2 changes: 1 addition & 1 deletion .github/plugins/azure-skills/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
{
"name": "azure",
"description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Claude Code.",
"version": "1.1.26",
"version": "1.1.27",
"author": {
"name": "Microsoft",
"url": "https://www.microsoft.com"
2 changes: 1 addition & 1 deletion .github/plugins/azure-skills/.cursor-plugin/plugin.json
@@ -1,7 +1,7 @@
{
"name": "azure",
"description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Cursor.",
"version": "1.1.26",
"version": "1.1.27",
"author": {
"name": "Microsoft",
"url": "https://www.microsoft.com"
2 changes: 1 addition & 1 deletion .github/plugins/azure-skills/.plugin/plugin.json
@@ -1,7 +1,7 @@
{
"name": "azure",
"description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from your development environment.",
"version": "1.1.26",
"version": "1.1.27",
"author": {
"name": "Microsoft",
"url": "https://www.microsoft.com"
Expand Up @@ -29,7 +29,6 @@ SDK packages and quick start examples for Azure Storage services.
All examples use `DefaultAzureCredential` for authentication, which is recommended for **local development only**. In production, use `ManagedIdentityCredential` — see [auth-best-practices.md](auth-best-practices.md). Rust uses `DeveloperToolsCredential` as it doesn't have a `DefaultAzureCredential` equivalent.

**Python** - Upload Blob:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient
Expand All @@ -41,7 +40,6 @@ blob.upload_blob(b"Hello, Azure Storage!", overwrite=True)
```

**JavaScript** - Upload Blob:

```javascript
import { DefaultAzureCredential } from "@azure/identity";
import { BlobServiceClient } from "@azure/storage-blob";
Expand All @@ -53,7 +51,6 @@ await blob.uploadData(Buffer.from("Hello, Azure Storage!"));
```

**C#** - Upload Blob:

```csharp
using Azure.Identity;
using Azure.Storage.Blobs;
Expand All @@ -65,7 +62,6 @@ await blob.UploadAsync(BinaryData.FromString("Hello, Azure Storage!"), overwrite
```

**Java** - Upload Blob:

```java
import com.azure.identity.*;
import com.azure.storage.blob.*;
Expand All @@ -81,7 +77,6 @@ blob.upload(BinaryData.fromString("Hello, Azure Storage!"), true);
```

**Go** - Upload Blob:

```go
package main

Expand All @@ -102,7 +97,6 @@ func main() {
```

**Rust** - Upload Blob:

```rust
use azure_identity::DeveloperToolsCredential;
use azure_storage_blob::{BlobClient, BlobClientOptions};
Expand All @@ -113,8 +107,8 @@ let blob_client = BlobClient::new(
"my-container",
"my-blob.txt",
Some(credential),
None
Some(BlobClientOptions::default()),
)?;
let data = b"Hello, Azure Storage!";
blob_client.upload(data.to_vec().into(), None).await?;
blob_client.upload(None, data.to_vec().into()).await?;
```
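Review bot: the two replaced Rust lines change the call shape of `blob_client.upload` (the body moves from the first argument to the second, with the `None` options slot now first) and swap the bare `None` passed to `BlobClient::new` for `Some(BlobClientOptions::default())`; both compile only against one particular signature of `azure_storage_blob`, and the surrounding text never says which crate version the snippet targets. Suggest stating the version next to the Rust example so the next SDK signature change is caught deliberately rather than by a reader's failed build. Minor: the removed `None` line had no trailing comma before `)?;`; the replacement `Some(BlobClientOptions::default()),` does, which is the rustfmt-idiomatic layout.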
19 changes: 15 additions & 4 deletions .github/plugins/azure-skills/skills/microsoft-foundry/SKILL.md
Expand Up @@ -4,7 +4,7 @@ description: "Deploy, evaluate, and manage Foundry agents end-to-end: Docker bui
license: MIT
metadata:
author: Microsoft
version: "1.1.8"
version: "1.1.9"
---

# Microsoft Foundry Skill
Expand Down Expand Up @@ -32,19 +32,31 @@ This skill includes specialized sub-skills for specific workflows. **Use these i
| **eval-datasets** | Harvest production traces into evaluation datasets, manage dataset versions and splits, track evaluation metrics over time, detect regressions, and maintain full lineage from trace to deployment. Use for: create dataset from traces, dataset versioning, evaluation trending, regression detection, dataset comparison, eval lineage. | [eval-datasets](foundry-agent/eval-datasets/eval-datasets.md) |
| **project/create** | Creating a new Azure AI Foundry project for hosting agents and models. Use when onboarding to Foundry or setting up new infrastructure. | [project/create/create-foundry-project.md](project/create/create-foundry-project.md) |
| **resource/create** | Creating Azure AI Services multi-service resource (Foundry resource) using Azure CLI. Use when manually provisioning AI Services resources with granular control. | [resource/create/create-foundry-resource.md](resource/create/create-foundry-resource.md) |
| **private-network** | Answer questions about Foundry network isolation **and** deploy Foundry with VNet isolation (BYO VNet, Managed VNet, hybrid). Covers architecture concepts, template selection, deployment, and post-deployment validation. | [resource/private-network/private-network.md](resource/private-network/private-network.md) |
| **models/deploy-model** | Unified model deployment with intelligent routing. Handles quick preset deployments, fully customized deployments (version/SKU/capacity/RAI), and capacity discovery across regions. Routes to sub-skills: `preset` (quick deploy), `customize` (full control), `capacity` (find availability). | [models/deploy-model/SKILL.md](models/deploy-model/SKILL.md) |
| **quota** | Managing quotas and capacity for Microsoft Foundry resources. Use when checking quota usage, troubleshooting deployment failures due to insufficient quota, requesting quota increases, or planning capacity. | [quota/quota.md](quota/quota.md) |
| **rbac** | Managing RBAC permissions, role assignments, managed identities, and service principals for Microsoft Foundry resources. Use for access control, auditing permissions, and CI/CD setup. | [rbac/rbac.md](rbac/rbac.md) |

> 💡 **Tip:** For a complete onboarding flow: `project/create` agent workflows (`deploy` → `invoke`).
> 💡 **Tip:** For a complete onboarding flow: `project/create` (public) or `private-network` (VNet isolation) → `models/deploy-model` → agent workflows (`create` → `deploy` → `invoke`).

> 💡 **Model Deployment:** Use `models/deploy-model` for all deployment scenarios — it intelligently routes between quick preset deployment, customized deployment with full control, and capacity discovery across regions.

> 💡 **Prompt Optimization:** For requests like "optimize my prompt" or "improve my agent instructions," load [observe](foundry-agent/observe/observe.md) and use the `prompt_optimize` MCP tool through that eval-driven workflow.

## Infrastructure Lifecycle

Match user intent to the correct infrastructure workflow.

| User Intent | Workflow |
|-------------|---------|
| "Create Foundry" / "Set up Foundry" (ambiguous) | Use `AskUserQuestion`: (a) just an AI Services resource, (b) a project with public access, or (c) a project with network isolation? Route: (a) → [resource/create](resource/create/create-foundry-resource.md), (b) → [project/create](project/create/create-foundry-project.md), (c) → [private-network](resource/private-network/private-network.md) |
| Set up Foundry with VNet isolation | [private-network](resource/private-network/private-network.md) |
| Create a Foundry project (public) | [project/create](project/create/create-foundry-project.md) |
| Create a bare Foundry resource | [resource/create](resource/create/create-foundry-resource.md) |

## Agent Development Lifecycle

Match user intent to the correct workflow. Read each sub-skill in order before executing.
Match user intent to the correct agent workflow. Read each sub-skill in order before executing.

| User Intent | Workflow (read in order) |
|-------------|------------------------|
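Review bot: the three `AskUserQuestion` options in the ambiguous "Create Foundry" row are worded differently from the three rows directly beneath it ("a project with public access" versus "Create a Foundry project (public)", "a project with network isolation" versus "Set up Foundry with VNet isolation"); since the agent routes on these strings, keeping the option text identical to the row labels removes an inference step and makes it obvious that the (a)/(b)/(c) answers map one-to-one onto the three workflows. The rewritten onboarding tip now includes `models/deploy-model` in the chain while the separate "Model Deployment" tip immediately below still describes that routing on its own; consider merging the two tips so there is a single place to update when the flow changes again.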
Expand Down Expand Up @@ -79,7 +91,6 @@ Every agent source folder should keep Foundry-specific state under `.foundry/`:
## Agent: Setup References

- [Standard Agent Setup](references/standard-agent-setup.md) - Standard capability-host setup with customer-managed data, search, and AI Services resources.
- [Private Network Standard Agent Setup](references/private-network-standard-agent-setup.md) - Standard setup with VNet isolation and private endpoints.

## Agent: Project Context Resolution

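Review bot: dropping the "Private Network Standard Agent Setup" bullet leaves "Agent: Setup References" with no pointer at all to the VNet-isolated path, while the remaining bullet still covers only the standard setup. Since the new `private-network` sub-skill added to the table earlier in this same PR is the replacement, add a one-line bullet here linking to `resource/private-network/private-network.md` (or a sentence saying that isolated-network setup now lives in that sub-skill) so a reader who lands in this section is not left thinking the private-network variant was removed rather than moved.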

This file was deleted.

@@ -0,0 +1,126 @@
---
name: private-network
description: "Answer questions about and deploy Microsoft Foundry with network isolation. Covers BYO VNet, Managed VNet, hybrid patterns, private endpoints, and Bicep deployment. WHEN: 'Foundry networking', 'BYO VNet vs managed VNet', 'deploy Foundry in private VNet', 'private endpoints for Foundry'. DO NOT USE FOR: generic Azure networking without Foundry."
license: MIT
allowed-tools: Read, Write, Bash, AskUserQuestion, microsoft_docs_search, microsoft_docs_fetch
---

# Microsoft Foundry Private Networking

## Quick Reference

| Property | Value |
|----------|-------|
| **Best for** | Foundry with VNet isolation, private endpoints, subnet delegation, APIM + Foundry, VPN/Bastion access |
| **Tools** | Azure CLI |
| **MCP Tools** | `AskUserQuestion` - ask user questions; `microsoft_docs_search` - verify facts before presenting; `microsoft_docs_fetch` - fetch full Learn pages for validation |
| **Workflow** | Ground in Learn → Gather → Plan → Scaffold → Validate → Deploy → Test |

### Key Documentation

| Topic | URL |
|-------|-----|
| Network isolation | https://learn.microsoft.com/azure/ai-foundry/how-to/configure-private-link |
| Agent Service VNet | https://learn.microsoft.com/azure/ai-services/agents/how-to/virtual-networks |
| Managed VNet | https://learn.microsoft.com/azure/ai-foundry/how-to/configure-managed-network |
| Feature limitations | https://learn.microsoft.com/azure/foundry/how-to/configure-private-link#foundry-feature-limitations |

## When to Use

- User asks about Foundry networking, private endpoints, or VNet isolation
- User asks about BYO VNet, Managed VNet, or hybrid patterns
- User wants to deploy Foundry agents in a private network
- User needs APIM integration with private Foundry agents

**Do NOT use for:**
- Public Foundry setup without VNet → use [project/create](../../project/create/create-foundry-project.md)
- Bare Foundry resource without networking → use [resource/create](../create/create-foundry-resource.md)

---

## Step 0 — Ground in Microsoft Learn
Use `microsoft_docs_fetch` to get docs from Key Documentation sources.
Use `microsoft_docs_search` to verify any technical fact before presenting it to the user. If Learn contradicts a reference file, **Learn wins**. Cite the URL. If Learn doesn't cover it, say so — do not invent facts, limits, flags, or compatibility claims.

---

## End-to-End Deployment Workflow

> **Important:** All following steps are mandatory. Communicate the plan with the user before acting.

## Step 1 — Gather Requirements

Read [references/intake.md](references/intake.md). One pass, three tiers:
- **Tier 1 (Core):** Subscription, VNet model, agents, region, RG, VNet — determine approach at the end
- **Tier 2 (Architecture):** DNS, topology, NSG, on-prem, identity, BYO resources
- **Tier 3 (Enterprise):** Model, client access, auth, policies, monitoring

Determine the approach (official template / adapt closest / extend user’s IaC) at the end of Tier 1. Continue through Tiers 2–3.

---

## Step 2 — Plan Generation

Use the confirmed requirements from [references/intake.md](references/intake.md).

**OFFICIAL path:** Load the template's README from its GitHub URL (via [references/template-index.md](references/template-index.md)). Run `microsoft_docs_search` for its prerequisites. Present a deployment plan using the user's actual values.

**ADAPT path:** Load the closest template's README. Present a deployment plan highlighting what will be modified from the base template.

**EXTEND path:** Load [references/custom-template-adaptation.md](references/custom-template-adaptation.md). Read the user's existing template. Follow the gap analysis framework to present what's covered, what's missing, and any issues. Get approval before modifying.

Get confirmation before proceeding.

---

## Step 3 — Scaffold & Parameterize

Read [references/scaffold.md](references/scaffold.md).

---

## Step 4 — Pre-Deployment Validation

Catch blockers **before** deploying. These checks apply to all paths.

**Sovereign cloud:** Run `az cloud show --query name -o tsv`. If `AzureUSGovernment` or `AzureChinaCloud`, check whether the templates being used (official or user-provided) handle sovereign cloud endpoints. Official templates hardcode `core.windows.net` and Azure Public AAD endpoints.

**RBAC:** Verify deploying identity has Owner, or Contributor + User Access Administrator.

**Policy:** Run `az deployment group what-if`. Fix any violations before deploying.

**Quota:**

```bash
az cognitiveservices account list-skus --location <region> --kind AIServices -o table
```

**Provider Registrations:** `Microsoft.CognitiveServices`, `Microsoft.DocumentDB`, `Microsoft.Search`, `Microsoft.Network`.

**Feature Flags:** For Managed VNet — verify `AI.ManagedVnetPreview` is registered.

> Do NOT deploy until all pre-flight checks pass.

---

## Step 5 — Deploy & Track

**OFFICIAL / ADAPT path:** Read [references/deploy.md](references/deploy.md) for deployment command, monitoring, and error recovery.

**EXTEND path:** Deploy using the user's existing deployment workflow (their CLI commands, pipeline, or CI/CD). The monitoring and error recovery guidance in [references/deploy.md](references/deploy.md) still applies.

---

## Step 6 — Test & Validate

Read [references/post-deployment-validation.md](references/post-deployment-validation.md). These checks apply to all paths — PE verification, RBAC audit, `publicNetworkAccess` audit, and end-to-end agent test work regardless of how the infrastructure was deployed.

If any test fails, run `microsoft_docs_search` for the error before attempting remediation.

---

## Error Handling

> ⚠️ **Critical retry rule:** If a deployment fails after the capability host step starts, the agent subnet gets a `legionservicelink` that cannot be removed. On retry, always use a **new VNet name** — never reuse the same agent subnet. See [references/deploy.md](references/deploy.md).

For all other errors, check `microsoft_docs_search` for current remediation before acting.
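Review bot: the "Critical retry rule" under Error Handling says to always use a **new VNet name** on retry, while the Retry Safety section added to references/custom-template-adaptation.md in this same PR says "a new subnet or new VNet"; since the page itself says it is the agent subnet that receives the `legionservicelink`, settle on one precise wording ("a new agent subnet, or a new VNet") and reuse it in both files. In Step 4, the RBAC check ("Owner, or Contributor + User Access Administrator") should name the scope it is evaluated at; Owner at subscription scope is far more than a resource-group deployment needs, so suggest phrasing it as resource-group scope and stating that User Access Administrator is required only if the templates create role assignments. Also in Step 4, Quota gets a concrete `az` command while Provider Registrations and Feature Flags do not; `az provider show -n Microsoft.CognitiveServices --query registrationState -o tsv` and `az feature show --namespace <provider namespace> --name AI.ManagedVnetPreview --query properties.state -o tsv` (namespace to be confirmed from Learn per Step 0) would make those checks as actionable as the quota one. Heading hierarchy: Step 0 sits above "End-to-End Deployment Workflow" and Steps 1–6 are `##` siblings of that heading rather than children; either demote the steps to `###` or drop the workflow heading.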
@@ -0,0 +1,26 @@
# Custom Template Adaptation

For the EXTEND path — when the user has existing Bicep or Terraform templates.

## Instructions

1. **Read** the user's existing template files. Understand the resource graph: what's defined, how resources reference each other, what naming conventions are used.

2. **Analyze** the template against the user's requirements (from [intake.md](intake.md)) and the Foundry private networking documentation validated in the intake step. Identify:
- Resources already present and correctly configured
- Resources present but misconfigured (wrong settings, missing properties)
- Resources missing entirely
- Dependency or wiring issues (e.g., PEs referencing wrong subnet, DNS zones not linked)

3. **Present** findings to the user as a gap analysis table: resource, status (✅ present / ⚠️ misconfigured / ❌ missing), and what needs to change. Include any issues found.

4. **Propose** an end-to-end plan to address all gaps — ordered by dependency. Explain what will be added, what will be modified, and why. Never overwrite existing modules — add alongside and reference existing resources.

5. **Wait** for user approval before making any changes.

6. **Implement** the approved changes. After implementation, the flow continues to Step 4 (Pre-Deployment Validation) in the main workflow.

## Retry Safety

> ⚠️ If a deployment fails after the capability host step starts, Azure Container Apps leaves a `legionservicelink` service association on the agent subnet that **cannot be removed**. On retry, use a **new subnet or new VNet** — never reuse the same agent subnet.

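Review bot: the Retry Safety note here ("use a new subnet or new VNet") is looser than the main skill's Error Handling rule ("always use a new VNet name — never reuse the same agent subnet"); align the two so an agent following this reference does not retry into a fresh VNet that reuses the same subnet definition, or vice versa. In step 2, the "misconfigured" category lists generic "wrong settings, missing properties" but not the network-exposure properties the main workflow only audits after deployment in Step 6 (`publicNetworkAccess`, RBAC assignments); naming them explicitly in that bullet, alongside the PE-to-subnet and DNS-link checks already listed under wiring issues, catches them at analysis time instead of post-deployment. Step 6 hands off to "Step 4 (Pre-Deployment Validation) in the main workflow", which matches the numbering in private-network.md today; a relative link to that file would keep the cross-reference valid if the steps are renumbered.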