azure-prepare: add App Service ACR managed identity role assignment and compute quota guidance

[Copilot]

The MvcMovie90 brownfield dotnet integration test timed out (31m 34s) because azure-prepare consumed the entire window resolving two mid-deployment failures — leaving no time to invoke azure-validate or azure-deploy.

Root causes

1. Missing AcrPull role assignment — generated Bicep for App Service + ACR did not grant the managed identity permission to pull images, requiring manual az role assignment create mid-deployment
2. No App Service compute quota check — standardBSFamily cores quota was exhausted in eastus2 (17/17), triggering an unplanned region switch to westus2

Changes

• services/app-service/bicep.md — New "Docker Container Deployment with ACR (Managed Identity)" section with complete Bicep pattern: AcrPull role assignment scoped to the registry, acrUseManagedIdentityCreds: true in siteConfig, and system-assigned identity wired end-to-end

resource acrPullRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(webApp.id, containerRegistry.id, 'acrpull')
  scope: containerRegistry
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions',
      '7f951dda-4ed3-4680-a7ca-43fe172d538d'  // AcrPull
    )
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'
  }
}

• resources-limits-quotas.md — Added App Service / App Service Plan row to the Service Patterns quota table, explicitly calling out standardBSFamily as the quota resource name for B/S/P SKUs; added to Quick Reference Limits
• region-availability.md — Added quota check callout under App Service noting B/S/P plans consume standardBSFamily cores and must be verified before provisioning
• azure-prepare/SKILL.md — Version bump 1.1.6 → 1.1.7

[fanyang-mono]

@copilot why did azure-prepare handle deployment related issues? I would expect it to invoke azure-deploy which has AcrPull related information, so the agent won't struggle to figure it out.

[Copilot]

@copilot why did azure-prepare handle deployment related issues? I would expect it to invoke azure-deploy which has AcrPull related information, so the agent won't struggle to figure it out.

Good question. The two failures happened before azure-prepare could hand off to azure-validate → azure-deploy:

1. Quota failure mid-preparation: azure-prepare's "Confirm Azure Context" phase (Phase 2, Step 2) hit the standardBSFamily core limit in eastus2 (17/17), requiring an unplanned region switch. This alone burned ~10 minutes.

2. ACR auth failure during provisioning: Once azure-prepare ran azd provision to generate the infrastructure, the App Service couldn't pull from ACR because the Bicep template didn't include the AcrPull role assignment. azure-prepare then spent the remaining time on manual az role assignment create remediation — work that should never have been needed.

Both failures happened in azure-prepare's own execution window before it could update the plan to Ready for Validation and invoke azure-validate. That's why azure-deploy (and its AcrPull error recovery in errors.md) was never reached — the handoff never happened.

My fixes are preventive:

• AcrPull in Bicep (app-service/bicep.md): The generated infrastructure now includes the role assignment from the start, so azure-prepare completes cleanly without ACR auth surprises.
• standardBSFamily quota guidance: azure-prepare now knows to check App Service compute quota during the planning phase, preventing mid-deployment region switches.

azure-deploy's AcrPull error recovery in errors.md remains as a fallback — it covers Container Apps specifically. My fix extends the preventive coverage to App Service.

[Copilot]

Pull request overview

Updates the azure-prepare skill documentation to prevent mid-deployment failures/timeouts by documenting (1) required ACR pull RBAC for App Service managed identity deployments and (2) a preflight quota check for App Service Plan cores.

Changes:

• Added an App Service + ACR (managed identity) Bicep pattern including an AcrPull role assignment and acrUseManagedIdentityCreds: true.
• Documented App Service Plan core quota guidance (standardBSFamily) in quotas and region availability references.
• Bumped azure-prepare skill version 1.1.6 → 1.1.7.

Show a summary per file

File	Description
plugin/skills/azure-prepare/SKILL.md	Version bump to reflect documentation updates.
plugin/skills/azure-prepare/references/services/app-service/bicep.md	Adds managed-identity ACR pull role-assignment pattern for App Service containers.
plugin/skills/azure-prepare/references/resources-limits-quotas.md	Adds App Service quota guidance and quick-reference entry for standardBSFamily.
plugin/skills/azure-prepare/references/region-availability.md	Adds App Service quota-check callout pointing to quotas reference.

