Merge pull request #314175 from craigshoemaker/learn/sre-agent-pr6030-tools-roles

SRE Agent: Tools and roles from PR 6030 (split 2/2)

Author: AnnaMHuff

articles/sre-agent/global-tools-page.md

@@ -0,0 +1,88 @@
+---
+title: Tools and Skills in Azure SRE Agent
+description: Learn how to manage tools and skills at the space level in Azure SRE Agent.
+ms.topic: concept-article
+ms.service: azure-sre-agent
+ms.date: 04/03/2026
+author: dm-chelupati
+ms.author: dchelupati
+ms.ai-usage: ai-assisted
+ms.custom: tools, skills, built-in tools, custom tools, mcp servers
+---
+
+# Tools and skills in Azure SRE Agent
+
+See every tool and skill your agent has, including built-in, custom, and MCP tools plus system and custom skills, organized by category. Toggle capabilities on or off at the space level, and changes apply across all agents instantly.
+
+Agents created before March 10, 2026 require workspace tools to be enabled. For older agents, enable **EnableWorkspaceTools** in **Capabilities > Experimental Settings**.
+
+> [!TIP]
+> - **See every tool and skill**, including built-in, custom, and MCP tools plus system and custom skills, organized by category
+> - **Toggle on or off** at the space level. Changes apply across all agents instantly.
+> - **Smart defaults**: Both PagerDuty and ServiceNow incident management skills are enabled out of the box
+> - **Inherited counts on canvas**: Each agent card shows how many global tools and skills it inherits
+
+## Tools
+
+The **Tools** page organizes your agent's tools into three tabs:
+
+| Tab | What it shows |
+|-----|---------------|
+| **Built-in tools** | Platform-provided capabilities grouped by category: Core, Azure Operation, DevOps, Diagnostics, Incident Management, Knowledge Base, Log Query, and more |
+| **MCP servers + services** | Tools from your connected MCP server connectors |
+| **Custom tools** | User-defined tools created through Kusto tool creation, Python tool creation, or extended agent YAML |
+
+Each tool shows its name and description with a checkbox to toggle it on or off. **Core tools** (like CreateFile, FileSearch, and GrepSearch) are always enabled and can't be disabled.
+
+## Skills
+
+The **Skills** page organizes your agent's domain expertise into two tabs:
+
+| Tab | What it shows |
+|-----|---------------|
+| **Built-in skills** | System-provided skills grouped by domain: Core skills (always enabled), plus skills for Azure diagnostics, incident management, and more |
+| **Custom skills** | Skills you create through the Skill Builder or extended agent YAML |
+
+### Environment-aware defaults
+
+| Default incident skills | Status |
+|------------------------|--------|
+| **PagerDuty incident management** | Enabled by default |
+| **ServiceNow incident management** | Enabled by default |
+
+### Making changes
+
+1. **Browse** tools across tabs. Expand categories to see individual items.
+1. **Search** using the search box to find specific tools or skills by name.
+1. **Toggle** individual items, entire categories, or all items by using the checkboxes.
+1. **Save changes** to apply your configuration.
+1. **Reset to default** to restore all tools and skills to platform defaults.
+
+### Inherited tools on the agent canvas
+
+When you configure tools and skills on this page, every custom agent that doesn't have its own tool overrides automatically inherits your configuration. Agent cards display:
+
+| Card state | What it shows |
+|-----------|---------------|
+| **Inherited** | "Inherits N tools, M skills" as a clickable link |
+| **Custom** | "Tools, N," badge |
+
+## How tools are managed at each level
+
+| Level | Feature | What it controls |
+|-------|---------|-----------------|
+| **What tools exist** | [Deep context](workspace-tools.md) | The underlying capabilities, including file operations, terminal, Python, and Azure CLI |
+| **Space-wide on/off** | **Tools page** (this page) | Which tools are enabled or disabled for the entire space |
+| **Per-subagent** | Subagent tool configuration | Which specific tools each subagent can use |
+
+## Related content
+
+- [Deep context](workspace-tools.md)
+- [Kusto tools](kusto-tools.md)
+- [Plugin marketplace](plugin-marketplace.md)
+- [Workflow automation](workflow-automation.md)
+
+## Next step
+
+> [!div class="nextstepaction"]
+> [Manage global tools](manage-global-tools.md)

