|
| 1 | +--- |
| 2 | +title: "Breaking change - AddAzureOpenAI defaults to CognitiveServicesOpenAIUser instead of CognitiveServicesOpenAIContributor" |
| 3 | +description: "Learn about the breaking change in .NET Aspire 9.4 where AddAzureOpenAI defaults to a lower privilege role." |
| 4 | +ms.date: 7/11/2025 |
| 5 | +ai-usage: ai-assisted |
| 6 | +ms.custom: https://github.com/dotnet/docs-aspire/issues/3936 |
| 7 | +--- |
| 8 | + |
| 9 | +# AddAzureOpenAI defaults to CognitiveServicesOpenAIUser instead of CognitiveServicesOpenAIContributor |
| 10 | + |
| 11 | +In .NET Aspire 9.4, the default role assigned to applications using `AddAzureOpenAI` was changed from `CognitiveServicesOpenAIContributor` to `CognitiveServicesOpenAIUser`. This change improves security by assigning a lower privilege role by default, ensuring applications only have the permissions necessary for inference tasks. |
| 12 | + |
| 13 | +## Version introduced |
| 14 | + |
| 15 | +.NET Aspire 9.4 |
| 16 | + |
| 17 | +## Previous behavior |
| 18 | + |
| 19 | +Previously, applications referencing an Azure OpenAI account were assigned as the `CognitiveServicesOpenAIContributor` role by default. This role allowed applications to manage OpenAI deployments, which is a higher privilege than typically required for inference tasks. |
| 20 | + |
| 21 | +## New behavior |
| 22 | + |
| 23 | +Applications referencing an Azure OpenAI account are now assigned the `CognitiveServicesOpenAIUser` role by default. This role provides permissions for inference tasks without allowing management of OpenAI deployments. If higher privileges are required, you can configure the necessary roles using the `WithRoleAssignments` API. |
| 24 | + |
| 25 | +Example: |
| 26 | + |
| 27 | +```csharp |
| 28 | +using Azure.Provisioning.CognitiveServices; |
| 29 | + |
| 30 | +var openai = builder.AddAzureOpenAI("openai"); |
| 31 | + |
| 32 | +builder.AddProject<Projects.ApiService>("api") |
| 33 | + .WithRoleAssignments(openai, CognitiveServicesBuiltInRole.CognitiveServicesOpenAIContributor); |
| 34 | +``` |
| 35 | + |
| 36 | +## Type of breaking change |
| 37 | + |
| 38 | +This is a [behavioral change](../categories.md#behavioral-change). |
| 39 | + |
| 40 | +## Reason for change |
| 41 | + |
| 42 | +The `CognitiveServicesOpenAIContributor` role provides excessive privileges for most applications, as managing OpenAI deployments isn't typically required. Assigning the `CognitiveServicesOpenAIUser` role by default enhances security by limiting permissions to inference tasks. For applications requiring higher privileges, roles can be explicitly configured using the <xref:Aspire.Hosting.AzureOpenAIExtensions.WithRoleAssignments*> API. |
| 43 | + |
| 44 | +For more information, see [GitHub PR #10293](https://github.com/dotnet/aspire/pull/10293). |
| 45 | + |
| 46 | +## Recommended action |
| 47 | + |
| 48 | +If your application requires higher privileges than the `CognitiveServicesOpenAIUser` role, explicitly configure the necessary roles using the `WithRoleAssignments` API. See the [New behavior](#new-behavior) section for an example of how to do this. |
| 49 | + |
| 50 | +## Affected APIs |
| 51 | + |
| 52 | +- `Aspire.Hosting.AzureOpenAIExtensions.AddAzureOpenAI` |
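Review bot: The only example, at lines 27-33 under "New behavior", shows opting back into `CognitiveServicesOpenAIContributor`, and "Recommended action" (line 48) sends readers straight to it, so the copy-paste path restores the privilege this change removes. Add a sentence before the example saying the explicit `WithRoleAssignments` call belongs only on the project that actually manages OpenAI deployments, and that projects doing inference only need no call at all. Two smaller points: line 19 reads "were assigned as the `CognitiveServicesOpenAIContributor` role", which should be "were assigned the"; and lines 23 and 48 name `WithRoleAssignments` in backticks while line 42 uses the `<xref:Aspire.Hosting.AzureOpenAIExtensions.WithRoleAssignments*>` link, so pick one form, preferably the xref so all three mentions resolve to the API reference.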