azuresfimcpagent 1.0.0__tar.gz

azuresfimcpagent-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Azure SFI Agent Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

azuresfimcpagent-1.0.0/MANIFEST.in

@@ -0,0 +1,10 @@
+# Manifest file to include non-Python files in the package
+include LICENSE
+include README.md
+include pyproject.toml
+recursive-include agent/scripts *.ps1
+recursive-include agent/templates *.bicep
+include agent/AGENT_INSTRUCTIONS.md
+global-exclude __pycache__
+global-exclude *.py[co]
+global-exclude .DS_Store

azuresfimcpagent-1.0.0/PKG-INFO

@@ -0,0 +1,173 @@
+Metadata-Version: 2.1
+Name: azuresfimcpagent
+Version: 1.0.0
+Summary: Azure MCP Agent for secure, compliant resource deployment
+Author: Siddhant Jha
+Project-URL: Homepage, https://github.com/yourusername/azure-sfi-agent
+Project-URL: Repository, https://github.com/yourusername/azure-sfi-agent
+Project-URL: Issues, https://github.com/yourusername/azure-sfi-agent/issues
+Keywords: mcp,azure,deployment,bicep,agent,sfi
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcp>=0.1.0
+
+# Azure SFI MCP Agent - Installation Guide
+
+## Description
+
+**Azure SFI MCP Agent** is a Model Context Protocol (MCP) server that enables secure, compliant Azure resource deployment directly from VS Code using GitHub Copilot Chat. This agent helps you create SFI compliant Azure resources with automatic compliance orchestration.
+
+### Capabilities
+
+1. **List Azure Permissions** - View your active role assignments and access levels
+2. **List Azure Resources** - Browse resources across subscriptions and resource groups
+3. **Create SFI-Compliant Resources** - Deploy Azure resources with automatic compliance features:
+   - Storage Accounts (ADLS Gen2)
+   - Key Vaults
+   - Azure OpenAI
+   - AI Search
+   - AI Foundry
+   - Cosmos DB
+   - Log Analytics Workspaces
+   - Network Security Perimeters (NSP)
+   - User Assigned Managed Identity (UAMI)
+4. **Add Diagnostic Settings** - Automatically configure Log Analytics monitoring
+5. **NSP Attachment** - Automatic Network Security Perimeter attachment for supported resources
+
+---
+
+## Prerequisites
+
+Before installing the Azure SFI MCP Agent, ensure you have the following installed:
+
+### Required Software
+
+1. **Visual Studio Code** - [Download](https://code.visualstudio.com/download)
+2. **PowerShell Core (pwsh)** - [Download](https://learn.microsoft.com/en-us/powershell/scripting/install/install-powershell-on-windows?view=powershell-7.5)
+3. **Azure CLI** - [Download](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&pivots=winget)
+4. **Python 3.10+** - [Download](https://www.python.org/downloads/)
+5. **uvx** - [Download](https://docs.astral.sh/uv/getting-started/installation/)
+6. **GitHub Copilot Chat Extension** - [Install from VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat)
+
+### Azure Requirements
+
+- Active Azure subscription
+- Appropriate Azure RBAC permissions for resource creation
+- Azure CLI authenticated (`az login`)
+
+---
+
+## Installation Steps
+
+### Step 1: Open GitHub Copilot Chat
+
+1. Launch **Visual Studio Code**
+2. Open **GitHub Copilot Chat** (click the chat icon in the sidebar or press `Ctrl+Alt+I`)
+
+### Step 2: Access MCP Tools Menu
+
+1. In the Copilot Chat window, click on the **🔧 Tools** button
+2. Select **"Install MCP Server from PyPI"** or similar option
+
+### Step 3: Install the Package
+
+1. When prompted for the package name, enter:
+   ```
+   azuresfimcpagent
+   ```
+2. Select the **latest version** when prompted
+3. Wait for the installation to complete
+
+### Step 4: Configure MCP Settings
+Add the following configuration to the `mcp.json` file:
+
+```json
+{
+    "mcpServers": {
+        "azuresfimcpagent": {
+            "type": "stdio",
+            "command": "uvx",
+            "args": [
+                "azuresfimcpagent==1.0.0"
+            ]
+        }
+    }
+}
+```
+
+> **Note**: Replace `1.0.0` with the latest version number you installed.
+
+### Step 5: Restart VS Code
+
+1. Close and reopen Visual Studio Code to load the MCP server configuration
+2. Open GitHub Copilot Chat again
+3. Select the MCP Tool installed
+
+### Step 6: Verify Installation
+
+In GitHub Copilot Chat, type:
+```
+show menu
+```
+
+You should see the available actions menu confirming successful installation.
+
+---
+
+## 💡 Usage Examples
+
+### List Your Azure Permissions
+```
+list my azure permissions
+```
+
+### List Azure Resources
+```
+list resources in resource-group-name
+```
+
+### Create a Storage Account
+```
+create storage account
+```
+
+### Create a Key Vault
+```
+create key vault
+```
+
+The agent will interactively prompt you for required parameters and automatically:
+- ✅ Deploy the SFI compliant resources
+- ✅ Configure Log Analytics diagnostic settings
+- ✅ Apply security best practices and compliance controls
+
+---
+
+### Azure CLI Authentication
+
+Ensure you're logged into Azure CLI:
+```bash
+az login
+az account show
+```
+
+### PowerShell Core Required
+
+This agent requires PowerShell Core (pwsh), not Windows PowerShell. Verify:
+```bash
+pwsh --version
+```
+---
+
+## 📄 License
+
+MIT License - see LICENSE file for details

