chore: dev to main merge

.github/workflows/azd-template-validation.yml

@@ -1,9 +1,14 @@
 name: AZD Template Validation
-on: 
+on:
   workflow_dispatch:
   push:
     branches:
       - main
+    paths:
+      - 'infra/**'
+      - 'azure.yaml'
+      - 'scripts/**'
+      - '.github/workflows/azure-dev.yml'
 
 permissions:
   contents: read
@@ -16,6 +21,8 @@ jobs:
     name: azd template validation
     steps:
       - uses: actions/checkout@v4
+        with:
+          submodules: recursive
 
       # This postprovision cleanup step (Stage 19) has been removed from azure.yaml because
       # azd down was failing in the pipeline. As a workaround, we are removing this step
@@ -36,6 +43,9 @@ jobs:
           AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
           AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TEMP: /tmp
           fabricCapacityMode: 'none'
+          AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}
+          AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
       - name: print result
         run: cat ${{ steps.validation.outputs.resultFile }}

.github/workflows/azure-dev.yml

@@ -24,26 +24,73 @@ jobs:
       AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
       AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
       AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
-      AZURE_USER_OBJECT_ID: ''
+      AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+      TEMP: /tmp
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
       - name: Install azd
         uses: Azure/setup-azd@v2
+
       - name: Azure Developer CLI Login
         run: |
           azd auth login `
             --client-id "$Env:AZURE_CLIENT_ID" `
             --federated-credential-provider "github" `
-            --tenant-id "$Env:AZURE_TENANT_ID" 
+            --tenant-id "$Env:AZURE_TENANT_ID"
         shell: pwsh
+
       - name: Azure CLI Login
         uses: azure/login@v2
         with:
           client-id: ${{ vars.AZURE_CLIENT_ID }}
           tenant-id: ${{ vars.AZURE_TENANT_ID }}
           subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Resolve Service Principal Object ID
+        run: |
+          # If PRINCIPAL_ID repo variable is set and is a valid GUID, use it directly
+          if [[ "${{ vars.PRINCIPAL_ID }}" =~ ^[0-9a-fA-F-]{36}$ ]]; then
+            echo "Using PRINCIPAL_ID from repo variables"
+            echo "AZURE_PRINCIPAL_ID=${{ vars.PRINCIPAL_ID }}" >> $GITHUB_ENV
+          else
+            # Resolve the Object ID from the Application (Client) ID
+            # Role assignments require the SP Object ID, not the Client/App ID
+            echo "Resolving Service Principal Object ID from Client ID..."
+            SP_OBJECT_ID=$(az ad sp show --id "${{ vars.AZURE_CLIENT_ID }}" --query id -o tsv 2>/dev/null)
+            if [[ -z "$SP_OBJECT_ID" ]]; then
+              echo "::error::Failed to resolve Service Principal Object ID from Client ID: ${{ vars.AZURE_CLIENT_ID }}"
+              exit 1
+            fi
+            echo "Resolved SP Object ID: $SP_OBJECT_ID"
+            echo "AZURE_PRINCIPAL_ID=$SP_OBJECT_ID" >> $GITHUB_ENV
+          fi
+
+      - name: Create Resource Group if needed
+        run: |
+          # Use provided RG name or derive from environment name
+          RESOURCE_GROUP="${AZURE_RESOURCE_GROUP:-rg-${AZURE_ENV_NAME}}"
+          echo "Using resource group: $RESOURCE_GROUP"
+
+          RG_EXISTS=$(az group exists --name "$RESOURCE_GROUP")
+          if [ "$RG_EXISTS" = "false" ]; then
+            echo "Creating resource group: $RESOURCE_GROUP"
+            az group create --name "$RESOURCE_GROUP" --location ${{ vars.AZURE_LOCATION }}
+          else
+            echo "Resource group already exists: $RESOURCE_GROUP"
+          fi
+
+          # Set for subsequent steps
+          echo "RESOURCE_GROUP=$RESOURCE_GROUP" >> $GITHUB_ENV
+
       - name: Provision Infrastructure
+        id: provision-main
         run: azd provision --no-prompt
         env:
-           AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+          AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+          AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+          fabricCapacityMode: 'none'
+          fabricWorkspaceMode: 'none'

