This guide provides complete instructions for deploying the AI Application in Production accelerator to your Azure subscription.
To deploy this solution accelerator, ensure you have access to an Azure subscription with the necessary permissions.
| Permission | Required For | Scope |
|---|---|---|
| Owner or Contributor + User Access Administrator | Creating resources and role assignments | Subscription or Resource Group |
| Application Administrator (Azure AD) | Creating app registrations (if needed) | Tenant |
Note: The deployment creates Managed Identities and assigns roles automatically, which requires elevated permissions.
Temp files: Post-provision scripts write helper `.env` files to your OS temp directory (handled automatically). No manual creation of `C:\tmp` is needed on Windows.
| Tool | Minimum Version | Installation |
|---|---|---|
| Azure CLI | 2.61.0+ | Install Azure CLI |
| Azure Developer CLI (azd) | 1.15.0+ | Install azd |
| Git | Latest | Install Git |
| PowerShell | 7.0+ | Install PowerShell |
Windows shell requirement: Preprovision runs with PowerShell (`pwsh`). Use PowerShell 7+ so `pwsh` is on PATH.
| Resource | Requirement |
|---|---|
| Microsoft Fabric | Access to create F8 capacity and workspace, OR existing Fabric capacity ID |
| Microsoft Purview | Existing tenant-level Purview account resource ID |
Purview requirement: The identity running `azd` must have Purview Collection Admin (or equivalent) on the target collection. If the collection cannot be created or resolved, scan automation will skip collection assignment.
Check Azure Products by Region to ensure the following services are available in your target region:
- Microsoft Foundry
- Azure OpenAI Service
- Azure AI Search
- Microsoft Fabric
- Azure Bastion
Recommended Region: EastUS2 (tested and validated)
Pick from the options below to see step-by-step instructions.
Deploy in GitHub Codespaces
- Click the Open in GitHub Codespaces button above
- Accept the default values on the create Codespaces page
- Wait for the environment to build (this may take several minutes)
- Open a terminal window if not already open
- Continue with Deployment Steps below
Deploy in VS Code Dev Containers
- Ensure you have Docker Desktop running
- Click the Open in Dev Containers button above
- VS Code will prompt to reopen in a container—accept this
- Wait for the container to build and start
- Continue with Deployment Steps below
Deploy from Local Environment
If you're not using Codespaces or Dev Containers:
- Clone the repository with submodules:

  ```bash
  git clone --recurse-submodules https://github.com/microsoft/Deploy-Your-AI-Application-In-Production.git
  cd Deploy-Your-AI-Application-In-Production
  ```

- If you already cloned without submodules:

  ```bash
  git submodule update --init --recursive
  ```

- Ensure all required tools are installed (see Required Tools)
- Continue with Deployment Steps below

Note (Windows): Run `azd up` from PowerShell 7+ so the `pwsh` preprovision hook can execute.
```bash
# Login to Azure
azd auth login
# Verify your subscription
az account show
```

If you need to specify a tenant:

```bash
azd auth login --tenant-id <your-tenant-id>
```

```bash
# Create a new azd environment
azd env new <environment-name>
# Set your subscription (if not default)
azd env set AZURE_SUBSCRIPTION_ID <subscription-id>
# Set your target location
azd env set AZURE_LOCATION eastus2
```

Important: The values currently checked into `infra/main.bicepparam` represent an opinionated end-to-end path for provisioning this accelerator, including AI Landing Zone infrastructure, Fabric-related automation, PostgreSQL options, and postprovision hooks. They are not guaranteed to be the right settings for every deployment.

Before you run `azd up`, verify the feature flags and automation inputs you are inheriting from:

- `infra/main.bicepparam`
- the AI Landing Zone submodule deployment that runs in preprovision
- `azure.yaml` postprovision hooks and their prerequisites
- service-specific settings such as Fabric, Purview, network isolation, PostgreSQL mirroring mode, and Azure-services firewall access

If your goal is not the full end-to-end accelerator flow, change the flags first instead of treating the current defaults as universally safe.
Security note (PostgreSQL mirroring): The mirroring prep script requires VNet access when Key Vault and PostgreSQL are private. If you need to demo mirroring end-to-end from a non-VNet machine, temporarily open access to both Key Vault and PostgreSQL before running the script and lock them down afterward. See docs/postgresql_mirroring.md.
Required Parameters
Edit infra/main.bicepparam or set environment variables:
| Parameter | Description | Example |
|---|---|---|
| `purviewAccountResourceId` | Resource ID of existing Purview account | `/subscriptions/.../Microsoft.Purview/accounts/...` |
| `purviewCollectionName` | Optional. Purview collection name to create or resolve for scans. If blank, scripts create `collection-<env name>`. | `ai-prod-collection` |
| `fabricCapacityPreset` | Fabric capacity preset: `create`, `byo`, or `none` | `create` |
| `fabricWorkspacePreset` | Fabric workspace preset: `create`, `byo`, or `none` | `create` |
| `fabricCapacitySku` | Fabric capacity SKU (only used when `fabricCapacityPreset=create`) | `F8` (default) |
| `fabricCapacityAdmins` | Fabric capacity admin principals (UPN emails or Entra object IDs) (required when `fabricCapacityPreset=create`) | `["user@contoso.com"]` |
| `fabricCapacityResourceId` | Existing Fabric capacity ARM resource ID (required when `fabricCapacityPreset=byo`) | `/subscriptions/.../providers/Microsoft.Fabric/capacities/...` |
| `fabricWorkspaceId` | Existing Fabric workspace ID (GUID) (required when `fabricWorkspacePreset=byo`) | `00000000-0000-0000-0000-000000000000` |
| `fabricWorkspaceName` | Existing Fabric workspace name (used when `fabricWorkspacePreset=byo`) | `my-existing-workspace` |
```bash
# Example: Set Purview account
# (Edit infra/main.bicepparam)
# param purviewAccountResourceId = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Purview/accounts/<account-name>"
# Example: Set Purview collection (optional)
# (Edit infra/main.bicepparam)
# param purviewCollectionName = "ai-prod-collection"
# Leave blank to auto-create collection-<env name>
# Example: Disable all Fabric automation
# (Edit infra/main.bicepparam)
# var fabricCapacityPreset = 'none'
# var fabricWorkspacePreset = 'none'
```

Optional Parameters
| Parameter | Description | Default |
|---|---|---|
| `networkIsolation` | Enable network isolation | `false` |
| `postgreSqlNetworkIsolation` | PostgreSQL private networking toggle (defaults to `networkIsolation`) | `networkIsolation` |
| `useExistingVNet` | Reuse an existing VNet | `false` |
| `existingVnetResourceId` | Existing VNet resource ID (when `useExistingVNet=true`) | `` |
| `vmUserName` | Jump box VM admin username | `` |
| `vmAdminPassword` | Jump box VM admin password | (prompted) |
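
The conditional requirements in the two parameter tables can be checked before `azd up` rather than discovered partway through a 45-60 minute deployment. The script below is an added example, not part of the accelerator repository: the function names `bp_value`, `bp_require` and `preflight` are hypothetical, the sample file is constructed, and it assumes values are set in the `.bicepparam` file (not through environment variables) as single-line assignments.

```bash
# Added example, not part of the accelerator repo. Reads only the given .bicepparam file
# and assumes single-line `param NAME = value` or `var NAME = value` assignments.
# Print the last uncommented value assigned to NAME in FILE, outer quotes stripped.
bp_value() {  # usage: bp_value NAME FILE
  sed -nE "s/^[[:space:]]*(param|var)[[:space:]]+$1[[:space:]]*=[[:space:]]*(.*)$/\2/p" "$2" |
    tail -n 1 | sed -E "s/[[:space:]]+$//; s/^['\"]//; s/['\"]$//"
}

# Print an ERROR and return 1 when NAME is missing, blank, or an empty array.
bp_require() {  # usage: bp_require NAME FILE REASON
  local v; v=$(bp_value "$1" "$2")
  if [ -z "$v" ] || [ "$v" = "[]" ]; then
    echo "ERROR: $1 is required ($3)"; return 1
  fi
}

# Apply the preset rules from the parameter tables; returns non-zero on any ERROR.
preflight() {  # usage: preflight FILE
  local f="$1" rc=0 n cap ws iso
  cap=$(bp_value fabricCapacityPreset "$f"); ws=$(bp_value fabricWorkspacePreset "$f")
  iso=$(bp_value networkIsolation "$f")
  for n in fabricCapacityPreset fabricWorkspacePreset; do
    case "$(bp_value "$n" "$f")" in
      create|byo|none) ;;
      *) echo "ERROR: $n must be create, byo, or none"; rc=1 ;;
    esac
  done
  bp_require purviewAccountResourceId "$f" "Required Parameters table" || rc=1
  if [ "$cap" = create ]; then bp_require fabricCapacityAdmins "$f" "fabricCapacityPreset=create" || rc=1; fi
  if [ "$cap" = byo ]; then bp_require fabricCapacityResourceId "$f" "fabricCapacityPreset=byo" || rc=1; fi
  if [ "$ws" = byo ]; then
    if ! bp_require fabricWorkspaceId "$f" "fabricWorkspacePreset=byo"; then rc=1
    elif ! bp_value fabricWorkspaceId "$f" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
      echo "ERROR: fabricWorkspaceId is not a GUID"; rc=1
    fi
  fi
  [ "${iso:-false}" = true ] || echo "WARN: networkIsolation is false; confirm that is intended"
  return "$rc"
}

# Constructed sample: workspace preset is byo, but the workspace ID is commented out.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat >"$sample" <<'EOF'
param purviewAccountResourceId = '/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Purview/accounts/<account-name>'
var fabricCapacityPreset = 'create'
param fabricCapacityAdmins = ['user@contoso.com']
var fabricWorkspacePreset = 'byo'
// param fabricWorkspaceId = '00000000-0000-0000-0000-000000000000'
EOF
preflight "$sample" || echo "Fix the errors above before running azd up."
```

Against a real checkout, call `preflight infra/main.bicepparam` in place of the constructed sample.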
Quota Recommendations
By default, the GPT model capacity in deployment is set to 30k tokens.
We recommend increasing the capacity to 100k tokens, if available, for optimal performance.
To check and adjust quota settings, follow the Quota Check Guide.
Reusing Existing Resources
Log Analytics Workspace: See Parameter Guide for Log Analytics reuse guidance.
Run the deployment command:

```bash
azd up
```

This command will:
- Run pre-provision hooks (deploy AI Landing Zone submodule)
- Deploy Fabric capacity and supporting infrastructure (~30-40 minutes)
- Run post-provision hooks (configure Fabric, Purview, Search RBAC)
Note: The entire deployment typically takes 45-60 minutes.
You'll see output like:
```
Provisioning Azure resources (azd provision)
...
Running postprovision hooks
✓ Fabric capacity validation
✓ Fabric domain creation
✓ Fabric workspace creation
✓ Lakehouse creation (bronze, silver, gold)
✓ Purview registration
✓ OneLake indexing setup
✓ Microsoft Foundry RBAC configuration
```
After successful deployment, verify all components:
```bash
# Check deployed resources
az resource list --resource-group rg-<environment-name> --output table
```

Then follow the Post Deployment Steps to validate:
- Fabric capacity is Active
- Lakehouses are created
- AI Search index exists
- Foundry playground is accessible
- Navigate to app.fabric.microsoft.com
- Open your workspace → bronze lakehouse
- Upload PDF documents to `Files/documents/`
- The OneLake indexer will automatically index new content
- Navigate to ai.azure.com
- Open your Microsoft Foundry project
- Go to Playgrounds → Chat
- Click Add your data → Select your Search index
- Test with a sample query
See Deploy App from Foundry for instructions on publishing the chat experience to Azure App Service.
Fabric Capacity is Paused
If the Fabric capacity shows as "Paused":
```bash
# Resume the capacity
az fabric capacity resume --capacity-name <name> --resource-group <rg>
```

Post-Provision Hooks Failed

To re-run all post-provision hooks:

```bash
azd hooks run postprovision
```

To run a specific script:

```bash
eval $(azd env get-values)
pwsh ./scripts/automationScripts/<script-name>.ps1
```

AI Search Connection Fails in Foundry

Verify RBAC roles are assigned:

```bash
SEARCH_ID=$(az search service show --name <search-name> --resource-group <rg> --query id -o tsv)
az role assignment list --scope $SEARCH_ID --output table
```

Re-run RBAC setup if needed:

```bash
eval $(azd env get-values)
pwsh ./scripts/automationScripts/OneLakeIndex/06_setup_ai_foundry_search_rbac.ps1
```

Template Spec Size Limit Error

If you see a 4MB limit error, ensure you're using the latest version of the submodule:

```bash
cd submodules/ai-landing-zone
git pull origin main
cd ../..
azd up
```

For more troubleshooting steps, see Troubleshooting.
To delete all deployed resources:
```bash
azd down
```

Note: This will delete all resources in the resource group. Fabric capacity and Purview (if external) will not be affected.

To also purge soft-deleted resources:

```bash
azd down --purge
```

After deployment:
- Verify Deployment - Confirm all components are working
- Upload Documents - Add your PDFs to the Fabric bronze lakehouse
- Test the Playground - Chat with your indexed data
- Publish the App - Deploy to Azure App Service
- Enable DSPM - Configure governance insights
- Required Roles & Scopes
- Parameter Guide - includes model deployment configuration
- Accessing Private Resources