diff --git a/.github/workflows/azd-template-validation.yml b/.github/workflows/azd-template-validation.yml
index 0fee728..d2e2abc 100644
--- a/.github/workflows/azd-template-validation.yml
+++ b/.github/workflows/azd-template-validation.yml
@@ -1,9 +1,14 @@
 name: AZD Template Validation
-on:
+on:
 workflow_dispatch:
 push:
 branches:
 - main
+ paths:
+ - 'infra/**'
+ - 'azure.yaml'
+ - 'scripts/**'
+ - '.github/workflows/azure-dev.yml'
 permissions:
 contents: read
@@ -16,6 +21,8 @@ jobs:
 name: azd template validation
 steps:
 - uses: actions/checkout@v4
+ with:
+ submodules: recursive
 # This postprovision cleanup step (Stage 19) has been removed from azure.yaml because
 # azd down was failing in the pipeline. As a workaround, we are removing this step
@@ -36,6 +43,9 @@ jobs:
 AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
 AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ TEMP: /tmp
 fabricCapacityMode: 'none'
+ AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}
+ AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
 - name: print result
 run: cat ${{ steps.validation.outputs.resultFile }}
diff --git a/.github/workflows/azure-dev.yml b/.github/workflows/azure-dev.yml
index 5cea4c7..0e30910 100644
--- a/.github/workflows/azure-dev.yml
+++ b/.github/workflows/azure-dev.yml
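Review bot: In the third hunk, `AZURE_PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID || secrets.AZURE_CLIENT_ID }}` falls back to the application (client) ID, but the Bicep `principalId` parameter takes an Entra object ID, and the companion azure-dev.yml change in this same commit resolves the object ID with `az ad sp show --id ... --query id` precisely because "Role assignments require the SP Object ID, not the Client/App ID"; with `AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'` the role assignment will be attempted against an ID that is not an object ID whenever `PRINCIPAL_ID` is unset. Either drop the fallback so a missing `PRINCIPAL_ID` fails fast, or add the same resolve step to this workflow before the validation action runs and pass its output instead. The new `paths` filter in the first hunk also does not include `.github/workflows/azd-template-validation.yml` itself, so edits to this workflow no longer trigger a validation run on push; add it to the list if that is unintended. `AZURE_CLIENT_ID` is read from `secrets` here but from `vars` in azure-dev.yml — I can't tell from the hunk whether both exist, so confirm the one being referenced is actually defined.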
@@ -24,26 +24,73 @@ jobs:
 AZURE_RESOURCE_GROUP: ${{ vars.AZURE_RESOURCE_GROUP }}
 AZURE_ENV_NAME: ${{ vars.AZURE_ENV_NAME }}
 AZURE_LOCATION: ${{ vars.AZURE_LOCATION }}
- AZURE_USER_OBJECT_ID: ''
+ AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+ TEMP: /tmp
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
 - name: Install azd
 uses: Azure/setup-azd@v2
+
 - name: Azure Developer CLI Login
 run: |
 azd auth login `
 --client-id "$Env:AZURE_CLIENT_ID" `
 --federated-credential-provider "github" `
- --tenant-id "$Env:AZURE_TENANT_ID"
+ --tenant-id "$Env:AZURE_TENANT_ID"
 shell: pwsh
+
 - name: Azure CLI Login
 uses: azure/login@v2
 with:
 client-id: ${{ vars.AZURE_CLIENT_ID }}
 tenant-id: ${{ vars.AZURE_TENANT_ID }}
 subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Resolve Service Principal Object ID
+ run: |
+ # If PRINCIPAL_ID repo variable is set and is a valid GUID, use it directly
+ if [[ "${{ vars.PRINCIPAL_ID }}" =~ ^[0-9a-fA-F-]{36}$ ]]; then
+ echo "Using PRINCIPAL_ID from repo variables"
+ echo "AZURE_PRINCIPAL_ID=${{ vars.PRINCIPAL_ID }}" >> $GITHUB_ENV
+ else
+ # Resolve the Object ID from the Application (Client) ID
+ # Role assignments require the SP Object ID, not the Client/App ID
+ echo "Resolving Service Principal Object ID from Client ID..."
+ SP_OBJECT_ID=$(az ad sp show --id "${{ vars.AZURE_CLIENT_ID }}" --query id -o tsv 2>/dev/null)
+ if [[ -z "$SP_OBJECT_ID" ]]; then
+ echo "::error::Failed to resolve Service Principal Object ID from Client ID: ${{ vars.AZURE_CLIENT_ID }}"
+ exit 1
+ fi
+ echo "Resolved SP Object ID: $SP_OBJECT_ID"
+ echo "AZURE_PRINCIPAL_ID=$SP_OBJECT_ID" >> $GITHUB_ENV
+ fi
+
+ - name: Create Resource Group if needed
+ run: |
+ # Use provided RG name or derive from environment name
+ RESOURCE_GROUP="${AZURE_RESOURCE_GROUP:-rg-${AZURE_ENV_NAME}}"
+ echo "Using resource group: $RESOURCE_GROUP"
+
+ RG_EXISTS=$(az group exists --name "$RESOURCE_GROUP")
+ if [ "$RG_EXISTS" = "false" ]; then
+ echo "Creating resource group: $RESOURCE_GROUP"
+ az group create --name "$RESOURCE_GROUP" --location ${{ vars.AZURE_LOCATION }}
+ else
+ echo "Resource group already exists: $RESOURCE_GROUP"
+ fi
+
+ # Set for subsequent steps
+ echo "RESOURCE_GROUP=$RESOURCE_GROUP" >> $GITHUB_ENV
+
 - name: Provision Infrastructure
+ id: provision-main
 run: azd provision --no-prompt
 env:
- AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+ AZD_INITIAL_ENVIRONMENT_CONFIG: ${{ secrets.AZD_INITIAL_ENVIRONMENT_CONFIG }}
+ AZURE_PRINCIPAL_TYPE: 'ServicePrincipal'
+ fabricCapacityMode: 'none'
+ fabricWorkspaceMode: 'none'
diff --git a/infra/main.bicepparam b/infra/main.bicepparam
index 947940c..3976692 100644
--- a/infra/main.bicepparam
+++ b/infra/main.bicepparam
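Review bot: The new "Resolve Service Principal Object ID" step splices `${{ vars.PRINCIPAL_ID }}` and `${{ vars.AZURE_CLIENT_ID }}` directly into the bash script text, so the GUID regex only runs after the value has already been substituted into the script — anyone who can edit repository variables can execute arbitrary commands in this job, and the same pattern appears unquoted in `az group create ... --location ${{ vars.AZURE_LOCATION }}` in the next step. Pass the values through `env:` and reference them as shell variables, and tighten the check to an actual GUID shape, since `^[0-9a-fA-F-]{36}$` also accepts a run of 36 hyphens; for the resource group step, `AZURE_LOCATION` is already in the job env, so `--location "$AZURE_LOCATION"` is sufficient. The job env seems to already carry `AZURE_CLIENT_ID` (the pwsh login step reads `$Env:AZURE_CLIENT_ID`), so only `PRINCIPAL_ID` needs adding at step level — confirm against the part of the job above the hunk. The `2>/dev/null` on `az ad sp show` also discards the Graph error that normally explains why the lookup failed (typically a missing directory-read permission on the federated identity); letting stderr through makes the `::error::` line actionable.

```yaml
      - name: Resolve Service Principal Object ID
        env:
          PRINCIPAL_ID: ${{ vars.PRINCIPAL_ID }}
        run: |
          # If PRINCIPAL_ID repo variable is set and is a valid GUID, use it directly
          if [[ "$PRINCIPAL_ID" =~ ^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$ ]]; then
            echo "Using PRINCIPAL_ID from repo variables"
            echo "AZURE_PRINCIPAL_ID=$PRINCIPAL_ID" >> "$GITHUB_ENV"
          else
            # … unchanged: explanatory comments …
            SP_OBJECT_ID=$(az ad sp show --id "$AZURE_CLIENT_ID" --query id -o tsv)
            if [[ -z "$SP_OBJECT_ID" ]]; then
              echo "::error::Failed to resolve Service Principal Object ID from Client ID: $AZURE_CLIENT_ID"
              exit 1
            fi
            # … unchanged: export of SP_OBJECT_ID to GITHUB_ENV …
          fi
```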
@@ -9,7 +9,7 @@ param location = readEnvironmentVariable('AZURE_LOCATION', '')
 param cosmosLocation = readEnvironmentVariable('AZURE_COSMOS_LOCATION', '')
 // Entra object ID of the identity to grant RBAC (user, group, service principal, or UAI). Set this if Graph lookup is blocked.
 param principalId = readEnvironmentVariable('AZURE_PRINCIPAL_ID', '')
-param principalType = 'User'
+param principalType = readEnvironmentVariable('AZURE_PRINCIPAL_TYPE', 'User')
 // ========================================
 // OPTIONAL INPUTS (Existing Resources)
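Review bot: `principalType` now takes whatever `AZURE_PRINCIPAL_TYPE` contains, but nothing in this file says which values are valid or that the value has to match the object behind `AZURE_PRINCIPAL_ID`; a typo such as `serviceprincipal` or a mismatch (object ID of a service principal with type `User`) only surfaces as a role-assignment failure during `azd provision`. Mirror the comment that already sits above `principalId`: `// Principal type for the RBAC assignment — must match the object behind AZURE_PRINCIPAL_ID (e.g. 'User', 'Group', 'ServicePrincipal'). The GitHub workflows set 'ServicePrincipal'; 'User' is the local-developer default.` If main.bicep already declares `@allowed([...])` on this parameter, that covers the typo case, but I can't see the parameter declaration from here.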