Lab name
Automate evaluations of generative AI applications
What happened?
Summary
While completing Lab 04, I encountered four issues in the authentication setup instructions that caused workflow failures. Each issue is documented below with the exact error, root cause, and suggested fix. All fixes were verified working.
Issue 1: az ad sp create-for-rbac contradicts the OIDC setup that follows
What step on the page were you trying to complete?
Exercise: 04
Task: Automate with GitHub Actions
Step: 1 — Configure Azure authentication
What is the error you have?
No explicit error, but the instructions are contradictory — az ad sp create-for-rbac generates a client secret (password), yet the very next steps configure OIDC federated credentials which do not use a password.
Description of issue, possible causes, and attempted workarounds:
The instructions tell the user to save appId, tenant, and password from az ad sp create-for-rbac. This implies client secret authentication, but the federated credential steps that follow are for OIDC/passwordless authentication. The password is never used and creates confusion about which auth method is being configured.
Fix: Replace with the explicit two-step approach that matches the OIDC flow:
```shell
az ad app create --display-name "github-actions-genaiops"
az ad sp create --id <appId>
```
Remove all references to saving a password.
Issue 2: Wrong role causes PermissionDenied on dataset upload
What step on the page were you trying to complete?
Exercise: 04
Task: Automate with GitHub Actions
Step: 1 — Configure Azure authentication (role assignment)
What is the error you have?
```text
PermissionDenied: The principal lacks the required data action
`Microsoft.CognitiveServices/accounts/AIServices/assets/write`
to perform POST /api/projects/{projectName}/datasets/{name}/versions/{version}/startPendingUpload
```
Description of issue, possible causes, and attempted workarounds:
The instructions assign Azure AI User, but this role does not include the AIServices/assets/write data action required to upload evaluation datasets. The GitHub Actions workflow fails at the dataset upload step.
Additionally, the Troubleshooting section contradicts the main instructions by stating Azure AI Developer alone is not sufficient — in practice, Azure AI Developer scoped to the CognitiveServices account is sufficient for this lab.
Fix: Change the role assignment to Azure AI Developer:
```shell
az role assignment create \
  --assignee "<appId>" \
  --role "Azure AI Developer" \
  --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.CognitiveServices/accounts/<ai-account-name>"
```
Issue 3: No guidance on tenant mismatch causes silent failure
What step on the page were you trying to complete?
Exercise: 04
Task: Automate with GitHub Actions
Step: 3 — Test the workflow manually
What is the error you have?
AADSTS70025: The client has no configured federated identity credentials
or
No subscriptions found for ***
Description of issue, possible causes, and attempted workarounds:
If the user's Azure CLI session is authenticated to a different tenant than the one that owns their subscription (common in enterprise or multi-tenant accounts), the app registration is silently created in the wrong tenant. The federated credentials exist but Azure cannot find them at login time because the app and the subscription live in different tenants.
This scenario is not mentioned anywhere in the lab. The only way to diagnose it is to run az ad app show --id <appId> --query appOwnerOrganizationId and compare the result against the tenant ID of the subscription.
Fix: Add a tenant alignment warning before the app creation step:
⚠️ Important — Tenant alignment
Before creating the app registration, confirm your CLI session is in the same tenant as your subscription:
```shell
az account list --all --output table
az login --tenant <tenant-id>
az account set --subscription <subscription-id>
```
Creating the app in the wrong tenant is the most common cause of AADSTS70025 errors.
Also add a Troubleshooting entry covering diagnosis and the full remediation steps (re-create app, SP, role assignment, and federated credentials in the correct tenant, then update AZURE_TENANT_ID in GitHub secrets).
Issue 4: GitHub Secrets table references wrong source for AZURE_TENANT_ID
What step on the page were you trying to complete?
Exercise: 04
Task: Automate with GitHub Actions
Step: 2 — Configure GitHub Secrets
What is the error you have?
No runtime error, but the table is inaccurate after fixing Issue 1.
Description of issue, possible causes, and attempted workarounds:
The secrets table says AZURE_TENANT_ID comes from the az ad sp create-for-rbac output. Once that command is replaced (Issue 1), the source reference is invalid. Additionally, in a tenant mismatch scenario (Issue 3), using the tenant from create-for-rbac output would populate the wrong value.
Fix: Update the table to:
| Secret | Where to find it |
| --- | --- |
| AZURE_CLIENT_ID | appId from az ad app create output |
| AZURE_TENANT_ID | Run az account show --query tenantId -o tsv while logged into the correct tenant |
Environment
- Azure CLI 2.x
- GitHub Actions azure/login@v2
- Multi-tenant Azure account
- Repository: personal fork of MicrosoftLearning/mslearn-genaiops
Happy to submit a PR with these fixes if the maintainers agree with the approach.
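A preflight script that catches the two silent failures described in Issue 2 (missing Azure AI Developer role) and Issue 3 (app registration in the wrong tenant) before the workflow runs. It is an added example, not part of the lab or of this report; it parses the JSON that `az account show`, `az ad app show --id <appId>` and `az role assignment list --assignee <appId> --all` return, using constructed sample output with placeholder IDs, and the resource names and scope are assumptions.

```python
import json
REQUIRED_ROLE = "Azure AI Developer"  # carries the AIServices/assets/write data action

def check_tenant_alignment(account, app):
    """Issue 3: the app registration must be owned by the subscription's tenant.
    account = `az account show -o json`, app = `az ad app show --id <appId> -o json`."""
    sub_tenant, app_tenant = account["tenantId"], app["appOwnerOrganizationId"]
    if sub_tenant.lower() != app_tenant.lower():
        return (f"app {app['appId']} is registered in tenant {app_tenant} but the subscription "
                f"is in tenant {sub_tenant}; azure/login will fail with AADSTS70025")
    return None

def check_role_assignment(assignments, account_scope):
    """Issue 2: Azure AI Developer must be assigned at or above the AI Services account.
    assignments = `az role assignment list --assignee <appId> --all -o json`."""
    target = account_scope.lower()
    for a in assignments:
        scope = a.get("scope", "").lower()
        # Assignments at subscription or resource-group scope are inherited by the account.
        if a.get("roleDefinitionName") == REQUIRED_ROLE and scope and (
                target == scope or target.startswith(scope + "/")):
            return None
    roles = sorted({a.get("roleDefinitionName", "?") for a in assignments}) or ["none"]
    return (f"no '{REQUIRED_ROLE}' assignment covers {account_scope} "
            f"(roles found: {', '.join(roles)}); dataset upload will return PermissionDenied")

def preflight(account_json, app_json, assignments_json, account_scope):
    """Run both checks on raw `az ... -o json` text; returns findings (empty list = ready)."""
    findings = [
        check_tenant_alignment(json.loads(account_json), json.loads(app_json)),
        check_role_assignment(json.loads(assignments_json), account_scope),
    ]
    return [f for f in findings if f]

# Constructed sample output with placeholder IDs (not real tenants, subscriptions or apps).
SUB, T_OK, T_WRONG = "00000000-0000-0000-0000-000000000001", "aaaa-tenant-0001", "bbbb-tenant-0002"
APP_ID = "11111111-0000-0000-0000-000000000001"
SCOPE = f"/subscriptions/{SUB}/resourceGroups/rg-genaiops/providers/Microsoft.CognitiveServices/accounts/ai-genaiops"
ACCOUNT = json.dumps({"id": SUB, "tenantId": T_OK})
APP_OK = json.dumps({"appId": APP_ID, "appOwnerOrganizationId": T_OK})
APP_WRONG = json.dumps({"appId": APP_ID, "appOwnerOrganizationId": T_WRONG})
ASSIGN_AI_USER = json.dumps([{"roleDefinitionName": "Azure AI User", "scope": SCOPE}])
ASSIGN_DEV_RG = json.dumps([{"roleDefinitionName": REQUIRED_ROLE,
                             "scope": f"/subscriptions/{SUB}/resourceGroups/rg-genaiops"}])

if __name__ == "__main__":
    for finding in preflight(ACCOUNT, APP_WRONG, ASSIGN_AI_USER, SCOPE):
        print("FAIL:", finding)
```

Replace the constructed strings with the output of the three az commands, run while logged into the tenant that owns the subscription, to check a real setup before pushing the workflow.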