{"id":3518,"date":"2025-10-30T11:29:56","date_gmt":"2025-10-30T18:29:56","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azure-sdk\/?p=3518"},"modified":"2025-11-14T14:10:16","modified_gmt":"2025-11-14T22:10:16","slug":"azure-developer-cli-copilot-coding-agent-config","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azure-sdk\/azure-developer-cli-copilot-coding-agent-config\/","title":{"rendered":"Introducing the azd extension to configure GitHub Copilot coding agent integration with Azure"},"content":{"rendered":"<h1>This new <code>azd<\/code> extension makes it easy to use the GitHub Copilot coding agent with Azure<\/h1>\n<p>Want Copilot to help you build apps in the cloud? This tool does all the boring setup work for you. Instead of spending hours figuring out permissions and security, you can get Copilot coding agent connected to your cloud resources in minutes. Whether you&#8217;re just learning or building something big, this makes it simple.<\/p>\n<p>One of the most critical aspects of working with cloud infrastructure is ensuring secure access to resources. In today\u2019s era of agent-driven coding, it\u2019s essential that tools like the <a href=\"https:\/\/docs.github.com\/copilot\/concepts\/agents\/coding-agent\/about-coding-agent\">GitHub Copilot coding agent<\/a> are safely connected to your cloud environment. 
The GitHub Copilot coding agent can now achieve this through the <a href=\"http:\/\/aka.ms\/azmcp\/announcement\/ga\">Azure MCP server<\/a>, and the Azure Developer CLI (azd) <code>azure.coding-agent<\/code> extension makes it straightforward to configure secure MCP access for the agent to Azure resources.<\/p>\n<p>In this post, we&#8217;re going to show you how to use the <a href=\"https:\/\/learn.microsoft.com\/azure\/developer\/azure-developer-cli\/extensions\/copilot-coding-agent-extension\">new <code>azd<\/code> extension (<code>azure.coding-agent<\/code>)<\/a> to simplify configuring secure MCP access to Azure resources for the GitHub Copilot coding agent.<\/p>\n<h2>What is the <code>azd<\/code> coding agent extension?<\/h2>\n<p>The <code>azure.coding-agent<\/code> extension helps developers set up their GitHub repositories so the GitHub Copilot coding agent can securely access Azure resources using the Azure MCP Server. It simplifies the configuration of repository settings and automates the creation of the necessary managed identity and federated credentials on Azure.<\/p>\n<h2>Using the coding agent<\/h2>\n<p>Imagine a development team building a web application that uses Azure services such as App Service, Key Vault, and Cosmos DB to host and manage their application. The team wants to assign issues to the GitHub Copilot coding agent to provide AI-assisted coding that\u2019s aware of their Azure resources so it can suggest and even update infrastructure-related code. But manual setup is tedious: creating managed identities, assigning roles, and updating GitHub repository settings. 
<code>azd<\/code>&#8216;s <code>azure.coding-agent<\/code> extension automates this setup, letting developers focus on building their applications while ensuring secure access to Azure resources.<\/p>\n<h3>Key features<\/h3>\n<ul>\n<li><strong>Automated Managed Identity Creation<\/strong>: creates user-assigned managed identities with configurable RBAC roles (Role-Based Access Control, default: Reader role).<\/li>\n<li><strong>Federated Credential Configuration<\/strong>: sets up OpenID Connect federated credentials for secure, passwordless authentication from GitHub.<\/li>\n<li><strong>GitHub Environment Setup<\/strong>: automatically configures the GitHub Copilot coding agent environment with the necessary Azure credentials.<\/li>\n<li><strong>MCP Server Integration<\/strong>: provides ready-to-use Model Context Protocol (MCP) configuration for Azure resource access.<\/li>\n<li><strong>Workflow Automation<\/strong>: generates <code>copilot-setup-steps.yml<\/code> workflow file and creates pull requests with setup instructions.