azuresfimcpagent-1.0.0/README.md

@@ -0,0 +1,151 @@
+# Azure SFI MCP Agent - Installation Guide
+
+## Description
+
+**Azure SFI MCP Agent** is a Model Context Protocol (MCP) server that enables secure, compliant Azure resource deployment directly from VS Code using GitHub Copilot Chat. This agent helps you create SFI compliant Azure resources with automatic compliance orchestration.
+
+### Capabilities
+
+1. **List Azure Permissions** - View your active role assignments and access levels
+2. **List Azure Resources** - Browse resources across subscriptions and resource groups
+3. **Create SFI-Compliant Resources** - Deploy Azure resources with automatic compliance features:
+   - Storage Accounts (ADLS Gen2)
+   - Key Vaults
+   - Azure OpenAI
+   - AI Search
+   - AI Foundry
+   - Cosmos DB
+   - Log Analytics Workspaces
+   - Network Security Perimeters (NSP)
+   - User Assigned Managed Identity (UAMI)
+4. **Add Diagnostic Settings** - Automatically configure Log Analytics monitoring
+5. **NSP Attachment** - Automatic Network Security Perimeter attachment for supported resources
+
+---
+
+## Prerequisites
+
+Before installing the Azure SFI MCP Agent, ensure you have the following installed:
+
+### Required Software
+
+1. **Visual Studio Code** - [Download](https://code.visualstudio.com/download)
+2. **PowerShell Core (pwsh)** - [Download](https://learn.microsoft.com/en-us/powershell/scripting/install/install-powershell-on-windows?view=powershell-7.5)
+3. **Azure CLI** - [Download](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&pivots=winget)
+4. **Python 3.10+** - [Download](https://www.python.org/downloads/)
+5. **uvx** - [Download](https://docs.astral.sh/uv/getting-started/installation/)
+6. **GitHub Copilot Chat Extension** - [Install from VS Code Marketplace](https://marketplace.visualstudio.com/items?itemName=GitHub.copilot-chat)
+
+### Azure Requirements
+
+- Active Azure subscription
+- Appropriate Azure RBAC permissions for resource creation
+- Azure CLI authenticated (`az login`)
+
+---
+
+## Installation Steps
+
+### Step 1: Open GitHub Copilot Chat
+
+1. Launch **Visual Studio Code**
+2. Open **GitHub Copilot Chat** (click the chat icon in the sidebar or press `Ctrl+Alt+I`)
+
+### Step 2: Access MCP Tools Menu
+
+1. In the Copilot Chat window, click on the **🔧 Tools** button
+2. Select **"Install MCP Server from PyPI"** or similar option
+
+### Step 3: Install the Package
+
+1. When prompted for the package name, enter:
+   ```
+   azuresfimcpagent
+   ```
+2. Select the **latest version** when prompted
+3. Wait for the installation to complete
+
+### Step 4: Configure MCP Settings
+Add the following configuration to the `mcp.json` file:
+
+```json
+{
+    "mcpServers": {
+        "azuresfimcpagent": {
+            "type": "stdio",
+            "command": "uvx",
+            "args": [
+                "azuresfimcpagent==1.0.0"
+            ]
+        }
+    }
+}
+```
+
+> **Note**: Replace `1.0.0` with the latest version number you installed.
+
+### Step 5: Restart VS Code
+
+1. Close and reopen Visual Studio Code to load the MCP server configuration
+2. Open GitHub Copilot Chat again
+3. Select the MCP Tool installed
+
+### Step 6: Verify Installation
+
+In GitHub Copilot Chat, type:
+```
+show menu
+```
+
+You should see the available actions menu confirming successful installation.
+
+---
+
+## 💡 Usage Examples
+
+### List Your Azure Permissions
+```
+list my azure permissions
+```
+
+### List Azure Resources
+```
+list resources in resource-group-name
+```
+
+### Create a Storage Account
+```
+create storage account
+```
+
+### Create a Key Vault
+```
+create key vault
+```
+
+The agent will interactively prompt you for required parameters and automatically:
+- ✅ Deploy the SFI compliant resources
+- ✅ Configure Log Analytics diagnostic settings
+- ✅ Apply security best practices and compliance controls
+
+---
+
+### Azure CLI Authentication
+
+Ensure you're logged into Azure CLI:
+```bash
+az login
+az account show
+```
+
+### PowerShell Core Required
+
+This agent requires PowerShell Core (pwsh), not Windows PowerShell. Verify:
+```bash
+pwsh --version
+```
+---
+
+## 📄 License
+
+MIT License - see LICENSE file for details

