NirajC-Microsoft
diff --git a/‎.github/workflows/azure-dev.yml‎
Lines changed: 36 additions & 38 deletions b/‎.github/workflows/azure-dev.yml‎
Lines changed: 36 additions & 38 deletions
diff --git a/‎README.md‎
Lines changed: 2 additions & 0 deletions b/‎README.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎azure.yaml‎
Lines changed: 1 addition & 1 deletion b/‎azure.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/DeploymentGuide.md‎
Lines changed: 2 additions & 1 deletion b/‎docs/DeploymentGuide.md‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎infra/main.bicep‎
Lines changed: 35 additions & 19 deletions b/‎infra/main.bicep‎
Lines changed: 35 additions & 19 deletions
@@ -1,39 +1,37 @@
-name: Azure Template Validation
-on:
-  push:
-    branches:
-      - main
-      - dev
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-  pull-requests: write
-
-jobs:
-  template_validation_job:
+name: Azure Template Validation 
+on: 
+    workflow_dispatch:
+    push:
+        branches:
+            - main
+permissions: 
+  contents: read 
+  id-token: write 
+  pull-requests: write 
+jobs: 
+  template_validation_job: 
+    runs-on: ubuntu-latest 
     environment: production
-    runs-on: ubuntu-latest
-    name: Template validation
-
-    steps:
-      # Step 1: Checkout the code from your repository
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      # Step 2: Validate the Azure template using microsoft/template-validation-action
-      - name: Validate Azure Template
-        uses: microsoft/template-validation-action@v0.3.5
-        id: validation
-        env:
-          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
-          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
-          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-          AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }}
-          AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      # Step 3: Print the result of the validation
-      - name: Print result
-        run: cat ${{ steps.validation.outputs.resultFile }}
+    name: Template validation 
+    steps: 
+      # Step 1: Checkout the code from your repository 
+      - name: Checkout code 
+        uses: actions/checkout@v4 
+      # Step 2: Validate the Azure template using microsoft/template-validation-action 
+      - name: Validate Azure Template 
+        uses: microsoft/template-validation-action@v0.4.2
+        id: validation 
+        with: 
+            useDevContainer: false
+            validateTests: ''
+        env: 
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} 
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
+          AZURE_ENV_NAME: ${{ secrets.AZURE_ENV_NAME }} 
+          AZURE_LOCATION: ${{ secrets.AZURE_LOCATION }} 
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+      # Step 3: Print the result of the validation 
+      - name: Print result 
+        run: cat ${{ steps.validation.outputs.resultFile }} 
@@ -63,6 +63,8 @@ Quick deploy
 ### How to install or deploy
 Follow the quick deploy steps on the deployment guide to deploy this solution to your own Azure subscription.
 
+> **Note:** This solution accelerator requires **Azure Developer CLI (azd) version 1.18.0 or higher**. Please ensure you have the latest version installed before proceeding with deployment. [Download azd here](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd).
+
 [Click here to launch the deployment guide](./docs/DeploymentGuide.md)
 <br/><br/>
 
 
@@ -3,7 +3,7 @@
 name: build-your-own-copilot-solution-accelerator
 
 requiredVersions:
-  azd: ">= 1.15.0"
+  azd: ">= 1.18.0"
 
 metadata:
   template: build-your-own-copilot-solution-accelerator@1.0
 
@@ -111,7 +111,7 @@ If you're not using one of the above options for opening the project, then you'l
 
 1. Make sure the following tools are installed:
     - [PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell?view=powershell-7.5) <small>(v7.0+)</small> - available for Windows, macOS, and Linux.
-    - [Azure Developer CLI (azd)](https://aka.ms/install-azd) <small>(v1.15.0+)</small> - version
+    - [Azure Developer CLI (azd)](https://aka.ms/install-azd) <small>(v1.18.0+)</small> - version
     - [Python 3.9 to 3.11](https://www.python.org/downloads/)
     - [Docker Desktop](https://www.docker.com/products/docker-desktop/)
     - [Git](https://git-scm.com/downloads)
@@ -213,6 +213,7 @@ Once you've opened the project in [Codespaces](#github-codespaces), [Dev Contain
     ```shell
     azd up
     ```
+    > **Note:** This solution accelerator requires **Azure Developer CLI (azd) version 1.18.0 or higher**. Please ensure you have the latest version installed before proceeding with deployment. [Download azd here](https://learn.microsoft.com/en-us/azure/developer/azure-developer-cli/install-azd).
 
