The Azure Chat Solution Accelerator powered by Azure OpenAI Service allows organizations to deploy a private chat tenant with enhanced security and control over their data. One of the new features is the support for Managed Identities, adding a layer of security by eliminating the need for managing service principals and secrets through the application, and leveraging Azure's built-in role-based access controls.
Managed Identities for Azure resources provide the following benefits:
-
Improved Security:
- No Secret Management: Eliminates the need to manually store and manage credentials or keys.
- Automatic Rotation: Managed Identities’ credentials are rotated automatically, eliminating potential security risk from non-rotated credentials.
- Scope Limited Access: Access to Azure resources can be fine-grained, allowing least-privilege access policies.
-
Simplified Management:
- Platform Managed: The Azure platform handles identity creation and lifecycle management.
- Simplified Resource Access: Applications can request tokens to access resources without handling secrets.
The following services within the Azure Chat Solution Accelerator use Managed Identities for authentication:
- Azure OpenAI Service
- Azure Cosmos DB
- Azure AI Services (e.g., Document Intelligence, Azure OpenAI DALL-E)
- Azure AI Search Service
- Azure Storage Account
Note: Currently, due to compatibility issues, the Azure AI Speech Service does not utilize Managed Identities. There is no available documentation for using Entra ID authentication with the Speech Service, making it a
TODOitem.
Using Managed Identities is preferred for production deployments due to:
- Enhanced Security: Eliminates risks associated with secret management such as accidental exposure or non-rotation of credentials.
- Compliance and Governance: Managed Identities integrate with Azure's role-based access control (RBAC), facilitating easier audits and compliance management.
- Operational Efficiency: Reduces the operational overhead of managing secrets, while also providing a more straightforward implementation.
To deploy the application to Azure App Service with Managed Identities, follow the standard deployment instructions available in the Deploy to Azure - GitHub Actions section of the repository as follows:
- Update the Parameter:
- Set the parameter
disableLocalAuthtotrueininfra/main.bicep(orinfra/main.jsonfor ARM deployment) to use Managed Identities.
- Set the parameter
- Deploy resources using azd:
- Refer to the README
You can run Azure Chat locally with Managed Identities - in this case the identity of the currently logged in user (via az login) is used to authenticate with the required Azure services. Follow the steps below to run Azure Chat locally with Managed Identities:
-
Refer to the documentation in Run Locally to set up your local environment up for development.
-
Update your
.envfile with the following setting:USE_MANAGED_IDENTITIES=true -
Make sure that your
.enveither has the following settings removed, uncommented, or set to empty. Even though you have setUSE_MANAGED_IDENTITIES=truethe various SDKs that the application uses to interact with these services can still default to key based authentication if these are present:AZURE_OPENAI_API_KEY= AZURE_OPENAI_DALLE_API_KEY= AZURE_COSMOSDB_KEY= AZURE_SEARCH_API_KEY= AZURE_DOCUMENT_INTELLIGENCE_KEY= -
Run this script to grant yourself RBAC permissions on the various Azure resources used by Azure Chat.
If you haven't already done so then you will need to login to Azure using the Azure CLI command
az login- In Powershell:
PS> .\scripts\add_localdev_roles.ps1 - In Bash:
> chmod +x .\scripts\add_localdev_roles.sh > .\scripts\add_localdev_roles.sh
- In Powershell:
By leveraging Managed Identities, you enhance the security posture of your Azure Chat deployment while simplifying secret management and access control. This guide outlines the security advantages and highlights the necessary parameter changes to ensure a secure and efficient production setup. For more details, review the complete code and configurations available in the repository's infra directory.