azure.yaml

@@ -2,6 +2,7 @@ name: deploy-your-ai-application-in-production
 
 requiredVersions:
   azd: ">=1.15.0 != 1.23.9"
+  bicep: '>= 0.33.0'
 
 infra:
   provider: "bicep"

docs/ACCESSING_PRIVATE_RESOURCES.md

@@ -18,9 +18,9 @@ azd env get-values | grep jumpVm
 
 # Or in Azure Portal:
 # 1. Navigate to your resource group
-# 2. Find the VM (usually named like "vm-jump-<env>")
+# 2. Find the VM resource created for the jump box
 # 3. Click "Connect" → "Bastion"
-# 4. Enter the username and password (auto-generated during deployment)
+# 4. Enter the username and password you set via VM_ADMIN_USERNAME / VM_ADMIN_PASSWORD
 ```
 
 ### 2. From Jump VM, Access Private Services
@@ -169,7 +169,13 @@ You can configure services without private endpoints by modifying individual ser
 
 ### Jump VM credentials unknown
 
-Credentials are auto-generated during deployment. To reset:
+If you did not set the credentials before deployment, use the top-layer defaults or reset them:
+
+- Username: `VM_ADMIN_USERNAME` environment variable, or `vmUserName` in [infra/main.bicepparam](../infra/main.bicepparam)
+- Default username when unset: `testvmuser`
+- Password: `VM_ADMIN_PASSWORD` environment variable, or `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam)
+
+To reset:
 
 ```bash
 az vm user update \

docs/deploy_app_from_foundry.md

@@ -24,7 +24,7 @@ Since all resources are deployed with private endpoints, you must access Microso
 2. Navigate to your resource group
 3. Select the **Jump VM** (Windows Virtual Machine)
 4. Click **Connect** → **Bastion**
-5. Enter the VM credentials (set during deployment)
+5. Enter the VM credentials you configured in the top layer (`VM_ADMIN_USERNAME` / `VM_ADMIN_PASSWORD`, or [infra/main.bicepparam](../infra/main.bicepparam))
 6. Once connected, open a browser and navigate to [Microsoft Foundry](https://ai.azure.com)
 
 ### 2. Configure Your Playground

docs/deploymentguide.md

@@ -202,8 +202,22 @@ Edit `infra/main.bicepparam` or set environment variables:
 | `postgreSqlNetworkIsolation` | PostgreSQL private networking toggle (defaults to `networkIsolation`) | `networkIsolation` |
 | `useExistingVNet` | Reuse an existing VNet | `false` |
 | `existingVnetResourceId` | Existing VNet resource ID (when `useExistingVNet=true`) | `` |
-| `vmUserName` | Jump box VM admin username | `` |
-| `vmAdminPassword` | Jump box VM admin password | (prompted) |
+| `vmUserName` | Jump box VM admin username | `VM_ADMIN_USERNAME` env var or `testvmuser` |
+| `vmAdminPassword` | Jump box VM admin password | `VM_ADMIN_PASSWORD` env var |
+
+For network-isolated deployments, set the VM credentials before running `azd up`:
+
+```powershell
+azd env set VM_ADMIN_USERNAME "youradminuser"
+azd env set VM_ADMIN_PASSWORD "Use-A-Strong-Password-Here!"
+```
+
+If you prefer source-controlled defaults, set them in [infra/main.bicepparam](../infra/main.bicepparam) instead:
+
+```bicep
+param vmUserName = 'youradminuser'
+param vmAdminPassword = 'Use-A-Strong-Password-Here!'
+```
 
 </details>
 

docs/post_deployment_steps.md

@@ -209,9 +209,10 @@ For network-isolated deployments, use Azure Bastion to access resources:
 
    ![Image showing bastion blade](../img/provisioning/checkNetworkIsolation7.png)
 
-4. Enter the VM admin credentials (set during deployment) and click **Connect**
-   - Admin username: `vmUserName` in [infra/main.bicep](../infra/main.bicep)
-   - Admin password: `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam) (defaults to the `VM_ADMIN_PASSWORD` environment variable)
+4. Enter the VM admin credentials and click **Connect**
+   - Admin username: `vmUserName` in [infra/main.bicepparam](../infra/main.bicepparam) or the `VM_ADMIN_USERNAME` environment variable
+   - Admin password: `vmAdminPassword` in [infra/main.bicepparam](../infra/main.bicepparam) or the `VM_ADMIN_PASSWORD` environment variable
+   - If `vmUserName` is not set in the top layer, the effective default is `testvmuser`
    - If you do not have them, reset the password in **Azure Portal** → **Virtual machine** → **Reset password**.
 
