft.Authorization/roleDefinitions@2022-04-01' existing = {
   name: '53ca6127-db72-4b80-b1b0-d745d6d5456d'
 }
@@ -48,7 +48,7 @@ resource existingAiProject 'Microsoft.CognitiveServices/accounts/projects@2025-1
 
 // ========== Role Assignments ========== //
 
-// Azure AI User role assignment - same as reference accelerator
+// Foundry User role assignment - same as reference accelerator
 // Required for AIProjectClient (used for image generation in Foundry mode)
 resource assignAzureAiUserRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
   name: guid(existingAiServices.id, principalId, azureAiUserRole.id)
diff --git a/scripts/local_dev.ps1 b/scripts/local_dev.ps1
@@ -102,7 +102,7 @@ function Ensure-AzureLogin {
 }
 
 function Ensure-AzureAIUserRole {
-    Write-Info "Checking Azure AI User role..."
+    Write-Info "Checking Foundry User role..."
     
     # Get env vars
     $existingProjectId = $null
@@ -135,15 +135,15 @@ function Ensure-AzureAIUserRole {
     $existing = az role assignment list --assignee $signedUserId --role $roleId --scope $scope --query "[0].id" -o tsv 2>$null
     
     if ($existing) {
-        Write-Success "Azure AI User role already assigned."
+        Write-Success "Foundry User role already assigned."
     } else {
-        Write-Info "Assigning Azure AI User role..."
+        Write-Info "Assigning Foundry User role..."
         az role assignment create --assignee $signedUserId --role $roleId --scope $scope --output none 2>$null
         if ($LASTEXITCODE -ne 0) {
-            Write-Error "Failed to assign Azure AI User role."
+            Write-Error "Failed to assign Foundry User role."
             exit 1
         }
-        Write-Success "Azure AI User role assigned."
+        Write-Success "Foundry User role assigned."
     }
 }
 
diff --git a/scripts/local_dev.sh b/scripts/local_dev.sh
@@ -100,7 +100,7 @@ ensure_azure_login() {
 }
 
 ensure_azure_ai_user_role() {
-    print_info "Checking Azure AI User role..."
+    print_info "Checking Foundry User role..."
     
     local existing_project_id=""
     local foundry_resource_id=""
@@ -131,14 +131,14 @@ ensure_azure_ai_user_role() {
     existing=$(MSYS_NO_PATHCONV=1 az role assignment list --assignee "$signed_user_id" --role "$role_id" --scope "$scope" --query "[0].id" -o tsv 2>/dev/null)
     
     if [ -n "$existing" ]; then
-        print_success "Azure AI User role already assigned."
+        print_success "Foundry User role already assigned."
     else
-        print_info "Assigning Azure AI User role..."
+        print_info "Assigning Foundry User role..."
         if ! MSYS_NO_PATHCONV=1 az role assignment create --assignee "$signed_user_id" --role "$role_id" --scope "$scope" --output none 2>/dev/null; then
-            print_error "Failed to assign Azure AI User role."
+            print_error "Failed to assign Foundry User role."
             exit 1
         fi
-        print_success "Azure AI User role assigned."
+        print_success "Foundry User role assigned."
     fi
 }
 

Original file line number	Diff line number	Diff line change
`@@ -618,7 +618,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'`
`618`	`618`	`}`
`619`	`619`	`roleAssignments: [`
`620`	`620`	`{`
`621`		`- roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User`
	`621`	`+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User`
`622`	`622`	`principalId: userAssignedIdentity.outputs.principalId`
`623`	`623`	`principalType: 'ServicePrincipal'`
`624`	`624`	`}`
`@@ -633,7 +633,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'`
`633`	`633`	`principalType: 'ServicePrincipal'`
`634`	`634`	`}`
`635`	`635`	`{`
`636`		`- roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User for deployer`
	`636`	`+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User for deployer`
`637`	`637`	`principalId: deployer().objectId`
`638`	`638`	`}`
`639`	`639`	`]`
Original file line number	Diff line number	Diff line change
`@@ -658,7 +658,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'`
`658`	`658`	`}`
`659`	`659`	`roleAssignments: [`
`660`	`660`	`{`
`661`		`- roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User`
	`661`	`+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User`
`662`	`662`	`principalId: userAssignedIdentity.outputs.principalId`
`663`	`663`	`principalType: 'ServicePrincipal'`
`664`	`664`	`}`
`@@ -673,7 +673,7 @@ module aiFoundryAiServices 'br/public:avm/res/cognitive-services/account:0.14.2'`
`673`	`673`	`principalType: 'ServicePrincipal'`
`674`	`674`	`}`
`675`	`675`	`{`
`676`		`- roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Azure AI User for deployer`
	`676`	`+ roleDefinitionIdOrName: '53ca6127-db72-4b80-b1b0-d745d6d5456d' // Foundry User for deployer`
`677`	`677`	`principalId: deployer().objectId`
`678`	`678`	`}`
`679`	`679`	`]`
Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ function Ensure-AzureLogin {`
`102`	`102`	`}`
`103`	`103`
`104`	`104`	`function Ensure-AzureAIUserRole {`
`105`		`- Write-Info "Checking Azure AI User role..."`
	`105`	`+ Write-Info "Checking Foundry User role..."`
`106`	`106`
`107`	`107`	`# Get env vars`
`108`	`108`	`$existingProjectId = $null`
`@@ -135,15 +135,15 @@ function Ensure-AzureAIUserRole {`
`135`	`135`	`$existing = az role assignment list --assignee $signedUserId --role $roleId --scope $scope --query "[0].id" -o tsv 2>$null`
`136`	`136`
`137`	`137`	`if ($existing) {`
`138`		`- Write-Success "Azure AI User role already assigned."`
	`138`	`+ Write-Success "Foundry User role already assigned."`
`139`	`139`	`} else {`
`140`		`- Write-Info "Assigning Azure AI User role..."`
	`140`	`+ Write-Info "Assigning Foundry User role..."`
`141`	`141`	`az role assignment create --assignee $signedUserId --role $roleId --scope $scope --output none 2>$null`
`142`	`142`	`if ($LASTEXITCODE -ne 0) {`
`143`		`- Write-Error "Failed to assign Azure AI User role."`
	`143`	`+ Write-Error "Failed to assign Foundry User role."`
`144`	`144`	`exit 1`
`145`	`145`	`}`
`146`		`- Write-Success "Azure AI User role assigned."`
	`146`	`+ Write-Success "Foundry User role assigned."`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`