Claude quota inspector, preflight, workspace-scoped az login, Foundry role rename#2
Merged
Merged
Conversation
added 2 commits
May 20, 2026 11:59
* src/check_claude_quota.py: query the Foundry Usages + Model Capacities ARM APIs and print a merged (model, region) table with TPM utilization, derived RPM limits, deployable capacity, and version. RPM is derived from documented per-model RPM:TPM ratios since RPM is not a separate quota line.
* scripts/preflight-claude.{ps1,sh}: preprovision hook gating azd up on Marketplace catalog resolution + quota headroom; both azure.yaml files now invoke it instead of inlining a CLAUDE_ORGANIZATION_NAME check.
* README: link from the top to existing Advanced sections; new Advanced section documenting check_claude_quota.py (flags, requirements, output semantics) and the preflight preprovision section.
…erify script
* Workspace-scoped az login: activators (claude-code.env.{ps1,sh}) and
.vscode/settings.json (terminal.integrated.env.{windows,linux,osx}) now
set AZURE_CONFIG_DIR=<repo>/.azure-cli, so 'az login' / 'az ...' done in
this workspace writes its MSAL token cache and config to ./.azure-cli/
only - never touches ~/.azure or affects other VS Code windows.
Added .azure-cli/ to .gitignore. Documented in a new 'Workspace-scoped
az login' callout in README.
* Role rename fix: Azure recently renamed 'Azure AI User' to 'Foundry User'
and 'Azure AI Project Manager' to 'Foundry Project Manager' (role GUIDs
unchanged). Bicep referenced by GUID so it still worked, but the Terraform
variant used role_definition_name = 'Azure AI User' which now fails with
'role doesn't exist'. Renamed both TF role assignments to the current
names, updated Bicep variable names + comments + parameter description,
and corrected all 6 README mentions (with a 'formerly Azure AI User' note
for searchability).
* New verify-claude-code.{ps1,sh} script: 9 checks (activator file, env
vars, deployed families, .vscode/settings.json shape, az account, Foundry
reachability, claude CLI on PATH, optional claude -p round-trip per
family, optional Python SDK round-trip). Exits non-zero on hard failure
so it can be wired into CI.
* README expansions:
- New troubleshooting rows: soft-deleted Cognitive Services accounts
holding TPM quota for 48h (with parallel purge recipe), intermittent
401 from data-plane RBAC propagation lag, Windows charmap codec on
emoji, check_claude_quota.py needing AZURE_SUBSCRIPTION_ID.
- New 'Free quota held by soft-deleted accounts' section.
- New 'Granting data-plane roles after azd up' section with copy-paste
PowerShell + bash one-liners (covers the case where ASSIGN_RBAC is
left at its default false).
- 'Verify Claude Code is wired up' section now references the new
verify-claude-code scripts as the one-command end-to-end check.
* Default capacities lowered 50 -> 25 in both Bicep and Terraform so the
defaults fit in a typical MSDN/PAYG 80 TPM quota with room for a second
deployment.
* Misc: src/hello_claude_apikey.py docstring updated to 'Foundry User
(formerly Azure AI User)'.
achandmsft
changed the title
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Heads up to reviewers
This PR was updated in commit
fc84952on top of the originald3a505e. The new commit changes role terminology — please review with these names in mind:Azure AI UserFoundry User53ca6127-db72-4b80-b1b0-d745d6d5456dAzure AI Project ManagerFoundry Project Managereadc314b-1a2d-4efa-be10-5d325db5065eAzure quietly renamed both built-in roles. The GUIDs are stable. The Bicep variant always referenced by GUID, so it kept working but had stale variable names + comments. The Terraform variant referenced by literal name (
role_definition_name = "Azure AI User") and is now a runtime-only failure (Role "Azure AI User" doesn't exist) — fixed here. README mentions all carry a "(formerlyAzure AI User)" note for searchability.Summary
Five related changes:
src/check_claude_quota.py— programmatic Claude quota + capacity inspector. Queries the Foundry Usages and Model Capacities ARM APIs (per the official docs) and prints a merged(model, region)table with TPM utilization, derived RPM limits, deployable capacity, and active model version. RPM is derived from documented per-model RPM:TPM ratios since RPM is not a separate quota line in the Usages API.scripts/preflight-claude.{ps1,sh}— preprovision hook gatingazd upon Marketplace catalog resolution + quota headroom. Bothinfra-bicep/azure.yamlandinfra-terraform/azure.yamlnow invoke the script instead of inlining a singleCLAUDE_ORGANIZATION_NAMEcheck.Workspace-scoped
az login— activators (claude-code.env.{ps1,sh}) and.vscode/settings.json(terminal.integrated.env.{windows,linux,osx}) now setAZURE_CONFIG_DIR=<repo>/.azure-cli.az loginfrom this workspace writes its MSAL token cache + config to./.azure-cli/only — it never touches~/.azureand never leaks into other VS Code windows..azure-cli/is added to.gitignore. Documented in a new "Workspace-scopedaz login" callout in the README.Role rename fix (see heads-up above). Bicep variable names + comments updated for clarity (GUIDs unchanged); Terraform role assignments renamed to the current names; all 6 README mentions updated;
src/hello_claude_apikey.pydocstring updated.scripts/verify-claude-code.{ps1,sh}— one-command end-to-end verifier with 9 checks: activator file, env vars, deployed families,.vscode/settings.jsonshape,az account, Foundry resource reachable, Claude Code CLI on PATH, optionalclaude -pround-trip per family, optional Python SDK round-trip. Exits non-zero on hard failure so it can wire into CI. Referenced from the "Verify Claude Code is wired up" README section.README also expands:
check_claude_quota.pyneedingAZURE_SUBSCRIPTION_ID.azd up" section with copy-paste PowerShell + bash one-liners (covers the case whereASSIGN_RBACis left at its defaultfalse).check_claude_quota.py(flags, requirements, output semantics).50 -> 25in both Bicep and Terraform so the defaults fit in a typical MSDN / PAYG 80 TPM quota with room for a second deployment.Test plan
check_claude_quota.py: ran against an EA subscription with active Claude deployments; verified TPM, derived RPM, and capacity numbers acrosseastus2+swedencentral(and opportunistic regions likewestus2/westcentralus).preprovisionhook on both IaC variants; no change toazd upbehavior beyond clearer early failure messages.az login: opened a second VS Code window outside the repo, confirmedaz account showthere is unaffected byaz logininside this workspace; confirmed./.azure-cli/is populated and~/.azureis untouched.az bicep buildsucceeds with no new warnings;terraform init -backend=false && terraform validatereportsSuccess! The configuration is valid.verify-claude-code.ps1 -SkipClaudeCallreports 9/9 PASS against a liveclaude-foundryresource; full run withclaude -pround-trip and Python SDK round-trip also passes.