
fix: Fix SFI issues and update Foundry Roles naming #856

Open. Ragini-Microsoft wants to merge 10 commits into main from dev.

fix: Fix SFI issues and update Foundry Roles naming#856
Ragini-Microsoft wants to merge 10 commits into
mainfrom
dev

Conversation

@Ragini-Microsoft (Collaborator):

Purpose

This pull request introduces several security and access improvements across the infrastructure and documentation, with a focus on enhancing monitoring, encryption, and clarifying the use of the "Foundry User" role (previously referred to as "Azure AI User"). The most significant updates include improved monitoring for jumpbox VMs, stricter authentication for services, and consistent naming for roles and documentation.

Security and Monitoring Enhancements:

  • Added a Data Collection Rule (DCR) for jumpbox VMs to collect Windows Security Event logs, supporting SFI-AzTBv17 compliance, and associated the DCR with the VM for enhanced monitoring. (infra/main.bicep, infra/main_custom.bicep)
  • Enabled infrastructure encryption for storage accounts and end-to-end encryption for web sites to increase data security. (infra/main.bicep, infra/main_custom.bicep)

Authentication and Access Control:

  • Updated the Azure Search service to use managed identities and disabled local authentication, enforcing stricter access control. (infra/main.bicep, infra/main_custom.bicep)

Role Naming Consistency:

  • Replaced all references to the "Azure AI User" role with "Foundry User" across Bicep modules, scripts, and documentation for clarity and alignment with current terminology. (infra/main.bicep, infra/main_custom.bicep, infra/modules/deploy_foundry_role_assignment.bicep, scripts/local_dev.sh, scripts/local_dev.ps1, docs/LocalDevelopmentSetup.md)

These changes collectively improve the security posture, monitoring capabilities, and maintain consistency in access management across the project.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.
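The jumpbox monitoring change above describes a DCR plus an association. As an added example (not the PR's or the project's own Bicep), this is the minimal set of resources that makes Windows Security Event collection actually work: the Azure Monitor Agent extension, a DCR that reads the Security log, and the association that binds the DCR to the VM. Parameter and resource names, the API versions, the `enableMonitoring` flag and the XPath filter are assumptions; SFI-AzTBv17 is not modelled here.

```bicep
// Added example, not the PR's own code. Names, API versions and the
// enableMonitoring flag are assumptions.
param location string = resourceGroup().location
param enableMonitoring bool = true
param jumpboxVmName string
param logAnalyticsWorkspaceId string

resource jumpbox 'Microsoft.Compute/virtualMachines@2024-03-01' existing = {
  name: jumpboxVmName
}

// A DCR association is inert unless the Azure Monitor Agent runs on the VM.
resource ama 'Microsoft.Compute/virtualMachines/extensions@2024-03-01' = if (enableMonitoring) {
  parent: jumpbox
  name: 'AzureMonitorWindowsAgent'
  location: location
  properties: {
    publisher: 'Microsoft.Azure.Monitor'
    type: 'AzureMonitorWindowsAgent'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
    enableAutomaticUpgrade: true
  }
}

resource securityEventsDcr 'Microsoft.Insights/dataCollectionRules@2023-03-11' = if (enableMonitoring) {
  name: 'dcr-jumpbox-security-events'
  location: location
  kind: 'Windows'
  properties: {
    dataSources: {
      windowsEventLogs: [
        {
          name: 'securityEventLog'
          streams: [
            'Microsoft-SecurityEvent'
          ]
          // Keywords 0x3000000000000 = Audit Success | Audit Failure, i.e. every
          // record the Security log can hold. Narrow the XPath to reduce volume.
          xPathQueries: [
            'Security!*[System[(band(Keywords,13510798882111488))]]'
          ]
        }
      ]
    }
    destinations: {
      logAnalytics: [
        {
          workspaceResourceId: logAnalyticsWorkspaceId
          name: 'law'
        }
      ]
    }
    dataFlows: [
      {
        streams: [
          'Microsoft-SecurityEvent'
        ]
        destinations: [
          'law'
        ]
      }
    ]
  }
}

// Same condition as the DCR, so the reference below never resolves against a
// resource that was skipped at deployment time.
resource dcrAssociation 'Microsoft.Insights/dataCollectionRuleAssociations@2023-03-11' = if (enableMonitoring) {
  name: 'dcra-jumpbox-security-events'
  scope: jumpbox
  properties: {
    dataCollectionRuleId: securityEventsDcr.id
    description: 'Associates the Windows security event DCR with the jumpbox VM.'
  }
  dependsOn: [
    ama
  ]
}
```

Once deployed, records land in the SecurityEvent table of the workspace; a quick check is to sign in to the jumpbox and confirm that logon events (4624/4625) appear within a few minutes. Keeping one condition on all three resources is what avoids a deploy-time failure when monitoring is switched off.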

Copilot AI review requested due to automatic review settings May 21, 2026 07:52
@Ragini-Microsoft Ragini-Microsoft changed the title Fix SFI issues and update Foundry Roles naming fix: Fix SFI issues and update Foundry Roles naming May 21, 2026
Copilot AI (Contributor) left a comment:


Pull request overview

This PR strengthens the solution’s security posture and clarifies access guidance by adding jumpbox security log monitoring, tightening service authentication/encryption settings, and aligning “Foundry User” role naming across infra and developer docs/scripts.

Changes:

  • Add a Data Collection Rule (DCR) to collect Windows Security events from the jumpbox and associate it with the VM when monitoring is enabled.
  • Harden deployed resources by disabling local auth for Azure AI Search, enabling Storage infrastructure encryption, and enabling web app end-to-end encryption.
  • Replace “Azure AI User” wording with “Foundry User” across infra comments, local dev scripts, and local dev documentation.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • scripts/local_dev.sh: Updates local-dev role assignment messaging to “Foundry User”.
  • scripts/local_dev.ps1: Updates local-dev role assignment messaging to “Foundry User”.
  • infra/modules/deploy_foundry_role_assignment.bicep: Updates role naming comments to “Foundry User” while keeping the same role definition ID.
  • infra/main.json: Regenerates the compiled ARM template to reflect new monitoring/encryption/auth settings.
  • infra/main.bicep: Adds jumpbox DCR + association via VM monitoring config; hardens Search/Storage/Web settings; updates role naming comments.
  • infra/main_custom.bicep: Adds jumpbox DCR + explicit association resource; hardens Search/Storage/Web settings; updates role naming comments.
  • docs/LocalDevelopmentSetup.md: Updates troubleshooting guidance and manual role assignment examples to “Foundry User”.

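The review summarises three resource-hardening settings (Search local auth off, Storage infrastructure encryption on, web app end-to-end encryption on) without showing them. As an added example (not the PR's or the project's own Bicep), the block below declares each setting next to a comment stating the default it replaces, so the delta the review describes is visible. Resource names, SKUs, API versions and parameters are assumptions.

```bicep
// Added example, not the PR's own code. Names, SKUs and API versions are assumptions.
param location string = resourceGroup().location
param storageAccountName string
param searchServiceName string
param webAppName string
param appServicePlanId string

resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    minimumTlsVersion: 'TLS1_2'
    encryption: {
      keySource: 'Microsoft.Storage'
      // Default false: a single layer of encryption at rest. true adds a second,
      // independently keyed layer at the infrastructure level. Immutable after
      // the account exists, so it must be set at creation.
      requireInfrastructureEncryption: true
      services: {
        blob: {
          enabled: true
          keyType: 'Account'
        }
        file: {
          enabled: true
          keyType: 'Account'
        }
      }
    }
  }
}

resource search 'Microsoft.Search/searchServices@2023-11-01' = {
  name: searchServiceName
  location: location
  sku: {
    name: 'basic'
  }
  // The service authenticates to its own data sources with this identity
  // instead of stored connection secrets.
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    // Default false: admin and query API keys are accepted. true rejects
    // api-key authentication entirely, so every caller must present an
    // Entra ID token and hold a role on the service. Mutually exclusive
    // with authOptions.
    disableLocalAuth: true
  }
}

resource web 'Microsoft.Web/sites@2023-12-01' = {
  name: webAppName
  location: location
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    // Default false: the hop from the App Service front ends to the worker
    // inside the scale unit is plaintext. true encrypts that hop too.
    endToEndEncryptionEnabled: true
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
    }
  }
}
```

After deploying, the Search change is the one most likely to break callers: any client still sending `api-key` headers gets 401 until it is switched to a token credential (for example `DefaultAzureCredential`) and granted a Search data role. The storage setting cannot be retrofitted, so an existing account that lacks it has to be recreated and its data migrated.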

Comment thread: infra/main_custom.bicep
properties: {
dataCollectionRuleId: jumpboxDcr!.outputs.resourceId
description: 'Associates the Windows security event DCR with the jumpbox VM.'
}
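Review bot: the association resource that references `jumpboxDcr!.outputs.resourceId` needs the same `if (...)` condition as the `jumpboxDcr` module, since the review summary says the DCR is only deployed when monitoring is enabled; the `!` only suppresses Bicep's nullable-reference warning, and when monitoring is disabled the expression would be evaluated against a module that was never deployed and the deployment fails. Guarding the association with the identical condition (or deriving both from one variable) removes the need for `!` entirely. Also worth confirming: the association only takes effect once the Azure Monitor Agent extension is installed on the jumpbox, so add a `dependsOn` on that extension (or the module that installs it) if the dependency is not already implied by the VM monitoring config.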