azuresfimcpagent-1.0.0/agent/AGENT_INSTRUCTIONS.md

@@ -0,0 +1,176 @@
+name: Azure SFI Compliance Agent Instructions
+version: 2.0.0
+description: Interactive deployment with automatic NSP and Log Analytics orchestration
+applyTo: '**'
+---
+
+## CRITICAL DEPLOYMENT RULE
+**ALL Azure resource deployments MUST use the interactive MCP tool workflow.**
+- NEVER use manual `az deployment` commands
+- NEVER use direct Azure CLI for resource creation
+- ALWAYS use `create_azure_resource()` tool for interactive deployments
+- Agent will automatically prompt for missing parameters
+- Agent will automatically attach NSP and Log Analytics based on resource type
+
+Violation of this rule breaks compliance automation and is strictly forbidden.
+
+## Role and Persona
+You are the **Azure SFI Compliance Agent**. Your primary objectives:
+1. List active Azure role assignments for the signed-in user.
+2. List accessible Azure resources (subscription-wide or a specific resource group).
+3. Deploy strictly SFI-compliant resources via approved Bicep templates using MCP tools ONLY.
+
+## 1. Greeting & Menu Display
+Trigger words: `hi`, `hello`, `hey`, `start`, `menu`, `help`, `options`.
+Action: Reply politely and show EXACT menu below (do not alter wording or numbering):
+
+> **👋 Hello! I am your Azure SFI Compliance Agent.**
+> I can assist you with the following tasks:
+> 
+> 1.  **List Active Permissions** (View your current role assignments)
+> 2.  **List Azure Resources** (View all resources or filter by Resource Group)
+> 3.  **Deploy SFI-Compliant Resources**:
+>     * Storage Account
+>     * Key Vault
+>     * Azure OpenAI
+>     * Azure AI Search
+>     * Azure AI Foundry
+
+Show this menu after any greeting or explicit request for help/menu.
+
+## 2. Listing Permissions
+Triggers: "show permissions", "list permissions", "list roles", "what access do I have", user selects menu option 1.
+Steps:
+1. Do not ask for extra arguments.
+2. Execute tool `list_permissions` (underlying script `scripts/list-permissions.ps1`).
+3. Display raw output; then summarize principal and role names grouped by scope if feasible.
+Optional enhancements only on explicit user request: JSON view with `az role assignment list --assignee <UPN> --include-inherited --all -o json`.
+Never invoke alternative MCP permission tools first (local override).
+
+## 3. Listing Resources
+Triggers: "list resources", "show resources", "show assets", user selects menu option 2.
+Logic:
+1. Determine scope: if phrase contains "in <rgName>" extract `<rgName>`.
+2. Call `list_resources(resource_group_name='<rg>')` if RG specified or `list_resources()` otherwise.
+3. If output indicates permission issues, explain likely lack of Reader/RBAC at that scope.
+4. Offer export hint (e.g., rerun with `-OutFile resources.json`) only if user requests.
+
+## 4. Deploying SFI-Compliant Resources (Interactive Mode)
+Supported resource types: `storage-account`, `key-vault`, `openai`, `ai-search`, `ai-foundry`, `cosmos-db`, `sql-db`, `log-analytics`.
+
+Triggers: user asks to "create", "deploy", or "provision" a resource, or selects menu option 3.
+
+**Interactive Workflow (NEW):**
+1. User requests resource creation (e.g., "create a storage account", "deploy key vault")
+2. Agent calls `create_azure_resource(resource_type)` 
+3. Agent automatically identifies missing required parameters and prompts user:
+   ```
+   📋 Creating storage-account - Please provide the following parameters:
+      ✓ resource_group: (Azure resource group name)
+      ✓ storageAccountName: (required)
+      ✓ location: (required)
+      ✓ accessTier: (required)
+   
+   💡 Once you provide these, I'll:
+      1. Deploy the storage-account
+      2. Attach to Network Security Perimeter (NSP)
+   ```
+4. User provides parameters (can be in any format: comma-separated, JSON, natural language)
+5. Agent extracts parameters and calls `create_azure_resource()` again with all values