    ![Image showing bastion login](../img/provisioning/checkNetworkIsolation8.png)

docs/quota_check.md

@@ -1,64 +1,97 @@
 # Check Quota Availability Before Deployment
 
-Before deploying the accelerator, **ensure sufficient quota availability** for the required model.
-> **We recommend increasing the capacity to 100k tokens for optimal performance.**
+Before deploying the accelerator, **ensure sufficient quota availability** for the required AI models and Fabric capacity.
+> **The default capacities match the deployment parameters in `infra/main.bicepparam`.**
 
 ## Login if you have not done so already
 ```
 az login
 ```
 
 ## 📌 Default Models & Capacities:
+These match the `modelDeploymentList` in the Bicep parameters:
 ```
-gpt-4o:150, gpt-4o-mini:150, gpt-4:150, text-embedding-3-small:100
+gpt-4.1-mini:40:GlobalStandard, text-embedding-3-large:40:Standard
 ```
+
 ## 📌 Default Regions:
 ```
-eastus, uksouth, eastus2, northcentralus, swedencentral, westus, westus2, southcentralus, canadacentral, australiaeast, japaneast, norwayeast
+eastus, eastus2, swedencentral, uksouth, westus, westus2, southcentralus, canadacentral, australiaeast, japaneast, norwayeast
 ```
+
+## 📌 Optional: Fabric Capacity Check
+The accelerator also deploys a **Microsoft Fabric F8** capacity. Pass `--check-fabric` (bash) or `-CheckFabric` (PowerShell) to verify Fabric SKU availability.
+
 ## Usage Scenarios:
 - No parameters passed → Default models and capacities will be checked in default regions.
 - Only model(s) provided → The script will check for those models in the default regions.
 - Only region(s) provided → The script will check default models in the specified regions.
 - Both models and regions provided → The script will check those models in the specified regions.
 - `--verbose` passed → Enables detailed logging output for debugging and traceability.
+- `--check-fabric` passed → Also checks Microsoft Fabric capacity availability.
 
-## **Input Formats**
-> Use the --models, --regions, and --verbose options for parameter handling:
+## **Input Formats — Bash**
+> Use the --models, --regions, --verbose, and --check-fabric options for parameter handling:
 
-✔️ Run without parameters to check default models & regions without verbose logging:
-   ```
-  ./quota_check.sh
+✔️ Run without parameters to check default models & regions:
+   ```sh
+   ./quota_check.sh
    ```
 ✔️ Enable verbose logging:
-   ```
-  ./quota_check.sh --verbose
+   ```sh
+   ./quota_check.sh --verbose
    ```
 ✔️ Check specific model(s) in default regions:
-  ```
-  ./quota_check.sh --models gpt-4o:150,text-embedding-3-small:100
+  ```sh
+  ./quota_check.sh --models gpt-4.1-mini:40:GlobalStandard,text-embedding-3-large:40:Standard
   ```
 ✔️ Check default models in specific region(s):
-  ```
-./quota_check.sh --regions eastus,westus
-  ```
-✔️ Passing Both models and regions:  
-  ```
-  ./quota_check.sh --models gpt-4o:150 --regions eastus,westus2
+  ```sh
+  ./quota_check.sh --regions eastus,westus
   ```
 ✔️ All parameters combined:
+  ```sh
+  ./quota_check.sh --models gpt-4.1-mini:40 --regions eastus,westus --verbose
+  ```
+✔️ Also check Fabric capacity availability:
+  ```sh
+  ./quota_check.sh --check-fabric --verbose
   ```
- ./quota_check.sh --models gpt-4:150,text-embedding-3-small:100 --regions eastus,westus --verbose
+
+## **Input Formats — PowerShell**
+> Use the -Models, -Regions, -Verbose, and -CheckFabric parameters:
+
+✔️ Run without parameters:
+   ```powershell
+   .\quota_check.ps1
+   ```
+✔️ Check specific model(s):
+  ```powershell
+  .\quota_check.ps1 -Models "gpt-4.1-mini:40:GlobalStandard,text-embedding-3-large:40:Standard"
   ```
-✔️ Multiple models with single region:
+✔️ Check specific region(s):
+  ```powershell
+  .\quota_check.ps1 -Regions "eastus,westus2"
   ```
- ./quota_check.sh --models gpt-4:150,text-embedding-3-small:100 --regions eastus2 --verbose
+✔️ All parameters combined:
+  ```powershell
+  .\quota_check.ps1 -Models "gpt-4.1-mini:40" -Regions "eastus,westus" -CheckFabric -Verbose
   ```
 
