Feature Request: CLI Support for Agent Infrastructure Provisioning #195

@aubreyquinn

Request

Add CLI commands to create the Azure infrastructure required to host an agent, including resource group, managed identity, App Service, and configuration.

Required Azure Resources

| # | Resource | Purpose |
|---|----------|---------|
| 1 | Resource Group | Container for all agent resources |
| 2 | User-Assigned Managed Identity | Enables workload identity for the agent |
| 3 | Federated Identity Credential (Blueprint) | Links MSI to Blueprint app for workload identity |
| 4 | Federated Identity Credential (Presence/Files) | Links MSI to Presence/Files app for workload identity |
| 5 | App Service Plan | Hosting plan for the web app (Linux, Basic tier) |
| 6 | App Service Web App | Hosts the agent code |
| 7 | App Service Configuration | Environment variables and settings |

Current Workaround

This workaround is cumbersome because it is manual.

1. Create Resource Group

az group create --name <rg-name> --location <region>

2. Create User-Assigned Managed Identity

az identity create --name <agent-name>-identity --resource-group <rg-name>

3. Add Federated Identity Credential to Blueprint

This links the MSI to the Blueprint app registration for workload identity authentication.

POST https://graph.microsoft.com/beta/applications/<blueprint-object-id>/federatedIdentityCredentials
Content-Type: application/json

{
  "name": "<agent-name>-identity",
  "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "subject": "<msi-client-id>",
  "audiences": ["api://AzureADTokenExchange"]
}

4. Add Federated Identity Credential to Presence/Files App

This links the same MSI to the Presence/Files app registration.

POST https://graph.microsoft.com/beta/applications/<presence-files-object-id>/federatedIdentityCredentials
Content-Type: application/json

{
  "name": "<agent-name>-identity",
  "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
  "subject": "<msi-client-id>",
  "audiences": ["api://AzureADTokenExchange"]
}

5. Create App Service Plan

az appservice plan create \
  --name <agent-name>-plan \
  --resource-group <rg-name> \
  --location <region> \
  --sku B1 \
  --is-linux

6. Create App Service Web App

az webapp create \
  --name <agent-name> \
  --resource-group <rg-name> \
  --plan <agent-name>-plan \
  --runtime "NODE:24-lts" \
  --assign-identity <msi-resource-id>

7. Configure Web App Settings

az webapp config set \
  --name <agent-name> \
  --resource-group <rg-name> \
  --always-on true \
  --ftps-state Disabled \
  --min-tls-version 1.2

8. Set App Service Environment Variables

az webapp config appsettings set \
  --name <agent-name> \
  --resource-group <rg-name> \
  --settings \
    connections__serviceConnection__settings__clientId=<blueprint-app-id> \
    connections__serviceConnection__settings__clientSecret=<blueprint-secret> \
    connections__serviceConnection__settings__tenantId=<tenant-id> \
    PRESENCE_CLIENTID=<presence-app-id> \
    PRESENCE_CLIENTSECRET=<presence-secret> \
    PRESENCE_TENANTID=<tenant-id> \
    AI_API_KEY=<ai-api-key> \
    AI_MODEL=<ai-model>

9. Enable Logging

az webapp log config \
  --name <agent-name> \
  --resource-group <rg-name> \
  --application-logging filesystem \
  --level verbose \
  --web-server-logging filesystem

10. Deploy Code from GitHub (Optional)

az webapp deployment source config \
  --name <agent-name> \
  --resource-group <rg-name> \
  --repo-url <github-repo-url> \
  --branch main \
  --manual-integration

App Service Configuration Reference

| Setting | Description |
|---------|-------------|
| connections__serviceConnection__settings__clientId | Blueprint App ID |
| connections__serviceConnection__settings__clientSecret | Blueprint Client Secret |
| connections__serviceConnection__settings__tenantId | Entra ID Tenant ID |
| PRESENCE_CLIENTID | Presence/Files App ID |
| PRESENCE_CLIENTSECRET | Presence/Files Client Secret |
| PRESENCE_TENANTID | Entra ID Tenant ID |
| AI_API_KEY | AI provider API key |
| AI_MODEL | AI model name |

Why This Matters

  • 10+ manual commands required to set up infrastructure (mix of CLI and Graph API)
  • Each command has multiple parameters that must be coordinated
  • MSI resource ID must be retrieved and passed to web app creation
  • Two federated credentials needed (Blueprint + Presence/Files apps)
  • Settings must reference app IDs and secrets from previous provisioning steps
  • Easy to miss a step or misconfigure settings
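
Steps 2 to 4 of the workaround chained together, as an added example that is not part of the original issue or the project's code: the identity's ID is read once, placeholders left unfilled are rejected, and the same body is posted to both app registrations. The function names `is_guid`, `fic_body` and `provision_fics` are hypothetical, and the script follows the issue in using the identity's client ID as `subject`.

```shell
#!/usr/bin/env bash
# Added example, not from the issue: chains steps 2-4 so the identity's ID is
# read once and one validated body goes to both app registrations.
# Function names are hypothetical.

# True only for a canonical 36-character GUID (rejects "<tenant-id>" etc.).
is_guid() {
  [ "${#1}" -eq 36 ] && printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# fic_body <agent-name> <tenant-id> <subject>
# Prints the JSON body shown in steps 3 and 4, or fails on unfilled input.
fic_body() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid agent name: $1" >&2; return 1 ;;
  esac
  is_guid "$2" || { echo "tenant id is not a GUID: $2" >&2; return 1; }
  is_guid "$3" || { echo "subject is not a GUID: $3" >&2; return 1; }
  printf '{"name":"%s-identity","issuer":"https://login.microsoftonline.com/%s/v2.0","subject":"%s","audiences":["api://AzureADTokenExchange"]}\n' \
    "$1" "$2" "$3"
}

# provision_fics <rg-name> <agent-name> <tenant-id> \
#                <blueprint-object-id> <presence-files-object-id>
# Needs a logged-in az CLI with rights to update both app registrations.
provision_fics() {
  # Check both targets first so a typo cannot leave only one credential created.
  is_guid "$4" && is_guid "$5" || { echo "app object ids must be GUIDs" >&2; return 1; }
  # The issue uses the identity's client ID as the subject; read it from step 2.
  subject=$(az identity show --resource-group "$1" --name "$2-identity" \
    --query clientId --output tsv) || return 1
  body=$(fic_body "$2" "$3" "$subject") || return 1
  for app in "$4" "$5"; do
    az rest --method post \
      --url "https://graph.microsoft.com/beta/applications/$app/federatedIdentityCredentials" \
      --headers "Content-Type=application/json" --body "$body" || return 1
  done
}
```

The token exchange succeeds only when `subject` equals the `sub` claim of the managed identity's token, so confirm the ID passed here matches that claim before relying on the credential.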
