Authorization API Post-Deployment Configuration
Complete these steps after running azd up to finalize Authorization API configuration.
Prerequisites
- Deployment completed successfully
- App Configuration access configured (see Prerequisites)
- Authorization API app registration created (see Pre-Deployment Setup)
Update App Configuration Settings
Step 1: Access App Configuration
- Sign in to Azure Portal
- Navigate to your deployment resource group
- Select the App Configuration resource
- Select Configuration explorer
Step 2: Update Authorization Scope
- Search for `authorization` in the filter
- Find `FoundationaLLM:APIs:AuthorizationAPI:APIScope`
- Click Edit
- Set value to: `api://FoundationaLLM-Authorization`
- Click Apply
Verify Configuration
Check App Configuration Values
Verify these authorization-related settings:
| Key | Expected Value |
|---|---|
| `FoundationaLLM:APIs:AuthorizationAPI:APIScope` | `api://FoundationaLLM-Authorization` |
| `FoundationaLLM:APIs:AuthorizationAPI:APIUrl` | Your Authorization API URL |
Configure Initial Role Assignments
After authorization is configured, set up initial RBAC:
Assign Admin Role
The deployment administrator needs the Owner role:
- Navigate to Management Portal
- Go to Security > Role Assignments
- Create assignment:
- Principal: Your admin user/group
- Role: Owner
- Scope: `/instances/{instanceId}`
Or via Management API:
```http
POST /instances/{instanceId}/providers/FoundationaLLM.Authorization/roleAssignments
Content-Type: application/json
Authorization: Bearer <token>

{
  "name": "admin-assignment",
  "principal_id": "<admin-object-id>",
  "principal_type": "User",
  "role_definition_id": "/providers/FoundationaLLM.Authorization/roleDefinitions/1301f8d4-3bea-4880-945f-315dbd2ddb46",
  "scope": "/instances/{instanceId}"
}
```
Verify Authorization
Test that authorization is working:
- Sign in to Management Portal
- Navigate to any resource
- Verify you can perform expected operations
Run MS Graph Roles Script
The Authorization API requires MS Graph permissions for user lookups:
```powershell
cd deploy/quick-start # or deploy/standard
../common/scripts/Set-FllmGraphRoles.ps1 -resourceGroupName <resource-group>
```
Requirement: The user running the script must be a Global Administrator or hold the Privileged Role Administrator role.
Troubleshooting
| Issue | Solution |
|---|---|
| Authorization denied | Verify role assignments exist |
| User lookup fails | Run MS Graph roles script |
| Invalid scope | Check APIScope value in App Configuration |
| 403 Forbidden | Verify user has appropriate role for action |
Check Authorization API Logs
AKS:
```bash
kubectl logs deployment/authorization-api -n fllm --tail=100
```
Verify Role Assignments
Query existing assignments:
```http
GET /instances/{instanceId}/providers/FoundationaLLM.Authorization/roleAssignments
Authorization: Bearer <token>
```
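The following is an added example, not FoundationaLLM code, showing one way to review the result of that query for instance-wide Owner grants. It assumes the response is a JSON array whose objects use the same field names as the role assignment request above. The function name, the approved-owner list, and all sample data are hypothetical.

```python
import json

# Role definition id used on this page for the Owner assignment request.
OWNER_ROLE_ID = ("/providers/FoundationaLLM.Authorization/roleDefinitions/"
                 "1301f8d4-3bea-4880-945f-315dbd2ddb46")

def audit_instance_owners(assignments, instance_id, approved_principals):
    """Return (name, principal_id, reason) for instance-wide Owner grants needing review."""
    instance_scope = f"/instances/{instance_id}".lower()
    approved = {p.lower() for p in approved_principals}
    findings = []
    for a in assignments:
        if a.get("role_definition_id", "").lower() != OWNER_ROLE_ID.lower():
            continue  # not the Owner role
        if a.get("scope", "").rstrip("/").lower() != instance_scope:
            continue  # Owner on a narrower scope; outside this check
        principal = a.get("principal_id", "")
        if principal.lower() not in approved:
            findings.append((a.get("name"), principal, "not on the approved owner list"))
        elif a.get("principal_type") == "Group":
            findings.append((a.get("name"), principal, "approved group: review its membership"))
    return findings

# Constructed sample data; ids, names, the second role id and the narrower scope are made up.
INSTANCE_ID = "aaaaaaaa-0000-0000-0000-000000000001"
APPROVED = {"11111111-1111-1111-1111-111111111111", "44444444-4444-4444-4444-444444444444"}
OTHER_ROLE = "/providers/FoundationaLLM.Authorization/roleDefinitions/00000000-0000-0000-0000-000000000000"
SCOPE = f"/instances/{INSTANCE_ID}"
SAMPLE_RESPONSE = json.dumps([
    {"name": "admin-assignment", "principal_id": "11111111-1111-1111-1111-111111111111",
     "principal_type": "User", "role_definition_id": OWNER_ROLE_ID, "scope": SCOPE},
    {"name": "temp-contractor", "principal_id": "22222222-2222-2222-2222-222222222222",
     "principal_type": "User", "role_definition_id": OWNER_ROLE_ID, "scope": SCOPE},
    {"name": "ops-group", "principal_id": "44444444-4444-4444-4444-444444444444",
     "principal_type": "Group", "role_definition_id": OWNER_ROLE_ID, "scope": SCOPE},
    {"name": "other-role", "principal_id": "33333333-3333-3333-3333-333333333333",
     "principal_type": "User", "role_definition_id": OTHER_ROLE, "scope": SCOPE},
    {"name": "scoped-owner", "principal_id": "55555555-5555-5555-5555-555555555555",
     "principal_type": "User", "role_definition_id": OWNER_ROLE_ID,
     "scope": SCOPE + "/constructed/narrower-scope"},
])

if __name__ == "__main__":
    rows = audit_instance_owners(json.loads(SAMPLE_RESPONSE), INSTANCE_ID, APPROVED)
    for name, principal, reason in rows:
        print(f"{name}: {principal} ({reason})")
```

Save the body returned by the query to a file and pass the parsed JSON in place of `SAMPLE_RESPONSE`, adjusting the field names if your deployment's response differs.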
Next Steps
- Review Role Definitions
- Configure Role Assignments
- Set up Agent-Level Permissions