articles/sre-agent/manage-global-tools.md

@@ -0,0 +1,90 @@
+---
+title: "Tutorial: Manage Global Tools in Azure SRE Agent"
+description: Browse, toggle, and manage tools and skills at the space level in Azure SRE Agent.
+ms.topic: tutorial
+ms.service: azure-sre-agent
+ms.date: 04/02/2026
+author: dm-chelupati
+ms.author: dchelupati
+ms.ai-usage: ai-assisted
+ms.custom: tools, manage tools, toggle tools, built-in tools, tutorial
+---
+
+# Tutorial: Manage global tools in Azure SRE Agent
+
+Learn how to browse, toggle, and manage tools at the space level by using the Tools page.
+
+> [!IMPORTANT]
+> Agents created before March 10, 2026, require workspace tools to be enabled. For older agents, enable **EnableWorkspaceTools** in **Capabilities > Experimental Settings**.
+
+**Time**: 5-10 minutes
+
+## Prerequisites
+
+- An active SRE Agent
+- Contributor or higher role on the agent resource
+
+## Step 1: Go to the Tools page
+
+In the left sidebar, expand **Capabilities** and select **Tools**.
+
+The page opens with three tabs: **Built-in tools** (selected by default), **MCP servers + services**, and **Custom tools**. A search box at the top filters tools within the active tab.
+
+**Checkpoint:** You see a page titled "Tools" with the description "Tools are the capabilities available to your agent for investigating and resolving incidents."
+
+## Step 2: Browse built-in tools
+
+The **Built-in tools** tab organizes tools into expandable categories. Each category header shows a count of active tools (for example, "4/4 tools" means all four tools in that category are enabled).
+
+Select a category to expand it and see individual tools with their descriptions.
+
+The **Core** category has grayed-out checkboxes because core tools are always enabled and can't be disabled.
+
+**Checkpoint:** You can expand categories and see tool names with descriptions.
+
+## Step 3: Toggle a built-in tool
+
+Find a non-core tool and clear its checkbox to disable it. A footer bar appears with three buttons:
+
+- **Save changes**: Persist your configuration.
+- **Undo changes**: Revert to the last saved state.
+- **Reset to default**: Restore all tools to platform defaults.
+
+Select **Save changes** to apply your configuration.
+
+**Checkpoint:** After saving, the tool's active count updates in the category header.
+
+## Step 4: Search for a tool
+
+Type a tool name or keyword in the search box (for example, "query" or "deploy"). The list filters in real time to show only matching tools across all categories.
+
+**Checkpoint:** Only tools matching your search term are visible.
+
+## Step 5: Explore MCP server tools
+
+Select the **MCP servers + services** tab.
+
+This tab shows tools provided by your connected MCP connectors. If you don't configure any MCP connectors, you see "No MCP servers + services found."
+
+**Checkpoint:** The MCP tab shows tools from configured connectors, or an empty state if none exist.
+
+## Step 6: View custom tools
+
+Select the **Custom tools** tab.
+
+Create custom tools through Kusto tool creation, Python tool creation, or extended agent YAML configurations. Once created, custom tools appear here automatically.
+
+**Checkpoint:** The Custom tab shows user-defined tools, or an empty state if none exist.
+
+## Step 7: Reset to defaults
+
+To undo all tool configuration changes, select **Reset to default** in the footer bar. A confirmation dialog appears. Select **Confirm** to revert all tool toggles to their platform defaults.
+
+**Checkpoint:** All tool active counts return to their default values.
+
+## Related content
+
+- [Tools and skills](global-tools-page.md)
+- [Create a Kusto tool](create-kusto-tool.md)
+- [Create a Python tool](create-python-tool.md)
+- [Plugin marketplace](plugin-marketplace.md)

articles/sre-agent/toc.yml

@@ -112,6 +112,8 @@ items:
             href: agent-hooks.md
           - name: Code interpreter
             href: code-interpreter.md
+          - name: Tools and skills
+            href: global-tools-page.md
       - name: Knowledge & data sources
         items:
           - name: Azure DevOps Wiki knowledge
@@ -206,6 +208,8 @@ items:
             href: tutorial-upload-knowledge-document.md
           - name: Connect Azure DevOps Wiki
             href: connect-devops-wiki.md
+          - name: Manage global tools
+            href: manage-global-tools.md
           - name: Connect ADO repo with managed identity
             href: connect-ado-repo-managed-identity.md
           - name: Cross-account ADO access

articles/sre-agent/user-roles.md

@@ -3,7 +3,7 @@ title: User Roles and Permissions in Azure SRE Agent
 description: Learn how to control who can view, interact with, and administer your agent by using Azure RBAC roles and layered access control.
 ms.topic: concept-article
 ms.service: azure-sre-agent
-ms.date: 03/18/2026
+ms.date: 03/30/2026
 author: craigshoemaker
 ms.author: cshoe
 ms.ai-usage: ai-assisted
@@ -12,116 +12,90 @@ ms.custom: rbac, roles, permissions, access control, user access, admin, reader,
 ---
 
