2026-02-06: Port from Prompty to Jinja2 for prompt templating

We were previously using Prompty for prompt templating. We have moved from Prompty to Jinja2 since we are preparing to move from Chat Completions to Responses (which Prompty does not support), plus Prompty did not achieve wide community adoption. Jinja2 is a widely supported templating framework, and Prompty was based off Jinja2, so the prompt templates look similar. However, we are only using Jinja2 to template individual messages, not the entire conversation like before.

What's Changed

• Fix multimodal image download from non-default blob container by @pamelafox in #2951
• Bump certifi from 2024.7.4 to 2026.1.4 by @dependabot[bot] in #2949
• Bump pyjwt from 2.10.1 to 2.11.0 by @dependabot[bot] in #2948
• Revert Yarn GPG workaround and use built-in devcontainer image by @Copilot in #2956
• Fix ty type checker errors breaking nightly jobs by @Copilot in #2958
• Migrate from Prompty to Jinja2 for prompt templates by @pamelafox in #2953

Full Changelog: 2026-01-27...2026-02-06

ACL support for cloud ingestion pipeline

This release adds Access Control List (ACL) support for the cloud ingestion pipeline, enabling document-level security filtering in Azure AI Search. Documents stored in Azure Data Lake Storage Gen2 can now have their ACLs automatically extracted during indexing.

⚠️ Breaking change: ADLS local file strategy removed

IMPORTANT: The previous "ADLS local file strategy" (using prepdocs directly against Azure Data Lake Storage) has been deprecated and removed. If you were using that approach in earlier versions of this sample, you must migrate to the cloud ingestion flow described in Cloud ingestion with Azure Data Lake Storage Gen2, which runs ingestion in Azure Functions and the Azure AI Search indexer instead of on the client machine.

How it works

Cloud ingestion with ACLs

• Automatic ACL extraction from ADLS Gen2 files during indexing
• Extracts user IDs (oids) and group IDs (groups) with read permission
• Supports global document access via the ADLS "other" ACL entry when AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS=true
• Indexes document chunks in Azure AI Search with oids and groups fields

Bring Your Own (BYO) ADLS Storage Account

• Use an existing ADLS Gen2 account instead of provisioning a new one
• Support for ADLS accounts in different resource groups
• Automatic RBAC role assignment at the storage account level

New environment variables

Variable	Description
USE_CLOUD_INGESTION_ACLS	Enable ACL extraction from ADLS Gen2 (requires USE_CLOUD_INGESTION=true)
USE_EXISTING_ADLS_STORAGE	Use an existing ADLS account instead of provisioning a new one
AZURE_ADLS_GEN2_STORAGE_ACCOUNT	Name of the ADLS storage account (required when USE_EXISTING_ADLS_STORAGE=true)
AZURE_ADLS_GEN2_STORAGE_RESOURCE_GROUP	Resource group for BYO ADLS (optional, defaults to main resource group)

Migration guide

If you were previously using the ADLS local file strategy:

1. Set USE_CLOUD_INGESTION=true and USE_CLOUD_INGESTION_ACLS=true
2. Un-comment the function lines in azure.yaml.
3. Run azd up to deploy the cloud ingestion Azure Functions
4. Upload documents to the ADLS storage account (check AZURE_ADLS_STORAGE_ACCOUNT output)
5. Set ACLs on files using Azure Storage Explorer
6. Run setup_cloud_ingestion.sh to trigger the indexer
7. Run scripts/verify_search_index_acls.py to verify ACL filtering is working correctly.

See the updated login_and_acl.md for complete setup instructions.

What's changed

• Add ACL support for cloud ingestion pipeline by @pamelafox in #2917

Full Changelog: 2026-01-26...2026-01-27

2026-01-26: "Stop" button in chat frontend

This release includes these two changes to the frontend:

1. Stop button for streaming responses (#2909) - Users can now cancel AI responses mid-generation using a new stop button. Helpful when the response isn't useful or you want to ask a different question.
2. No more chat input length limit (#2908) - Removed the frontend 1000-character cap on chat input. The text area now auto-grows and scrolls, letting users paste long prompts. Backend context window errors are properly surfaced if limits are reached.