<\/li>\n<\/ul>\n<h2>Getting started<\/h2>\n<h3>Prerequisites<\/h3>\n<p>Before using the extension, ensure you have:<\/p>\n<ul>\n<li>Azure Developer CLI (<code>azd<\/code>) <a href=\"https:\/\/learn.microsoft.com\/azure\/developer\/azure-developer-cli\/install-azd\">installed<\/a> and authenticated (<code>azd auth login<\/code>)<\/li>\n<li>An Azure subscription with permissions to create resource groups and managed identities\n<ul>\n<li>Sign up for a free account at <a href=\"https:\/\/azure.com\/free\">https:\/\/azure.com\/free<\/a> if you don&#8217;t have one<\/li>\n<\/ul>\n<\/li>\n<li>A local clone of a GitHub repository where you have permissions to:\n<ul>\n<li>Update the <code>copilot<\/code> GitHub environment<\/li>\n<li>Update Copilot coding agent settings<\/li>\n<li>Push changes to the <code>.github\/workflows<\/code> folder<\/li>\n<\/ul>\n<\/li>\n<li>GitHub CLI (<code>gh<\/code>) <a href=\"https:\/\/cli.github.com\/\">installed<\/a> 
and authenticated (<code>gh auth login<\/code>)<\/li>\n<\/ul>\n<h3>Installation<\/h3>\n<p>Install the <code>azure.coding-agent<\/code> <a href=\"https:\/\/learn.microsoft.com\/azure\/developer\/azure-developer-cli\/extensions\/overview\">extension for <code>azd<\/code><\/a>:<\/p>\n<pre><code class=\"language-bash\">azd extension install azure.coding-agent<\/code><\/pre>\n<p>Or upgrade:<\/p>\n<pre><code class=\"language-bash\">azd extension upgrade azure.coding-agent<\/code><\/pre>\n<h3>Configuring your repository<\/h3>\n<p>Navigate to your local GitHub repository clone and run the configuration command:<\/p>\n<pre><code class=\"language-bash\">cd &lt;your-github-repository&gt;\nazd coding-agent config<\/code><\/pre>\n<p>The extension guides you through an interactive setup process:<\/p>\n<ol>\n<li><strong>Azure Authentication<\/strong>: verify your Azure login and select a subscription<\/li>\n<li><strong>Repository Selection<\/strong>: choose the GitHub repository remote for the coding agent<\/li>\n<li><strong>Managed Identity<\/strong>: create a new user-assigned managed identity or select an existing one<\/li>\n<li><strong>Resource Group<\/strong>: create a new resource group or use an existing one<\/li>\n<li><strong>Role Assignment<\/strong>: configure RBAC roles (defaults to Reader, fully configurable)<\/li>\n<li><strong>Git Operations<\/strong>: create a branch and push the necessary workflow files<\/li>\n<li><strong>MCP Server<\/strong>: copy MCP JSON output to GitHub Copilot coding agent settings<\/li>\n<\/ol>\n<h2>How it works: technical deep dive<\/h2>\n<p>The extension automates a multi-step process that would otherwise require manual configuration across Azure and GitHub:<\/p>\n<h3>1. 
Azure Managed Identity setup<\/h3>\n<p>The extension creates or selects a user-assigned managed identity in your Azure subscription:<\/p>\n<pre><code class=\"language-bash\"># Starts interactive configuration\nazd coding-agent config<\/code><\/pre>\n<p>Alternatively, you can skip the interactive mode and pass all of the arguments in one command:<\/p>\n<pre><code class=\"language-bash\"># Default managed identity name: mi-copilot-coding-agent\n# Configurable via --managed-identity-name flag\nazd coding-agent config --managed-identity-name \"my-custom-identity\"<\/code><\/pre>\n<p>New managed identities are configured with:<\/p>\n<ul>\n<li><strong>Resource Group Scope<\/strong>: the identity is created in a resource group you specify or create<\/li>\n<li><strong>Role Assignments<\/strong>: configurable RBAC roles that default to the Reader role on the resource group; use the <code>--roles<\/code> flag to assign <a href=\"https:\/\/learn.microsoft.com\/azure\/role-based-access-control\/built-in-roles\">additional roles<\/a> such as Contributor or Storage Blob Data Reader.<\/li>\n<\/ul>\n<h3>2. Federated credential configuration<\/h3>\n<p>The extension automatically sets up OpenID Connect federated credentials that allow GitHub Actions to authenticate as the managed identity without storing secrets. This configuration is created and stored in the Azure portal under your managed identity&#8217;s &#8220;Federated credentials&#8221; section.<\/p>\n<p>Navigate to Azure portal \u2192 Resource Groups \u2192 [Your Resource Group] \u2192 [Your Managed Identity] \u2192 Federated credentials. 