 # User roles and permissions in Azure SRE Agent
-<!-- Video: SRE_Agent__User_Roles.mp4 — Replace with the hosted video URL using > [!VIDEO https://...] syntax -->
 
-Your agent can investigate problems, take actions on production infrastructure, and access sensitive data across your environment. Access control determines who can request actions, who can approve them, and who can modify the agent's configuration.
+Your agent can investigate issues, take actions on production infrastructure, and access sensitive data across your environment. Access control determines who can request actions, who can approve them, and who can modify the agent's configuration.
 
 ## Access control overview
 
-Access control works across three layers.
-
-:::image type="content" source="media/user-roles/access-control-hierarchy.svg" alt-text="Diagram of access control hierarchy showing user roles, run modes, and agent permissions." lightbox="media/user-roles/access-control-hierarchy.svg":::
+Access control works across three layers:
 
 | Layer | Controls | Configured at |
-|---|---|---|
-| **User roles** (this article) | What *users* can do with the agent | Azure IAM on the agent resource |
+|-------|----------|---------------|
+| **User roles** (this page) | What *users* can do with the agent | Azure IAM on the agent resource |
 | **[Run modes](run-modes.md)** | Whether the agent asks before acting | Per response plan and per scheduled task |
-| **[Agent permissions](permissions.md)** | What *the agent* can access on Azure, which includes managed identity RBAC roles and on-behalf-of fallback | RBAC roles on resource groups |
-
-## Layer 1: User roles
+| **[Agent permissions](permissions.md)** | What *the agent* can access on Azure | RBAC roles on resource groups |
 
-Your agent includes three built-in Azure RBAC roles.
+## Three built-in roles
 
 | Role | Can do | Can't do |
-|---|---|---|
+|------|--------|-----------|
 | **SRE Agent Reader** | View threads, logs, incidents | Chat, request actions, modify anything |
 | **SRE Agent Standard User** | Chat, run diagnostics, request actions | Approve actions, delete resources, modify connectors |
-| **SRE Agent Administrator** | Approve actions, manage connectors, delete resources | (Full access) |
-
-The user who creates the agent automatically gets the **SRE Agent Administrator** role.
+| **SRE Agent Administrator** | Approve actions, manage connectors, delete resources | — |
 
-:::image type="content" source="media/user-roles/portal-sre-agent-roles-identity-access.png" alt-text="Screenshot of SRE Agent roles in Azure portal IAM showing Administrator, Reader, and Standard User." lightbox="media/user-roles/portal-sre-agent-roles-identity-access.png":::
+The user who creates the agent automatically receives the **SRE Agent Administrator** role.
 
-## Who should have which role
-
-Use the following guidance to assign roles based on team responsibilities.
+## Who should have which role?
 
 | Role | Give to |
-|---|---|
+|------|---------|
 | **SRE Agent Reader** | Auditors, compliance teams, stakeholders who need visibility |
-| **SRE Agent Standard User** | L1/L2 engineers, first responders, anyone who diagnoses problems |
+| **SRE Agent Standard User** | L1/L2 engineers, first responders, anyone who diagnoses issues |
 | **SRE Agent Administrator** | SRE managers, cloud admins, incident commanders |
 
 ## How the portal enforces permissions
 
-The portal checks your Azure role assignments when you access the agent. The portal enforces access at two levels.
+The portal checks your Azure role assignments when you access the agent. Access is enforced at two levels.
 
-### Level 1: No agent access
+### No agent access
 
-When you don't have the SRE Agent role assignment, the portal shows an **Access Required** screen with a shield icon and a **Go to Access Control** button that opens the Azure IAM window. If you have Azure Owner or Contributor on the resource, you also see a banner offering to autoassign the Administrator role.
+When you have no SRE Agent role assignment, the portal shows an **Access Required** screen with a shield icon and a **Go to Access Control** button that opens the Azure IAM blade. If you have Azure Owner or Contributor on the resource, you also see a banner offering to auto-assign the Administrator role.
 
