microsoft · kvenkatrajan · Mar 12, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 10, 2026
diff --git a/plugin/skills/azure-upgrade/SKILL.md b/plugin/skills/azure-upgrade/SKILL.md
@@ -0,0 +1,72 @@
+---
+name: azure-upgrade
+description: "Assess and upgrade Azure workloads between plans, tiers, or SKUs within Azure. Generates assessment reports and automates upgrade steps. WHEN: upgrade Consumption to Flex Consumption, upgrade Azure Functions plan, migrate hosting plan, upgrade Functions SKU, move to Flex Consumption, upgrade Azure service tier, change hosting plan, upgrade function app plan, migrate App Service to Container Apps."
+---
+
+# Azure Upgrade
+
+> This skill handles **assessment and automated upgrades** of existing Azure workloads from one Azure service, hosting plan, or SKU to another — all within Azure. This includes plan/tier upgrades (e.g. Consumption → Flex Consumption), cross-service migrations (e.g. App Service → Container Apps), and SKU changes. This is NOT for cross-cloud migration — use `azure-cloud-migrate` for that.
+
+## Triggers
+
+| User Intent | Example Prompts |
+|-------------|-----------------|
+| Upgrade Azure Functions plan | "Upgrade my function app from Consumption to Flex Consumption" |
+| Change hosting tier | "Move my function app to a better plan" |
+| Assess upgrade readiness | "Is my function app ready for Flex Consumption?" |
+| Automate plan migration | "Automate the steps to upgrade my Functions plan" |
+
+## Rules
+
+1. Follow phases sequentially — do not skip
+2. Generate an assessment before any upgrade operations
+3. Load the scenario reference and follow its rules
+4. Use `mcp_azure_mcp_get_bestpractices` and `mcp_azure_mcp_documentation` MCP tools
+5. Destructive actions require `ask_user` — [global-rules](references/global-rules.md)
+6. Always confirm the target plan/SKU with the user before proceeding
+7. Never delete or stop the original app without explicit user confirmation
+8. All automation scripts must be idempotent and resumable
+
+## Upgrade Scenarios
+
+| Source | Target | Reference |
+|--------|--------|-----------|
+| Azure Functions Consumption Plan | Azure Functions Flex Consumption Plan | [consumption-to-flex.md](references/services/functions/consumption-to-flex.md) |
+
+> No matching scenario? Use `mcp_azure_mcp_documentation` and `mcp_azure_mcp_get_bestpractices` tools to research the upgrade path.
+
+## MCP Tools
+
+| Tool | Purpose |
+|------|---------|
+| `mcp_azure_mcp_get_bestpractices` | Get Azure best practices for the target service |
+| `mcp_azure_mcp_documentation` | Look up Azure documentation for upgrade scenarios |
+| `mcp_azure_mcp_appservice` | Query App Service and Functions plan details |
+| `mcp_azure_mcp_applicationinsights` | Verify monitoring configuration |
+
+## Steps
+
+1. **Identify** — Determine the source and target Azure plans/SKUs. Ask user to confirm.
+2. **Assess** — Analyze existing app for upgrade readiness → load scenario reference (e.g., [consumption-to-flex.md](references/services/functions/consumption-to-flex.md))
+3. **Pre-migrate** — Collect settings, identities, configs from the existing app
+4. **Upgrade** — Execute the automated upgrade steps (create new resources, migrate settings, deploy code)
+5. **Validate** — Hit the function app default URL to confirm the app is reachable, then verify endpoints and monitoring
+6. **Ask User** — "Upgrade complete. Would you like to verify performance, clean up the old app, or update your IaC?"
+7. **Hand off** to `azure-validate` for deep validation or `azure-deploy` for CI/CD setup
+
+Track progress in `upgrade-status.md` inside the workspace root.
+
+## References
+
+- [Global Rules](references/global-rules.md)
+- [Workflow Details](references/workflow-details.md)
+- **Functions**
+  - [Consumption to Flex Consumption](references/services/functions/consumption-to-flex.md)
+  - [Assessment](references/services/functions/assessment.md)
+  - [Automation Scripts](references/services/functions/automation.md)
+
+## Next
+
+After upgrade is validated, hand off to:
+- `azure-validate` — for thorough post-upgrade validation
+- `azure-deploy` — if the user wants to set up CI/CD for the new app
diff --git a/plugin/skills/azure-upgrade/references/global-rules.md b/plugin/skills/azure-upgrade/references/global-rules.md
@@ -0,0 +1,47 @@
+# Global Rules
+
+These rules apply to ALL phases of the azure-upgrade skill.
+
+## Destructive Action Policy
+
+⛔ **NEVER** perform destructive actions without explicit user confirmation via `ask_user`:
+- Deleting apps, services, or resource groups
+- Stopping or disabling the original app/service
+- Overwriting app settings or configuration in the new app
+- Removing the original hosting plan or service tier
+- Modifying DNS or custom domain bindings
+
+## User Confirmation Required
+
+Always use `ask_user` before:
+- Selecting target Azure subscription
+- Selecting target Azure region/location
+- Creating new Azure resources
+- Stopping or deleting the original app/service
+- Modifying custom domains or network restrictions
+- Any irreversible configuration change
+
+## Best Practices
+
+- Always use `mcp_azure_mcp_get_bestpractices` tool before generating upgrade commands
+- Prefer managed identity over connection strings — upgrades are a good time to improve security
+- **Always target the latest supported runtime version** — check Azure docs for the newest GA version
+- Keep the original app/service running until the upgraded one is fully validated
+- Use the same resource group for the new resource to maintain access to existing dependencies
+- Follow Azure naming conventions for all new resources
+
+## Identity-First Authentication (Zero API Keys)
+
+> Enterprise subscriptions commonly enforce policies that block local auth. Always design for identity-based access from the start.
