November 13th, 2024

Creating an Azure OpenAI app with Python using External ID authentication

In the world of artificial intelligence (AI), creating secure and robust applications is essential. Integrating powerful AI models, such as those offered by Azure’s OpenAI services, with secure authentication through External ID, you can confidently deploy powerful AI-driven applications. This guide shows you how to bring these capabilities together using Python and Azure’s built-in tools, as well as leveraging External ID authentication to make it easy to create an app with secure access to AI-driven functionalities.

We’ll be using a mix of Azure CLI commands (azd) and Bicep templates to get an app up and running and configured with External ID and Azure infrastructure.

Objectives

To securely access and manage AI-driven functionality, we have two main tasks:

  1. Implementing user authentication: We’ll take an OpenAI application and add user authentication to it so that a user can log in and securely use our app.
  2. Automated setup: We want the set up to be fully automated so we will use a combination of Bicep templates with the Microsoft Graph SDK using Python.

Streamlining authentication and authorization

Typically, developers would need to build custom logic on their backend to verify the authorization code flow, handle OAuth, and return an access token. This process can be time-consuming and requires considerable development effort to manage authentication.

OAuth2 authentication flow with OIDC

Instead, we’ll use Azure’s built-in authentication for App Service which intercepts requests, figures out which users are not logged in, manages token issuance, and redirects users back to the application upon successful sign in. This allows you to focus on building application features while the platform manages authentication and authorization.

Built in authentication for App Service

Setting up and running the application

Prerequisites

  • Install Python (Python 3+ recommended).
  • After installing Python, install pip if it doesn’t exist.
  • Docker for Windows/Linux.
  • An external tenant with a subscription.
  • (Optional): Quota increase on open AI. This can be done by going to the quotas tab and asking for an increase in gpt-4o-mini.

External id tenant architecture

We are going to set up our architecture using two tenants:

  • a workforce/default tenant where we will create the Azure infrastructure, and
  • an external tenant where we will work on creating all the Entra resources.

Setting up the virtual environment

You will install all dependencies and set up the environment on your local machine to run the Python scripts.

  • Clone the following repository:

    git clone https://github.com/Azure-Samples/openai-chat-app-entra-auth-builtin.git

  • Cd to where the openai chat application is

    cd openai-chat-app-entra-auth-builtin

  • Create a Python virtual environment. This will create tutorial-env if it doesn’t exist and create directories inside it containing a copy of the Python interpreter and various supporting files.

    python -m venv tutorial-env

  • Now, activate the environment by running:

Windows

tutorial-env\Scripts\activate

Linux/MacOS

source tutorial-env/bin/activate
  • Install the requirements:

    python -m pip install -r requirements-dev.txt

Setting up Microsoft Entra External ID

You will create an app and an associated user flow in an external tenant.

To request tokens from the Microsoft Identity platform, you will need to create a service principal that can programmatically create an app registration, application roles, and a user flow, and link your app to the user flow. This is because azd doesn’t let you create an app and user flow directly. However, you can create a service principal with azd, which you can then use with the Microsoft Graph SDK to set up an application and user flow in Microsoft Entra.

Next, we’ll run a script that will do the following:

  • Create a service principal in the external tenant.

  • Create an application.

  • Granting application roles.

  • Creating a user flow.

  • Link the application to the user flow.

  • Create a new azd environment

    azd env new

This will create the folder under .azure/ in your project to store the configuration for this deployment.

  • Set the AZURE_AUTH_TENANT_ID azd environment variable to the external tenant you want to use for authentication. This can be found on the Entra portal under tenant properties.

  • Set the AZURE_AUTH_LOGIN_ENDPOINT for the External ID tenant, which usually appears as TenantName.ciamlogin.com. You can find it on the Entra portal, under Settings ⚙️. Simply pick the tenantname and add .ciamlogin.com

    azd env set AZURE_AUTH_TENANT_ID your-tenant-id

  • Login to azd CLI with the External ID tenant ID:

    azd auth login –tenant-id AUTH-TENANT-ID

Run the script that will set up the app registration, service principals, roles, and permissions on Entra:

Linux

./scripts/setup_for_external_id.ps1 

./scripts/setup_for_external_id.sh 

Windows

In PowerShell, run:

.\setup_for_external_id.ps1

In Git Bash, run the shell script:

./setup_for_external_id.sh

Deploying the application

You will deploy resources in the workforce (or default) tenant using a Bicep file which will include the provisioning of a resource group, Azure Key Vault, Log Analytics, and your application as an Azure Container App.

Once you have set up Microsoft Entra External ID you can now log in to your Azure tenant to deploy your app.

  • Log in to the default or workforce tenant on the Azure portal where you want to deploy your application. This will be a different tenant from your external tenant.

    azd auth login –tenant-id AZURE-TENANT-ID

  • Set your quota capacity to 8 as that’s currently the max quota available , unless you request an increase.

    azd env set AZURE_OPENAI_DEPLOYMENT_CAPACITY 8

  • You can customize the deployment by setting the environment variables to use existing Azure resources.

  • Provision and deploy all the resources.

    azd up

  • When azd has finished deploying you will see an endpoint URL in the command output. Visit the URL and you should see the chat app running with External ID.

Output from running azd up

  • When you make any changes to the app, you can run:

    azd deploy

Running the application

Once deployment has completed, you will be able to run your application using the endpoint provided after the azd deployment.

screenshot

  • Run the endpoint in the browser. It should look like:

    https://containername.randomname..azurecontainerapps.io

  • In the browser, sign up or sign in to your Open AI application with a user within your external tenant.

  • Once signed in, you can now interact with the app as shown below:

Azure open AI chat app and Microsoft Entra

Let’s recap

You have now successfully set up External ID as an identity provider for your container application using Open AI and Python.

In this blog post, you have learned how to:

  • create an OpenAI application using Python.
  • add authentication to your Function App using External ID.
  • configure external authentication by creating and adding a user flow with customized branding.
  • sign up and sign in an External ID user with email and password on your website.

Stay connected

To learn more or test out features in the Microsoft Entra portfolio, visit our developer center. Make sure you subscribe to the Identity developer blog for more insights and to keep up with the latest on all things Identity. And, follow us on YouTube for video overviews, tutorials, and deep dives.

Join our research panel to receive occasional invites to participate in customer research.

0 comments