microsoft · Roopan-Microsoft · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
@@ -138,10 +138,16 @@ azd auth login --tenant-id <your-tenant-id>
 # Create a new azd environment
 azd env new <environment-name>
 
+# Set your tenant (required when the target subscription is in a non-default tenant)
+azd env set AZURE_TENANT_ID <tenant-id>
+
+# Set the Entra object ID (GUID) of the user/group/SP to grant RBAC
+azd env set AZURE_PRINCIPAL_ID <entra-object-id>
+
 # Set your subscription (if not default)
 azd env set AZURE_SUBSCRIPTION_ID <subscription-id>
 
-# Set your target location
+# Set your target location (optional)
 azd env set AZURE_LOCATION eastus2
 ```
 
@@ -239,6 +245,12 @@ You can reuse existing Azure resources instead of provisioning new ones. Refer t
 
 ### Step 4: Deploy
 
+If you already cloned without submodules, run:
+
+```bash
+git submodule update --init --recursive
+```
+
 Run the deployment command:
 
 ```bash

@@ -235,7 +235,7 @@ param containerAppsList = [
 // Ref: https://learn.microsoft.com/azure/bastion/bastion-entra-id-authentication
 param vmUserName = 'testvmuser'
 param vmAdminPassword = 'Jb!${uniqueString(readEnvironmentVariable('AZURE_ENV_NAME', 'default'), readEnvironmentVariable('AZURE_SUBSCRIPTION_ID', 'sub'))}${guid(readEnvironmentVariable('AZURE_ENV_NAME', 'default'), 'vm-admin-password')}'
-param vmSize = 'Standard_D2s_v4'
+param vmSize = 'Standard_D2s_v5'
 
 // ========================================
 // FABRIC CAPACITY PARAMETERS

@@ -169,6 +169,37 @@ function New-SearchHeaders {
     return $null
 }
 
+function Test-TransientNetworkFailure {
+    param($ErrorRecord)
+
+    $ex = $ErrorRecord.Exception
+    while ($ex) {
+        $typeName = $ex.GetType().FullName
+        if ($typeName -eq 'System.Net.Sockets.SocketException' -or
+            $typeName -eq 'System.Net.Security.AuthenticationException' -or
+            $typeName -eq 'System.IO.IOException' -or
+            $typeName -eq 'System.Net.Http.HttpRequestException' -or
+            $typeName -eq 'System.Net.WebException' -or
+            $typeName -eq 'System.Threading.Tasks.TaskCanceledException' -or
+            $typeName -eq 'System.TimeoutException') {
+
+            $message = "$($ex.Message)"
+            if ($message -match 'SSL|TLS|forcibly closed|connection (was|reset|closed|aborted)|actively refused|timed out|name or service not known|temporary failure in name resolution|no such host') {
+                return $true
+            }
+            # WebException with no Response object is a transport-level failure.
+            if ($typeName -eq 'System.Net.WebException' -and -not $ex.Response) {
+                return $true
+            }
+            if ($typeName -ne 'System.IO.IOException' -and $typeName -ne 'System.Net.Http.HttpRequestException') {
+                return $true
+            }
+        }
+        $ex = $ex.InnerException
+    }
+    return $false
+}
+
 function Invoke-SearchRequest {
     param(
         [string]$Method,
@@ -177,7 +208,9 @@ function Invoke-SearchRequest {
     )
 
     $maxAttempts = 6
-    $delaySeconds = 30
+    $authDelaySeconds = 30
+    $transientBaseDelaySeconds = 5
+    $transientMaxDelaySeconds = 60
 
     for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
         $accessToken = Get-SearchAccessToken
@@ -198,8 +231,29 @@ function Invoke-SearchRequest {
             try { $statusCode = $_.Exception.Response.StatusCode.value__ } catch { }
 
             if (($statusCode -eq 401 -or $statusCode -eq 403) -and $attempt -lt $maxAttempts) {
-                Write-Warning "Search request denied (HTTP $statusCode). Waiting ${delaySeconds}s for RBAC propagation (attempt $attempt of $maxAttempts)."
-                Start-Sleep -Seconds $delaySeconds
+                Write-Warning "Search request denied (HTTP $statusCode). Waiting ${authDelaySeconds}s for RBAC propagation (attempt $attempt of $maxAttempts)."
+                Start-Sleep -Seconds $authDelaySeconds
+                continue
+            }
+
+            $isTransientHttp = ($statusCode -ge 500 -and $statusCode -lt 600) -or $statusCode -eq 408 -or $statusCode -eq 429
+            $isTransientNetwork = Test-TransientNetworkFailure -ErrorRecord $_
+
+            if (($isTransientHttp -or $isTransientNetwork) -and $attempt -lt $maxAttempts) {
+                $backoff = [Math]::Min($transientMaxDelaySeconds, $transientBaseDelaySeconds * [Math]::Pow(2, $attempt - 1))
+                $jitter = Get-Random -Minimum 0 -Maximum 3
+                $delay = [int]($backoff + $jitter)
+
+                $retryAfter = $null
+                try { $retryAfter = $_.Exception.Response.Headers['Retry-After'] } catch { }
+                if ($retryAfter) {
+                    $parsed = 0
+                    if ([int]::TryParse("$retryAfter", [ref]$parsed) -and $parsed -gt 0) { $delay = [Math]::Min($transientMaxDelaySeconds, $parsed) }
+                }
+
+                $reason = if ($isTransientHttp) { "HTTP $statusCode" } else { "transient network error: $($_.Exception.Message)" }
+                Write-Warning "Search request failed with $reason. Retrying in ${delay}s (attempt $attempt of $maxAttempts)."
+                Start-Sleep -Seconds $delay
                 continue
             }