You see the federated credential entry with the name pattern shown, automatically created by the <code>azd<\/code> extension.<\/p>\n<pre><code class=\"language-json\">{\n  \"name\": \"repo-owner-repo-name-copilot-env\",\n  \"subject\": \"repo:owner\/repository:environment:copilot\",\n  \"issuer\": \"https:\/\/token.actions.githubusercontent.com\",\n  \"audience\": \"api:\/\/AzureADTokenExchange\"\n}<\/code><\/pre>\n<h3>3. GitHub environment variables<\/h3>\n<p>The extension configures the <code>copilot<\/code> GitHub environment with the necessary Azure credentials:<\/p>\n<ul>\n<li><code>AZURE_CLIENT_ID<\/code>: the managed identity&#8217;s client ID<\/li>\n<li><code>AZURE_TENANT_ID<\/code>: your Azure tenant ID<\/li>\n<li><code>AZURE_SUBSCRIPTION_ID<\/code>: your Azure subscription ID<\/li>\n<\/ul>\n<h3>4. Workflow file generation<\/h3>\n<p>The extension creates <code>.github\/workflows\/copilot-setup-steps.yml<\/code> that sets up the coding agent environment:<\/p>\n<pre><code class=\"language-yaml\">name: Setup Copilot Environment\non:\n  workflow_dispatch:\n\njobs:\n  setup:\n    runs-on: ubuntu-latest\n    environment: copilot\n    steps:\n      - name: Azure Login\n        uses: azure\/login@v1\n        with:\n          client-id: ${{ vars.AZURE_CLIENT_ID }}\n          tenant-id: ${{ vars.AZURE_TENANT_ID }}\n          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}\n\n      - name: Verify Azure Access\n        run: az account show<\/code><\/pre>\n<h3>5. MCP server configuration<\/h3>\n<p>The extension provides the MCP configuration JSON that enables Azure resource access. 
<\/p>\n<p><strong>Important<\/strong>: You must manually add this configuration to your GitHub Copilot coding agent settings for the Azure integration to work:<\/p>\n<pre><code class=\"language-json\">{\n    \"mcpServers\": {\n        \"Azure\": {\n            \"type\": \"local\",\n            \"command\": \"npx\",\n            \"args\": [\n                \"-y\",\n                \"@azure\/mcp@latest\",\n                \"server\",\n                \"start\"\n            ],\n            \"tools\": [\n                \"*\"\n            ]\n        }\n    }\n}<\/code><\/pre>\n<p><strong>How to apply this configuration<\/strong>: Copy the JSON here and paste it into your Copilot coding agent&#8217;s MCP server configuration. For detailed steps on configuring the Azure MCP server for the Copilot coding agent, see the <a href=\"https:\/\/learn.microsoft.com\/azure\/developer\/azure-developer-cli\/extensions\/copilot-coding-agent-extension#configure-azure-mcp-server-for-the-copilot-coding-agent\">official documentation<\/a>.<\/p>\n<h2>Advanced configuration options<\/h2>\n<h3>Custom role assignments<\/h3>\n<p>By default, the managed identity is assigned the Reader role. 
You can configure additional roles:<\/p>\n<pre><code class=\"language-bash\">azd coding-agent config --roles \"Contributor,Storage Blob Data Reader,Key Vault Secrets User\"<\/code><\/pre>\n<h3>Custom branch and remote configuration<\/h3>\n<p>Control the git workflow with custom options:<\/p>\n<pre><code class=\"language-bash\">azd coding-agent config \\\n  --branch-name \"enable-copilot-azure-access\" \\\n  --remote-name \"origin\" \\\n  --github-host-name \"github.enterprise.com\"<\/code><\/pre>\n<h3>Using existing Managed Identities<\/h3>\n<p>The extension can work with existing managed identities:<\/p>\n<pre><code class=\"language-bash\">azd coding-agent config --managed-identity-name \"existing-identity-name\"<\/code><\/pre>\n<h2>Security and recommended practices<\/h2>\n<p>The extension implements several recommended security practices:<\/p>\n<h3>Least privilege access<\/h3>\n<ul>\n<li>Default Reader role minimizes permissions<\/li>\n<li>Resource group-scoped access limits exposure<\/li>\n<li>Configurable role assignments for specific use cases<\/li>\n<\/ul>\n<h3>Passwordless authentication<\/h3>\n<ul>\n<li>Uses OpenID Connect federated credentials<\/li>\n<li>No secrets stored in GitHub<\/li>\n<li>Automatic token refresh through Azure identity platform<\/li>\n<\/ul>\n<h3>Audit and compliance<\/h3>\n<ul>\n<li>All Azure resource access is logged through Azure Activity Log<\/li>\n<li>Managed identity usage is tracked and auditable<\/li>\n<li>Integration with Azure Policy for governance<\/li>\n<li>Copilot coding agent can&#8217;t be invoked by anyone <a href=\"https:\/\/docs.github.com\/copilot\/concepts\/agents\/coding-agent\/about-coding-agent#built-in-security-protections\">without write access<\/a> to the repository<\/li>\n<\/ul>\n<h2>What this enables: real-world scenarios<\/h2>\n<p>Once configured, GitHub Copilot coding agents can seamlessly interact with Azure resources through the MCP server. 
