azure-validate

by microsoft

azure-validate is a pre-deployment validation skill for Azure. It checks your configuration, infrastructure as code (Bicep or Terraform), Azure Developer CLI (azd) projects, permissions, regions, and policies to catch issues before you run a real deployment.

Category: Deployment

Install command:
npx skills add https://github.com/microsoft/azure-skills --skill azure-validate
Overview

What is azure-validate?

azure-validate is a deployment validation skill designed to run deep preflight checks against your Azure application and infrastructure before you deploy. It reads the approved deployment plan created by azure-prepare and then validates configuration, infrastructure as code (Bicep or Terraform), Azure Developer CLI (azd) workflows, Azure CLI (azcli) scripts, policies, regions, and required permissions.

The skill belongs in the deployment phase of your workflow, but it behaves like an automated test suite for your Azure environment. It helps you confirm that the plan is safe to execute and that your app truly is ready to deploy.

When should you use this skill?

Use azure-validate whenever you want to:

  • Check if your app and infrastructure are ready to deploy
  • Validate azure.yaml or Bicep templates before running azd provision or azd deploy
  • Run pre-deployment checks for Terraform or raw Azure CLI scripts
  • Verify Azure subscription, region, and quota choices
  • Validate Azure Policy compliance for your planned resources
  • Catch common Azure CLI and IaC validation errors early
  • Troubleshoot repeated deployment failures in CI/CD pipelines

It fits best in this sequence:

azure-prepare → azure-validate → azure-deploy

Who is azure-validate for?

azure-validate is aimed at:

  • Backend and cloud developers building apps on Azure
  • DevOps and platform engineers responsible for reliable deployments
  • Teams standardizing on Bicep, Terraform, azd, or azcli for infrastructure
  • CI/CD owners who need consistent, automated pre-deployment checks

If you frequently manage multi-environment deployments (dev/test/prod) or need to comply with organization-wide policies and region rules, this skill gives you a repeatable validation layer.

What problems does it solve?

azure-validate helps reduce failed or partial deployments by catching issues such as:

  • Missing or invalid configuration in azure.yaml or IaC files
  • Misconfigured or unsupported Azure regions for specific services
  • Azure Policy violations that would block the deployment
  • Authentication and permission problems (e.g., missing roles)
  • Common Azure CLI validation errors for Bicep and templates
  • Misaligned infrastructure recipes across azd, azcli, Bicep, and Terraform

Instead of discovering these issues in production or late in a pipeline, you surface them during validation with clear references and recipes to fix them.

When is azure-validate not a good fit?

This skill is not intended for:

  • Non-Azure deployments (other clouds or on-prem only)
  • Post-deployment monitoring, health checks, or observability
  • Application-level test suites (unit, integration, or UI tests)
  • One-off manual deployments without a plan generated by azure-prepare

If you do not use infrastructure as code or a structured plan file (like .azure/plan.md created by azure-prepare), you will not get the full benefit of azure-validate.

How to Use

1. Installation and setup

Add azure-validate to your skills

Install the skill from the microsoft/azure-skills repository:

npx skills add https://github.com/microsoft/azure-skills --skill azure-validate

This makes the azure-validate workflow available to your agent or tools environment.

Required workflow order

Before running azure-validate, you must have:

  • Successfully invoked azure-prepare, and
  • An .azure/plan.md file present with status Approved or later

The supported workflow is strictly:

azure-prepare → azure-validate → azure-deploy

If .azure/plan.md is missing or not approved, stop and run azure-prepare first.

2. Understand core triggers and rules

Key triggers

Use azure-validate when you need to:

  • Confirm an app is ready to deploy
  • Validate azure.yaml or Bicep templates
  • Run preflight checks before provisioning resources
  • Troubleshoot Azure deployment errors coming from IaC or CLI steps

Core rules to follow

From the skill’s guidance and shared global-rules reference:

  1. Run azure-validate only after azure-prepare and before any real deployment.
  2. Treat validation failures as blocking. Do not proceed with azure-deploy until issues are resolved.
  3. For any destructive or high-impact action (deletion, overwrite, major cost or security change), always prompt the user using ask_user as described in references/global-rules.md.
  4. Never assume the Azure subscription or region; these must be confirmed with the user when relevant.

3. Follow infrastructure-specific validation recipes

The skill includes targeted recipes under references/recipes/ to validate different infrastructure approaches.

For Azure Developer CLI (azd) projects

  • Start with references/recipes/azd/README.md.
  • Use references/recipes/azd/environment.md to verify environment configuration.
  • Use references/recipes/azd/errors.md to interpret and fix common azd validation and deployment issues.
  • For .NET Aspire-based projects, see references/recipes/azd/aspire.md for extra checks.

These guides help you confirm that azure.yaml, application wiring, and environment setup are valid before provisioning with azd.

For Azure CLI (azcli) + Bicep workflows

  • Start with references/recipes/azcli/README.md for a full AZCLI validation checklist, including:
    • Verifying Azure CLI installation (az version)
    • Logging in and setting the subscription
    • Compiling Bicep (az bicep build)
    • Running template validation and what-if previews
  • Use references/recipes/azcli/errors.md for quick fixes to common az error messages (token issues, MFA, authorization problems, template validation failures).

This combination gives you a concrete, step-by-step way to validate Bicep-based deployments driven by Azure CLI.

For Bicep-focused infrastructure

  • See references/recipes/bicep/README.md for Bicep-specific validation workflows.
  • Use references/recipes/bicep/errors.md for guidance on typical Bicep validation problems and how to resolve them.

You can integrate these checks into your local workflow or CI pipeline to ensure templates and parameters are valid before you run a full deployment.

For Terraform-based deployments

  • Use references/recipes/terraform/README.md to align azure-validate with Terraform plans and apply steps.
  • Refer to references/recipes/terraform/errors.md for common Terraform validation and Azure authorization errors and their resolutions.

These recipes help you validate Terraform infrastructure and Azure account setup before running terraform apply in any environment.

4. Validate policy, region, and quota readiness

Azure Policy validation

Use references/policy-validation.md as your guide to ensure the planned deployment respects Azure Policy assignments on the subscription.

Typical flow:

  1. Get the current subscription ID:

    az account show --query id -o tsv
    
  2. Use the Azure policy MCP integration to list and review policies for that subscription as shown in the reference.

  3. Resolve policy violations (disallowed SKUs, missing tags, restricted resource types, location blocks, network security rules) before proceeding.

Only continue to deployment once policy compliance is confirmed.

Region availability and quota checks

Use references/region-availability.md to cross-check that all services in your architecture are supported in the requested regions and that quota is sufficient.

This is especially critical for services with limited region availability, such as:

  • Azure Static Web Apps
  • Azure OpenAI (with model-specific region differences)

Follow the reference’s guidance and any listed MCP tools (for quota and region availability) to avoid failures caused by unsupported regions or insufficient capacity.

5. App and function validation examples

Aspire + Azure Functions secret storage

If you are using .NET Aspire plus Azure Functions, consult references/aspire-functions-secrets.md:

  • Detect whether your app host includes AddAzureFunctionsProject with identity-based storage.
  • Ensure AzureWebJobsSecretStorageType is properly configured.
  • Apply the recommended fix (including .WithEnvironment("AzureWebJobsSecretStorageType", "Files") where instructed) before provisioning.

Running this validation step before azd provision avoids common function secret storage issues that can block serverless deployments.

6. Using azure-validate in CI/CD pipelines

While azure-validate is authored as an agent skill, its steps and references map well to automated pipelines:

  • Use the recipes as pipeline stages (e.g., run Bicep validation and what-if before deploy jobs).
  • Fail the pipeline on any validation error exposed by the recipes or policy checks.
  • Surface links or snippets from references/* files in pipeline logs to guide developers on how to fix issues.

This turns azure-validate into a consistent pre-deployment gate for all environments.
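
A gate of this kind for the azcli + Bicep path, as an added example that is not code from the skill or the microsoft/azure-skills repository. It assumes the plan records its state on a line such as `Status: Approved` (the page does not show the plan format); the template path and resource group are placeholders supplied by the caller.

```shell
# Added example: pre-deployment gate following the azcli + Bicep checklist.
# Assumptions (not from the skill): the plan carries a line like
# "Status: Approved"; template path and resource group come from the caller.
set -u

PLAN_FILE="${PLAN_FILE:-.azure/plan.md}"
# The page says "Approved or later" without listing the later states;
# extend this space-separated list from SKILL.md.
ACCEPTED_STATUSES="${ACCEPTED_STATUSES:-Approved}"

# Return 0 only if the plan file exists and carries an accepted status.
plan_is_approved() {
  [ -f "$PLAN_FILE" ] || {
    echo "missing $PLAN_FILE: run azure-prepare first" >&2; return 1; }
  # Take the first "Status" line, tolerating markdown decoration around it.
  status=$(sed -n 's/^[^A-Za-z]*[Ss]tatus[^A-Za-z]*\([A-Za-z]*\).*/\1/p' \
    "$PLAN_FILE" | head -n 1)
  for ok in $ACCEPTED_STATUSES; do
    [ "$status" = "$ok" ] && return 0
  done
  echo "plan status '${status:-none}' is not accepted" >&2
  return 1
}

# Run the checks in order and stop at the first failure, so a deploy job
# that depends on this step never starts. Each stage has its own exit code.
preflight() {
  template="$1"; resource_group="$2"
  plan_is_approved || return 1
  az version >/dev/null || { echo "Azure CLI not installed" >&2; return 2; }
  az account show --query id -o tsv >/dev/null || {
    echo "not logged in or no subscription set" >&2; return 2; }
  az bicep build --file "$template" --stdout >/dev/null || return 3
  az deployment group validate --resource-group "$resource_group" \
    --template-file "$template" >/dev/null || return 4
  # what-if output is left on stdout so it lands in the pipeline log.
  az deployment group what-if --resource-group "$resource_group" \
    --template-file "$template" || return 5
}

# Run only when called with arguments: preflight.sh <template> <resource-group>
if [ "$#" -ge 2 ]; then preflight "$1" "$2"; exit $?; fi
```

The distinct return codes let a pipeline report which stage blocked the deployment: 1 for the plan, 2 for CLI or login, 3 for Bicep compilation, 4 for template validation, 5 for what-if.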

7. Files to review for deeper customization

To tailor azure-validate to your workflow, open these key files in the repository:

  • SKILL.md – Authoritative instructions, triggers, rules, and ordered steps for the skill.
  • references/global-rules.md – Mandatory global rules for destructive actions, subscription and region handling.
  • references/policy-validation.md – Detailed policy validation usage.
  • references/region-availability.md – Region and quota guidance for constrained services.
  • references/aspire-functions-secrets.md – Validation for Aspire + Azure Functions secret storage.
  • references/recipes/README.md – Index of azd, azcli, Bicep, and Terraform validation recipes.

Use these as building blocks instead of copying the entire workflow blindly.

FAQ

Is azure-validate required, or can I deploy without it?

The skill is designed to run between azure-prepare and azure-deploy. While you could technically deploy without running azure-validate, the authoritative guidance expects you to treat it as a required gate. Skipping it increases the risk of deployment failures, policy blocks, or region/permission issues.

Do I need to run azure-prepare first?

Yes. azure-validate assumes that azure-prepare has already been invoked and that .azure/plan.md exists with a status of Approved or later. If that file is missing or not approved, you should stop and run azure-prepare before using azure-validate.

Which infrastructure tools does azure-validate support?

azure-validate provides recipes and guidance for:

  • Azure Developer CLI (azd)
  • Azure CLI (azcli) with Bicep templates
  • Bicep-based infrastructure
  • Terraform

You can choose the recipe that matches your stack under references/recipes/.

Can I use azure-validate with CI/CD pipelines?

Yes. Although authored as an agent skill, its validation steps, error guides, and policy/region checks are suitable for CI/CD. You can mirror the recipes and checks in your pipeline (e.g., GitHub Actions, Azure DevOps) so that deployments only proceed when validation succeeds.

Does azure-validate make changes to my Azure resources?

azure-validate is focused on validation and preflight checks. The guidance emphasizes that any destructive or high-impact actions must be explicitly confirmed with the user (via ask_user and the global-rules file). In typical usage, you use this skill to inspect, validate, and plan—not to perform irreversible changes.

How does azure-validate help with Azure Policy and governance?

The skill includes references/policy-validation.md, which shows how to inspect policies for a subscription and review policy compliance before deployment. By following this guidance, you can detect disallowed resource types, SKUs, tags, or regions in advance and align your deployment with organizational rules.

How does it handle region-specific services such as Azure Static Web Apps or Azure OpenAI?

references/region-availability.md lists services with limited region support and points to official Azure documentation and MCP tools for quota and availability checks. azure-validate expects you to consult this reference and only offer or use regions where all required services are supported.

Is azure-validate suitable for local development environments?

Yes, as long as you are planning to deploy to Azure and you use azure-prepare to generate a plan, you can run azure-validate against dev and test environments. This is a good way to catch issues early before you promote to staging or production.

Where should I start when first installing azure-validate?

After adding the skill, begin with SKILL.md to understand the rules and sequence, then review references/recipes/README.md to pick the recipe that matches your infrastructure tool (azd, azcli, Bicep, Terraform). From there, follow the relevant recipe plus the policy and region guidance to wire azure-validate into your workflow.
