diff --git a/.azure-pipelines/azure-pipelines.yml b/.azure-pipelines/azure-pipelines.yml
new file mode 100644
index 0000000000..220f05264e
--- /dev/null
+++ b/.azure-pipelines/azure-pipelines.yml
@@ -0,0 +1,52 @@
+trigger:
+- main
+
+parameters:
+- name: azureServiceConnection
+ type: string
+ default: 'MyAzureServiceConnection' # Replace with your actual service connection name
+
+variables:
+ - group: AzureSecrets # Replace with your actual variable group
+ - name: vmImageName
+ value: 'ubuntu-latest'
+ - name: resourceGroupName
+ value: '' # User should replace with their actual resource group name
+ - name: location
+ value: '' # User should replace with their actual location
+ - name: templateFile
+ value: 'infra/main.bicep'
+ - name: csmParametersFile
+ value: 'infra/main.parameters.json'
+
+pool:
+ vmImage: $(vmImageName)
+
+steps:
+- checkout: self
+
+- task: AzureCLI@2
+ inputs:
+ azureSubscription: '${{ parameters.azureServiceConnection }}'
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ az bicep install
+
+- task: AzureCLI@2
+ inputs:
+ azureSubscription: '${{ parameters.azureServiceConnection }}'
+ scriptType: 'bash'
+ scriptLocation: 'inlineScript'
+ inlineScript: |
+ echo "Replacing placeholder with actual value in parameters file"
+ sed -i 's|REPLACE_WITH_PRINCIPAL_ID|$(AZURE_PRINCIPAL_ID)|g' $(csmParametersFile)
+ echo "Updated parameters file:"
+ cat $(csmParametersFile)
+ az deployment sub create --location $(location) --template-file $(templateFile) --parameters @$(csmParametersFile)
+ displayName: 'Deploy Bicep Template'
+
+
+
+
+
diff --git a/infra/docprep.bicep b/infra/docprep.bicep
index a8f774fde6..9dfaa06d40 100644
--- a/infra/docprep.bicep
+++ b/infra/docprep.bicep
@@ -41,7 +41,7 @@ module formRecognizerRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: 'a97b65f3-24c7-4388-baec-2e87135dc908'
- principalType: 'User'
+ principalType: 'ServicePrincipal'
 }
 }
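Review bot: The `sed` in the 'Deploy Bicep Template' step looks for `REPLACE_WITH_PRINCIPAL_ID`, but the visible part of infra/main.parameters.json uses `${AZURE_PRINCIPAL_ID}`-style placeholders, so the substitution probably matches nothing and the `${AZURE_*}` strings reach `az deployment sub create` as literal values. The `$(...)` macros are also pasted unquoted into the script text (inside a single-quoted sed expression and as bare CLI arguments), so a value containing spaces or shell metacharacters changes the command, and `cat $(csmParametersFile)` copies the resolved parameters into the build log. Passing the value through `env:` and a quoted `--parameters principalId=...` override, as sketched below, removes both the in-place edit and the log dump. The other `${AZURE_*}` placeholders still need a resolver, and `location` defaults to an empty string, which should fail fast instead of being passed to the CLI.

```yaml
- task: AzureCLI@2
  displayName: 'Deploy Bicep Template'
  env:
    # Explicit mapping: secret variables are not exported to scripts automatically.
    AZURE_PRINCIPAL_ID: $(AZURE_PRINCIPAL_ID)
    DEPLOY_LOCATION: $(location)
  inputs:
    # … unchanged: azureSubscription, scriptType, scriptLocation …
    inlineScript: |
      set -euo pipefail
      : "${DEPLOY_LOCATION:?location variable is empty}"
      az deployment sub create \
        --location "$DEPLOY_LOCATION" \
        --template-file "$(templateFile)" \
        --parameters "@$(csmParametersFile)" \
        --parameters principalId="$AZURE_PRINCIPAL_ID"
```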
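Review bot: `principalType: 'ServicePrincipal'` is now a hard-coded literal in `formRecognizerRoleUser`, a module whose `principalId` was previously declared as a user, so a deployment run with a user's object ID would declare the wrong principal type and the role assignment may be rejected. The same literal swap appears in infra/main.bicep for `openAiRoleUser`, `searchRoleUser`, `searchIndexDataContribRoleUser` and `searchServiceContribRoleUser`. Taking the type from a parameter keeps both paths working, for example `param principalType string = 'User'` with `principalType: principalType` in each module call and the pipeline passing `principalType=ServicePrincipal`. The module body starts above this hunk, so the file's existing parameter list is not visible here.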
diff --git a/infra/main.bicep b/infra/main.bicep
index 20560f807f..df1441b7fc 100644
--- a/infra/main.bicep
+++ b/infra/main.bicep
@@ -206,6 +206,35 @@ module cosmos 'db.bicep' = {
 }
 }
+// Storage Account
+module storageAccount 'core/storage/storage-account.bicep' = {
+ name: 'storage-account'
+ scope: resourceGroup
+ params: {
+ name: !empty(storageAccountName) ? storageAccountName : '${abbrs.storageStorageAccounts}${resourceToken}'
+ location: location
+ tags: tags
+ accessTier: 'Hot'
+ allowBlobPublicAccess: false
+ allowCrossTenantReplication: true
+ allowSharedKeyAccess: true
+ defaultToOAuthAuthentication: false
+ deleteRetentionPolicy: {}
+ dnsEndpointType: 'Standard'
+ kind: 'StorageV2'
+ minimumTlsVersion: 'TLS1_2'
+ publicNetworkAccess: 'Disabled'
+ sku: {
+ name: 'Standard_LRS'
+ }
+ containers: [
+ {
+ name: 'example-container'
+ publicAccess: 'None'
+ }
+ ]
+ }
+}
 // USER ROLES
 module openAiRoleUser 'core/security/role.bicep' = {
@@ -214,7 +243,7 @@ module openAiRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd'
- principalType: 'User'
+ principalType: ''ServicePrincipal'
 }
 }
@@ -224,7 +253,7 @@ module searchRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '1407120a-92aa-4202-b7e9-c0e197c71c8f'
- principalType: 'User'
+ principalType: 'ServicePrincipal'
 }
 }
@@ -234,7 +263,7 @@ module searchIndexDataContribRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '8ebe5a00-799e-43f5-93ac-243d3dce84a7'
- principalType: 'User'
+ principalType: 'ServicePrincipal'
 }
 }
@@ -244,7 +273,7 @@ module searchServiceContribRoleUser 'core/security/role.bicep' = {
 params: {
 principalId: principalId
 roleDefinitionId: '7ca78c08-252a-4471-8644-bb5ff32d4ba0'
- principalType: 'User'
+ principalType: 'ServicePrincipal'
 }
 }
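Review bot: The new `storageAccount` module keeps account-key authentication enabled (`allowSharedKeyAccess: true`, `defaultToOAuthAuthentication: false`) even though this commit grants data access through an RBAC role assignment, so the account keys remain a second path to the data that is not tied to an identity. Unless a consumer outside this diff needs keys, `allowSharedKeyAccess: false` and `defaultToOAuthAuthentication: true` match the role-based design, and `allowCrossTenantReplication: false` is the safer setting if no cross-tenant object replication is planned. `deleteRetentionPolicy: {}` is passed empty, which presumably leaves blob soft delete unconfigured (the module file is not visible here). With `publicNetworkAccess: 'Disabled'` and no private endpoint added in this hunk, confirm how clients are expected to reach the account.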
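Review bot: `principalType: ''ServicePrincipal'` in `openAiRoleUser` has a doubled opening quote, so it does not parse as the string literal the sibling modules use and the template should fail to compile. The line should read `principalType: 'ServicePrincipal'`. Running `az bicep build --file infra/main.bicep` as a pipeline step before the deployment would catch this class of error before anything is sent to Azure.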
@@ -269,6 +298,16 @@ module searchRoleBackend 'core/security/role.bicep' = {
 }
 }
+module storageAccountRoleUser 'core/security/role.bicep' = {
+ scope: resourceGroup
+ name: 'storage-account-role-user'
+ params: {
+ principalId: principalId
+ roleDefinitionId: 'ba92f5b4-2d11-453d-a403-e96b0029c9fe' // Example role definition ID for Storage Blob Data Contributor
+ principalType: 'ServicePrincipal'
+ }
+}
+
 // For doc prep
 module docPrepResources 'docprep.bicep' = {
 name: 'docprep-resources${resourceToken}'
diff --git a/infra/main.parameters.json b/infra/main.parameters.json
index aed5af4779..b56a915b09 100644
--- a/infra/main.parameters.json
+++ b/infra/main.parameters.json
@@ -11,6 +11,21 @@
 "principalId": {
 "value": "${AZURE_PRINCIPAL_ID}"
 },
+ "appServicePlanName": {
+ "value": "${AZURE_APPSERVICE_PLAN}"
+ },
+ "cosmosAccountName": {
+ "value": "${AZURE_COSMOS_ACCOUNT}"
+ },
+ "backendServiceName": {
+ "value": "${AZURE_BACKEND_SERVICE}"
+ },
+ "resourceGroupName": {
+ "value": "${AZURE_RESOURCE_GROUP}"
+ },
+ "storageAccountName": {
+ "value": "${AZURE_STORAGE_ACCOUNT}"
+ },
 "openAiResourceName": {
 "value": "${AZURE_OPENAI_RESOURCE}"
 },
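Review bot: `storageAccountRoleUser` assigns Storage Blob Data Contributor with `scope: resourceGroup`, which is broader than the single account this commit adds. If role.bicep creates the assignment at the module's scope (the file is not visible here), the principal gets blob write and delete on every storage account in the resource group. Scoping the assignment to the storage account or the container, or using a read-only data role if the principal never writes, would keep it to least privilege. The trailing comment calls the GUID an "Example", which reads like a placeholder; if the role is intended, `// Storage Blob Data Contributor (built-in role)` states that plainly.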