Merge pull request #302835 from craigshoemaker/sre/permissions

[SRE Agent] New: Security context article

Author: AnnaMHuff

.openpublishing.redirection.json

@@ -6879,6 +6879,11 @@
       "redirect_url": "/azure/sre-agent/troubleshoot-azure-container-apps",
       "redirect_document_id": false
     },
+    {
+      "source_path": "articles/sre-agent/permissions.md",
+      "redirect_url": "/azure/sre-agent/security-context",
+      "redirect_document_id": false
+    },
     {
       "source_path": "articles/reliability/whats-new.md",
       "redirect_url": "/azure/reliability/overview",

articles/sre-agent/permissions.md

@@ -0,0 +1,92 @@
+---
+title: Security contexts in Azure SRE Agent (preview)
+description: Learn how SRE Agent uses different security contexts to handle agent creation and execution.
+author: craigshoemaker
+ms.author: cshoe
+ms.topic: tutorial
+ms.date: 07/16/2025
+ms.service: azure
+---
+
+# Security contexts in Azure SRE Agent (preview)
+
+This article explains the different security contexts involved in Azure SRE Agent operations. The security contexts include the user account that creates the agent, user accounts that interact with the agent, and the agent's own managed identity. Each context has specific permission requirements and serves different purposes in maintaining a secure environment.
+
+Microsoft Entra enforces security policies that govern identity assignments as you associate resource groups with the agent's managed identity.
+
+## Prerequisites
+
+You need to grant your agent the correct permissions and access to the right namespace.
+
+* **Security context**: Before you create a new agent, make sure your user account has the `Microsoft.Authorization/roleAssignments/write` permissions using either [Role Based Access Control Administrator](/azure/role-based-access-control/built-in-roles) or [User Access Administrator](/azure/role-based-access-control/built-in-roles).
+
+* **Sweden Central region access**: During preview, the only allowed region for SRE Agent is Sweden Central. Make sure your user account has *owner* or *admin* permissions and permissions to create resources in the Sweden Central region.
+
+## User security context
+
+The security requirements for users are different depending on if you're creating or using the agent.
+
+| Action | User account requirements |
+|---|---|
+| Create agent | The user account needs to be in the *Owner* or *User Access Administrator* role with *Owner* or *Admin* permissions in the subscription. |
+| Access/run the agent | The user account must have *Contributor* permissions to the resource group the agent is running in, or for the agent instance.<br><br>**Note**: This requirement doesn't mean the user account needs *Contributor* access to the entire subscription or all resource groups.|
+
+## Agent security context
+
+Azure SRE Agent has its own managed identity that gives the agent the required credentials to act on your behalf as it manages assigned resource groups. You have full control over the roles and permissions applied to the managed identity.
+
+When you create the agent from the portal, you can select from different permissions levels best suited for your situation. When you create an agent, you can apply the *Reader* or *Privileged* permission level.
+
+The following table describes the difference between the two levels.
+
+| Permission level | Description |
+|---|---|
+| Reader | Initially configured with read-only permissions on the resource groups it manages. When an action is required that requires elevated permissions, the agent prompts the user for temporary to complete the action. |
+| Privileged | Initially configured to take approved actions on resources and resource types detected in its assigned resource groups. |
+
+At any time, you can change which permissions are available to the agent's managed identity by modifying the access control (IAM) settings of a resource group manged by the agent.
+
+As resource groups are added or removed from the agent's scope, the managed identity's permissions are updated accordingly. Removing a resource group revokes the agent's access to the group entirely.
+
+> [!NOTE]
+> You can't directly remove specific permissions from the agent. To restrict the agent's access, you must remove the entire resource group from the agent's scope.
+
+### Roles
+
+The agent's managed identity is often preconfigured with the following role assignments for a managed resource group:
+
+* Log Analytics Reader
+* Azure Reader
+* Monitoring Reader
+
+Plus any required roles related to specific Azure services in resource groups managed by the agent. 
+
+## Agent behavior
+
+The agent behaves differently depending on the permissions assigned, the execution mode, and the type of action it attempts to make. The following tables list how the agent responds in different scenarios.
+
+### Read-only actions
+
+The following table details how the agent behaves when attempting to conduct a read-only operation that requires elevated permissions.
+
+| Agent has permission? | Execution mode | Agent behavior |
+|---|---|---|
+| Yes | Review | Reads required data and doesn't prompt for approval |
+| No | Review | Prompts for approval to take action |
+| Yes | Auto | Executes action without requiring approval |
+| No | Auto | Prompts for approval, and executes action based on approval status |
+
+### Write actions
+
+The following table details how the agent behaves when attempting to conduct a write operation.
+
+| Agent has permission? | Execution mode | Agent behavior |
+|---|---|---|
+| Yes | Review | Prompts for approval to take action |
+| No | Review | Prompts for approval to take action, if granted the agent temporarily inherits the required permissions from the user |
+| Yes | Auto | Executes action without requiring approval |
+| No | Auto | Prompts for approval, and executes action based on approval status |
+
+## Related content
+
+* [Troubleshoot common errors](./troubleshoot.md)

articles/sre-agent/security-context.md

@@ -17,7 +17,9 @@ items:
 - name: Key concepts
   expanded: true
   items:
-    - name: Autonomous vs review mode
-      href: permissions.md
+    - name: Security context
+      href: security-context.md
+    - name: Troubleshooting
+      href: troubleshoot.md
     - name: Billing
       href: billing.md

articles/sre-agent/toc.yml

@@ -0,0 +1,27 @@
+---
+title: Troubleshoot common issues in Azure SRE Agent (preview)
+description: Learn to troubleshoot common problems in Azure SRE Agent.
+author: craigshoemaker
+ms.author: cshoe
+ms.topic: tutorial
+ms.date: 07/16/2025
+ms.service: azure
+---
+
+# Troubleshoot common issues in Azure SRE Agent (preview)
+
+This guide covers the common problems faced when working with Azure SRE Agent and provides practical solutions to resolve them. The issues are typically related to permissions, regional availability, and administrative access requirements.
+
+## Common troubleshooting scenarios
+
+The following table outlines frequent issues you might encounter and their solutions. For more information about how roles and permissions are applied to an agent, see [Security contexts in Azure SRE Agent](./security-context.md).
+
+| Scenario | Reason | Remarks |
+|---|---|---|
+| The agent shows a permissions error in the chat and knowledge graph. | The agent is created with *Contributor* access and an account with only *Reader* permissions attempts to interact with the agent. | Deny assignments or Azure Policy blocks identity assignment to the agent resource group.  |
+| The location dropdown is blank. | A non-US region policy blocks access to Sweden Central. | If your subscription or management group limits to US-only deployments, then the creation step fails. |
+| The *Create* button is disabled. | Lack of administrative permissions. | Agent identity assignments fail if the user account lacks *Owner* or *User Access Administrator* permissions. |
+
+## Related content
+
+- [Security contexts](./security-context.md)