Copilot's findings

Comments suppressed due to low confidence (1)

plugin/skills/azure-prepare/references/resources-limits-quotas.md:202

• This quota bullet uses az quota list --scope .../Microsoft.Compute/locations/{region}, where ... is not a valid scope and can lead to copy/paste errors. Suggest switching to an explicit scope placeholder consistent with the CLI reference above (e.g., /subscriptions/{id}/providers/Microsoft.Compute/locations/{region}) and/or referencing that section instead of repeating an incomplete command.

- App Service Plan cores: varies per region (quota resource name: `standardBSFamily` for B/S/P SKUs — check with `az quota list --scope .../Microsoft.Compute/locations/{region}` and filter for `standard*Family`)

• Files reviewed: 4/4 changed files
• Comments generated: 1

[github-actions]

Details

# 🔍 Token Analysis Report

@github-copilot-for-azure/scripts@1.0.0 tokens
node --import tsx src/tokens/cli.ts compare --base origin/main --head HEAD --markdown

📊 Token Change Report

Comparing origin/main → HEAD

Summary

Metric	Value
📈 Total Change	+785 tokens (+12%)
Before	6,824 tokens
After	7,609 tokens
Files Changed	3

Changed Files

File	Before	After	Change
plugin/skills/azure-prepare/references/services/app-service/bicep.md	301	884	+583 (+194%)
plugin/skills/azure-prepare/references/resources-limits-quotas.md	3,322	3,468	+146 (+4%)
plugin/skills/azure-prepare/references/region-availability.md	434	490	+56 (+13%)

@github-copilot-for-azure/scripts@1.0.0 tokens
node --import tsx src/tokens/cli.ts check --markdown

