
chore: dev to main merge#166

Open
Saswato-Microsoft wants to merge 7 commits into main from dev

Conversation

@Saswato-Microsoft

Contributor

Purpose

This pull request introduces a major update to how users access the jumpbox VM in network-isolated deployments: sign-in is now performed via Microsoft Entra ID (formerly Azure AD) authentication through Azure Bastion, eliminating the need to manage local VM credentials. The infrastructure code, deployment parameters, and all related documentation have been updated to support and explain this new authentication flow. Additionally, the jumpbox VM is now automatically configured to enable Entra ID sign-in, and the deploying principal is granted the necessary RBAC role. Documentation has also been improved to clarify the process and remove references to local admin credentials.

The most important changes are:

Infrastructure & Authentication Flow:

  • The jumpbox VM is now provisioned with the AADLoginForWindows extension and Entra ID authentication is enabled via Azure Bastion. The deploying principal is granted the "Virtual Machine Administrator Login" RBAC role on the VM, allowing sign-in with Entra ID credentials. Local admin credentials are no longer required for access. (infra/main.bicep, infra/main.json, infra/main.bicepparam) [1] [2] [3]
  • The jumpbox VM's local admin username and password are now set to deterministic, non-default values and are not used for sign-in; sign-in is exclusively via Entra ID. (infra/main.bicepparam)

Documentation Updates:

  • All documentation has been revised to instruct users to sign in to the jumpbox via Bastion using Entra ID authentication, removing instructions for using local admin credentials. This includes deployment guides, post-deployment steps, and private resource access documentation. (docs/Accessing_Private_Resources.md, docs/deploymentguide.md, docs/post_deployment_steps.md, docs/deploy_app_from_foundry.md) [1] [2] [3] [4] [5]
  • Troubleshooting sections now focus on Entra ID sign-in issues and RBAC role assignment, replacing previous guidance on resetting local admin passwords. (docs/Accessing_Private_Resources.md)

Parameter and Output Changes:

  • Parameters related to local VM credentials (vmUserName, vmAdminPassword) are now fixed and not user-configurable; guidance for setting them has been removed from documentation. (docs/deploymentguide.md, infra/main.bicepparam) [1] [2]
  • Outputs and variables in the deployment templates have been updated to reflect the new authentication flow and support for reusing existing AI Foundry projects. (infra/main.json) [1] [2]

File and Reference Updates:

  • File and link names have been standardized for casing (e.g., ACCESSING_PRIVATE_RESOURCES.md → Accessing_Private_Resources.md) throughout the documentation. (README.md, docs/deploymentguide.md) [1] [2]

These changes make jumpbox access more secure and user-friendly, aligning with best practices for cloud-based authentication and RBAC.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information
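The Entra ID sign-in wiring described under "Infrastructure & Authentication Flow", as an added Bicep example that is not the project's own infra/main.bicep: it installs the AADLoginForWindows extension on an existing Windows jumpbox VM and assigns the built-in "Virtual Machine Administrator Login" role to the deploying principal at VM scope only. The parameter names are assumptions; the role definition GUID is the built-in role's ID as published by Azure.

```bicep
// Added example (not the project's infra/main.bicep): enable Entra ID sign-in on an
// existing Windows jumpbox VM and grant the deploying principal the built-in
// "Virtual Machine Administrator Login" role, scoped to that single VM.

@description('Name of the existing jumpbox VM (assumed parameter name)')
param jumpboxVmName string

@description('Object ID of the deploying user or service principal (assumed parameter name)')
param deployerPrincipalId string

@description('Principal type for the role assignment; use ServicePrincipal for pipelines')
@allowed(['User', 'ServicePrincipal', 'Group'])
param deployerPrincipalType string = 'User'

// Built-in role definition ID for "Virtual Machine Administrator Login".
var vmAdminLoginRoleId = '1c0163c0-47e6-4577-8991-ea5c82e286e4'

// Reference the VM that was provisioned elsewhere in the deployment.
resource jumpboxVm 'Microsoft.Compute/virtualMachines@2023-09-01' existing = {
  name: jumpboxVmName
}

// VM extension that installs the Entra ID login agent for Windows.
resource aadLogin 'Microsoft.Compute/virtualMachines/extensions@2023-09-01' = {
  parent: jumpboxVm
  name: 'AADLoginForWindows'
  location: jumpboxVm.location
  properties: {
    publisher: 'Microsoft.Azure.ActiveDirectory'
    type: 'AADLoginForWindows'
    typeHandlerVersion: '2.0'
    autoUpgradeMinorVersion: true
  }
}

// Role assignment scoped to the VM resource, not the resource group.
// The name is a deterministic GUID so redeployments are idempotent.
resource vmAdminLogin 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(jumpboxVm.id, deployerPrincipalId, vmAdminLoginRoleId)
  scope: jumpboxVm
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', vmAdminLoginRoleId)
    principalId: deployerPrincipalId
    principalType: deployerPrincipalType
  }
}
```

Scoping the assignment to the VM keeps the grant to the one resource the principal needs; when Bastion sign-in fails after deployment, a missing or mis-scoped assignment of this role is the first thing to check, which is what the troubleshooting section refers to.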

Copilot AI review requested due to automatic review settings June 9, 2026 15:17

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds resiliency and BYO (bring-your-own) options to deployment/automation while updating jumpbox access to use Microsoft Entra ID via Azure Bastion.

Changes:

  • Add transient HTTP/network retry + exponential backoff to OneLake indexing search requests.
  • Support reusing an existing AI Foundry project via a new ARM parameter and derived “effective” outputs.
  • Enable Entra ID sign-in for the jumpbox VM (AADLoginForWindows extension + RBAC assignment) and update docs accordingly.

Reviewed changes

Copilot reviewed 9 out of 11 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| scripts/automationScripts/OneLakeIndex/SearchHelpers.ps1 | Adds transient failure detection and retry/backoff behavior for search requests. |
| infra/main.json | Adds optional existing AI project parameter, effective outputs, and jumpbox Entra ID extension/RBAC resources. |
| infra/main.bicepparam | Changes jumpbox provisioning credentials strategy and VM size; adds Entra ID sign-in guidance comment. |
| infra/main.bicep | Adds resources to enable Entra ID sign-in to the existing jumpbox VM via Bastion. |
| docs/post_deployment_steps.md | Updates Bastion connection steps to Entra ID authentication and swaps screenshot reference. |
| docs/deploymentguide.md | Updates env setup guidance, jumpbox auth narrative, and fixes "Accessing Private Resources" link text/target. |
| docs/deploy_app_from_foundry.md | Updates jumpbox access step to Entra ID authentication. |
| docs/ACCESSING_PRIVATE_RESOURCES.md | Rewrites jumpbox access/troubleshooting flow for Entra ID sign-in (no local creds). |
| README.md | Updates "Accessing Private Resources" doc link target. |


Comment threads:

  • scripts/automationScripts/OneLakeIndex/SearchHelpers.ps1
  • docs/deploymentguide.md
  • infra/main.bicepparam (2 threads)
  • infra/main.json