This release makes one bug fix for developers using manageacl.py:

• ACL management permissions fix (#2912) - Fixed manageacl.py to use x-ms-enable-elevated-read header when querying documents, allowing the script to see documents without ACLs yet.

This release includes these improvements to development tools used with the repo:

• Migrated from mypy to ty type checker (#2911) - upgraded to the much faster type checker.
• Updated chat agents configuration (#2907) - Ported VS Code chat modes to the new chat agents format.
• DevContainer fix (#2931) - Removed Yarn repo with expired GPG key that was breaking devcontainer builds for GitHub Codespaces.

Many packages were also upgraded, per the PRs below.

What's Changed

• Port chat modes to chat agents by @pamelafox in #2907
• Fix #2399: Remove limit on chat input length by @pamelafox in #2908
• Add prompt to review PR comments by @pamelafox in #2914
• Add stop button to cancel streaming responses by @pamelafox in #2909
• Bump click from 8.3.0 to 8.3.1 in the pallets group by @dependabot[bot] in #2904
• Bump rapidfuzz from 3.14.1 to 3.14.3 by @dependabot[bot] in #2905
• Bump ndjson-readablestream from 1.2.0 to 1.4.0 in /app/frontend by @dependabot[bot] in #2899
• Bump the pydantic group with 2 updates by @dependabot[bot] in #2903
• Migrate from mypy to ty type checker by @pamelafox in #2911
• Update permissions for enabling global read and managing acls by @mattgotteiner in #2912
• Upgrade black with minor formatting changes by @pamelafox in #2928
• Bump cffi from 1.17.0 to 2.0.0 by @dependabot[bot] in #2924
• Bump types-beautifulsoup4 from 4.12.0.20240511 to 4.12.0.20250516 by @dependabot[bot] in #2923
• Bump hypercorn from 0.17.3 to 0.18.0 by @dependabot[bot] in #2922
• Add GitHub PR inline reply skill for Copilot agent by @pamelafox in #2930
• Fix devcontainer: remove Yarn repo with expired GPG key by @pamelafox in #2931
• Docs: Update deployment docs with RBAC warnings and SKU clarifications by @pamelafox in #2929
• Bump wsproto from 1.2.0 to 1.3.2 by @dependabot[bot] in #2935
• Bump beautifulsoup4 from 4.12.3 to 4.14.3 by @dependabot[bot] in #2933
• Bump azure-core from 1.35.0 to 1.38.0 in /app/backend by @dependabot[bot] in #2916
• Upgrade pypdf to 6.6.2 using uv pip compile by @Copilot in #2939

Full Changelog: 2026-01-12...2026-01-26

2026-01-12: Deprecation of "Ask" tab

Since the beginning of this repo, we've always had two tabs, "Chat" and "Ask". The "Chat" tab was always the most popular, since it allowed for multi-turn conversations. Since the existence of the two tabs greatly complicated the code and many developers deleted the "Ask" tab in their forks, we decided to deprecate the "Ask" tab entirely. This will allow us to focus more on the code that everyone is using.

Note that currently there's still a class hierarchy in the backend code of Approach -> ChatReadRetrieveApproach. We may decide to flatten that hierarchy since there's only sone subclass of Approach now, but that is a larger change, so if we do that, it will be a separate change.

What's Changed

• Deprecate Ask tab by @pamelafox in #2898

Full Changelog: 2026-01-09...2026-01-12

2026-01-09: Bug fixes and dependency updates

This release includes several bug fixes and improvements. Key fixes address issues with the web knowledge source (removing unsupported snippet and description fields), the VS Code debug launch configuration on Windows, and role assignments for the free Azure Search SKU. Infrastructure improvements include resolving all Bicep warnings, increasing embedding TPM capacity for cloud ingestion, and changing cloud ingestion to download blobs based on path rather than file data.