📊 Token Limit Check Report

Checked: 536 files
Exceeded: 75 files

⚠️ Files Exceeding Token Limits

File	Tokens	Limit	Over By
.github/skills/analyze-test-run/SKILL.md	2471	500	+1971
.github/skills/file-test-bug/SKILL.md	628	500	+128
.github/skills/sensei/README.md	3531	2000	+1531
.github/skills/sensei/SKILL.md	3026	500	+2526
.github/skills/sensei/references/EXAMPLES.md	3701	2000	+1701
.github/skills/sensei/references/LOOP.md	4181	2000	+2181
.github/skills/sensei/references/SCORING.md	4200	2000	+2200
.github/skills/skill-authoring/SKILL.md	839	500	+339
plugin/skills/appinsights-instrumentation/SKILL.md	908	500	+408
plugin/skills/azure-ai/SKILL.md	817	500	+317
plugin/skills/azure-aigateway/SKILL.md	1258	500	+758
plugin/skills/azure-aigateway/references/policies.md	2342	2000	+342
plugin/skills/azure-cloud-migrate/references/services/functions/lambda-to-functions.md	2600	2000	+600
plugin/skills/azure-cloud-migrate/references/services/functions/runtimes/javascript.md	2181	2000	+181
plugin/skills/azure-compliance/SKILL.md	1185	500	+685
plugin/skills/azure-compute/SKILL.md	755	500	+255
plugin/skills/azure-compute/workflows/vm-recommender/vm-recommender.md	2393	2000	+393
plugin/skills/azure-compute/workflows/vm-troubleshooter/references/cannot-connect-to-vm.md	7308	2000	+5308
plugin/skills/azure-cost/SKILL.md	1861	500	+1361
plugin/skills/azure-deploy/SKILL.md	1643	500	+1143
plugin/skills/azure-deploy/references/pre-deploy-checklist.md	2204	2000	+204
plugin/skills/azure-deploy/references/recipes/azd/ef-migrations.md	2006	2000	+6
plugin/skills/azure-deploy/references/recipes/azd/errors.md	3429	2000	+1429
plugin/skills/azure-deploy/references/troubleshooting.md	2038	2000	+38
plugin/skills/azure-diagnostics/SKILL.md	1132	500	+632
plugin/skills/azure-diagnostics/aks-troubleshooting/networking.md	2147	2000	+147
plugin/skills/azure-diagnostics/aks-troubleshooting/node-issues.md	2003	2000	+3
plugin/skills/azure-enterprise-infra-planner/SKILL.md	991	500	+491
plugin/skills/azure-enterprise-infra-planner/references/constraints/compute-apps.md	2022	2000	+22
plugin/skills/azure-hosted-copilot-sdk/SKILL.md	966	500	+466
plugin/skills/azure-kubernetes/SKILL.md	2266	500	+1766
plugin/skills/azure-kusto/SKILL.md	2149	500	+1649
plugin/skills/azure-messaging/SKILL.md	967	500	+467
plugin/skills/azure-prepare/SKILL.md	2767	500	+2267
plugin/skills/azure-prepare/references/aspire.md	4003	2000	+2003
plugin/skills/azure-prepare/references/plan-template.md	2559	2000	+559
plugin/skills/azure-prepare/references/recipes/azd/aspire.md	2367	2000	+367
plugin/skills/azure-prepare/references/recipes/azd/terraform.md	3012	2000	+1012
plugin/skills/azure-prepare/references/research.md	2217	2000	+217
plugin/skills/azure-prepare/references/resources-limits-quotas.md	3468	2000	+1468
plugin/skills/azure-prepare/references/security.md	2133	2000	+133
plugin/skills/azure-prepare/references/services/functions/bicep.md	3065	2000	+1065
plugin/skills/azure-prepare/references/services/functions/templates/SPEC-composable-templates.md	6187	2000	+4187
plugin/skills/azure-prepare/references/services/functions/templates/recipes/composition.md	4649	2000	+2649
plugin/skills/azure-prepare/references/services/functions/terraform.md	3358	2000	+1358
plugin/skills/azure-quotas/SKILL.md	3445	500	+2945
plugin/skills/azure-quotas/references/commands.md	2644	2000	+644
plugin/skills/azure-resource-lookup/SKILL.md	1288	500	+788
plugin/skills/azure-resource-visualizer/SKILL.md	2054	500	+1554
plugin/skills/azure-storage/SKILL.md	1180	500	+680
plugin/skills/azure-upgrade/SKILL.md	1001	500	+501
plugin/skills/azure-upgrade/references/services/functions/automation.md	3463	2000	+1463
plugin/skills/azure-upgrade/references/services/functions/consumption-to-flex.md	2773	2000	+773
plugin/skills/azure-validate/SKILL.md	906	500	+406
plugin/skills/entra-app-registration/SKILL.md	2067	500	+1567
plugin/skills/entra-app-registration/references/api-permissions.md	2545	2000	+545
plugin/skills/entra-app-registration/references/cli-commands.md	2211	2000	+211
plugin/skills/entra-app-registration/references/console-app-example.md	2752	2000	+752
plugin/skills/entra-app-registration/references/oauth-flows.md	2375	2000	+375
plugin/skills/microsoft-foundry/SKILL.md	2870	500	+2370
plugin/skills/microsoft-foundry/foundry-agent/create/create.md	3016	2000	+1016
plugin/skills/microsoft-foundry/foundry-agent/deploy/deploy.md	5511	2000	+3511
plugin/skills/microsoft-foundry/foundry-agent/eval-datasets/eval-datasets.md	2342	2000	+342
plugin/skills/microsoft-foundry/foundry-agent/eval-datasets/references/trace-to-dataset.md	4268	2000	+2268
plugin/skills/microsoft-foundry/foundry-agent/observe/observe.md	2547	2000	+547
plugin/skills/microsoft-foundry/foundry-agent/trace/references/kql-templates.md	2701	2000	+701
plugin/skills/microsoft-foundry/models/deploy-model/SKILL.md	1640	500	+1140
plugin/skills/microsoft-foundry/models/deploy-model/capacity/SKILL.md	1739	500	+1239
plugin/skills/microsoft-foundry/models/deploy-model/customize/SKILL.md	2235	500	+1735
plugin/skills/microsoft-foundry/models/deploy-model/customize/references/customize-workflow.md	3335	2000	+1335
plugin/skills/microsoft-foundry/models/deploy-model/preset/SKILL.md	1226	500	+726
plugin/skills/microsoft-foundry/models/deploy-model/preset/references/preset-workflow.md	5534	2000	+3534
plugin/skills/microsoft-foundry/quota/quota.md	2288	2000	+288
plugin/skills/microsoft-foundry/quota/references/capacity-planning.md	2080	2000	+80
plugin/skills/microsoft-foundry/references/sdk/foundry-sdk-py.md	2162	2000	+162

Consider moving content to references/ subdirectories.

---

Automated token analysis. See skill authoring guidelines for best practices.