Change Azure OpenAI to use CognitiveServicesOpenAIUser role by default (#10293)

eerhardt · web-flow · commit 742cda343bac · 2025-07-09T09:18:35.000-05:00
* Change Azure OpenAI to use CognitiveServicesOpenAIUser role by default

The CognitiveServicesOpenAIContributor role is too permissive as it allows an app to modify deployments (i.e. models). Instead we should be defaulting to CognitiveServicesOpenAIUser which allows the app to do inference, but not modify the resources.

* Fix test to test more than the default.
diff --git a/playground/OpenAIEndToEnd/OpenAIEndToEnd.AppHost/openai-roles.module.bicep b/playground/OpenAIEndToEnd/OpenAIEndToEnd.AppHost/openai-roles.module.bicep
@@ -11,11 +11,11 @@ resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = {
   name: openai_outputs_name
 }
 
-resource openai_CognitiveServicesOpenAIContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-  name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442'))
+resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'))
   properties: {
     principalId: principalId
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
     principalType: principalType
   }
   scope: openai
diff --git a/src/Aspire.Hosting.Azure.CognitiveServices/AzureOpenAIExtensions.cs b/src/Aspire.Hosting.Azure.CognitiveServices/AzureOpenAIExtensions.cs
@@ -97,7 +97,7 @@ public static IResourceBuilder<AzureOpenAIResource> AddAzureOpenAI(this IDistrib
         var resource = new AzureOpenAIResource(name, configureInfrastructure);
         return builder.AddResource(resource)
             .WithDefaultRoleAssignments(CognitiveServicesBuiltInRole.GetBuiltInRoleName,
-                CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor);
+                CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser);
     }
 
 #pragma warning disable CS0618 // Type or member is obsolete
diff --git a/tests/Aspire.Hosting.Azure.Tests/AzureOpenAIExtensionsTests.cs b/tests/Aspire.Hosting.Azure.Tests/AzureOpenAIExtensionsTests.cs
@@ -93,11 +93,11 @@ param principalId string
               name: openai_outputs_name
             }
 
-            resource openai_CognitiveServicesOpenAIContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
-              name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442'))
+            resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+              name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'))
               properties: {
                 principalId: principalId
-                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')
+                roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')
                 principalType: principalType
               }
               scope: openai
@@ -106,4 +106,4 @@ param principalId string
         output.WriteLine(openaiRolesManifest.BicepText);
         Assert.Equal(expectedBicep, openaiRolesManifest.BicepText);
     }
-}
+}
diff --git a/tests/Aspire.Hosting.Azure.Tests/RoleAssignmentTests.cs b/tests/Aspire.Hosting.Azure.Tests/RoleAssignmentTests.cs
@@ -54,7 +54,7 @@ public Task OpenAISupport()
                 var openai = builder.AddAzureOpenAI("openai");
 
                 builder.AddProject<Project>("api", launchProfileName: null)
-                    .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser);
+                    .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser, CognitiveServicesBuiltInRole.CognitiveServicesFaceRecognizer);
             });
     }
 
diff --git a/tests/Aspire.Hosting.Azure.Tests/Snapshots/RoleAssignmentTests.OpenAISupport.verified.bicep b/tests/Aspire.Hosting.Azure.Tests/Snapshots/RoleAssignmentTests.OpenAISupport.verified.bicep
@@ -17,4 +17,14 @@ resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignm
     principalType: 'ServicePrincipal'
   }
   scope: openai
+}
+
+resource openai_CognitiveServicesFaceRecognizer 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+  name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7'))
+  properties: {
+    principalId: principalId
+    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9894cab4-e18a-44aa-828b-cb588cd6f2d7')
+    principalType: 'ServicePrincipal'
+  }
+  scope: openai
 }

Original file line number	Diff line number	Diff line change
`@@ -11,11 +11,11 @@ resource openai 'Microsoft.CognitiveServices/accounts@2024-10-01' existing = {`
`11`	`11`	`name: openai_outputs_name`
`12`	`12`	`}`
`13`	`13`
`14`		`-resource openai_CognitiveServicesOpenAIContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
`15`		`- name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442'))`
	`14`	`+resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
	`15`	`+ name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'))`
`16`	`16`	`properties: {`
`17`	`17`	`principalId: principalId`
`18`		`- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')`
	`18`	`+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')`
`19`	`19`	`principalType: principalType`
`20`	`20`	`}`
`21`	`21`	`scope: openai`
Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ public static IResourceBuilder<AzureOpenAIResource> AddAzureOpenAI(this IDistrib`
`97`	`97`	`var resource = new AzureOpenAIResource(name, configureInfrastructure);`
`98`	`98`	`return builder.AddResource(resource)`
`99`	`99`	`.WithDefaultRoleAssignments(CognitiveServicesBuiltInRole.GetBuiltInRoleName,`
`100`		`- CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor);`
	`100`	`+ CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser);`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`#pragma warning disable CS0618 // Type or member is obsolete`
Original file line number	Diff line number	Diff line change
`@@ -93,11 +93,11 @@ param principalId string`
`93`	`93`	`name: openai_outputs_name`
`94`	`94`	`}`
`95`	`95`
`96`		`- resource openai_CognitiveServicesOpenAIContributor 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
`97`		`- name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442'))`
	`96`	`+ resource openai_CognitiveServicesOpenAIUser 'Microsoft.Authorization/roleAssignments@2022-04-01' = {`
	`97`	`+ name: guid(openai.id, principalId, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'))`
`98`	`98`	`properties: {`
`99`	`99`	`principalId: principalId`
`100`		`- roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a001fd3d-188f-4b5d-821b-7da978bf7442')`
	`100`	`+ roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd')`
`101`	`101`	`principalType: principalType`
`102`	`102`	`}`
`103`	`103`	`scope: openai`
`@@ -106,4 +106,4 @@ param principalId string`
`106`	`106`	`output.WriteLine(openaiRolesManifest.BicepText);`
`107`	`107`	`Assert.Equal(expectedBicep, openaiRolesManifest.BicepText);`
`108`	`108`	`}`
`109`		`-}`
	`109`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public Task OpenAISupport()`
`54`	`54`	`var openai = builder.AddAzureOpenAI("openai");`
`55`	`55`
`56`	`56`	`builder.AddProject<Project>("api", launchProfileName: null)`
`57`		`- .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser);`
	`57`	`+ .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIUser, CognitiveServicesBuiltInRole.CognitiveServicesFaceRecognizer);`
`58`	`58`	`});`
`59`	`59`	`}`
`60`	`60`