Deployment errors

import { Aside } from “@astrojs/starlight/components”;

The wizard deploy fails for one of a small number of reasons. Each one has a clean fix.

”AuthorizationFailed: … does not have permission to create role assignment”

Cause: you have Contributor on the subscription but not User Access Administrator. The bicep creates three role assignments (Cosmos DB Data Contributor, KV Secrets Officer, SignalR Service Owner) on the customer Function App’s MI, which requires UAA.

Fix:

# Either add UAA to your account:
az role assignment create \
  --role "User Access Administrator" \
  --assignee $(az account show --query user.name -o tsv) \
  --scope /subscriptions/{your-sub-id}

# OR ask your subscription Owner to deploy on your behalf.

After the role assignment propagates (~30s), re-run the deploy from the Marketplace listing’s Change plan blade (selecting the same plan re-runs the deploy).

”ServiceModelDeprecated: gpt-X is not available for new deployments”

Cause: Azure has stopped accepting new deployments of the AI model we depend on (gpt-5-mini). Microsoft typically gives 6-12 months notice.

Fix: this requires us to ship an updated package with a newer model. Contact support — we monitor model deprecation and ship updates ahead of cutoffs, but if you hit this, it means your install was triggered AFTER cutoff but BEFORE our update propagated.

”InvalidQuota: No quota for X in region Y”

Cause: your subscription has no gpt-5-mini GlobalStandard quota in the region you picked.

Fix: two options.

1. Request quota in the portal: Azure AI Foundry → Quotas → Request quota for gpt-5-mini in your chosen region. Approval typically takes minutes for small asks.

2. Pick a different region with available quota: westus3, eastus2, and swedencentral are typically reliable. Re-run the deploy from the Marketplace Change plan blade with the new region.

”Storage account name already exists”

Cause: your stack name (the suffix used in resource names) collides with an existing globally-unique resource. This is extremely rare with our uniqueString() derivation but theoretically possible.

Fix: pick a different stack name. Stack names use 3-12 lowercase alphanumeric chars; avoid common words.

Deploy succeeds, but /api/health returns 404 or 500

Cause: the customer-runtime publish (the step where we push the function code into your Function App) failed. The bicep finished but the Function App has no functions.

Fix:

# Check the FA's host status
curl https://pocai-fa-{stack-hash}.azurewebsites.net/admin/host/status \
  -H "x-functions-key: $(az functionapp keys list -g mrg-... -n pocai-fa-{stack-hash} --query masterKey -o tsv)"

# Check the deployment blob exists
az storage blob show \
  --account-name pocaist{stack-hash} \
  --account-key $(az storage account keys list -g mrg-... -n pocaist{stack-hash} --query '[0].value' -o tsv) \
  --container-name app-package \
  --name released-package.zip

If the blob is missing → our orchestrator publish step failed. Contact support with your stack name.

If the blob exists but the host has 0 functions → the host needs to be triggered to sync. Issue:

az rest --method post \
  --uri "https://management.azure.com/subscriptions/{your-sub}/resourceGroups/mrg-.../providers/Microsoft.Web/sites/pocai-fa-{stack-hash}/syncfunctiontriggers?api-version=2023-12-01"

“The AAD app was not created during install”

This isn't a deploy failure — the bicep succeeded. But the Teams app won't work until you fix it.

Cause: the install consent prompt offered Microsoft Graph Application.ReadWrite.OwnedBy and you declined. Without that, our auto-create skipped silently and your install-completed page shows a warning instead of the AAD secret.

Fix: run the manual fallback script from a checkout of the PointOfContactAI repo:

git clone https://github.com/innovations24/pocai.git
cd pocai
node scripts/create-aad-app.mjs --stack-name {your-stack-name}

The script prints the four values you need to set on your customer Function App. See Teams app setup.