Azure-Samples · pamelafox · Apr 24, 2026
diff --git a/infra/core/ai/ai-project.bicep b/infra/core/ai/ai-project.bicep
@@ -99,7 +99,6 @@ module applicationInsights '../monitor/applicationinsights.bicep' = if (shouldCr
     tags: tags
     name: 'appi-${resourceToken}'
     logAnalyticsWorkspaceId: logAnalytics.outputs.id
-    projectMIPrincipalId: aiAccount::project.identity.principalId
   }
 }
 
@@ -202,6 +201,21 @@ module aiConnections './connection.bicep' = [for (connection, index) in connecti
   }
 }]
 
+// Log Analytics Reader for the Foundry Project managed identity.
+// Required for continuous evaluation to query Application Insights traces.
+// This must NOT be gated on shouldCreateAppInsights, because after first deploy
+// the App Insights outputs get saved as azd env vars, making shouldCreateAppInsights=false
+// on subsequent provisions and skipping the entire applicationInsights module.
+resource projectLogAnalyticsReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (enableMonitoring) {
+  name: guid(subscription().id, resourceGroup().id, aiAccount::project.name, '73c42c96-874c-492b-b04d-ab87d138a893')
+  properties: {
+    principalId: aiAccount::project.identity.principalId
+    principalType: 'ServicePrincipal'
+    // Log Analytics Reader
+    roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
+  }
+}
+
 // Azure AI User for the developer, scoped to the Foundry Project.
 // Project scope is sufficient for creating/running agents and calling models via the project endpoint.
 resource localUserAzureAIUserRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {

diff --git a/infra/core/monitor/applicationinsights.bicep b/infra/core/monitor/applicationinsights.bicep
@@ -5,9 +5,6 @@ param location string = resourceGroup().location
 param tags object = {}
 param logAnalyticsWorkspaceId string
 
-@description('Optional. Principal ID of the Foundry Project managed identity to grant Log Analytics Reader.')
-param projectMIPrincipalId string = ''
-
 resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = {
   name: name
   location: location
@@ -28,19 +25,6 @@ module applicationInsightsDashboard 'applicationinsights-dashboard.bicep' = if (
   }
 }
 
-// Log Analytics Reader for the Foundry Project managed identity.
-// Required for running evaluations on traces generated by agents.
-resource logAnalyticsReaderRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = if (!empty(projectMIPrincipalId)) {
-  scope: applicationInsights
-  name: guid(applicationInsights.id, projectMIPrincipalId, '73c42c96-874c-492b-b04d-ab87d138a893')
-  properties: {
-    principalId: projectMIPrincipalId
-    principalType: 'ServicePrincipal'
-    // Log Analytics Reader
-    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
-  }
-}
-
 output connectionString string = applicationInsights.properties.ConnectionString
 output id string = applicationInsights.id
 output instrumentationKey string = applicationInsights.properties.InstrumentationKey