 3. Provide an `azd` environment name (e.g., "byocaapp").
 4. Select a subscription from your Azure account and choose a location that has quota for all the resources. 
 
@@ -53,9 +53,6 @@ param embeddingModel string = 'text-embedding-ada-002'
 @description('Optional. Capacity of the Embedding Model deployment')
 param embeddingDeploymentCapacity int = 80
 
-// @description('Fabric Workspace Id if you have one, else leave it empty. ')
-// param fabricWorkspaceId string
-
 //restricting to these regions because assistants api for gpt-4o-mini is available only in these regions
 @allowed([
   'australiaeast'
@@ -68,8 +65,6 @@ param embeddingDeploymentCapacity int = 80
   'westus'
   'westus3'
 ])
-// @description('Azure OpenAI Location')
-// param AzureOpenAILocation string = 'eastus2'
 @metadata({
   azd: {
     type: 'location'
@@ -174,12 +169,10 @@ param vmSize string?
 
 @description('Optional. Admin username for the Jumpbox Virtual Machine. Set to custom value if enablePrivateNetworking is true.')
 @secure()
-//param vmAdminUsername string = take(newGuid(), 20)
 param vmAdminUsername string?
 
 @description('Optional. Admin password for the Jumpbox Virtual Machine. Set to custom value if enablePrivateNetworking is true.')
 @secure()
-//param vmAdminPassword string = newGuid()
 param vmAdminPassword string?
 
 var functionAppSqlPrompt = '''Generate a valid T-SQL query to find {query} for tables and columns provided below:
@@ -264,14 +257,6 @@ var cosmosDbHaLocation = cosmosDbZoneRedundantHaRegionPairs[resourceGroup().loca
 
 // Extracts subscription, resource group, and workspace name from the resource ID when using an existing Log Analytics workspace
 var useExistingLogAnalytics = !empty(existingLogAnalyticsWorkspaceId)
-var existingLawSubscription = useExistingLogAnalytics ? split(existingLogAnalyticsWorkspaceId, '/')[2] : ''
-var existingLawResourceGroup = useExistingLogAnalytics ? split(existingLogAnalyticsWorkspaceId, '/')[4] : ''
-var existingLawName = useExistingLogAnalytics ? split(existingLogAnalyticsWorkspaceId, '/')[8] : ''
-
-resource existingLogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08-01' existing = if (useExistingLogAnalytics) {
-  name: existingLawName
-  scope: resourceGroup(existingLawSubscription, existingLawResourceGroup)
-}
 
 var logAnalyticsWorkspaceResourceId = useExistingLogAnalytics  ? existingLogAnalyticsWorkspaceId  : logAnalyticsWorkspace!.outputs.resourceId
 
@@ -388,6 +373,19 @@ module userAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-id
   }
 }
 