The release also includes multiple dependency updates for both backend (aiohttp, werkzeug, pypdf, urllib3) and frontend (react-router-dom) packages, along with documentation updates and a new VS Code for the Web badge in the README.

What's Changed

• Remove snippet from WebResult since the web source does not provide it by @pamelafox in #2843
• Remove description from web knowledge source by @pamelafox in #2844
• Bump the github-actions group with 2 updates by @dependabot[bot] in #2839
• Increase embedding TPM capacity and add note in cloud ingestion guide by @pamelafox in #2846
• Update setup instructions in login_and_acl.md by @pamelafox in #2851
• Resolve all Bicep warnings by @pamelafox in #2854
• Change cloud ingestion to download blobs based off path versus file data by @pamelafox in #2858
• Fix last exit code issue by @mattgotteiner in #2873
• Bump the github-actions group with 2 updates by @dependabot[bot] in #2874
• Skip role assignments for free Azure Search SKU (#2848) by @bnodir in #2886
• Restore azure-functions dependency for Azure Functions apps by @pamelafox in #2896
• Fix VS Code debug launch configuration for Windows by @bf-2026 in #2884
• Bump aiohttp from 3.12.14 to 3.13.3 in /app/backend by @dependabot[bot] in #2887
• Bump werkzeug from 3.1.3 to 3.1.5 in /app/backend by @dependabot[bot] in #2890
• Bump pypdf from 6.1.3 to 6.6.0 in /app/backend by @dependabot[bot] in #2894
• Bump urllib3 from 2.5.0 to 2.6.3 in /app/backend by @dependabot[bot] in #2888
• Bump types-html5lib from 1.1.11.20241018 to 1.1.11.20251014 by @dependabot[bot] in #2815
• Bump isodate from 0.6.1 to 0.7.2 by @dependabot[bot] in #2814
• Bump zipp from 3.21.0 to 3.23.0 by @dependabot[bot] in #2813
• Bump mdast-util-to-hast from 13.2.0 to 13.2.1 in /app/frontend by @dependabot[bot] in #2852
• Bump react-router-dom from 6.28.0 to 7.9.5 in /app/frontend by @dependabot[bot] in #2812
• Bump react-router and react-router-dom in /app/frontend by @dependabot[bot] in #2897
• Add VS Code for the Web badge to README by @Copilot in #2871

New Contributors

• @bf-2026 made their first contribution in #2884

Full Changelog: 2025-11-18...2026-01-09

2025-11-18: Agentic knowledge base with Bing + SharePoint options

This release upgrades the agentic retrieval feature to use Azure AI Search's new Knowledge Base functionality, which provides enhanced intelligent document retrieval with configurable reasoning levels and support for multiple knowledge sources including web and SharePoint.

Knowledge Base changes

• Upgraded from Knowledge Agent to Knowledge Base: The feature now uses the new KnowledgeBaseRetrievalClient from Azure AI Search, replacing the legacy KnowledgeAgentRetrievalClient
• Added multiple reasoning level options: Choose between minimal, low, or medium reasoning effort for retrieval
  • Minimal: Most similar to current search() call, where we bring our own query planning to generate a single query
  • Low: Adds a query planning step that's built into AI Search and can suggest multiple queries for complex queries
  • Medium: Adds an optional iteration step if an AI Search model determines results aren't good enough

The feature supports three kinds of sources:

• Search Index (default): Searches documents in your Azure AI Search index. We currently only support one index, but you can modify the code to bring in additional indices if desired. We may add a YAML config for multiple indices in future.
• Web Source (optional): Enables searching the public web for information
  • ⚠️ Requires answer synthesis mode (disables streaming, follow-up questions, and some LLM customizations)
  • ⚠️ Microsoft Data Protection Addendum doesn't apply to data sent to Web Knowledge Source
• SharePoint Source (optional): Searches SharePoint documents using on-behalf-of flow
  • Requires authentication to be enabled
  • Requires users to have a Microsoft Copilot license

Environment variable changes

New environment variables for deployment configuration:

• USE_AGENTIC_KNOWLEDGEBASE: Enable the knowledge base feature (replaces USE_AGENTIC_RETRIEVAL)
• AZURE_SEARCH_KNOWLEDGEBASE_RETRIEVAL_REASONING_EFFORT: Set default reasoning level (minimal, low, or medium)
• USE_WEB_SOURCE: Enable web knowledge source
• USE_SHAREPOINT_SOURCE: Enable SharePoint knowledge source
• AZURE_OPENAI_KNOWLEDGEBASE_DEPLOYMENT: Specify the deployment for knowledge base
• AZURE_OPENAI_KNOWLEDGEBASE_MODEL: Specify the model (default: gpt-4.1-mini)
• AZURE_OPENAI_KNOWLEDGEBASE_MODEL_VERSION: Specify the model version

⚠️ If you were using the previous agentic retrieval feature (USE_AGENTIC_RETRIEVAL), you must change USE_AGENTIC_RETRIEVAL → USE_AGENTIC_KNOWLEDGEBASE

UI enhancements

• Developer settings: New options for toggling sources and changing reasoning level.

• Thought Process: Now includes:
  • Token usage for the planning process
  • Generated search queries
  • Activity details for each source citation

Documentation

See docs/agentic_retrieval.md for complete deployment and configuration instructions.

---

All changes included in this release

• Comment out the functions by default by @pamelafox in #2827
• Comment out final function in azure.yaml by @pamelafox in #2829
• Fixes issue with user uploaded files by @pamelafox in #2830
• Add Knowledge Base support by @mattgotteiner in #2835

Full Changelog: 2025-11-12...2025-11-18

2025-11-12: Cloud ingestion pipeline with custom skills (Azure Functions)

We're excited to announce a new cloud ingestion option that enables scalable, automated document processing using Azure Functions as custom skills within an Azure AI Search indexer pipeline. This repo previously supported an "integrated vectorization" strategy that used built-in skills for document extraction and splitting, but this new approach uses custom skills that use our own approach to document extraction and splitting. You can now use either local ingestion or cloud ingestion and get the same results.

This diagram shows the overall ingestion pipeline:

The indexer uses this skill sequence:

1. Document Extractor - Parses source documents (PDFs, HTML, Office files, images) and extracts text, tables, and figure metadata
2. Figure Processor - Enriches figures with AI-generated descriptions, uploads images to Blob Storage, and computes embeddings (when multimodal is enabled)
3. Shaper Skill - Consolidates enriched data from multiple processing paths into a unified document structure
4. Text Processor - Merges figures with text, performs sentence-aware chunking, and generates embeddings for vector search

The implementation required significant refactoring to maximize code reuse between local and cloud ingestion:

• Extracted shared setup logic into servicesetup.py
• Created standalone modules for figure processing (figureprocessor.py) and text processing (textprocessor.py)
• Bicep templates for Function App deployment with proper authentication

To enable the new feature, see the this guide. Please provide feedback in the issue tracker.

What's Changed

• Cloud ingestion strategy with prepdocs as custom skillset for Azure AI Search Blob Indexer by @pamelafox in #2819

Full Changelog: 2025-11-03...2025-11-12

2025-11-03: Port from AzureOpenAI to OpenAI constructors

Thanks to a recent improvement in the openai Python SDK and changes in the Azure OpenAI endpoint, we can now use OpenAI to connect to AzureOpenAI endpoint. The new Azure OpenAI endpoint is at "/openai/v1/" and does not accept an API version parameter, so we were able to remove the API version parameter entirely from this codebase, and simplify the code to only use the OpenAI() constructor.

If you merge in this change and see an OpenAI connection error locally, please make sure you have upgraded your local openai package version. You must have the version that accepts a token provider callback as the api_key parameter, otherwise you'll get an error about incorrect key/resource.