Here are some practical examples:<\/p>\n<h3>Azure resource management<\/h3>\n<p>Copilot can now help you:<\/p>\n<ul>\n<li>Query Azure resource properties: &#8220;Show me the configuration of my App Service&#8221;<\/li>\n<li>Monitor resource health: &#8220;Check the status of my Azure SQL database&#8221;<\/li>\n<li>Retrieve deployment information: &#8220;List all resources in my production resource group&#8221;<\/li>\n<\/ul>\n<h3>Infrastructure as code assistance<\/h3>\n<p>With Azure access configured, Copilot can:<\/p>\n<ul>\n<li>Generate Bicep or ARM templates based on existing resources<\/li>\n<li>Suggest infrastructure improvements based on current configurations<\/li>\n<li>Help troubleshoot deployment issues by examining resource states<\/li>\n<\/ul>\n<h3>Cost and governance insights<\/h3>\n<p>Copilot can provide intelligent insights about:<\/p>\n<ul>\n<li>Resource cost optimization opportunities<\/li>\n<li>Compliance with Azure Policy<\/li>\n<li>Security recommendations based on current configurations<\/li>\n<\/ul>\n<h2>Troubleshooting common issues<\/h2>\n<p>The extension includes comprehensive error handling. Here are some common scenarios:<\/p>\n<h3>Managed Identity permissions<\/h3>\n<p>If Copilot reports access issues:<\/p>\n<ol>\n<li>Check the managed identity roles in the Azure portal<\/li>\n<li>Verify the resource group scope matches your needs<\/li>\n<li>Consider expanding roles using <code>--roles<\/code> flag during reconfiguration<\/li>\n<\/ol>\n<h3>GitHub environment configuration<\/h3>\n<p>If authentication fails:<\/p>\n<ol>\n<li>Verify the <code>copilot<\/code> environment exists in your GitHub repository<\/li>\n<li>Check that the environment variables are properly set<\/li>\n<li>Ensure the federated credential subject matches your repository<\/li>\n<\/ol>\n<h3>Workflow file issues<\/h3>\n<p>The generated <code>copilot-setup-steps.yml<\/code> must be merged to the main branch to take effect. 
The extension creates a pull request with detailed instructions for this final step.<\/p>\n<h2>Current status and roadmap<\/h2>\n<p>The <code>azure.coding-agent<\/code> extension is currently at version <a href=\"https:\/\/github.com\/Azure\/azure-dev\/blob\/ec6ba2a0cddceb91dd173bea7028b5f555c68dbe\/cli\/azd\/extensions\/registry.json#L517\">0.5.1<\/a>. Recent improvements include:<\/p>\n<ul>\n<li>Enhanced error messages and user experience improvements<\/li>\n<li>Removal of the requirement for an existing <code>azd<\/code> project<\/li>\n<li>Better handling of git remotes and repository configuration<\/li>\n<li>Resource group-scoped role assignments for improved security<\/li>\n<\/ul>\n<p>Future enhancements being considered:<\/p>\n<p>If you have ideas or need specific features, please <a href=\"https:\/\/github.com\/Azure\/azure-dev\/issues\/new\">open an issue<\/a> or go to these issues and upvote them:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/Azure\/azure-dev\/issues\/6038\">Support for additional Azure services and MCP servers<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/azure-dev\/issues\/6039\">Integration with Azure DevOps repositories<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/azure-dev\/issues\/6040\">Enhanced role assignment templates for common scenarios<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/azure-dev\/issues\/6041\">Support for custom MCP server configurations<\/a><\/li>\n<\/ul>\n<h2>Getting involved<\/h2>\n<p>The extension is part of the Azure Developer CLI (<code>azd<\/code>) open source project. 
