This new azd extension makes it easy to use the GitHub Copilot coding agent with Azure

Want Copilot to help you build apps in the cloud? This tool does all the boring setup work for you. Instead of spending hours figuring out permissions and security, you can get Copilot coding agent connected to your cloud resources in minutes. Whether you’re just learning or building something big, this makes it simple.

One of the most critical aspects of working with cloud infrastructure is ensuring secure access to resources. In today’s era of agent-driven coding, it’s essential that tools like the GitHub Copilot coding agent are safely connected to your cloud environment. The GitHub Copilot coding agent can now achieve this through the Azure MCP server, and the Azure Developer CLI (azd) azure.coding-agent extension makes it straightforward to configure secure MCP access for the agent to Azure resources.

In this post, we’re going to show you how to use the new azd extension (azure.coding-agent) to simplify the task of configuring the MCP secure access for the GitHub Copilot coding agents to Azure resources.

What is the azd coding agent extension?

The azure.coding-agent extension helps developers set up their GitHub repositories so the GitHub Copilot coding agent can securely access Azure resources using the Azure MCP Server. It simplifies the configuration of repository settings and automates the creation of the necessary managed identity and federated credentials on Azure.

Using the coding agent

Imagine a development team building a web application that uses Azure services such as App Service, Key Vault, and Cosmos DB to host and manage their application. The team wants to assign issues to the GitHub Copilot coding agent to provide AI-assisted coding that’s aware of their Azure resources so it can suggest and even update infrastructure-related code. But manual setup is tedious: creating managed identities, assigning roles, and updating GitHub repository settings. azd‘s azure.coding-agent extension automates this setup, letting developers focus on building their applications while ensuring secure access to Azure resources.

Key features

• Automated Managed Identity Creation: creates user-assigned managed identities with configurable RBAC roles (Role-Based Access Control, default: Reader role).
• Federated Credential Configuration: sets up OpenID Connect federated credentials for secure, passwordless authentication from GitHub.
• GitHub Environment Setup: automatically configures the GitHub Copilot coding agent environment with the necessary Azure credentials.
• MCP Server Integration: provides ready-to-use Model Context Protocol (MCP) configuration for Azure resource access.
• Workflow Automation: generates copilot-setup-steps.yml workflow file and creates pull requests with setup instructions.

Getting started

Prerequisites

Before using the extension, ensure you have:

• Azure Developer CLI (azd) installed and authenticated (azd auth login)
• An Azure subscription with permissions to create resource groups and managed identities
  • Sign up for a free account at https://azure.com/free if you don’t have one
• A local clone of a GitHub repository where you have permissions to:
  • Update the copilot GitHub environment
  • Update Copilot coding agent settings
  • Push changes to the .github/workflows folder
• GitHub CLI (gh) installed and authenticated (gh auth login)

Installation

Install the azure.coding-agent extension for azd:

azd extension install azure.coding-agent

Or upgrade:

azd extension upgrade azure.coding-agent

Configuring your repository

Navigate to your local GitHub repository clone and run the configuration command:

cd <your-github-repository>
azd coding-agent config

The extension guides you through an interactive setup process:

1. Azure Authentication: verify your Azure login and select a subscription
2. Repository Selection: choose the GitHub repository remote for the coding agent
3. Managed Identity: create a new user-assigned managed identity or select an existing one
4. Resource Group: create a new resource group or use an existing one
5. Role Assignment: configure RBAC roles (defaults to Reader, fully configurable)
6. Git Operations: create a branch and push the necessary workflow files
7. MCP Server: copy MCP JSON output to GitHub Copilot coding agent settings

How it works: technical deep dive

The extension automates a multi-step process that would otherwise require manual configuration across Azure and GitHub:

1. Azure Managed Identity setup

The extension creates or selects a user-assigned managed identity in your Azure subscription:

# Starts interactive configuration
azd coding-agent config

Alternatively, you can skip the interactive mode and pass all of the arguements in one command:

# Default managed identity name: mi-copilot-coding-agent
# Configurable via --managed-identity-name flag
azd coding-agent config --managed-identity-name "my-custom-identity"

New managed identities are configured with:

• Resource Group Scope: the identity is created in a resource group you specify or create
• Role Assignments: configurable RBAC roles that default to the Reader role on the resource group or you can use the --roles flag to assign additional roles like Contributor, Storage Blob Data Reader, etc.

2. Federated credential configuration

The extension automatically sets up OpenID Connect federated credentials that allow GitHub Actions to authenticate as the managed identity without storing secrets. This configuration is created and stored in the Azure portal under your managed identity’s “Federated credentials” section.

Navigate to Azure portal → Resource Groups → [Your Resource Group] → [Your Managed Identity] → Federated credentials. You see the federated credential entry with the name pattern shown, automatically created by the azd extension.

{
  "name": "repo-owner-repo-name-copilot-env",
  "subject": "repo:owner/repository:environment:copilot",
  "issuer": "https://token.actions.githubusercontent.com",
  "audience": "api://AzureADTokenExchange"
}

3. GitHub environment variables

The extension configures the copilot GitHub environment with the necessary Azure credentials:

• AZURE_CLIENT_ID: the managed identity’s client ID
• AZURE_TENANT_ID: your Azure tenant ID
• AZURE_SUBSCRIPTION_ID: your Azure subscription ID

4. Workflow file generation

The extension creates .github/workflows/copilot-setup-steps.yml that sets up the coding agent environment:

name: Setup Copilot Environment
on:
  workflow_dispatch:

jobs:
  setup:
    runs-on: ubuntu-latest
    environment: copilot
    steps:
      - name: Azure Login
        uses: azure/login@v1
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Verify Azure Access
        run: az account show

5. MCP server configuration

The extension provides the MCP configuration JSON that enables Azure resource access.