What's Changed

• Migrate AzureOpenAI constructors to standard OpenAI client by @Copilot in #2752

Full Changelog: 2025-10-29...2025-11-03

2025-10-29: Support Python 3.14 and drop support for 3.9

Python 3.14 is now the default version of Python downloaded from Python.org. We've upgraded all packages so that they should work in Python 3.14 environments. We've dropped 3.9 since it is reaching end-of-life and since many packages dropped 3.9 support when they added 3.14 support (like Pillow). Please update your local development environments to run at least 3.10.

What's Changed

• Bump flask from 3.0.3 to 3.1.2 by @dependabot[bot] in #2803
• Bump httpx from 0.27.0 to 0.28.1 by @dependabot[bot] in #2810
• Bump @types/dom-speech-recognition from 0.0.4 to 0.0.7 in /app/frontend by @dependabot[bot] in #2807
• Add Python 3.14 support and drop Python 3.9 by @Copilot in #2787
• Bump click from 8.1.8 to 8.3.0 in the pallets group by @dependabot[bot] in #2808
• Bump the github-actions group across 1 directory with 4 updates by @dependabot[bot] in #2783

Full Changelog: 2025-10-28...2025-10-29

2025-10-28: Upgraded ACLs to use Azure AI Search Query-time ACL

This release makes a significant change to our optional ACL feature, which builds on the login feature.

Previously we implemented access controls by storing oids and groups in the search index for each chunk, and dynamically building a search filter based off the oids/groups in the logged in user's token.
Now, Azure AI Search has built-in support to filter documents based off a user's token, so we keep the same index setup, but we delegate the filtering to the AI Search query itself.
If you already have the ACL feature enabled, you should be able to pull in the new changes, run "azd up", and have prepdocs setup the new permission filtering option on the index. If you have the AZURE_ENABLE_GLOBAL_DOCUMENT_ACCESS option enabled, then you'll also need to run the migration script to explicitly add a global identifier to the ACLs for those documents. Please also ensure that your azd environment has AZURE_ENFORCE_ACCESS_CONTROL, as we discovered some code paths weren't requiring that before (but do now).

If you are new to using the feature, please read through the login and ACLs guide to learn more.

What's Changed

• Better support for coding agents by @pamelafox in #2725
• added polish locales by @michuhu in #2729
• Bump jiter from 0.8.2 to 0.11.0 by @dependabot[bot] in #2731
• Bump msal from 1.30.0 to 1.33.0 by @dependabot[bot] in #2713
• Resolve issues with colliding private endpoint names, and redundant private endpoints by @kachihro in #2740
• Add missing set in command by @pamelafox in #2746
• Add tests for auth_init.py by @pamelafox in #2741
• Bump oauthlib from 3.2.2 to 3.3.1 by @dependabot[bot] in #2747
• Sanitize image markdown in sources by @pamelafox in #2765
• Restrict locations due to App Insights components availability by @pamelafox in #2764
• Add 'australiaeast' to allowed regions by @kachihro in #2770
• Bump multidict from 6.0.5 to 6.7.0 by @dependabot[bot] in #2768
• Group telemetry together for pip updates by @pamelafox in #2792
• Bump prismjs and react-syntax-highlighter in /app/frontend by @dependabot[bot] in #2791
• Bump the telemetry group with 21 updates by @dependabot[bot] in #2793
• Add dependabot group for pydantic by @pamelafox in #2795
• Bump markupsafe from 2.1.5 to 3.0.3 by @dependabot[bot] in #2794
• Bump vite from 5.4.19 to 6 in /app/frontend by @dependabot[bot] in #2782
• Bump pypdf from 6.0.0 to 6.1.3 in /app/backend by @pamelafox in #2799
• Bump rapidfuzz from 3.13.0 to 3.14.1 by @dependabot[bot] in #2798
• Bump asgiref from 3.8.1 to 3.10.0 by @dependabot[bot] in #2797
• Update link thats now 404ing by @pamelafox in #2801
• Bump the pydantic group with 2 updates by @dependabot[bot] in #2796
• Switch from security filter to built-in ACL enforcement by @mattgotteiner in #2771

New Contributors

• @michuhu made their first contribution in #2729
• @kachihro made their first contribution in #2740

Full Changelog: 2025-09-11...2025-10-28