+6. **Automatic Compliance Orchestration:**
+   - Bicep template deploys the resource
+   - **NSP Attachment** (if resource_type in `[storage-account, key-vault, cosmos-db, sql-db]`):
+     - Check if NSP exists in resource group → create if needed
+     - Attach resource to NSP
+   - **Log Analytics Configuration** (if resource requires monitoring):
+     - Check if Log Analytics workspace exists → create if needed
+     - Configure diagnostic settings
+7. Agent reports deployment status with compliance confirmation
+
+**Example Conversation:**
+```
+User: "Create a storage account for ADLS"
+Agent: 📋 Creating storage-account - Please provide:
+       ✓ resource_group
+       ✓ storageAccountName
+       ✓ location
+       ✓ accessTier
+       
+User: "RG: my-platform-rg, name: datalake001, location: eastus, tier: Hot"
+Agent: ✅ Deploying storage-account 'datalake001'...
+       ✅ Resource deployed successfully
+       ✅ NSP attached: my-platform-rg-nsp
+       
+       Endpoints:
+       - DFS: https://datalake001.dfs.core.windows.net/
+       - Blob: https://datalake001.blob.core.windows.net/
+```
+
+**Advanced Usage:**
+Users can provide all parameters at once:
+```
+create_azure_resource(
+  resource_type="storage-account",
+  resource_group="my-rg",
+  storageAccountName="mystg123",
+  location="eastus",
+  accessTier="Hot"
+)
+```
+
+Compliance Enforcement:
+- **MANDATORY**: NSP automatically attached for: storage-account, key-vault, cosmos-db, sql-db
+- **MANDATORY**: Log Analytics automatically configured for monitoring-enabled resources
+- Do not offer changes that break SFI baseline (public network enablement, open firewall)
+- Warn if user requests non-compliant configurations
+- Templates are locked to secure defaults
+
+## 5. Constraints & Boundaries
+- No raw Bicep/Python generation unless user explicitly asks for code examples or explanation.
+- Prefer existing scripts & tools. Only guide parameter collection and trigger deployments.
+- Keep responses concise; expand technical detail only when requested.
+
+## 6. Error & Ambiguity Handling
+- Ambiguous multi-action requests: ask user to pick one (e.g., "Which first: permissions, resources, or deploy?").
+- Unknown commands: display brief notice and re-show full menu.
+- Destructive operations (role changes, deletions) are out of scope; decline politely.
+
+## 7. Security & Least Privilege
+- Never proactively recommend role escalation.
+- When listing permissions, refrain from suggesting modifications.
+
+## 8. Audit & Diagnostics
+- On deployment failure: surface stderr excerpt and advise checking deployment operations.
+- Provide follow-up diagnostic command suggestions only if failure occurs.
+
+## 9. Internal Implementation Notes (Non-user Facing)
+- Dispatcher maps intents: greeting/menu → show menu; permissions/resources/deploy flows per spec.
+- Parameter extraction uses script parsing; missing mandatory parameters block deployment until supplied.
+- Cache subscription ID if needed for repeated operations (optimization, not user visible).
+
+## 10. Sample Minimal Dispatcher Pseudocode (Reference Only)
+```python
+def handle(input: str):
+    if is_greeting(input) or wants_menu(input):
+        return MENU_TEXT
+    intent = classify(input)
+    if intent == 'permissions':
+        return list_permissions()
+    if intent == 'resources':
+        rg = extract_rg(input)
+        return list_resources(rg)
+    if intent == 'deploy':
+        # Start requirements flow
+        return start_deploy_flow(input)
+    return MENU_TEXT
+```
+
+## Usage
+Treat this file as authoritative. Update `version` when modifying workflows or menu text.
+
+## Integration Notes
+- Load this file at agent startup; simple parser can split on headings (`##` / `###`).
+- Maintain a command dispatch map keyed by normalized user intent tokens.
+- Provide a fallback handler to re-display menu.
+
+ 

