During the prompt-agent quickstart video, cloud eval graders failed with PermissionDenied / AuthenticationError: Principal does not have access until the caller had Cognitive Services OpenAI User on the backing AI Services account/resource group.
Today the tutorial and �gentops-eval skill document/preflight this, and v0.3.6 makes the CLI warning clearer when propagation causes partial grader execution errors. Doctor should also detect the missing data-plane RBAC before an eval run.
Suggested scope:
- Resolve the backing AI Services account from AZURE_AI_FOUNDRY_PROJECT_ENDPOINT / project_endpoint using the existing Azure resource discovery patterns.
- Check whether the signed-in principal has Cognitive Services OpenAI User (or another role with the required OpenAI data action) at account or resource-group scope.
- Emit a Doctor finding with a concrete �z role assignment create remediation.
- Keep Doctor read-only; do not mutate RBAC.
- Mock Azure SDK/CLI interactions in tests.
During the prompt-agent quickstart video, cloud eval graders failed with PermissionDenied / AuthenticationError: Principal does not have access until the caller had Cognitive Services OpenAI User on the backing AI Services account/resource group.
Today the tutorial and �gentops-eval skill document/preflight this, and v0.3.6 makes the CLI warning clearer when propagation causes partial grader execution errors. Doctor should also detect the missing data-plane RBAC before an eval run.
Suggested scope: