Add post-deployment guidance for ASP.NET Core + EF + SQL with managed identity #959

Draft: Copilot wants to merge 5 commits into main from copilot/automate-app-service-access
Copilot AI commented Feb 18, 2026

Implementation Plan: ASP.NET Core + EF Core + SQL Post-Deployment

Phase 1: Documentation Structure ✅

  • Create post-deployment reference documentation
    • Create post-deployment.md with ASP.NET + SQL patterns
    • Create sql-managed-identity.md with SQL permission grant scripts
    • Create ef-migrations.md with EF Core migration patterns

Phase 2: Verification Updates ✅

  • Update verify.md to include post-deployment steps
    • Add SQL database access verification
    • Add EF migrations verification
    • Add endpoint health check verification

Phase 3: Recipe Enhancement ✅

  • Update azure-deploy/references/recipes/azd/README.md
    • Add post-deployment workflow step
    • Link to new post-deployment documentation

Phase 4: Testing ✅

  • Add trigger test cases for post-deployment scenarios
  • Update snapshots for new keywords (cli, identity, sql)
  • Update main SKILL.md with post-deployment step
  • All tests passing

Phase 5: Validation ✅

  • Manual verification of documentation flow
  • Review all file additions for completeness
  • CodeQL security scan (0 issues found)
  • Store memory for future reference

Phase 6: Optimization ✅

  • Compact ef-migrations.md (404→137 lines, 66% reduction)
    • Removed duplicate PowerShell scripts
    • Condensed combined hook section
    • Simplified troubleshooting with table format
    • Removed verbose examples
    • Maintained all essential information
  • Compact sql-managed-identity.md (289→112 lines, 61% reduction)
    • Removed sqlcmd alternative (focus on az sql)
    • Removed duplicate PowerShell script
    • Condensed troubleshooting to table format
    • Simplified verification query
    • Maintained all essential information

Summary

Successfully implemented comprehensive post-deployment documentation for the azure-deploy skill. All documentation optimized for token limits while maintaining clarity and completeness.

Original prompt

This section details on the original issue you should resolve

<issue_title>azure-deploy: Automatically grant App Service managed identity access to SQL Database and apply EF migrations</issue_title>
<issue_description>

Summary

After a successful azd up deployment of an ASP.NET Core app with Entity Framework Core and Azure SQL Database using Entra-only authentication, the app fails with HTTP 500 because:

  1. The App Service's system-assigned managed identity has no permissions on the SQL database
  2. EF Core migrations have not been applied — the database has no application tables

These are predictable post-provisioning steps that the azure-deploy skill should handle automatically.

Current Behavior

After azd up completes successfully, the deployed app crashes on startup with:

Login failed for user '<token-identified principal>'.
Error Number: 18456

The user must manually:

  1. Get an access token for the database
  2. Run CREATE USER [app-name] FROM EXTERNAL PROVIDER and grant db_datareader, db_datawriter, db_ddladmin roles
  3. Generate and apply EF migration SQL (dotnet ef migrations script --idempotent)
  4. Restart the App Service

Expected Behavior

The azure-deploy skill should include post-provisioning steps that:

  1. Detect that the architecture includes App Service + Azure SQL with managed identity
  2. Grant the App Service's managed identity database access using the Entra admin credentials
  3. Detect EF Core migrations in the project and apply them to the Azure SQL database
  4. Verify the deployed endpoint returns a successful HTTP status code

This could be implemented as an azd post-provision hook or as explicit steps in the deploy recipe.

Steps to Reproduce

  1. Deploy an ASP.NET Core + EF Core app to App Service with Azure SQL (Entra-only auth)
  2. azd up succeeds but the app returns HTTP 500
  3. Manual SQL commands are needed to create the managed identity user and apply migrations

Suggested Fix

  • Add a post-provision hook template that grants managed identity SQL access
  • Detect EF Core projects (look for Migrations/ folder or Microsoft.EntityFrameworkCore references) and auto-apply migrations
  • Add endpoint verification to the deploy verification steps in verify.md</issue_description>

Comments on the Issue (you are @copilot in this section)

@tmeschter Note that this was an ASP.NET Core app deployed to an app service, along with an Azure SQL Server for a database.

We might need some dotnet-specific guidance around Entity Framework, similar to our NodeJS guidance.</comment_new>



Copilot AI and others added 2 commits February 18, 2026 22:00
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add automatic access grant for managed identity on SQL Database" to "Add post-deployment guidance for ASP.NET Core + EF + SQL with managed identity" on Feb 18, 2026
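
Added example (not part of this PR or the project's files): a POSIX shell helper that emits the T-SQL for manual step 2 of the issue, for an Entra admin to run against the database. The function names and the `with-ddl` switch are assumptions; by default the output leaves out db_ddladmin, which the runtime identity needs only if the app itself applies schema changes rather than a deploy-time `dotnet ef migrations script --idempotent` run.

```sh
#!/bin/sh
# Added example; function names and the "with-ddl" switch are hypothetical.

# Escape a name for use inside [...]: a closing bracket is doubled.
quote_ident() {
    printf '%s' "$1" | sed 's/]/]]/g'
}

# Escape a name for use inside N'...': a single quote is doubled.
quote_literal() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# build_grant_sql <principal-name> [with-ddl]
# Prints T-SQL that creates the contained user if it is missing and adds it
# to db_datareader and db_datawriter; "with-ddl" also adds db_ddladmin.
build_grant_sql() {
    name=$1
    mode=${2:-runtime}
    if [ -z "$name" ]; then
        echo "principal name required" >&2
        return 1
    fi
    ident=$(quote_ident "$name")
    lit=$(quote_literal "$name")
    roles="db_datareader db_datawriter"
    if [ "$mode" = "with-ddl" ]; then
        roles="$roles db_ddladmin"
    fi
    printf "IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'%s')\n" "$lit"
    printf "    CREATE USER [%s] FROM EXTERNAL PROVIDER;\n" "$ident"
    for role in $roles; do
        printf "ALTER ROLE %s ADD MEMBER [%s];\n" "$role" "$ident"
    done
}

# build_verify_sql <principal-name>
# Prints a query listing the database roles the principal holds, so a
# reviewer can confirm nothing broader than intended was granted.
build_verify_sql() {
    lit=$(quote_literal "$1")
    printf "SELECT r.name AS role_name\n"
    printf "FROM sys.database_role_members AS rm\n"
    printf "JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id\n"
    printf "JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id\n"
    printf "WHERE m.name = N'%s';\n" "$lit"
}
```

The name is escaped separately for the bracketed identifier and for the string literal, so an app name containing `]` or `'` cannot break out of either context when a hook interpolates it.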
Comment on lines 2 to 5

Apply Entity Framework Core migrations to Azure SQL Database during or after deployment.

## Overview
Collaborator

@copilot is there a way to compact this file? If this documentation is obtained using mslearn, remember to use the mslearn mcp server tools for the content.

Contributor Author

Compacted from 404 to 137 lines (66% reduction) in commit 9f3a79b. Removed duplicate PowerShell scripts, condensed combined hook section, and simplified troubleshooting while maintaining all essential information. The content was written specifically for this PR based on EF Core and Azure SQL patterns, not sourced from MS Learn.

Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
@@ -0,0 +1,289 @@
# SQL Managed Identity Access
Collaborator

@copilot is there a way to compact this file? If this documentation is obtained using mslearn, remember to use the mslearn mcp server tools for the content.

Contributor Author

Compacted from 289 to 112 lines (61% reduction) in commit bbc2f9a. Removed sqlcmd alternative, duplicate PowerShell script, and condensed troubleshooting to table format while maintaining all essential information. Content written specifically for this PR based on Azure SQL and managed identity patterns, not sourced from MS Learn.

Co-authored-by: kvenkatrajan <102772054+kvenkatrajan@users.noreply.github.com>
Successfully merging this pull request may close these issues.

azure-deploy: Automatically grant App Service managed identity access to SQL Database and apply EF migrations
