Streamlining authentication and authorization<\/h2>\n
Typically, developers would need to build custom logic on their backend to verify the authorization code flow, handle OAuth, and return an access token. This process can be time-consuming and requires considerable development effort to manage authentication.<\/p>\n
![\"OAuth2](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/OAuth2-authentication-flow-with-OIDC.png\")
<\/p>\n
Instead, we\u2019ll use Azure\u2019s built-in authentication for App Service which intercepts requests, figures out which users are not logged in, manages token issuance, and redirects users back to the application upon successful sign in. This allows you to focus on building application features while the platform manages authentication and authorization.<\/p>\n
![\"Built](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Built-in-authentication-for-App-Service.png\")
<\/p>\n
Setting up and running the application<\/h2>\nPrerequisites<\/h3>\n\n- Install Python<\/a> (Python 3+ recommended).<\/li>\n
- After installing Python, install pip<\/a> if it doesn\u2019t exist.<\/li>\n
- Docker<\/a> for Windows\/Linux. <\/li>\n
- An external tenant with a subscription. \n
\n- If you don\u2019t have one, you can create one using our\u202f30-day free trial<\/a>\u202for\u202fcreate an external tenant<\/a>\u202fwith an Azure subscription.<\/li>\n<\/ul>\n<\/li>\n
- (Optional): Quota<\/a> increase on open AI. This can be done by going to the quotas tab and asking for an increase in gpt-4o-mini.<\/li>\n<\/ul>\n
![\"External](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/External-id-tenant-architecture.png\")
<\/p>\n
We are going to set up our architecture using two tenants:<\/p>\n
\n- a workforce\/default tenant where we will create the Azure infrastructure, and <\/li>\n
- an external tenant where we will work on creating all the Entra resources.<\/li>\n<\/ul>\n
Setting up the virtual environment<\/h3>\n
You will install all dependencies and set up the environment on your local machine to run the Python scripts.<\/p>\n
\n- \n
Clone the following repository:<\/p>\n
git clone https:\/\/github.com\/Azure-Samples\/openai-chat-app-entra-auth-builtin.git<\/p>\n<\/li>\n
- \n
Cd to where the openai chat application is<\/p>\n
cd openai-chat-app-entra-auth-builtin<\/p>\n<\/li>\n
- \n
Create a Python virtual environment. This will create tutorial-env<\/code> if it doesn\u2019t exist and create directories inside it containing a copy of the Python interpreter and various supporting files.<\/p>\npython -m venv tutorial-env<\/p>\n<\/li>\n
- \n
Now, activate the environment by running:<\/p>\n<\/li>\n<\/ul>\n
Windows<\/strong><\/p>\ntutorial-env\\Scripts\\activate\n<\/code><\/pre>\nLinux\/MacOS<\/strong><\/p>\nsource tutorial-env\/bin\/activate\n<\/code><\/pre>\n\n- \n
Install the requirements:<\/p>\n
python -m pip install -r requirements-dev.txt<\/p>\n<\/li>\n<\/ul>\n
Setting up Microsoft Entra External ID<\/h3>\n
You will create an app and an associated user flow in an external tenant.<\/p>\n
To request tokens from the Microsoft Identity platform, you will need to create a service principal that can programmatically create an app registration, application roles, and a user flow, and link your app to the user flow. This is because azd doesn\u2019t let you create an app and user flow directly. However, you can create a service principal with azd, which you can then use with the Microsoft Graph SDK to set up an application and user flow in Microsoft Entra.<\/p>\n
Next, we\u2019ll run a script that will do the following:<\/p>\n
\n- \n
Create a service principal in the external tenant.<\/p>\n<\/li>\n
- \n
Create an application.<\/p>\n<\/li>\n
- \n
Granting application roles.<\/p>\n<\/li>\n
- \n
Creating a user flow.<\/p>\n<\/li>\n
- \n
Link the application to the user flow.<\/p>\n<\/li>\n
- \n
Create a new azd environment<\/p>\n
azd env new<\/p>\n<\/li>\n<\/ul>\n
This will create the folder under .azure\/<\/code> in your project to store the configuration for this deployment.<\/p>\n\n- \n
