Add Azure Functions TypeScript deployment guidance for Event Hubs and enterprise policies

[Copilot]

Problem

Four deployment failures with TypeScript Azure Functions + Event Hub triggers: (1) RequestDisallowedByPolicy errors from missing disableLocalAuth, (2) agent wrote Bicep instead of using existing templates, (3) tsc: Permission denied from incorrect .funcignore, (4) no Application Insights telemetry with identity-based auth.

Changes

Template Selection

• Added Rule 7 to azure-prepare/SKILL.md: require azd init -t <template> when templates exist
• Updated Event Hubs section with specific commands:

  azd init -t Azure-Samples/functions-quickstart-dotnet-azd-eventhub
  azd init -t Azure-Samples/functions-quickstart-python-azd-eventhub

TypeScript Build Configuration

• Created typescript-funcignore.md with remote vs local build guidance
• Key rule: exclude node_modules/, do NOT exclude *.ts or tsconfig.json for remote builds
• Added troubleshooting for tsc: Permission denied to azure-deploy/errors.md

Enterprise Policy Compliance

• Created enterprise-policy.md with required Bicep properties:
  • Event Hubs/Service Bus: disableLocalAuth: true
  • Storage: allowSharedKeyAccess: false
  • Application Insights: DisableLocalAuth: true
• Added policy violation error handling

Application Insights Identity Auth

• Created appinsights-auth.md with complete setup:

  resource appInsightsRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
    scope: appInsights
    properties: {
      roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
      principalId: functionApp.identity.principalId
    }
  }
  
  // Required app setting
  APPLICATIONINSIGHTS_AUTHENTICATION_STRING: 'Authorization=AAD'

• Added "No Traces" troubleshooting with verification commands

File Organization

• azure-prepare: template selection, IAC patterns, config examples
• azure-deploy: error troubleshooting with quick fixes
• New reference files: 361-715 tokens each, all cross-referenced

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Skill Updates: Azure Functions TypeScript Deployment Issues</issue_title>
<issue_description>## Background

During deployment of a TypeScript Azure Function with Event Hub trigger, several issues were encountered that could have been prevented with better skill guidance. This document captures the learnings and proposed updates.

Issues Encountered

Issue 1: Policy Violation - Event Hub Local Auth

Error:

RequestDisallowedByPolicy: Resource 'evhns-xxx' was disallowed by policy.
Reasons: 'Local authentication methods are not allowed.'

Root Cause: Generated Bicep for Event Hub namespace did not include disableLocalAuth: true.

Resolution: Added the property to Bicep.

---

Issue 2: Did Not Use Existing Template

What Happened: Agent wrote Bicep from scratch instead of using azd init -t <template>.

Root Cause: The decision tree in functions-templates.md pointed to a generic samples page URL rather than specific azd init commands. The agent did not follow through to find the actual template.

Existing Templates Found:

• Azure-Samples/functions-quickstart-dotnet-azd-eventhub
• Azure-Samples/functions-quickstart-python-azd-eventhub

---

Issue 3: TypeScript Remote Build Failure

Error:

sh: 1: tsc: Permission denied

Actual Root Cause: The .funcignore file had incorrect entries that:

1. Excluded *.ts files - preventing Oryx from seeing TypeScript source
2. Excluded tsconfig.json - preventing Oryx from compiling
3. Did NOT exclude node_modules/ - uploading local binaries with wrong permissions

Correct .funcignore (enables remote build):

*.js.map
.git*
.vscode
__azurite_db*__.json
__blobstorage__
__queuestorage__
local.settings.json
test
node_modules/     # REQUIRED - excludes local binaries

Reference: Azure-Samples/remote-mcp-functions-typescript#35

---

Issue 4: Application Insights Not Receiving Traces

Symptom: No traces appearing in Application Insights after deployment.

Root Cause: When DisableLocalAuth: true is set on Application Insights (required by enterprise policy), identity-based authentication requires:

1. App Setting: APPLICATIONINSIGHTS_AUTHENTICATION_STRING with value ClientId=<managed-identity-client-id>;Authorization=AAD
2. RBAC Role: Monitoring Metrics Publisher role assigned to the managed identity on the Application Insights resource

---

Proposed Skill File Updates

File 1: azure-prepare/references/recipes/azd/functions-templates.md

Update 1A: Event Hubs Template Section (lines 55-57)

Replace with:

8. Does it use Event Hubs for streaming?
   Indicators: EventHubTrigger, @app.event_hub, event_hub_output, streaming
   └─► YES → Use Event Hubs Template:
       | Runtime | Template Command |
       |---------|-----------------|
       | .NET | `azd init -t Azure-Samples/functions-quickstart-dotnet-azd-eventhub` |
       | Python | `azd init -t Azure-Samples/functions-quickstart-python-azd-eventhub` |
       | TypeScript/JS | No template yet. Use .NET or Python template infra, adapt azure.yaml for Node.js |

Update 1B: Add New Section - TypeScript .funcignore Configuration

Add guidance on correct .funcignore for TypeScript with remote build:

• Exclude node_modules/
• Do NOT exclude *.ts or tsconfig.json

Update 1C: Add New Section - Enterprise Policy Compliance

Add default disableLocalAuth: true for Event Hubs, Storage, App Insights, Service Bus.

Update 1D: Add New Section - Application Insights Identity-Based Authentication

Add required app settings and RBAC role for identity-based App Insights auth.

File 2: azure-prepare/SKILL.md

Update 2A: Add Rule 7 - Template-First Requirement

7. **ALWAYS use `azd init -t <template>`** when a matching template exists in the decision tree.

File 3: azure-prepare/references/recipes/azd/azure-yaml.md

Update 3A: Add TypeScript and .funcignore Guidance

Document two valid approaches (remote build vs local build) and common errors.

---

Summary of Changes

File	Change Type	Description
functions-templates.md	Update	Event Hubs section - add specific azd init commands
functions-templates.md	Add Section	TypeScript .funcignore configuration
functions-templates.md	Add Section	Enterprise policy compliance defaults
functions-templates.md	Add Section	Application Insights identity-based authentication
SKILL.md	Add Rule	Template-first enforcement (Rule 7)
azure-yaml.md	Add Section	TypeScript deployment approaches

---

References

• Official TypeScript template: https://github.com/Azure-Samples/functions-quickstart-typescript-azd
• Event Hubs .NET template: https://github.com/Azure-Samples/functions-quickstart-dotne...

• Fixes Skill Updates: Azure Functions TypeScript Deployment Issues #768

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[paulyuk]

Suggest we keep this blocked. Functions and AZD owners are deciding on design decision for integration, which may turn server/remote build off by default. That would change skills guidance. ETA for decision 1-2 days.

[kvenkatrajan]

Blocked due to possible design changes in azd

CC: @rajeshkamal5050