You can:<\/p>\n<ul>\n<li><strong>Report issues and suggest features<\/strong> on the <a href=\"https:\/\/github.com\/Azure\/azure-dev\">Azure Developer CLI GitHub repository<\/a><\/li>\n<li><strong>Review the extension source code<\/strong> in <a href=\"https:\/\/github.com\/Azure\/azure-dev\/tree\/main\/cli\/azd\/extensions\/azure.coding-agent\">the <code>cli\/azd\/extensions\/azure.coding-agent<\/code> directory<\/a><\/li>\n<li><strong>Contribute improvements<\/strong> through pull requests and community discussions<\/li>\n<li><strong>Share your experiences<\/strong> and use cases with the developer community<\/li>\n<\/ul>\n<h2>Wrapping up: What this means for you<\/h2>\n<p>The <code>azure.coding-agent<\/code> extension transforms a tedious manual setup process into a guided experience. Instead of manually juggling security credentials, permission settings, and configuration files across multiple services, developers can now connect the GitHub Copilot coding agent to their Azure resources with just a few commands.<\/p>\n<p>The result is a direct path from &#8220;I want Copilot to help me with Azure&#8221; to &#8220;Copilot is successfully helping me build and manage my cloud applications&#8221; in minutes, not hours. 
This setup makes AI-powered cloud development accessible whether you&#8217;re just getting started with Azure or managing enterprise-scale applications.<\/p>\n<p>Whether you&#8217;re exploring Azure for the first time or managing complex enterprise workloads, the <code>azure.coding-agent<\/code> extension provides the security and convenience for AI-enhanced Azure development.<\/p>\n<p><a href=\"https:\/\/github.com\/microsoft\/mcp\/tree\/main\/servers\/Azure.Mcp.Server\">Install the Azure MCP Server<\/a> today and experience the future of AI-powered cloud development!<\/p>\n<h2>Additional resources<\/h2>\n<ul>\n<li><a href=\"https:\/\/docs.github.com\/copilot\">GitHub Copilot Documentation<\/a><\/li>\n<li><a href=\"https:\/\/spec.modelcontextprotocol.io\/\">Model Context Protocol Specification<\/a><\/li>\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/managed-identities-azure-resources\/\">Azure Managed Identity Documentation<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/Azure\/azure-dev\">Azure Developer CLI Extensions Repository<\/a><\/li>\n<\/ul>\n<h2>New to <code>azd<\/code>?<\/h2>\n<p>Welcome! 
The Azure Developer CLI (<code>azd<\/code>) is a developer-centric command-line interface (CLI) tool that accelerates provisioning and deploying app resources on Azure.<\/p>\n<p>You can use azd from:<\/p>\n<ul>\n<li>Your terminal of choice on Windows, Linux, or macOS.<\/li>\n<li>Visual Studio Code or GitHub Codespaces by <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=ms-azuretools.azure-dev\">downloading the extension<\/a> from the Marketplace, or installing it directly from the extension view (<code>Ctrl<\/code> + <code>Shift<\/code> + <code>X<\/code> for Windows or <code>Cmd<\/code> + <code>Shift<\/code> + <code>X<\/code> for macOS) in Visual Studio Code.<\/li>\n<li>Visual Studio by <a href=\"https:\/\/devblogs.microsoft.com\/azure-sdk\/introducing-the-azure-developer-cli-a-faster-way-to-build-apps-for-the-cloud\/#visual-studio\">enabling the preview feature flag<\/a>.<\/li>\n<\/ul>\n<p>Learn more about the Azure Developer CLI from our <a href=\"https:\/\/aka.ms\/azd\">official documentation<\/a>. If you run into any problems or have suggestions, file an issue or start a discussion in the <a href=\"https:\/\/github.com\/Azure\/azure-dev\">Azure Developer CLI repository<\/a>. 
You can also reference our <a href=\"https:\/\/aka.ms\/azd-troubleshoot\">troubleshooting documentation<\/a>.<\/p>\n<p>Happy coding!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This post shares how to set up the GitHub Copilot coding agent integration with Azure resources and services by using the Azure Developer CLI (`azd`) extension.<\/p>\n","protected":false},"author":107449,"featured_media":3519,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[701,864,878,954,939,160,159,861,162,733,895],"class_list":["post-3518","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-sdk","tag-net","tag-azure-developer-cli","tag-codespaces","tag-copilot","tag-docker","tag-java","tag-javascript","tag-kubernetes","tag-python","tag-typescript","tag-vscode"],"acf":[],"blog_post_summary":"<p>This post shares how to set up the GitHub Copilot coding agent integration with Azure resources and services by using the Azure Developer CLI (`azd`) 
extension.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/3518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/users\/107449"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/comments?post=3518"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/posts\/3518\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media\/3519"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/media?parent=3518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/categories?post=3518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azure-sdk\/wp-json\/wp\/v2\/tags?post=3518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}