+
+- Prefer managed identity connections over connection strings/keys
+- Use `DefaultAzureCredential` in code — works locally and in Azure
+- When using User Assigned Managed Identity, always pass `managedIdentityClientId` explicitly
+- See service-specific identity configuration in the scenario reference files
+
+## Rollback Policy
+
+- Always document rollback steps before executing upgrade
+- Keep the original app intact and running until upgrade is validated
+- If upgrade fails, guide the user to restart the original app
+- Never delete the original app automatically — always require `ask_user`
diff --git a/plugin/skills/azure-upgrade/references/services/functions/assessment.md b/plugin/skills/azure-upgrade/references/services/functions/assessment.md
@@ -0,0 +1,119 @@
+# Assessment: Functions Plan Upgrade
+
+Generate an upgrade assessment report before any changes to Azure resources.
+
+## Prerequisites
+
+- User has an existing Azure Functions app on a Consumption or other plan
+- User has Azure CLI v2.77.0+ installed
+- User has Owner or Contributor role in the target resource group
+- The `resource-graph` extension is installed (`az extension add --name resource-graph`)
+
+## Assessment Steps
+
+1. **Identify Source App** — Confirm the function app name, resource group, region, and current hosting plan
+2. **Check Region Compatibility** — Verify the target plan is available in the app's region
+3. **Verify Language Stack** — Confirm the app's runtime is supported on the target plan
+4. **Verify Stack Version** — Confirm the runtime version is supported on the target plan in the region
+5. **Check Deployment Slots** — Determine if slots are in use (Flex Consumption doesn't support slots)
+6. **Check Certificates** — Determine if TLS/SSL certificates are in use (not yet supported in Flex Consumption)
+7. **Check Blob Triggers** — Verify blob triggers use EventGrid source (container polling not supported in Flex Consumption)
+8. **Assess Dependencies** — Review upstream and downstream service dependencies and plan mitigation strategies
+9. **Generate Report** — Create `upgrade-assessment-report.md`
+
+## Assessment Report Format
+
+> ⚠️ **MANDATORY**: Use these exact section headings in every assessment report. Do NOT rename, reorder, or omit sections.
+
+The report MUST be saved as `upgrade-assessment-report.md` in the workspace root.
+
+```markdown
+# Upgrade Assessment Report
+
+## 1. Executive Summary
+
+| Property | Value |
+|----------|-------|
+| **App Name** | <app-name> |
+| **Resource Group** | <resource-group> |
+| **Current Plan** | <current-plan (e.g., Consumption / Y1 Dynamic)> |
+| **Target Plan** | <target-plan (e.g., Flex Consumption / FC1)> |
+| **Region** | <region> |
+| **Runtime** | <runtime and version> |
+| **OS** | <Linux / Windows> |
+| **Upgrade Readiness** | <Ready / Needs Attention / Blocked> |
+| **Assessment Date** | <date> |
+
+## 2. Compatibility Checks
+
+| Check | Status | Details |
+|-------|--------|---------|
+| Region supported | ✅ / ❌ | |
+| Language stack supported | ✅ / ❌ | |
+| Stack version supported | ✅ / ❌ | |
+| No deployment slots | ✅ / ⚠️ | |
+| No TLS/SSL certificates | ✅ / ⚠️ | |
+| Blob triggers use EventGrid | ✅ / ⚠️ / N/A | |
+| .NET isolated (not in-process) | ✅ / ❌ / N/A | |
+
+## 3. App Settings Inventory
+
+| Setting | Value | Migrate? | Notes |
+|---------|-------|----------|-------|
+| | | Yes / No / Convert | |
+
+## 4. Managed Identities
+
+| Type | Principal ID | Roles | Action |
+|------|-------------|-------|--------|
+| System-assigned | | | Recreate in new app |
+| User-assigned | | | Reassign to new app |
+
+## 5. Application Configurations
+
+| Configuration | Current Value | Migrate? | Notes |
+|---------------|---------------|----------|-------|
+| CORS settings | | | |
+| Custom domains | | | |
+| HTTP version | | | |
+| HTTPS only | | | |
+| TLS version | | | |
+| Client certificates | | | |
+| Access restrictions | | | |
+| Built-in auth | | | |
+
+## 6. Trigger & Binding Analysis
+
+| Function | Trigger Type | Source | Migration Risk | Mitigation |
+|----------|-------------|--------|----------------|------------|
+| | | | Low / Medium / High | |
+
+## 7. Dependent Services
+
+| Service | Dependency Type | Migration Risk | Mitigation Strategy |
+|---------|----------------|----------------|---------------------|
+| | Upstream / Downstream | | |
+
+## 8. Blockers & Warnings
+
+### Blockers (must fix before upgrade)
+- [ ] <any blocking issues>
+
+### Warnings (should address but not blocking)
+- [ ] <any non-blocking concerns>
+
+## 9. Recommendations
+
+1. **Plan**: <recommended target plan>
+2. **Auth**: <switch to Managed Identity if using connection strings>
+3. **Monitoring**: <Application Insights configuration>
+4. **Scaling**: <recommended instance count and concurrency settings>
+
+## 10. Next Steps
+
+- [ ] Review and approve this assessment
+- [ ] Address any blockers listed above
+- [ ] Proceed to automated upgrade (Phase 3-4)
+```
+
+> 💡 **Tip:** Use `mcp_azure_mcp_get_bestpractices` to get the latest recommendations for the target hosting plan.