Add post-deployment guidance for ASP.NET Core + EF + SQL with managed identity #959

Merged
tmeschter merged 11 commits into main from copilot/automate-app-service-access
Mar 2, 2026
Copilot AI commented Feb 18, 2026

Implementation Plan: ASP.NET Core + EF Core + SQL Post-Deployment

Phase 1: Documentation Structure ✅

  • Create post-deployment reference documentation
    • Create post-deployment.md with ASP.NET + SQL patterns
    • Create sql-managed-identity.md with SQL permission grant scripts
    • Create ef-migrations.md with EF Core migration patterns

Phase 2: Verification Updates ✅

  • Update verify.md to include post-deployment steps
    • Add SQL database access verification
    • Add EF migrations verification
    • Add endpoint health check verification

Phase 3: Recipe Enhancement ✅

  • Update azure-deploy/references/recipes/azd/README.md
    • Add post-deployment workflow step
    • Link to new post-deployment documentation

Phase 4: Testing ✅

  • Add trigger test cases for post-deployment scenarios
  • Update snapshots for new keywords (cli, identity, sql)
  • Update main SKILL.md with post-deployment step
  • All tests passing

Phase 5: Validation ✅

  • Manual verification of documentation flow
  • Review all file additions for completeness
  • CodeQL security scan (0 issues found)
  • Store memory for future reference

Phase 6: Optimization ✅

  • Compact ef-migrations.md (404→137 lines, 66% reduction)
  • Compact sql-managed-identity.md (289→112 lines, 61% reduction)

Phase 7: Code Review Fixes ✅

  • Fix test regex to use word boundaries
  • Make SQL role assignment truly idempotent
  • Remove || true error suppression
  • Fix variable consistency across documentation
  • Fix cross-directory reference (create sql-entra-auth.md)
  • Simplify variable assignments (remove redundant echo)

Summary

Successfully implemented comprehensive post-deployment documentation for the azure-deploy skill. All documentation optimized for token limits while maintaining clarity and completeness. Addressed all code review feedback for production-ready idempotent scripts.

Original prompt

This section details on the original issue you should resolve

<issue_title>azure-deploy: Automatically grant App Service managed identity access to SQL Database and apply EF migrations</issue_title>
<issue_description>## Summary

After a successful azd up deployment of an ASP.NET Core app with Entity Framework Core and Azure SQL Database using Entra-only authentication, the app fails with HTTP 500 because:

  1. The App Service's system-assigned managed identity has no permissions on the SQL database
  2. EF Core migrations have not been applied — the database has no application tables

These are predictable post-provisioning steps that the azure-deploy skill should handle automatically.

Current Behavior

After azd up completes successfully, the deployed app crashes on startup with:

Login failed for user '<token-identified principal>'.
Error Number: 18456

The user must manually:

  1. Get an access token for the database
  2. Run CREATE USER [app-name] FROM EXTERNAL PROVIDER and grant db_datareader, db_datawriter, db_ddladmin roles
  3. Generate and apply EF migration SQL (dotnet ef migrations script --idempotent)
  4. Restart the App Service

Expected Behavior

The azure-deploy skill should include post-provisioning steps that:

  1. Detect that the architecture includes App Service + Azure SQL with managed identity
  2. Grant the App Service's managed identity database access using the Entra admin credentials
  3. Detect EF Core migrations in the project and apply them to the Azure SQL database
  4. Verify the deployed endpoint returns a successful HTTP status code

This could be implemented as an azd post-provision hook or as explicit steps in the deploy recipe.

Steps to Reproduce

  1. Deploy an ASP.NET Core + EF Core app to App Service with Azure SQL (Entra-only auth)
  2. azd up succeeds but the app returns HTTP 500
  3. Manual SQL commands are needed to create the managed identity user and apply migrations

Suggested Fix

  • Add a post-provision hook template that grants managed identity SQL access
  • Detect EF Core projects (look for Migrations/ folder or Microsoft.EntityFrameworkCore references) and auto-apply migrations
  • Add endpoint verification to the deploy verification steps in verify.md</issue_description>

Comments on the Issue (you are @copilot in this section)

@tmeschter Note that this was an ASP.NET Core app deployed to an app service, along with an Azure SQL Server for a database.

We might need some dotnet-specific guidance around Entity Framework, similar to our NodeJS guidance.</comment_new>



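The manual grant step listed in the issue above, sketched as an added example (not code from this pull request or its sql-managed-identity.md). The function names, the `contoso-web` sample name and the name-validation rule (letters, digits and hyphens, 2 to 60 characters) are assumptions; the three roles are the ones the issue names.

```shell
#!/usr/bin/env bash
# Added example: emit idempotent T-SQL that grants an App Service managed
# identity access to an Azure SQL database. All names are hypothetical.

# Roles named in the issue. Anything else is refused, so a typo or a tampered
# environment value cannot widen the grant (for example to db_owner).
ALLOWED_ROLES="db_datareader db_datawriter db_ddladmin"

# Assumed naming rule: letters, digits and hyphens, no leading or trailing
# hyphen, 2-60 characters. The value is spliced into SQL text, so quotes,
# brackets and semicolons must never get through.
valid_principal() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ "${#1}" -ge 2 ] && [ "${#1}" -le 60 ]
}

role_allowed() {
  for r in $ALLOWED_ROLES; do
    [ "$r" = "$1" ] && return 0
  done
  return 1
}

# Usage: grant_sql <principal> <role>...
# Validates everything first, so a rejected call prints no partial SQL, and
# returns non-zero on failure instead of hiding it behind "|| true".
grant_sql() {
  principal=$1; shift
  valid_principal "$principal" || { echo "invalid principal name" >&2; return 2; }
  [ "$#" -gt 0 ] || { echo "no roles given" >&2; return 2; }
  for role in "$@"; do
    role_allowed "$role" || { echo "role not allowed: $role" >&2; return 2; }
  done
  # Each statement is guarded, so re-running the hook changes nothing.
  printf "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'%s')\n" "$principal"
  printf "    CREATE USER [%s] FROM EXTERNAL PROVIDER;\n" "$principal"
  for role in "$@"; do
    printf "IF IS_ROLEMEMBER(N'%s', N'%s') = 0\n" "$role" "$principal"
    printf "    ALTER ROLE [%s] ADD MEMBER [%s];\n" "$role" "$principal"
  done
}

# Constructed sample: print the script for a hypothetical app name.
grant_sql "contoso-web" db_datareader db_datawriter db_ddladmin
```

The generated script is meant to be run against the database by the Entra admin. If migrations are applied from the deployment pipeline rather than by the app at startup, the runtime identity can be limited to db_datareader and db_datawriter.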
Copilot AI and others added 2 commits February 18, 2026 22:00
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add automatic access grant for managed identity on SQL Database" to "Add post-deployment guidance for ASP.NET Core + EF + SQL with managed identity" Feb 18, 2026
Comment thread plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md Outdated
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
tmeschter previously approved these changes Feb 26, 2026
@tmeschter tmeschter marked this pull request as ready for review February 26, 2026 23:39
Copilot AI review requested due to automatic review settings February 26, 2026 23:39

Copilot AI left a comment

Pull request overview

Adds post-deployment documentation and verification guidance for ASP.NET Core + EF Core + Azure SQL deployments (managed identity / Entra auth), and updates skill references + tests accordingly.

Changes:

  • Added new post-deployment docs for managed identity SQL access and EF Core migrations
  • Expanded verify.md and recipe README to include post-deploy workflow and references
  • Updated unit tests and trigger keyword snapshot to reflect new post-deployment support

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| tests/azure-deploy/unit.test.ts | Adds assertions that the skill content mentions post-deploy and SQL/EF migration guidance |
| tests/azure-deploy/snapshots/triggers.test.ts.snap | Updates trigger keyword snapshot to include “sql” |
| plugin/skills/azure-deploy/references/recipes/azd/verify.md | Adds stepwise verification including health check, SQL access, schema checks, and links |
| plugin/skills/azure-deploy/references/recipes/azd/sql-managed-identity.md | New guide with SQL grant scripts, hook automation, verification, troubleshooting |
| plugin/skills/azure-deploy/references/recipes/azd/post-deployment.md | New consolidated post-deployment workflow guide and references |
| plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md | New EF Core migrations deployment patterns and troubleshooting |
| plugin/skills/azure-deploy/references/recipes/azd/README.md | Adds “Post-Deploy” step and references the new docs |
| plugin/skills/azure-deploy/SKILL.md | Adds post-deploy step to the skill flow and links to docs |

Comment thread tests/azure-deploy/unit.test.ts Outdated
Comment thread plugin/skills/azure-deploy/references/recipes/azd/post-deployment.md Outdated
Comment thread plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md Outdated
github-actions Bot commented Feb 26, 2026

🔍 Token Analysis Report

@github-copilot-for-azure/scripts@1.0.0 tokens
node --import tsx src/tokens/cli.ts compare --base origin/main --head HEAD --markdown

fatal: path 'plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md' exists on disk, but not in 'origin/main'
fatal: path 'plugin/skills/azure-deploy/references/recipes/azd/post-deployment.md' exists on disk, but not in 'origin/main'
fatal: path 'plugin/skills/azure-deploy/references/recipes/azd/sql-entra-auth.md' exists on disk, but not in 'origin/main'
fatal: path 'plugin/skills/azure-deploy/references/recipes/azd/sql-managed-identity.md' exists on disk, but not in 'origin/main'

📊 Token Change Report

Comparing origin/main to HEAD

Summary

| Metric | Value |
| --- | --- |
| 📈 Total Change | +4,600 tokens (+249%) |
| Before | 1,847 tokens |
| After | 6,447 tokens |
| Files Changed | 7 |

Changed Files

| File | Before | After | Change |
| --- | --- | --- | --- |
| plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md | - | 1,318 | +1318 |
| plugin/skills/azure-deploy/references/recipes/azd/sql-managed-identity.md | - | 1,190 | +1190 |
| plugin/skills/azure-deploy/references/recipes/azd/post-deployment.md | - | 878 | +878 |
| plugin/skills/azure-deploy/references/recipes/azd/verify.md | 80 | 647 | +567 (+709%) |
| plugin/skills/azure-deploy/references/recipes/azd/sql-entra-auth.md | - | 527 | +527 |
| plugin/skills/azure-deploy/SKILL.md | 1,068 | 1,142 | +74 (+7%) |
| plugin/skills/azure-deploy/references/recipes/azd/README.md | 699 | 745 | +46 (+7%) |

@github-copilot-for-azure/scripts@1.0.0 tokens
node --import tsx src/tokens/cli.ts check --markdown

📊 Token Limit Check Report

Checked: 448 files
Exceeded: 133 files

⚠️ Files Exceeding Token Limits

File Tokens Limit Over By
.github/skills/file-test-bug/SKILL.md 628 500 +128
.github/skills/sensei/README.md 3530 1000 +2530
.github/skills/sensei/SKILL.md 2382 500 +1882
.github/skills/sensei/references/EXAMPLES.md 3707 1000 +2707
.github/skills/sensei/references/LOOP.md 4181 1000 +3181
.github/skills/sensei/references/SCORING.md 3927 1000 +2927
.github/skills/sensei/references/TOKEN-INTEGRATION.md 1094 1000 +94
.github/skills/skill-authoring/SKILL.md 817 500 +317
plugin/skills/appinsights-instrumentation/SKILL.md 965 500 +465
plugin/skills/azure-ai/SKILL.md 846 500 +346
plugin/skills/azure-ai/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-aigateway/SKILL.md 1294 500 +794
plugin/skills/azure-aigateway/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-aigateway/references/patterns.md 1696 1000 +696
plugin/skills/azure-aigateway/references/policies.md 2342 1000 +1342
plugin/skills/azure-aigateway/references/troubleshooting.md 1971 1000 +971
plugin/skills/azure-cloud-migrate/references/services/functions/assessment.md 1601 1000 +601
plugin/skills/azure-cloud-migrate/references/services/functions/code-migration.md 1515 1000 +515
plugin/skills/azure-cloud-migrate/references/services/functions/lambda-to-functions.md 2600 1000 +1600
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/csharp.md 1403 1000 +403
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/java.md 1638 1000 +638
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/javascript.md 2181 1000 +1181
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/powershell.md 1261 1000 +261
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/python.md 1632 1000 +632
plugin/skills/azure-compliance/SKILL.md 1250 500 +750
plugin/skills/azure-compliance/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-compliance/references/azqr-recommendations.md 1447 1000 +447
plugin/skills/azure-compliance/references/azqr-remediation-patterns.md 1987 1000 +987
plugin/skills/azure-compliance/references/azure-keyvault-expiration-audit.md 1286 1000 +286
plugin/skills/azure-compliance/references/azure-quick-review.md 1268 1000 +268
plugin/skills/azure-compute/SKILL.md 2631 500 +2131
plugin/skills/azure-compute/references/retail-prices-api.md 1609 1000 +609
plugin/skills/azure-compute/references/vm-families.md 1234 1000 +234
plugin/skills/azure-compute/references/vmss-guide.md 1621 1000 +621
plugin/skills/azure-cost-optimization/SKILL.md 3468 500 +2968
plugin/skills/azure-cost-optimization/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-deploy/SKILL.md 1142 500 +642
plugin/skills/azure-deploy/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-deploy/references/pre-deploy-checklist.md 1195 1000 +195
plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md 1318 1000 +318
plugin/skills/azure-deploy/references/recipes/azd/errors.md 1212 1000 +212
plugin/skills/azure-deploy/references/recipes/azd/sql-managed-identity.md 1190 1000 +190
plugin/skills/azure-deploy/references/troubleshooting.md 1527 1000 +527
plugin/skills/azure-diagnostics/SKILL.md 1077 500 +577
plugin/skills/azure-hosted-copilot-sdk/SKILL.md 671 500 +171
plugin/skills/azure-hosted-copilot-sdk/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-hosted-copilot-sdk/references/azure-model-config.md 1151 1000 +151
plugin/skills/azure-kusto/SKILL.md 2175 500 +1675
plugin/skills/azure-messaging/SKILL.md 867 500 +367
plugin/skills/azure-messaging/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-messaging/references/service-troubleshooting.md 1044 1000 +44
plugin/skills/azure-observability/SKILL.md 1048 500 +548
plugin/skills/azure-observability/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-prepare/SKILL.md 1897 500 +1397
plugin/skills/azure-prepare/references/analyze.md 1038 1000 +38
plugin/skills/azure-prepare/references/apim.md 1453 1000 +453
plugin/skills/azure-prepare/references/aspire.md 2735 1000 +1735
plugin/skills/azure-prepare/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-prepare/references/azure-context.md 1019 1000 +19
plugin/skills/azure-prepare/references/plan-template.md 1063 1000 +63
plugin/skills/azure-prepare/references/recipes/azd/aspire.md 1584 1000 +584
plugin/skills/azure-prepare/references/recipes/azd/azure-yaml.md 1803 1000 +803
plugin/skills/azure-prepare/references/recipes/azd/terraform.md 2924 1000 +1924
plugin/skills/azure-prepare/references/research.md 1784 1000 +784
plugin/skills/azure-prepare/references/runtimes/nodejs.md 1508 1000 +508
plugin/skills/azure-prepare/references/security.md 2092 1000 +1092
plugin/skills/azure-prepare/references/services/functions/bicep.md 2132 1000 +1132
plugin/skills/azure-prepare/references/services/functions/templates/SPEC-composable-templates.md 6187 1000 +5187
plugin/skills/azure-prepare/references/services/functions/templates/recipes/README.md 1354 1000 +354
plugin/skills/azure-prepare/references/services/functions/templates/recipes/common/nodejs-entry-point.md 1034 1000 +34
plugin/skills/azure-prepare/references/services/functions/templates/recipes/common/uami-bindings.md 1223 1000 +223
plugin/skills/azure-prepare/references/services/functions/templates/recipes/composition.md 4564 1000 +3564
plugin/skills/azure-prepare/references/services/functions/templates/recipes/cosmosdb/README.md 1467 1000 +467
plugin/skills/azure-prepare/references/services/functions/templates/recipes/durable/README.md 1149 1000 +149
plugin/skills/azure-prepare/references/services/functions/templates/recipes/eventhubs/README.md 1403 1000 +403
plugin/skills/azure-prepare/references/services/functions/templates/recipes/mcp/source/java.md 1312 1000 +312
plugin/skills/azure-prepare/references/services/functions/templates/recipes/mcp/source/python.md 1207 1000 +207
plugin/skills/azure-prepare/references/services/functions/templates/recipes/mcp/source/typescript.md 1138 1000 +138
plugin/skills/azure-prepare/references/services/functions/templates/recipes/servicebus/README.md 1171 1000 +171
plugin/skills/azure-prepare/references/services/functions/templates/recipes/servicebus/source/dotnet.md 1280 1000 +280
plugin/skills/azure-prepare/references/services/functions/templates/recipes/servicebus/source/java.md 1016 1000 +16
plugin/skills/azure-prepare/references/services/functions/templates/recipes/sql/source/java.md 1009 1000 +9
plugin/skills/azure-prepare/references/services/functions/templates/recipes/sql/source/python.md 1080 1000 +80
plugin/skills/azure-prepare/references/services/functions/terraform.md 2545 1000 +1545
plugin/skills/azure-prepare/references/services/service-bus/patterns.md 1122 1000 +122
plugin/skills/azure-resource-lookup/SKILL.md 1389 500 +889
plugin/skills/azure-resource-lookup/references/azure-resource-graph.md 1307 1000 +307
plugin/skills/azure-resource-visualizer/SKILL.md 2105 500 +1605
plugin/skills/azure-storage/SKILL.md 1180 500 +680
plugin/skills/azure-storage/references/auth-best-practices.md 1543 1000 +543
plugin/skills/azure-storage/references/sdk-usage.md 1135 1000 +135
plugin/skills/azure-validate/SKILL.md 761 500 +261
plugin/skills/azure-validate/references/recipes/azd/README.md 1191 1000 +191
plugin/skills/entra-app-registration/SKILL.md 2068 500 +1568
plugin/skills/entra-app-registration/references/api-permissions.md 2545 1000 +1545
plugin/skills/entra-app-registration/references/auth-best-practices.md 1543 1000 +543
plugin/skills/entra-app-registration/references/cli-commands.md 2211 1000 +1211
plugin/skills/entra-app-registration/references/console-app-example.md 2752 1000 +1752
plugin/skills/entra-app-registration/references/first-app-registration.md 1846 1000 +846
plugin/skills/entra-app-registration/references/oauth-flows.md 2375 1000 +1375
plugin/skills/entra-app-registration/references/troubleshooting.md 1896 1000 +896
plugin/skills/microsoft-foundry/SKILL.md 1948 500 +1448
plugin/skills/microsoft-foundry/foundry-agent/create/create.md 3016 1000 +2016
plugin/skills/microsoft-foundry/foundry-agent/create/references/agentframework.md 1300 1000 +300
plugin/skills/microsoft-foundry/foundry-agent/create/references/tool-memory.md 1204 1000 +204
plugin/skills/microsoft-foundry/foundry-agent/deploy/deploy.md 4005 1000 +3005
plugin/skills/microsoft-foundry/foundry-agent/invoke/invoke.md 1273 1000 +273
plugin/skills/microsoft-foundry/foundry-agent/trace/references/kql-templates.md 1913 1000 +913
plugin/skills/microsoft-foundry/foundry-agent/trace/references/search-traces.md 1366 1000 +366
plugin/skills/microsoft-foundry/foundry-agent/trace/trace.md 1265 1000 +265
plugin/skills/microsoft-foundry/foundry-agent/troubleshoot/troubleshoot.md 1299 1000 +299
plugin/skills/microsoft-foundry/models/deploy-model/SKILL.md 1640 500 +1140
plugin/skills/microsoft-foundry/models/deploy-model/capacity/SKILL.md 1739 500 +1239
plugin/skills/microsoft-foundry/models/deploy-model/customize/EXAMPLES.md 1091 1000 +91
plugin/skills/microsoft-foundry/models/deploy-model/customize/SKILL.md 2235 500 +1735
plugin/skills/microsoft-foundry/models/deploy-model/customize/references/customize-workflow.md 3335 1000 +2335
plugin/skills/microsoft-foundry/models/deploy-model/preset/SKILL.md 1226 500 +726
plugin/skills/microsoft-foundry/models/deploy-model/preset/references/preset-workflow.md 5534 1000 +4534
plugin/skills/microsoft-foundry/models/deploy-model/preset/references/workflow.md 1315 1000 +315
plugin/skills/microsoft-foundry/project/create/create-foundry-project.md 1346 1000 +346
plugin/skills/microsoft-foundry/quota/quota.md 2129 1000 +1129
plugin/skills/microsoft-foundry/quota/references/capacity-planning.md 1968 1000 +968
plugin/skills/microsoft-foundry/quota/references/error-resolution.md 1141 1000 +141
plugin/skills/microsoft-foundry/quota/references/optimization.md 1846 1000 +846
plugin/skills/microsoft-foundry/quota/references/ptu-guide.md 1473 1000 +473
plugin/skills/microsoft-foundry/quota/references/troubleshooting.md 1807 1000 +807
plugin/skills/microsoft-foundry/quota/references/workflows.md 1614 1000 +614
plugin/skills/microsoft-foundry/rbac/rbac.md 1752 1000 +752
plugin/skills/microsoft-foundry/references/auth-best-practices.md 1543 1000 +543
plugin/skills/microsoft-foundry/references/sdk/foundry-sdk-py.md 2060 1000 +1060
plugin/skills/microsoft-foundry/resource/create/create-foundry-resource.md 1489 1000 +489
plugin/skills/microsoft-foundry/resource/create/references/workflows.md 1637 1000 +637
.github/agents/SkillCreator.agent.md 1044 1000 +44

Consider moving content to references/ subdirectories.


Automated token analysis. See skill authoring guidelines for best practices.

Comment thread plugin/skills/azure-deploy/references/recipes/azd/sql-managed-identity.md Outdated
Co-authored-by: tmeschter <10506730+tmeschter@users.noreply.github.com>
tmeschter previously approved these changes Feb 27, 2026
@fanyang-mono
I wonder if an integration test should be added for such a scenario as well?

@tmeschter tmeschter merged commit 717b54f into main Mar 2, 2026
11 checks passed
@tmeschter tmeschter deleted the copilot/automate-app-service-access branch March 2, 2026 22:27