Azure Deployment Preflight Validation
This skill validates Bicep deployments before execution, supporting both Azure CLI (
) and Azure Developer CLI (
) workflows.
When to Use This Skill
- Before deploying infrastructure to Azure
- When preparing or reviewing Bicep files
- To preview what changes a deployment will make
- To verify permissions are sufficient for deployment
- Before running , , or commands
Validation Process
Follow these steps in order. Continue to the next step even if a previous step fails—capture all issues in the final report.
Step 1: Detect Project Type
Determine the deployment workflow by checking for project indicators:
-
Check for azd project: Look for
in the project root
- If found → Use azd workflow
- If not found → Use az CLI workflow
-
Locate Bicep files: Find all
files to validate
- For azd projects: Check directory first, then project root
- For standalone: Use the file specified by the user or search common locations (, , project root)
-
Auto-detect parameter files: For each Bicep file, look for matching parameter files:
- (Bicep parameters - preferred)
<filename>.parameters.json
- or in same directory
Step 2: Validate Bicep Syntax
Run Bicep CLI to check template syntax before attempting deployment validation:
bash
bicep build <bicep-file> --stdout
What to capture:
- Syntax errors with line/column numbers
- Warning messages
- Build success/failure status
If Bicep CLI is not installed:
- Note the issue in the report
- Continue to Step 3 (Azure will validate syntax during what-if)
Step 3: Run Preflight Validation
Choose the appropriate validation based on project type detected in Step 1.
For azd Projects (azure.yaml exists)
Use
to validate the deployment:
If an environment is specified or multiple environments exist:
bash
azd provision --preview --environment <env-name>
For Standalone Bicep (no azure.yaml)
Determine the deployment scope from the Bicep file's
declaration:
| Target Scope | Command |
|---|
| (default) | az deployment group what-if
|
| az deployment sub what-if
|
| |
| az deployment tenant what-if
|
Run with Provider validation level first:
bash
# Resource Group scope (most common)
az deployment group what-if \
--resource-group <rg-name> \
--template-file <bicep-file> \
--parameters <param-file> \
--validation-level Provider
# Subscription scope
az deployment sub what-if \
--location <location> \
--template-file <bicep-file> \
--parameters <param-file> \
--validation-level Provider
# Management Group scope
az deployment mg what-if \
--location <location> \
--management-group-id <mg-id> \
--template-file <bicep-file> \
--parameters <param-file> \
--validation-level Provider
# Tenant scope
az deployment tenant what-if \
--location <location> \
--template-file <bicep-file> \
--parameters <param-file> \
--validation-level Provider
Fallback Strategy:
If
--validation-level Provider
fails with permission errors (RBAC), retry with
:
bash
az deployment group what-if \
--resource-group <rg-name> \
--template-file <bicep-file> \
--validation-level ProviderNoRbac
Note the fallback in the report—the user may lack full deployment permissions.
Step 4: Capture What-If Results
Parse the what-if output to categorize resource changes:
| Change Type | Symbol | Meaning |
|---|
| Create | | New resource will be created |
| Delete | | Resource will be deleted |
| Modify | | Resource properties will change |
| NoChange | | Resource unchanged |
| Ignore | | Resource not analyzed (limits reached) |
| Deploy | | Resource will be deployed (changes unknown) |
For modified resources, capture the specific property changes.
Step 5: Generate Report
Create a Markdown report file in the project root named:
Use the template structure from references/REPORT-TEMPLATE.md.
Report sections:
- Summary - Overall status, timestamp, files validated, target scope
- Tools Executed - Commands run, versions, validation levels used
- Issues - All errors and warnings with severity and remediation
- What-If Results - Resources to create/modify/delete/unchanged
- Recommendations - Actionable next steps
Required Information
Before running validation, gather:
| Information | Required For | How to Obtain |
|---|
| Resource Group | | Ask user or check existing config |
| Subscription | All deployments | or ask user |
| Location | Sub/MG/Tenant scope | Ask user or use default from config |
| Environment | azd projects | or ask user |
If required information is missing, prompt the user before proceeding.
Error Handling
See references/ERROR-HANDLING.md for detailed error handling guidance.
Key principle: Continue validation even when errors occur. Capture all issues in the final report.
| Error Type | Action |
|---|
| Not logged in | Note in report, suggest or |
| Permission denied | Fall back to , note in report |
| Bicep syntax error | Include all errors, continue to other files |
| Tool not installed | Note in report, skip that validation step |
| Resource group not found | Note in report, suggest creating it |
Tool Requirements
This skill uses the following tools:
- Azure CLI () - Version 2.76.0+ recommended for
- Azure Developer CLI () - For projects with
- Bicep CLI () - For syntax validation
- Azure MCP Tools - For documentation lookups and best practices
Check tool availability before starting:
bash
az --version
azd version
bicep --version
Example Workflow
- User: "Validate my Bicep deployment before I run it"
- Agent detects → azd project
- Agent finds and
- Agent runs
bicep build infra/main.bicep --stdout
- Agent runs
- Agent generates in project root
- Agent summarizes findings to user
Reference Documentation
- Validation Commands Reference
- Report Template
- Error Handling Guide