Important: You must manually add this configuration to your GitHub Copilot coding agent settings for the Azure integration to work:

{
  "servers": {
    "azure-mcp": {
      "type": "stdio",
      "command": "npx",
      "args": ["-y", "@azure/mcp-server-azure"]
    }
  }
}

How to apply this configuration: Copy the JSON here and paste it into your Copilot coding agent’s MCP server configuration. For detailed steps on configuring the Azure MCP server for the Copilot coding agent, see the official documentation.

Advanced configuration options

Custom role assignments

By default, the managed identity is assigned the Reader role. You can configure additional roles:

azd coding-agent config --roles "Contributor,Storage Blob Data Reader,Key Vault Secrets User"

Custom branch and remote configuration

Control the git workflow with custom options:

azd coding-agent config \
  --branch-name "enable-copilot-azure-access" \
  --remote-name "origin" \
  --github-host-name "github.enterprise.com"

Using existing Managed Identities

The extension can work with existing managed identities:

azd coding-agent config --managed-identity-name "existing-identity-name"

Security and recommended practices

The extension implements several security recommended practices:

Least privilege access

• Default Reader role minimizes permissions
• Resource group-scoped access limits exposure
• Configurable role assignments for specific use cases

Passwordless authentication

• Uses OpenID Connect federated credentials
• No secrets stored in GitHub
• Automatic token refresh through Azure identity platform

Audit and compliance

• All Azure resource access is logged through Azure Activity Log
• Managed identity usage is tracked and auditable
• Integration with Azure Policy for governance
• Copilot coding agent can’t be invoked by anyone without write access to the repository

What this enables: real-world scenarios

Once configured, GitHub Copilot coding agents can seamlessly interact with Azure resources through the MCP server. Here are some practical examples:

Azure resource management

Copilot can now help you:

• Query Azure resource properties: “Show me the configuration of my App Service”
• Monitor resource health: “Check the status of my Azure SQL database”
• Retrieve deployment information: “List all resources in my production resource group”

Infrastructure as code assistance

With Azure access configured, Copilot can:

• Generate Bicep or ARM templates based on existing resources
• Suggest infrastructure improvements based on current configurations
• Help troubleshoot deployment issues by examining resource states

Cost and governance insights

Copilot can provide intelligent insights about:

• Resource cost optimization opportunities
• Compliance with Azure Policy
• Security recommendations based on current configurations

Troubleshooting common issues

The extension includes comprehensive error handling. Here are some common scenarios:

Managed Identity permissions

If Copilot reports access issues:

1. Check the managed identity roles in the Azure portal
2. Verify the resource group scope matches your needs
3. Consider expanding roles using --roles flag during reconfiguration

GitHub environment configuration

If authentication fails:

1. Verify the copilot environment exists in your GitHub repository
2. Check that the environment variables are properly set
3. Ensure the federated credential subject matches your repository

Workflow file issues

The generated copilot-setup-steps.yml must be merged to the main branch to take effect. The extension creates a pull request with detailed instructions for this final step.

Current status and roadmap

The azure.coding-agent extension is currently at version 0.5.1. Recent improvements include:

• Enhanced error messages and user experience improvements
• Removal of the requirement for an existing azd project
• Better handling of git remotes and repository configuration
• Resource group-scoped role assignments for improved security

Future enhancements being considered:

If you have ideas or need specific features, please open an issue or go to these issues and upvote them:

• Support for additional Azure services and MCP servers
• Integration with Azure DevOps repositories
• Enhanced role assignment templates for common scenarios
• Support for custom MCP server configurations

Getting involved

The extension is part of the Azure Developer CLI (azd) open source project. You can:

• Report issues and suggest features on the Azure Developer CLI GitHub repository
• Review the extension source code in the cli/azd/extensions/azure.coding-agent directory
• Contribute improvements through pull requests and community discussions
• Share your experiences and use cases with the developer community

Wrapping up: What this means for you

The azure.coding-agent extension transforms a tedious manual setup process into a guided experience. Instead of manually juggling security credentials, permission settings, and configuration files across multiple services, developers can now connect the GitHub Copilot coding agent to their Azure resources with just a few commands.

The result is a direct path from “I want Copilot to help me with Azure” to “Copilot is successfully helping me build and manage my cloud applications” in minutes, not hours. This setup makes AI-powered cloud development accessible whether you’re just getting started with Azure or managing enterprise-scale applications.

Whether you’re exploring Azure for the first time or managing complex enterprise workloads, the azure.coding-agent extension provides the security and convenience for AI-enhanced Azure development.

Install the Azure MCP Server today and experience the future of AI-powered cloud development!

Additional resources

• GitHub Copilot Documentation
• Model Context Protocol Specification
• Azure Managed Identity Documentation
• Azure Developer CLI Extensions Repository

New to azd?

Welcome! The Azure Developer CLI (azd) is a developer-centric command-line interface (CLI) tool that accelerates provisioning and deploying app resources on Azure.

You can use azd from:

• Your terminal of choice on Windows, Linux, or macOS.
• Visual Studio Code or GitHub Codespaces by downloading the extension from the Marketplace, or installing it directly from the extension view (Ctrl + Shift + X for Windows or Cmd + Shift + X for macOS) in Visual Studio Code.
• Visual Studio by enabling the preview feature flag.

Learn more about the Azure Developer CLI from our official documentation. If you run into any problems or have suggestions, file an issue or start a discussion in the Azure Developer CLI repository. You can also reference our troubleshooting documentation.

Happy coding!