+// ========== SQL Operations User Assigned Identity ========== //
+// Dedicated identity for backend SQL operations with limited permissions (db_datareader, db_datawriter)
+var sqlUserAssignedIdentityResourceName = 'id-sql-${solutionSuffix}'
+module sqlUserAssignedIdentity 'br/public:avm/res/managed-identity/user-assigned-identity:0.4.1' = {
+  name: take('avm.res.managed-identity.user-assigned-identity.${sqlUserAssignedIdentityResourceName}', 64)
+  params: {
+    name: sqlUserAssignedIdentityResourceName
+    location: solutionLocation
+    tags: tags
+    enableTelemetry: enableTelemetry
+  }
+}
+
 // ========== Network Module ========== //
 module network 'modules/network.bicep' = if (enablePrivateNetworking) {
   name: take('network-${solutionSuffix}-deployment', 64)
@@ -450,7 +448,7 @@ var aiRelatedDnsZoneIndices = [
 @batchSize(5)
 module avmPrivateDnsZones 'br/public:avm/res/network/private-dns-zone:0.7.1' = [
   for (zone, i) in privateDnsZones: if (enablePrivateNetworking && (empty(existingFoundryProjectResourceId) || !contains(aiRelatedDnsZoneIndices, i))) {
-    name: 'dns-zone-${i}'
+    name: 'avm.res.network.private-dns-zone.${split(zone, '.')[1]}'
     params: {
       name: zone
       tags: tags
@@ -509,6 +507,11 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
         principalType: 'ServicePrincipal'
         roleDefinitionIdOrName: 'Key Vault Administrator'
       }
+      {
+        principalId: sqlUserAssignedIdentity.outputs.principalId
+        principalType: 'ServicePrincipal'
+        roleDefinitionIdOrName: 'Key Vault Secrets User'
+      }
     ]
     secrets: [
         {
@@ -896,7 +899,11 @@ module sqlDBModule 'br/public:avm/res/sql/server:0.20.1' = {
     connectionPolicy: 'Redirect'
     databases: [
       {
-        availabilityZone: enableRedundancy ? 1 : -1
+        zoneRedundant: enableRedundancy
+        // When enableRedundancy is true (zoneRedundant=true), set availabilityZone to -1
+        // to let Azure automatically manage zone placement across multiple zones.
+        // When enableRedundancy is false, also use -1 (no specific zone assignment).
+        availabilityZone: -1
         collation: 'SQL_Latin1_General_CP1_CI_AS'
         diagnosticSettings: enableMonitoring
           ? [{ workspaceResourceId: logAnalyticsWorkspaceResourceId }]
@@ -988,7 +995,7 @@ module webSite 'modules/web-sites.bicep' = {
     name: webSiteResourceName
     tags: tags
     location: solutionLocation
-    managedIdentities: { userAssignedResourceIds: [userAssignedIdentity!.outputs.resourceId] }
+    managedIdentities: { userAssignedResourceIds: [userAssignedIdentity!.outputs.resourceId, sqlUserAssignedIdentity!.outputs.resourceId] }
     kind: 'app,linux,container'
     serverFarmResourceId: webServerFarm.?outputs.resourceId
     siteConfig: {
@@ -1035,7 +1042,7 @@ module webSite 'modules/web-sites.bicep' = {
           AZURE_COSMOSDB_CONVERSATIONS_CONTAINER: collectionName
           AZURE_COSMOSDB_DATABASE: cosmosDbDatabaseName
           AZURE_COSMOSDB_ENABLE_FEEDBACK: azureCosmosDbEnableFeedback
-          SQLDB_USER_MID: userAssignedIdentity.outputs.clientId
+          SQLDB_USER_MID: sqlUserAssignedIdentity.outputs.clientId
           AZURE_AI_SEARCH_ENDPOINT: 'https://${aiSearchName}.search.windows.net'
           AZURE_SQL_SYSTEM_PROMPT: functionAppSqlPrompt
           AZURE_CALL_TRANSCRIPT_SYSTEM_PROMPT: functionAppCallTranscriptSystemPrompt
@@ -1226,6 +1233,12 @@ output MANAGEDIDENTITY_WEBAPP_NAME string = userAssignedIdentity.outputs.name
 
 @description('Client ID of the managed identity used by the web app.')
 output MANAGEDIDENTITY_WEBAPP_CLIENTID string = userAssignedIdentity.outputs.clientId
+
+@description('Name of the managed identity used for SQL database operations.')
+output MANAGEDIDENTITY_SQL_NAME string = sqlUserAssignedIdentity.outputs.name
+
+@description('Client ID of the managed identity used for SQL database operations.')
+output MANAGEDIDENTITY_SQL_CLIENTID string = sqlUserAssignedIdentity.outputs.clientId
 @description('Name of the AI Search service.')
 output AI_SEARCH_SERVICE_NAME string = aiSearchName 
 
@@ -1367,3 +1380,6 @@ output USE_AI_PROJECT_CLIENT string = useAIProjectClientFlag
 
 @description('Indicates whether the internal stream should be used.')
 output USE_INTERNAL_STREAM string = useInternalStream
+
+@description('The client ID of the managed identity.')
+output AZURE_CLIENT_ID string = userAssignedIdentity.outputs.clientId