Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,8 @@ a365 create-instance enable-notifications
### Deploy & Cleanup
```bash
a365 deploy # Full build and deploy
a365 deploy app # Deploy application binaries to the configured Azure App Service
a365 deploy mcp # Update Agent365 Tool permissions
a365 deploy --restart # Skip build, deploy existing publish folder (quick iteration)
a365 deploy --inspect # Pause before deployment to verify package contents
a365 deploy --restart --inspect # Combine flags for quick redeploy with inspection
Expand All @@ -110,6 +112,8 @@ a365 cleanup

**Deploy Options Explained:**
- **Default** (`a365 deploy`): Full build pipeline - platform detection, environment validation, build, manifest creation, packaging, and deployment
- **app**: Deploy application binaries to the configured Azure App Service
- **mcp**: Update Agent365 Tool permissions
- **`--restart`**: Skip all build steps and start from compressing the existing `publish/` folder. Perfect for quick iteration when you've manually modified files in the publish directory (e.g., tweaking `requirements.txt`, `.deployment`, or other config files)
- **`--inspect`**: Pause before deployment to review the publish folder and ZIP contents. Useful for verifying package structure before uploading to Azure
- **`--verbose`**: Enable detailed logging for all build and deployment steps
Expand Down
2 changes: 1 addition & 1 deletion docs/commands/config-init.md
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ Uses:

```bash
# Deploy your agent to Azure
a365 deploy
a365 deploy app
```

Uses:
Expand Down
192 changes: 192 additions & 0 deletions docs/commands/deploy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,192 @@
# Agent365 CLI – Deploy Command Guide

> **Command**: `a365 deploy`
> **Purpose**: Deploy your application to Azure App Service **and** update Agent365 Tool (MCP) permissions in one run. Subcommands let you run either phase independently.
---

## TL;DR

```bash
# Full two-phase deploy (App binaries, then MCP permissions)
a365 deploy

# App-only deploy
a365 deploy app

# MCP-only permissions update
a365 deploy mcp

# Common flags
a365 deploy app --restart # reuse existing publish/ (skip build)
a365 deploy app --inspect # pause to review publish/ and zip
a365 deploy --dry-run # print actions, no changes
a365 deploy --verbose # detailed logs
```

---

## What the command actually does

### Default (`a365 deploy`)
Runs **two phases sequentially**:

**Step 1 — App Binaries**
1. Load `a365.config.json` (+ dynamic state from generated config).
2. **Azure preflight**
- Validates Azure CLI auth + subscription context (`ValidateAllAsync`).
- Ensures target Web App exists via `az webapp show`.
3. Build/package via `DeploymentService.DeployAsync(...)` (supports `--inspect` and `--restart`).
4. Log success/failure.

**Step 2 — MCP Permissions**
1. Re-load config (same path).
2. Read required scopes from `deploymentProjectPath/toolingManifest.json`.
3. Apply **in order**:
- **OAuth2 grant**: `ReplaceOauth2PermissionGrantAsync`
- **Inheritable permissions**: `SetInheritablePermissionsAsync`
- **Admin consent (agent identity)**: `ReplaceOauth2PermissionGrantAsync`
4. Log success/failure.

---

## Subcommands & Flags

### `a365 deploy` (default, two-phase)
- **Options**: `--config|-c`, `--verbose|-v`, `--dry-run`, `--inspect`, `--restart`
- **Behavior**: Runs **App** then **MCP**, prints “Part 1…” and “Part 2…” sections (even on `--dry-run`).

### `a365 deploy app` (app-only)
- **Options**: `--config|-c`, `--verbose|-v`, `--dry-run`, `--inspect`, `--restart`
- **Behavior**: Only runs the App phase (includes the same Azure validations and Web App existence check).

### `a365 deploy mcp` (MCP-only)
- **Options**: `--config|-c`, `--verbose|-v`, `--dry-run`
- **Behavior**: Only runs the MCP permissions sequence (no `--inspect` or `--restart` here).

---

## Preflight Checks

- **Azure auth & subscription**: Validated via `ValidateAllAsync(subscriptionId)`.
If invalid, deployment is stopped with a clear error.
- **Web App existence**: `az webapp show --resource-group <rg> --name <app> --subscription <sub>` must succeed before app deploy proceeds.

---

## Configuration Inputs

- **`a365.config.json`** (user-maintained) and **`a365.generated.config.json`** (dynamic state)
- **Tooling scopes**: Read from `<deploymentProjectPath>/toolingManifest.json` during the MCP phase
- `--config` defaults to `a365.config.json` in the current directory

> The CLI also keeps **global** copies of config/state in:
> - Windows: `%LocalAppData%\Microsoft.Agents.A365.DevTools.Cli`
> - Linux/macOS: `$HOME/.config/Microsoft.Agents.A365.DevTools.Cli`
---

## Flags (behavior details)

- `--restart`
Skip a fresh build and start from compressing the **existing** `publish/` folder. If `publish/` is missing, the deploy fails with guidance to run a full deploy.

- `--inspect`
Pause before upload so you can inspect `publish/` and the generated ZIP. (App phase only.)

- `--dry-run`
Print everything that would happen. The default command shows **two sections**:
- *Part 1 — Deploy application binaries* (target RG/app, config path)
- *Part 2 — Deploy/update Agent 365 Tool permissions* (the three MCP steps)
No changes are made.

- `--verbose`
Enables detailed logging in both phases.

---

## MCP Permission Update Flow (exact order)

When running `a365 deploy` or `a365 deploy mcp`:

1. **OAuth2 permission grant**
`ReplaceOauth2PermissionGrantAsync(tenant, blueprintSp, mcpPlatformSp, scopes)`

2. **Inheritable permissions**
`SetInheritablePermissionsAsync(tenant, agentBlueprintAppId, mcpResourceAppId, scopes)`

3. **Admin consent** (agent identity → MCP platform)
`ReplaceOauth2PermissionGrantAsync(tenant, agenticAppSpObjectId, mcpPlatformResourceSpObjectId, scopes)`

> All scopes are sourced from `toolingManifest.json` in your project root.
---

## Typical Flows

### Full two-phase deploy with visibility
```bash
a365 deploy --verbose
```

### Quick iteration (reuse last build)
```bash
a365 deploy app --restart
```

### MCP only (permissions/scopes refresh)
```bash
a365 deploy mcp --verbose
```

### Validate everything without changing anything
```bash
a365 deploy app --dry-run --inspect
```

---

## Troubleshooting

- **“Not logged into Azure” or wrong subscription**
Fix with `az login --tenant <TENANT_ID>` and `az account set --subscription <SUBSCRIPTION_ID>`.

- **Web App not found**
Ensure `a365 setup` has been run or correct `webAppName`/`resourceGroup` are in `a365.config.json`.

- **Permissions update fails**
- Confirm `AgentBlueprintId`, `AgenticAppId`, and environment are set in config.
- Ensure your account has rights to manage service principals and grants.
- Verify `toolingManifest.json` exists and contains valid scopes.

- **`--restart` fails**
Run a full build once (no `--restart`) to produce `publish/`.

---

## Logs

**CLI logs**
- Windows: `%LocalAppData%\Microsoft.Agents.A365.DevTools.Cli\logs\`
- Linux/macOS: `~/.config/a365/logs/`

Tail latest deploy logs:
```powershell
# Windows
Get-Content $env:LOCALAPPDATA\Microsoft.Agents.A365.DevTools.Cli\logs\a365.deploy.log -Tail 80
```

