fix: use workspace ID for Fabric RBAC in BYO mode

The RBAC script resolved workspace name from desiredFabricWorkspaceName
before FABRIC_WORKSPACE_NAME. In BYO mode these differ, causing the
Fabric API lookup to fail silently and skip the Contributor role grant.
The OneLake indexer then fails with 'access to the workspace was denied'.

Changes:
- 01_setup_rbac.ps1: Prefer FABRIC_WORKSPACE_NAME over
  desiredFabricWorkspaceName. Resolve FABRIC_WORKSPACE_ID and pass it.
- setup_ai_services_rbac.ps1: Accept -FabricWorkspaceId parameter.
  Use it directly for role assignment, skip displayName lookup.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: Harmanpreet-Microsoft

scripts/automationScripts/OneLakeIndex/01_setup_rbac.ps1

@@ -96,11 +96,12 @@ try {
   if (-not $aiSearchSubscriptionId) { $aiSearchSubscriptionId = $env_vars['aiSearchSubscriptionId'] }
   if (-not $aiFoundryName -and $outputs -and $outputs.aiFoundryName -and $outputs.aiFoundryName.value) { $aiFoundryName = $outputs.aiFoundryName.value }
   if (-not $aiFoundryName) { $aiFoundryName = $env_vars['aiFoundryName'] }
-  if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value }
-  if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] }
+  # Prefer FABRIC_WORKSPACE_NAME (actual BYO name) over desiredFabricWorkspaceName (requested name that may differ in BYO mode)
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['FABRIC_WORKSPACE_NAME'] }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env:FABRIC_WORKSPACE_NAME }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_NAME' }
+  if (-not $fabricWorkspaceName -and $outputs -and $outputs.desiredFabricWorkspaceName -and $outputs.desiredFabricWorkspaceName.value) { $fabricWorkspaceName = $outputs.desiredFabricWorkspaceName.value }
+  if (-not $fabricWorkspaceName) { $fabricWorkspaceName = $env_vars['desiredFabricWorkspaceName'] }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'fabricWorkspaceNameOut' }
   if (-not $fabricWorkspaceName) { $fabricWorkspaceName = Get-AzdEnvValue -Key 'desiredFabricWorkspaceName' }
   if (-not $fabricWorkspaceName -and (Test-Path (Join-Path ([IO.Path]::GetTempPath()) 'fabric_workspace.env'))) {
@@ -109,6 +110,14 @@ try {
     }
   }
   if (-not $fabricWorkspaceName -and $env:AZURE_ENV_NAME) { $fabricWorkspaceName = "workspace-$($env:AZURE_ENV_NAME.Trim())" }
+
+  # Resolve Fabric workspace ID for direct role assignment (avoids fragile displayName lookup)
+  $fabricWorkspaceId = ''
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env_vars['FABRIC_WORKSPACE_ID'] }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = $env:FABRIC_WORKSPACE_ID }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'FABRIC_WORKSPACE_ID' }
+  if (-not $fabricWorkspaceId) { $fabricWorkspaceId = Get-AzdEnvValue -Key 'fabricWorkspaceIdOut' }
+  if (-not $fabricWorkspaceId -and $outputs -and $outputs.fabricWorkspaceIdOut -and $outputs.fabricWorkspaceIdOut.value) { $fabricWorkspaceId = $outputs.fabricWorkspaceIdOut.value }
   if (-not $aiSearchResourceId -and $outputs -and $outputs.aiSearchResourceId -and $outputs.aiSearchResourceId.value) { $aiSearchResourceId = $outputs.aiSearchResourceId.value }
   if (-not $aiSearchResourceId) { $aiSearchResourceId = $env_vars['aiSearchResourceId'] }
 
@@ -182,6 +191,7 @@ try {
     Warn "  AI Foundry: not detected"
   }
   Log "  Fabric Workspace: $fabricWorkspaceName"
+  if ($fabricWorkspaceId) { Log "  Fabric Workspace ID: $fabricWorkspaceId" }
   if ($principalId) { Log "  Principal ID: $principalId" }
 
   # Setup RBAC permissions
@@ -190,21 +200,25 @@ try {
     Log "🔐 Setting up RBAC permissions for OneLake indexing..."
 
     try {
-      & "$PSScriptRoot/setup_ai_services_rbac.ps1" `
-        -ExecutionManagedIdentityPrincipalId $principalId `
-        -AISearchName $aiSearchName `
-        -AIFoundryName $aiFoundryName `
-        -AIFoundryResourceGroup $aiFoundryResourceGroup `
-        -AISearchResourceGroup $aiSearchResourceGroup `
-        -FabricWorkspaceName $fabricWorkspaceName
+      $rbacArgs = @{
+        ExecutionManagedIdentityPrincipalId = $principalId
+        AISearchName = $aiSearchName
+        AIFoundryName = $aiFoundryName
+        AIFoundryResourceGroup = $aiFoundryResourceGroup
+        AISearchResourceGroup = $aiSearchResourceGroup
+        FabricWorkspaceName = $fabricWorkspaceName
+      }
+      if ($fabricWorkspaceId) { $rbacArgs['FabricWorkspaceId'] = $fabricWorkspaceId }
+
+      & "$PSScriptRoot/setup_ai_services_rbac.ps1" @rbacArgs
 