-### Level 2: Backend enforcement
+### Backend enforcement
 
-When you have an SRE Agent role but attempt an action beyond your permissions, the backend blocks the action with a 403 error. The portal might let you navigate to a page or select a button, but the operation fails with a permission error when it reaches the server.
+When you have an SRE Agent role but attempt an action beyond your permissions, the **backend blocks the action with a 403 error**. The portal might let you navigate to a page or select a button, but the operation fails with a permission error when it reaches the server.
 
 > [!NOTE]
-> Some portal features proactively disable buttons when you lack write permissions (for example, connector management shows disabled buttons with tooltips). However, this behavior isn't yet consistent across all features. The backend always enforces the correct permissions regardless of what the UI shows.
+> Some portal features proactively disable buttons when you lack write permissions. However, this isn't yet consistent across all features—the backend always enforces the correct permissions regardless of what the UI shows.
 
 ## What each role can access
 
-The following table summarizes the access level for each role across different areas of the portal.
-
 | Area | Reader | Standard User | Administrator |
-|---|---|---|---|
-| **Chat** | View threads (read-only) | Send messages, start threads | Full access, approve actions, delete threads |
+|------|--------|---------------|---------------|
+| **Chat** | View threads (read-only) | Send messages, start threads | Full access + approve actions, delete threads |
 | **Agent Canvas** | View custom agents | View custom agents | Create, edit, delete custom agents |
-| **Knowledge base** | Browse documents | Upload documents | Upload and delete documents |
+| **Knowledge base** | Browse documents | Upload documents | Upload + delete documents |
 | **Connectors** | View connectors | View connectors | Add, edit, delete connectors |
 | **Response plans** | View plans | View plans | Create, edit, delete plans |
 | **Managed resources** | View resources | View resources | Add, remove resources |
 | **Settings** | View settings | View settings | Modify settings, stop/delete agent |
 
 ## Assign roles
 
-Assign roles through the Azure portal (**Access control (IAM)** > **Add role assignment**) or by using the Azure CLI.
+Assign roles through the Azure portal (**Access control (IAM)** > **Add role assignment**) or Azure CLI:
 
 ```azurecli
 az role assignment create \
   --assignee [email protected] \
   --role "SRE Agent Administrator" \
-  --scope <AGENT_RESOURCE_ID>
+  --scope <agent-resource-id>
 ```
 
 Replace the role name with `SRE Agent Standard User` or `SRE Agent Reader` as needed.
 
-To find your agent's resource ID, run the following command:
-
-```azurecli
-az resource show \
-  --resource-group <RESOURCE_GROUP> \
-  --name <AGENT_NAME> \
-  --resource-type Microsoft.SREAgent/agents \
-  --query id -o tsv
-```
-
 ## How roles work together
 
-The following example shows how roles interact during an action approval workflow. An engineer requests an action, but only administrators can approve it.
-
 | Step | Who | Action |
-|---|---|---|
+|------|-----|--------|
 | 1 | Engineer (Standard User) | "Fix the config issue" |
 | 2 | Agent | Drafts remediation plan |
 | 3 | Agent | Can't execute (needs Administrator approval) |
 | 4 | Manager (Administrator) | Reviews and approves |
-| 5 | Agent | Executes fix using managed identity or [on-behalf-of](permissions.md#on-behalf-of-obo) authorization |
-
-## Learn how the access control layers interact
+| 5 | Agent | Executes fix using managed identity |
 
-This article covers **user roles** which includes who can do what with the agent. To understand the full access control picture, see:
+## Related content
 
-| Article | Page | What you'll learn |
-|-------|------|-------------------|
-| **Run modes** | [Run modes](run-modes.md) | How Review and Autonomous modes control whether the agent asks before acting. Only Administrators can approve in Review mode |
-| **Agent permissions** | [Agent permissions](permissions.md) | How the agent gets access to Azure resources. This includes *Reader* vs *Privileged* permission levels, RBAC roles, and OBO fallback |
-| **Audit** | [Audit agent actions](audit-agent-actions.md) | Review what your agent did, who approved it, and which identity was used |
+- [Run modes](run-modes.md)
+- [Agent permissions](permissions.md)
+- [Agent identity](agent-identity.md)
+- [Audit agent actions](audit-agent-actions.md)