azuresfimcpagent-1.0.0/agent/__init__.py

@@ -0,0 +1,9 @@
+"""Azure SFI Agent - MCP Server for Azure resource deployment with compliance orchestration."""
+
+__version__ = "1.0.0"
+__author__ = "Azure SFI Agent Contributors"
+__description__ = "Interactive Azure deployment with automatic NSP and Log Analytics orchestration"
+
+from agent.server import mcp, main
+
+__all__ = ["mcp", "main", "__version__"]

azuresfimcpagent-1.0.0/agent/scripts/attach-log-analytics.ps1

@@ -0,0 +1,26 @@
+Param(
+    [Parameter(Mandatory=$true)] [string]$ResourceGroupName,
+    [Parameter(Mandatory=$true)] [string]$WorkspaceId,
+    [Parameter(Mandatory=$true)] [string]$ResourceId
+)
+$ErrorActionPreference = "Stop"
+
+$diagName = "diag-" + ($ResourceId -split '/')[-1]
+
+# Check if setting already exists to avoid errors? 
+# Az diagnostic-settings create is idempotent (it updates if exists), so safe to run.
+
+az monitor diagnostic-settings create `
+    --name $diagName `
+    --resource $ResourceId `
+    --workspace $WorkspaceId `
+    --logs '[{"categoryGroup":"allLogs","enabled":true}]' `
+    --metrics '[{"category":"AllMetrics","enabled":true}]' `
+    --output none 2>$null
+
+if ($LASTEXITCODE -eq 0) {
+    Write-Output "Diagnostic setting '$diagName' successfully configured."
+} else {
+    Write-Error "Failed to configure diagnostic setting. Resource type might not support 'allLogs' or 'AllMetrics'."
+    exit 1
+}