 ## **Sample Output**
 The final table lists regions with available quota. You can select any of these regions for deployment.
 
-![quota-check-output](../img/Documentation/quota-check-output.png)
+```
+╔══════════════════════════════════════════════════════════════╗
+║                     QUOTA CHECK SUMMARY                    ║
+╚══════════════════════════════════════════════════════════════╝
+
+Region                gpt-4.1-mini                  text-embedding-3-large        Status
+──────────────────────────────────────────────────────────────────────────────────────────
+eastus                ✅ 200/240 (need 40)           ✅ 120/200 (need 40)           ✅ PASS
+eastus2               ❌ 10/240 (need 40)            ✅ 50/200 (need 40)            ❌ FAIL
+swedencentral         ✅ 100/240 (need 40)           ✅ 80/200 (need 40)            ✅ PASS
+```
 
 ---
 ## **If using Azure Portal and Cloud Shell**
@@ -74,22 +107,33 @@ The final table lists regions with available quota. You can select any of these
     chmod +x quota_check.sh
     ./quota_check.sh
     ```
-    - Refer to [Input Formats](#input-formats) for detailed commands.
+    - Refer to [Input Formats — Bash](#input-formats--bash) for detailed commands.
 
 ## **If using VS Code or Codespaces**
+
+### Option 1: Bash (Linux, macOS, Git Bash, WSL, Cloud Shell)
 1. Open the terminal in VS Code or Codespaces.
-2. Use a terminal that can run bash. This is only for the quota check script; deployment uses PowerShell.
+2. Use a terminal that can run bash.
   ![git_bash](../img/provisioning/git_bash.png)
-3. Navigate to the `scripts` folder where the script files are located and make the script as executable:
+3. Navigate to the `scripts` folder and make the script executable:
    ```sh
     cd scripts
     chmod +x quota_check.sh
     ```
-4. Run the appropriate script based on your requirement:  
-
-   **To check quota for the deployment**  
-
+4. Run the script:
     ```sh
     ./quota_check.sh
     ```
-   - Refer to [Input Formats](#input-formats) for detailed commands.
+   - Refer to [Input Formats — Bash](#input-formats--bash) for detailed commands.
+
+### Option 2: PowerShell (Windows, Linux, macOS)
+1. Open a PowerShell terminal in VS Code.
+2. Navigate to the `scripts` folder:
+   ```powershell
+   cd scripts
+   ```
+3. Run the script:
+   ```powershell
+   .\quota_check.ps1
+   ```
+   - Refer to [Input Formats — PowerShell](#input-formats--powershell) for detailed commands.

infra/main.bicepparam

@@ -9,7 +9,7 @@ param location = readEnvironmentVariable('AZURE_LOCATION', '')
 param cosmosLocation = readEnvironmentVariable('AZURE_COSMOS_LOCATION', '')
 // Entra object ID of the identity to grant RBAC (user, group, service principal, or UAI). Set this if Graph lookup is blocked.
 param principalId = readEnvironmentVariable('AZURE_PRINCIPAL_ID', '')
-param principalType = 'User'
+param principalType = readEnvironmentVariable('AZURE_PRINCIPAL_TYPE', 'User')
 
 // ========================================
 // OPTIONAL INPUTS (Existing Resources)
@@ -204,7 +204,8 @@ param containerAppsList = [
   }
 ]
 
-param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', '$(secretOrRandomPassword)')
+param vmUserName = readEnvironmentVariable('VM_ADMIN_USERNAME', 'testvmuser')
+param vmAdminPassword = readEnvironmentVariable('VM_ADMIN_PASSWORD', 'JumpboxAdminP@ssw0rd1234!')
 param vmSize = 'Standard_D2s_v4'
 
 // ========================================