```bash
# Linux/Mac
tail -80 ~/.config/a365/logs/a365.deploy.log
```

**App Service logs**
Use Log Stream in the Azure Portal for runtime stdout/stderr.

---

## Related

- [`a365 setup`](./setup.md) — provision resources and register the messaging endpoint
- [`a365 create-instance`](./create-instance.md) — create agent identity/user and licenses
- [`a365 config init`](./config-init.md) — initialize configuration

---
Original file line number Diff line number Diff line change
Expand Up @@ -113,25 +113,25 @@ public static Command CreateCommand(ILogger<CreateInstanceCommand> logger, IConf
logger.LogInformation(" Agent User ID: {AgenticUserId}", instanceConfig.AgenticUserId ?? "(not set)");
logger.LogInformation(" Agent User Principal Name: {AgentUserPrincipalName}", instanceConfig.AgentUserPrincipalName ?? "(not set)");

// Step 4: Admin consent for MCP scopes (oauth2PermissionGrants)
logger.LogInformation("Step 5/5: Granting MCP scopes to Agent Identity via oauth2PermissionGrants");
// Admin consent for MCP scopes (oauth2PermissionGrants)
logger.LogInformation("Granting MCP scopes to Agent Identity via oauth2PermissionGrants");

var manifestPath = Path.Combine(instanceConfig.DeploymentProjectPath ?? string.Empty, "ToolingManifest.json");
var scopesForAgent = await ManifestHelper.GetRequiredScopesAsync(manifestPath);

// clientId must be the *service principal objectId* of the agent identity app
var agentIdentitySpObjectId = await graphApiService.LookupServicePrincipalByAppIdAsync(
// clientId must be the *service principal objectId* of the agentic app
var agenticAppSpObjectId = await graphApiService.LookupServicePrincipalByAppIdAsync(
instanceConfig.TenantId,
instanceConfig.AgenticAppId ?? string.Empty
) ?? throw new InvalidOperationException($"Service Principal not found for agent identity appId {instanceConfig.AgenticAppId}");
) ?? throw new InvalidOperationException($"Service Principal not found for agentic app Id {instanceConfig.AgenticAppId}");

var resourceAppId = ConfigConstants.GetAgent365ToolsResourceAppId(instanceConfig.Environment);
var Agent365ToolsResourceSpObjectId = await graphApiService.LookupServicePrincipalByAppIdAsync(instanceConfig.TenantId, resourceAppId)
?? throw new InvalidOperationException("Agent 365 Tools Service Principal not found for appId " + resourceAppId);

var response = await graphApiService.CreateOrUpdateOauth2PermissionGrantAsync(
instanceConfig.TenantId,
agentIdentitySpObjectId,
agenticAppSpObjectId,
Agent365ToolsResourceSpObjectId,
scopesForAgent
);
Expand All @@ -154,7 +154,7 @@ public static Command CreateCommand(ILogger<CreateInstanceCommand> logger, IConf
// Grant oauth2PermissionGrants: *agent identity SP* -> Messaging Bot API SP
var botApiGrantOk = await graphApiService.CreateOrUpdateOauth2PermissionGrantAsync(
instanceConfig.TenantId,
agentIdentitySpObjectId,
agenticAppSpObjectId,
botApiResourceSpObjectId,
new[] { "Authorization.ReadWrite", "user_impersonation" });

Expand Down
Loading
Loading