Howie/hosted agent with rbac #46451

Open. howieleung wants to merge 7 commits into main from howie/hosted-agent-with-rbac

@howieleung (Member)

Description

Please add an informative description that covers the changes made by the pull request and link all relevant issues.

If an SDK is being regenerated based on a new API spec, a link to the pull request containing these API spec changes should be included above.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates azure-ai-projects to align hosted agent samples and generated models with newer Foundry specs, including adding RBAC helper logic for hosted agent identities and introducing telemetry-related model types.

Changes:

  • Update hosted agent samples to rely on an existing Hosted Agent (by name) and ensure sessions are cleaned up.
  • Add a new sample_create_hosted_agent.py plus rbac_util.py to provision a hosted agent version and assign Azure AI User RBAC to the agent identity.
  • Regenerate/update models to include telemetry endpoint/auth/config types and related enums, and bump the tsp-location.yaml spec commit.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| sdk/ai/azure-ai-projects/tsp-location.yaml | Bumps the REST API spec commit used for generation. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_sessions_files_upload_download_async.py | Removes async session file sample. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_sessions_files_upload_download.py | Uses existing hosted agent + explicit session create/delete. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_sessions_crud_async.py | Removes async sessions CRUD sample. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_sessions_crud.py | Uses existing hosted agent; session CRUD sample updated. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_session_log_stream_async.py | Removes async log streaming sample. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_session_log_stream.py | Uses existing hosted agent; adds session create/delete around log stream flow. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_agent_endpoint_async.py | Removes async agent endpoint sample. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_agent_endpoint.py | Uses existing hosted agent; creates/deletes session around endpoint routing + Responses call. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/sample_create_hosted_agent.py | New sample to create a hosted agent version and set up RBAC for agent identity. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/rbac_util.py | New helper to create deterministic role assignments for the hosted agent managed identity. |
| sdk/ai/azure-ai-projects/samples/hosted_agents/hosted_agents_util.py | Replaces create-and-cleanup helpers with “get latest active agent version” helper. |
| sdk/ai/azure-ai-projects/pyrightconfig.json | Adds extraPaths for mgmt SDKs used by samples/utilities. |
| sdk/ai/azure-ai-projects/dev_requirements.txt | Adds a new dev dependency for local sample/tooling use. |
| sdk/ai/azure-ai-projects/azure/ai/projects/models/_models.py | Adds telemetry endpoint/auth/config model types and HostedAgentDefinition.telemetry_config. |
| sdk/ai/azure-ai-projects/azure/ai/projects/models/_enums.py | Adds telemetry enums (data kind, endpoint kind/auth type, transport protocol). |
| sdk/ai/azure-ai-projects/azure/ai/projects/models/__init__.py | Exports the new telemetry model/enums in the public surface. |
| sdk/ai/azure-ai-projects/apiview-properties.json | Adds APIView mappings for telemetry types/enums. |

from azure.mgmt.authorization import AuthorizationManagementClient
from azure.mgmt.authorization.models import RoleAssignmentCreateParameters
from azure.mgmt.resource import ResourceManagementClient
from azure.ai.projects.models import AgentDetails, AgentVersionDetails

Copilot AI Apr 21, 2026

rbac_util imports AgentDetails but never uses it. This will trip linters/type-checkers; please remove the unused import.

Suggested change
from azure.ai.projects.models import AgentDetails, AgentVersionDetails
from azure.ai.projects.models import AgentVersionDetails

Copilot uses AI. Check for mistakes.
Comment on lines +100 to +114
reads the hosted agent managed identity principal ID from ``agent``, and
creates a deterministic role assignment for the Azure AI User role if one does not
already exist.

:param agent: Agent version details containing ``instance_identity``.
:type agent: ~azure.ai.projects.models.AgentVersionDetails
:param credential: Credential used for Azure Resource Manager authorization calls.
:type credential: ~azure.core.credentials.TokenCredential
:param subscription_id: Azure subscription ID containing the Foundry project/account.
:type subscription_id: str
:param foundry_project_endpoint: Foundry project endpoint in the format
``https://<account>.services.ai.azure.com/api/projects/<project-name>``.
:type foundry_project_endpoint: str
:raises RuntimeError: If the agent identity principal ID is unavailable, or if the
account/project resources cannot be resolved.
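
Review bot: the `:param credential:` entry says only that the credential is used for Azure Resource Manager authorization calls; it does not say that the caller needs permission to create role assignments (Microsoft.Authorization/roleAssignments/write) at the target scope. Please document that requirement here and in the sample's prerequisites, and have the `:raises:` section say what the caller sees when the credential lacks it, since only RuntimeError for an unavailable principal ID or unresolved resources is listed.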

Copilot AI Apr 21, 2026

ensure_agent_identity_rbac claims it resolves the Azure AI account resource ID from the Foundry project endpoint, but _resolve_ai_account_resource_id actually assumes the Azure AI account is in the same resource group as the project (it extracts the project's RG and then lists accounts only within that RG). Please either document this assumption in the docstring (and/or sample docs) or make the lookup robust across resource groups.

Suggested change
reads the hosted agent managed identity principal ID from ``agent``, and
creates a deterministic role assignment for the Azure AI User role if one does not
already exist.
:param agent: Agent version details containing ``instance_identity``.
:type agent: ~azure.ai.projects.models.AgentVersionDetails
:param credential: Credential used for Azure Resource Manager authorization calls.
:type credential: ~azure.core.credentials.TokenCredential
:param subscription_id: Azure subscription ID containing the Foundry project/account.
:type subscription_id: str
:param foundry_project_endpoint: Foundry project endpoint in the format
``https://<account>.services.ai.azure.com/api/projects/<project-name>``.
:type foundry_project_endpoint: str
:raises RuntimeError: If the agent identity principal ID is unavailable, or if the
account/project resources cannot be resolved.
assuming the Azure AI account is in the same resource group as the Foundry
project, reads the hosted agent managed identity principal ID from ``agent``,
and creates a deterministic role assignment for the Azure AI User role if one
does not already exist.
:param agent: Agent version details containing ``instance_identity``.
:type agent: ~azure.ai.projects.models.AgentVersionDetails
:param credential: Credential used for Azure Resource Manager authorization calls.
:type credential: ~azure.core.credentials.TokenCredential
:param subscription_id: Azure subscription ID containing the Foundry project and,
under the current lookup behavior, the Azure AI account.
:type subscription_id: str
:param foundry_project_endpoint: Foundry project endpoint in the format
``https://<account>.services.ai.azure.com/api/projects/<project-name>``.
The account resource lookup assumes the backing Azure AI account is in the
same resource group as the Foundry project.
:type foundry_project_endpoint: str
:raises RuntimeError: If the agent identity principal ID is unavailable, or if the
account/project resources cannot be resolved under the same-resource-group
lookup assumption.

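
One way to make the account lookup discussed above work across resource groups while keeping the role assignment idempotent, as an added example (not code from this PR or from rbac_util.py). It assumes the endpoint's host label equals the account resource name and that the caller has already listed account resource IDs for the whole subscription; the function names, the uuid5 naming scheme, the placeholder role GUID and the sample IDs are all hypothetical or constructed.

```python
import uuid
from urllib.parse import urlsplit

# Placeholder, not the real value: substitute the "Azure AI User" role definition GUID.
ROLE_DEFINITION_GUID = "00000000-0000-0000-0000-000000000000"
ENDPOINT_SUFFIX = ".services.ai.azure.com"
# Constructed sample data: account IDs as a subscription-wide listing would return them.
SUB = "11111111-1111-1111-1111-111111111111"
ACCOUNT_IDS = [
    f"/subscriptions/{SUB}/resourceGroups/rg-shared/providers/Microsoft.CognitiveServices/accounts/contoso-ai",
    f"/subscriptions/{SUB}/resourceGroups/rg-apps/providers/Microsoft.CognitiveServices/accounts/other-ai",
]


def parse_project_endpoint(endpoint):
    """Split https://<account>.services.ai.azure.com/api/projects/<project-name>."""
    parts = urlsplit(endpoint)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or not host.endswith(ENDPOINT_SUFFIX):
        raise ValueError("not a Foundry project endpoint")
    account = host[: -len(ENDPOINT_SUFFIX)]
    if not account or "." in account or len(segments) != 3 or segments[:2] != ["api", "projects"]:
        raise ValueError("unexpected endpoint shape")
    return account, segments[2]


def resolve_account_id(account, account_ids):
    """Match the account by name in any resource group; refuse to guess on 0 or >1 hits."""
    wanted = "/providers/microsoft.cognitiveservices/accounts/" + account.lower()
    matches = [rid for rid in account_ids if rid.lower().endswith(wanted)]
    if len(matches) != 1:
        raise RuntimeError(f"expected one account named {account!r}, found {len(matches)}")
    return matches[0]


def role_assignment_request(scope, principal_id, subscription_id):
    """Same scope, principal and role always yield the same assignment name (idempotent)."""
    role_id = (f"/subscriptions/{subscription_id}/providers/"
               f"Microsoft.Authorization/roleDefinitions/{ROLE_DEFINITION_GUID}")
    key = "|".join([scope, principal_id, role_id]).lower()
    return {"scope": scope, "name": str(uuid.uuid5(uuid.NAMESPACE_URL, key)),
            "role_definition_id": role_id, "principal_id": principal_id,
            "principal_type": "ServicePrincipal"}


if __name__ == "__main__":
    account, project = parse_project_endpoint("https://contoso-ai.services.ai.azure.com/api/projects/demo")
    scope = resolve_account_id(account, ACCOUNT_IDS)
    print(role_assignment_request(scope, "22222222-2222-2222-2222-222222222222", SUB))
```

The returned dict uses the field names of `RoleAssignmentCreateParameters`; the `name` is what makes a repeated run address the same assignment instead of creating a second one.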
azure-mgmt-authorization
azure-mgmt-cognitiveservices
azure-mgmt-resource
azure-mgmt-subscription
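
Review bot: all four `azure-mgmt-*` entries are added without a version specifier, so every install resolves to whatever release is newest on the index at that moment. If this file is meant to give reproducible sample and tooling environments, add at least a lower bound for each package that stays, so the management SDK versions the RBAC helper was written against are recorded.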

Copilot AI Apr 21, 2026

azure-mgmt-subscription is added here, but there are no usages of azure.mgmt.subscription anywhere under sdk/ai/azure-ai-projects (only this requirements entry and the pyright extraPath). If it's not needed, please remove it to avoid unnecessary dependency surface/installs; if it is needed, add the corresponding imports/usages (or a comment) so the intent is clear.

Suggested change
azure-mgmt-subscription

"./../../evaluation/azure-ai-evaluation",
"./../../identity/azure-identity",
"./../../resources/azure-mgmt-resource",
"./../../resources/azure-mgmt-subscription",

Copilot AI Apr 21, 2026

./../../resources/azure-mgmt-subscription is added to extraPaths, but the repo has no Python imports of azure.mgmt.subscription under sdk/ai/azure-ai-projects (it appears unused). Please remove this path unless there's a concrete consumer; otherwise it can mask missing-install issues and increases maintenance overhead.

Suggested change
"./../../resources/azure-mgmt-subscription",

Comment on lines +91 to +100
openai_client = project_client.get_openai_client(agent_name=agent_name)

# Call Responses API and bind the request to the created agent session.
response = openai_client.responses.create(
input="What is the size of France in square miles?",
extra_body={
"agent_session_id": session.agent_session_id,
},
)
print(f"Response output: {response.output_text}")

Copilot AI Apr 21, 2026

get_openai_client(...) returns an OpenAI client that supports being used as a context manager (many other samples use with project_client.get_openai_client() as openai_client:). Here it's created without closing, which can leave underlying HTTP resources open. Please wrap it in a with block (or explicitly close it) to ensure resources are released.

Suggested change
openai_client = project_client.get_openai_client(agent_name=agent_name)
# Call Responses API and bind the request to the created agent session.
response = openai_client.responses.create(
input="What is the size of France in square miles?",
extra_body={
"agent_session_id": session.agent_session_id,
},
)
print(f"Response output: {response.output_text}")
with project_client.get_openai_client(agent_name=agent_name) as openai_client:
# Call Responses API and bind the request to the created agent session.
response = openai_client.responses.create(
input="What is the size of France in square miles?",
extra_body={
"agent_session_id": session.agent_session_id,
},
)
print(f"Response output: {response.output_text}")

Comment on lines +64 to 71
agent = get_latest_active_agent_version(project_client, agent_name)
session = project_client.beta.agents.create_session(
agent_name=agent_name,
isolation_key=isolation_key,
version_indicator=VersionRefIndicator(agent_version=agent.version),
)
print(f"Session created (id: {session.agent_session_id}, status: {session.status})")
print(f"Created session (id: {session.agent_session_id}, status: {session.status})")

Copilot AI Apr 21, 2026

This sample creates a session but doesn't guard cleanup with a try/finally. If any of the subsequent operations (get/list) raise, delete_session(...) won't run and the session may be left behind. Consider wrapping the session operations in try: ... finally: delete_session(...) (similar to the other hosted_agents samples in this PR).


Before running the sample:

pip install "azure-ai-projects>=2.1.0" python-dotenv

Copilot AI Apr 21, 2026

The usage instructions say to pip install "azure-ai-projects>=2.1.0" python-dotenv, but this sample imports azure.mgmt.authorization / azure.mgmt.resource via rbac_util. Without installing those packages, the sample will fail at import time. Please update the install instructions to include the required azure-mgmt-authorization and azure-mgmt-resource dependencies (and any other mgmt packages actually needed).

Suggested change
pip install "azure-ai-projects>=2.1.0" python-dotenv
pip install "azure-ai-projects>=2.1.0" python-dotenv azure-mgmt-authorization azure-mgmt-resource

Comment on lines +28 to +29
4) FOUNDRY_PROJECTS_AZURE_SUBSCRIPTION_ID - Azure subscription ID where the
Azure AI account and project are deployed.

Copilot AI Apr 21, 2026

In the environment variable list, item "4)" is mis-indented compared to the other items, which makes the rendered docstring harder to read. Align the indentation of this line with the other numbered entries.

Suggested change
4) FOUNDRY_PROJECTS_AZURE_SUBSCRIPTION_ID - Azure subscription ID where the
Azure AI account and project are deployed.
4) FOUNDRY_PROJECTS_AZURE_SUBSCRIPTION_ID - Azure subscription ID where the
Azure AI account and project are deployed.