azuresfimcpagent-1.0.0/agent/scripts/attach-nsp.ps1

@@ -0,0 +1,65 @@
+Param(
+  [Parameter(Mandatory=$true)] [string]$ResourceGroupName,
+  [Parameter(Mandatory=$true)] [string]$NSPName,
+  [Parameter(Mandatory=$true)] [string]$ResourceId
+)
+
+$ErrorActionPreference = "Stop"
+
+if (-not $ResourceId -or -not $ResourceGroupName -or -not $NSPName) {
+    Write-Error "Missing required parameters."
+    exit 1
+}
+
+try {
+  $SubscriptionId = az account show --query id -o tsv
+  # Token fetch needs to be robust
+  $token = az account get-access-token --resource-type arm --query accessToken -o tsv
+  
+  if (-not $token) { Write-Error "Failed to acquire access token."; exit 1 }
+
+  # --- GET PROFILE ---
+  $apiVersion = "2023-07-01-preview"
+  $baseUrl = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/networkSecurityPerimeters/$NSPName"
+  
+  $headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
+  
+  # Get Profiles
+  $url = "$baseUrl/profiles?api-version=$apiVersion"
+  $response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop
+  $ProfileNSP = $response.value
+
+  if (-not $ProfileNSP -or $ProfileNSP.Count -eq 0) {
+      Write-Error "No profiles found in NSP '$NSPName'."
+      exit 1
+  }
+  # Default to first profile
+  $profileIdString = if ($ProfileNSP -is [array]) { $ProfileNSP[0].id } else { $ProfileNSP.id }
+
+  # --- GENERATE ASSOCIATION NAME (DETERMINISTIC) ---
+  # REMOVED TIMESTAMP to ensure Idempotency. 
+  # Using the same resource ID always generates the same association name.
+  $hashedResourceID = $ResourceId.GetHashCode().ToString("X")
+  $uniqueAssociationName = "assoc-" + $hashedResourceID
+  
+  Write-Output "Association Name: $uniqueAssociationName"
+
+  # --- CREATE/UPDATE ASSOCIATION ---
+  $assocUrl = "$baseUrl/resourceAssociations/$uniqueAssociationName?api-version=$apiVersion"
+  
+  $body = @{
+    properties = @{
+        accessMode = "Learning"
+        privateLinkResourceId = $ResourceId
+        profile = @{ id = $profileIdString }
+    }
+  } | ConvertTo-Json -Depth 10
+
+  $putResponse = Invoke-RestMethod -Method Put -Uri $assocUrl -Headers $headers -Body $body -ErrorAction Stop
+  
+  Write-Output "Successfully attached resource to NSP."
+  
+} catch {
+  Write-Error "Failed to attach resource to NSP. Error: $_"
+  exit 1
+}

azuresfimcpagent-1.0.0/agent/scripts/check-log-analytics.ps1

@@ -0,0 +1,24 @@
+Param(
+    [Parameter(Mandatory=$true)] [string]$ResourceGroupName
+)
+$ErrorActionPreference = "Stop"
+
+$workspaces = az monitor log-analytics workspace list --resource-group $ResourceGroupName --output json | ConvertFrom-Json
+
+if ($workspaces.Count -gt 0) {
+    # LOGIC UPDATE: Automation priority
+    # 1. Look for standard name "$ResourceGroupName-law"
+    $targetWs = $workspaces | Where-Object { $_.name -eq "$ResourceGroupName-law" } | Select-Object -First 1
+    
+    # 2. If not found, pick the first one
+    if (-not $targetWs) {
+        $targetWs = $workspaces[0]
+    }
+    
+    Write-Output "LOG ANALYTICS WORKSPACE FOUND: $($targetWs.name)"
+} else {
+    Write-Output "LOG ANALYTICS WORKSPACE NOT FOUND. Creating..."
+    $wsName = "$ResourceGroupName-law"
+    az monitor log-analytics workspace create --resource-group $ResourceGroupName --workspace-name $wsName --location "eastus" --output none
+    Write-Output "LOG ANALYTICS WORKSPACE FOUND: $wsName"
+}

azuresfimcpagent-1.0.0/agent/scripts/check-nsp.ps1

@@ -0,0 +1,17 @@
+Param(
+    [Parameter(Mandatory=$true)] [string]$ResourceGroupName
+)
+$ErrorActionPreference = "Stop"
+
+# Use basic AZ CLI JSON output to avoid module dependencies
+$nspList = az resource list --resource-group $ResourceGroupName --resource-type "Microsoft.Network/networkSecurityPerimeters" --output json | ConvertFrom-Json
+
+if ($nspList.Count -gt 0) {
+    Write-Output "NSP FOUND: $($nspList[0].name)"
+} else {
+    Write-Output "NSP NOT FOUND. Creating..."
+    # Quick creation of NSP if missing
+    $nspName = "$ResourceGroupName-nsp"
+    az resource create --resource-group $ResourceGroupName --name $nspName --resource-type "Microsoft.Network/networkSecurityPerimeters" --location "eastus" --properties "{}" --output none
+    Write-Output "NSP '$nspName' created."
+}