       Log "✅ RBAC configuration completed successfully"
       Log "✅ Managed identity can now access AI Search and AI Foundry"
       Log "✅ OneLake indexing permissions are configured"
     } catch {
       Warn "RBAC setup failed: $_"
       Log "You can run RBAC setup manually later with:"
-      Log "  ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName'"
+      Log "  ./scripts/OneLakeIndex/setup_ai_services_rbac.ps1 -ExecutionManagedIdentityPrincipalId '$principalId' -AISearchName '$aiSearchName' -AIFoundryName '$aiFoundryName' -FabricWorkspaceName '$fabricWorkspaceName' -FabricWorkspaceId '$fabricWorkspaceId'"
       throw
     }
   }

scripts/automationScripts/OneLakeIndex/setup_ai_services_rbac.ps1

@@ -14,7 +14,9 @@ param(
     [Parameter(Mandatory = $false)]
     [string]$AISearchResourceGroup = "",
     [Parameter(Mandatory = $false)]
-    [string]$FabricWorkspaceName = ""
+    [string]$FabricWorkspaceName = "",
+    [Parameter(Mandatory = $false)]
+    [string]$FabricWorkspaceId = ""
 )
 
 Set-StrictMode -Version Latest
@@ -341,7 +343,7 @@ try {
     }
 
     # Setup Fabric workspace permissions for OneLake access
-    if ($FabricWorkspaceName) {
+    if ($FabricWorkspaceId -or $FabricWorkspaceName) {
         Log "Setting up Fabric workspace permissions..."
 
         # Get Fabric access token
@@ -355,23 +357,40 @@ try {
                 # Create Fabric headers
                 $fabricHeaders = New-SecureHeaders -Token $fabricToken
 
-                # Find the workspace
-                $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces"
-                $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get
-                
-                # Debug: Log available workspaces and their properties
-                Log "Available workspaces:"
-                foreach ($ws in $workspacesResponse.value) {
-                    Log "  - Name: '$($ws.displayName)' ID: $($ws.id)"
+                $workspaceId = $null
+
+                # Use workspace ID directly if provided (avoids fragile displayName lookup, critical for BYO workspaces)
+                if ($FabricWorkspaceId) {
+                    $workspaceId = $FabricWorkspaceId.Trim()
+                    Log "Using provided Fabric workspace ID: $workspaceId"
                 }
-                
-                # Find workspace by displayName only (name property may not exist)
-                $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName }
-                
-                if ($workspace) {
-                    $workspaceId = $workspace.id
-                    Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)"
+
+                # Fall back to displayName lookup if no ID provided
+                if (-not $workspaceId) {
+                    # Find the workspace
+                    $workspacesUrl = "https://api.fabric.microsoft.com/v1/workspaces"
+                    $workspacesResponse = Invoke-SecureRestMethod -Uri $workspacesUrl -Headers $fabricHeaders -Method Get
+                    
+                    # Debug: Log available workspaces and their properties
+                    Log "Available workspaces:"
+                    foreach ($ws in $workspacesResponse.value) {
+                        Log "  - Name: '$($ws.displayName)' ID: $($ws.id)"
+                    }
+                    
+                    # Find workspace by displayName only (name property may not exist)
+                    $workspace = $workspacesResponse.value | Where-Object { $_.displayName -eq $FabricWorkspaceName }
 
+                    if ($workspace) {
+                        $workspaceId = $workspace.id
+                        Log "Found Fabric workspace: $FabricWorkspaceName (ID: $workspaceId)"
+                    } else {
+                        Warn "Could not find Fabric workspace: '$FabricWorkspaceName'"
+                        Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')"
+                        Log "Make sure the workspace name matches exactly (case-sensitive)"
+                    }
+                }
+
+                if ($workspaceId) {
                     # Add the managed identity as a workspace member with Contributor role
                     $roleAssignmentUrl = "https://api.fabric.microsoft.com/v1/workspaces/$workspaceId/roleAssignments"
                     $rolePayload = @{
@@ -382,7 +401,7 @@ try {
                         role = "Contributor"
                     } | ConvertTo-Json -Depth 3
 
-                    Log "Assigning Contributor role to managed identity in workspace..."
+                    Log "Assigning Contributor role to managed identity in workspace $workspaceId..."
                     try {
                         Invoke-SecureRestMethod -Uri $roleAssignmentUrl -Headers @{ 
                             Authorization = "Bearer $fabricToken"
@@ -399,10 +418,6 @@ try {
                             Log "  2. Add managed identity $ExecutionManagedIdentityPrincipalId as Contributor"
                         }
                     }
-                } else {
-                    Warn "Could not find Fabric workspace: '$FabricWorkspaceName'"
-                    Log "Available workspace names: $($workspacesResponse.value.displayName -join ', ')"
-                    Log "Make sure the workspace name matches exactly (case-sensitive)"
                 }
             }
         } catch {
@@ -423,8 +438,9 @@ try {
             Log "  - AI Foundry project identity has Search roles"
         }
     }
-    if ($FabricWorkspaceName) {
-        Log "  - Contributor on Fabric workspace $FabricWorkspaceName"
+    if ($FabricWorkspaceId -or $FabricWorkspaceName) {
+        $wsLabel = if ($FabricWorkspaceId) { "Fabric workspace ID $FabricWorkspaceId" } else { "Fabric workspace $FabricWorkspaceName" }
+        Log "  - Contributor on $wsLabel"
     }
 
 } catch {