This post accesses Microsoft Foundry using a managed identity from an agent built with Microsoft Agent Framework and deployed to Azure Functions (Durable Functions).
Sample code
The code is based on a sample published on GitHub.
using Azure.AI.Projects;
using Azure.Identity;
using Microsoft.Agents.AI;
using Microsoft.Agents.AI.Hosting.AzureFunctions;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = FunctionsApplication.CreateBuilder(args);

// The endpoint and model deployment name are read from configuration (app settings).
var endpoint = builder.Configuration["AZURE_OPENAI_ENDPOINT"]
    ?? throw new InvalidOperationException("Set AZURE_OPENAI_ENDPOINT");
var deploymentName = builder.Configuration["AZURE_OPENAI_DEPLOYMENT_NAME"] ?? "gpt-4o-mini";

// No API key is configured: DefaultAzureCredential picks up the
// Function App's managed identity when running in Azure.
AIProjectClient aiProjectClient = new(new Uri(endpoint), new DefaultAzureCredential());

AIAgent agent = aiProjectClient
    .AsAIAgent(
        model: deploymentName,
        instructions: "You are a friendly assistant. Keep your answers brief.",
        name: "HelloAgent");

builder.ConfigureFunctionsWebApplication();

builder.Services
    .AddApplicationInsightsTelemetryWorkerService()
    .ConfigureFunctionsApplicationInsights();

// Host the agent as a durable agent with a one-hour time to live.
builder.ConfigureDurableAgents(options =>
    options.AddAIAgent(agent, timeToLive: TimeSpan.FromHours(1)));

builder.Build().Run();
Role assignment
Assign the Azure Functions app's managed identity to the Azure AI User role on Microsoft Foundry.
Azure AI User role definition
{
  "id": "/subscriptions/1df1e3be-e3ae-4e0e-8c9a-742b8d0b8dfd/providers/Microsoft.Authorization/roleDefinitions/53ca6127-db72-4b80-b1b0-d745d6d5456d",
  "properties": {
    "roleName": "Azure AI User",
    "description": "Grants reader access to AI projects, reader access to AI accounts, and data actions for an AI project.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Authorization/*/read",
          "Microsoft.CognitiveServices/*/read",
          "Microsoft.CognitiveServices/accounts/listkeys/action",
          "Microsoft.Insights/alertRules/read",
          "Microsoft.Insights/diagnosticSettings/read",
          "Microsoft.Insights/logDefinitions/read",
          "Microsoft.Insights/metricdefinitions/read",
          "Microsoft.Insights/metrics/read",
          "Microsoft.ResourceHealth/availabilityStatuses/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Resources/subscriptions/operationresults/read",
          "Microsoft.Resources/subscriptions/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Support/*"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.CognitiveServices/*"
        ],
        "notDataActions": []
      }
    ]
  }
}
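To see what the managed identity can actually do once it holds this role, the following added example (not part of the original post or the GitHub sample) evaluates the permissions above the way Azure RBAC does: allowed patterns minus excluded patterns, matched case-insensitively with `*` as a wildcard. The list of operations to check is an assumption chosen for this example.

```python
from fnmatch import fnmatchcase

# "permissions" array copied from the Azure AI User role definition on this page.
PERMISSIONS = [{
    "actions": [
        "Microsoft.Authorization/*/read", "Microsoft.CognitiveServices/*/read",
        "Microsoft.CognitiveServices/accounts/listkeys/action",
        "Microsoft.Insights/alertRules/read", "Microsoft.Insights/diagnosticSettings/read",
        "Microsoft.Insights/logDefinitions/read", "Microsoft.Insights/metricdefinitions/read",
        "Microsoft.Insights/metrics/read", "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read", "Microsoft.Support/*",
    ],
    "notActions": [],
    "dataActions": ["Microsoft.CognitiveServices/*"],
    "notDataActions": [],
}]

def _matches(patterns, operation):
    # Operation names are case-insensitive; "*" spans any characters, including "/".
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def is_granted(permissions, operation, data_plane=False):
    """True if some permission block allows the operation and does not exclude it."""
    allow = "dataActions" if data_plane else "actions"
    deny = "notDataActions" if data_plane else "notActions"
    return any(_matches(b[allow], operation) and not _matches(b[deny], operation)
               for b in permissions)

# (operation, is_data_plane) pairs to review; this list is chosen for the example.
CHECKS = [
    ("Microsoft.CognitiveServices/accounts/listKeys/action", False),
    ("Microsoft.CognitiveServices/accounts/regenerateKey/action", False),
    ("Microsoft.Authorization/roleAssignments/write", False),
    ("Microsoft.Resources/deployments/write", False),
    ("Microsoft.CognitiveServices/accounts/OpenAI/deployments/chat/completions/action", True),
]

def audit(permissions=PERMISSIONS):
    return {op: is_granted(permissions, op, dp) for op, dp in CHECKS}

if __name__ == "__main__":
    for op, granted in audit().items():
        print(("GRANTED " if granted else "denied  ") + op)
```

The result shows that the role lets the identity read the account's API keys and create resource deployments in addition to calling the model, which is worth weighing when choosing the scope of the assignment.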
Role name change
Note, however, that the role names are going to change from "Azure AI ~" to "Foundry ~".
The Foundry RBAC roles were recently renamed. Foundry User, Foundry Owner, Foundry Account Owner, and Foundry Project Manager were previously named Azure AI User, Azure AI Owner, Azure AI Account Owner, and Azure AI Project Manager. You might still see the previous names in some places while the rename rolls out. The role IDs and core permissions are unchanged by the rename.
The rename has not been rolled out in my environment yet. I expect it will change before long.