Set the AZURE_AUTH_TENANT_ID<\/code> azd environment variable to the external tenant you want to use for authentication. This can be found on the Entra portal under tenant properties.<\/p>\n<\/li>\n- \n
Set the AZURE_AUTH_LOGIN_ENDPOINT<\/code> for the External ID tenant, which usually appears as TenantName.ciamlogin.com<\/code>. You can find it on the Entra portal, under Settings<\/strong> \u2699\ufe0f. Simply pick the tenantname and add .ciamlogin.com<\/p>\nazd env set AZURE_AUTH_TENANT_ID your-tenant-id<\/p>\n<\/li>\n
- \n
Login to azd CLI with the External ID tenant ID:<\/p>\n
azd auth login –tenant-id AUTH-TENANT-ID<\/p>\n<\/li>\n<\/ul>\n
Run the script that will set up the app registration, service principals, roles, and permissions on Entra:<\/p>\n
Linux<\/strong><\/p>\n.\/scripts\/setup_for_external_id.ps1 \n\n.\/scripts\/setup_for_external_id.sh \n<\/code><\/pre>\nWindows<\/strong><\/p>\nIn PowerShell, run:<\/em><\/p>\n.\\setup_for_external_id.ps1\n<\/code><\/pre>\nIn Git Bash, run the shell script:<\/em><\/p>\n.\/setup_for_external_id.sh\n<\/code><\/pre>\nDeploying the application<\/h3>\n
You will deploy resources in the workforce (or default) tenant using a Bicep file which will include the provisioning of a resource group, Azure Key Vault, Log Analytics, and your application as an Azure Container App.<\/p>\n
Once you have set up Microsoft Entra External ID you can now log in to your Azure tenant to deploy your app.<\/p>\n
\n- \n
Log in to the default or workforce tenant on the Azure portal where you want to deploy your application. This will be a different tenant from your external tenant.<\/p>\n
azd auth login –tenant-id AZURE-TENANT-ID<\/p>\n<\/li>\n
- \n
Set your quota capacity to 8 as that\u2019s currently the max quota available , unless you request an increase.<\/p>\n
azd env set AZURE_OPENAI_DEPLOYMENT_CAPACITY 8<\/p>\n<\/li>\n
- \n
You can customize the deployment by setting the environment variables to use existing Azure resources.<\/p>\n<\/li>\n
- \n
Provision and deploy all the resources.<\/p>\n
azd up<\/p>\n<\/li>\n
- \n
When azd has finished deploying you will see an endpoint URL in the command output. Visit the URL and you should see the chat app running with External ID.<\/p>\n<\/li>\n<\/ul>\n
![\"Output](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Output-from-running-azd-up.png\")
<\/p>\n
\n- \n
When you make any changes to the app, you can run:<\/p>\n
azd deploy<\/p>\n<\/li>\n<\/ul>\n
Running the application<\/h3>\n
Once deployment has completed, you will be able to run your application using the endpoint provided after the azd deployment.<\/p>\n
![\"screenshot\"](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Application-endpoint-URL.png\")
<\/p>\n
\n- \n
Run the endpoint in the browser. It should look like:<\/p>\n
https:\/\/containername.randomname..azurecontainerapps.io<\/p>\n<\/li>\n- \n
In the browser, sign up or sign in to your Open AI application with a user within your external tenant.<\/p>\n<\/li>\n
- \n
Once signed in, you can now interact with the app as shown below:<\/p>\n<\/li>\n<\/ul>\n
![\"Azure](\"https:\/\/devblogs.microsoft.com\/identity\/wp-content\/uploads\/sites\/74\/2024\/11\/Azure-open-AI-chat-app-and-Microsoft-Entra.png\")
<\/p>\n
Let\u2019s recap<\/h2>\n
You have now successfully set up External ID as an identity provider for your container application using Open AI and Python.<\/p>\n
In this blog post, you have learned how to:<\/p>\n
\n- create an OpenAI application using Python.<\/li>\n
- add authentication to your Function App using External ID.<\/li>\n
- configure external authentication by creating and adding a user flow with customized branding. <\/li>\n
- sign up and sign in an External ID user with email and password on your website. <\/li>\n<\/ul>\n
Stay connected<\/h2>\n
To learn more or test out features in the Microsoft Entra portfolio, visit our\u202fdeveloper center<\/a>. Make sure you subscribe to the\u202fIdentity developer blog<\/a>\u202ffor more insights and to keep up with the latest on all things Identity. And, follow us on\u202fYouTube<\/a>\u202ffor video overviews, tutorials, and deep dives.<\/p>\n
- \n
- Install Python<\/a> (Python 3+ recommended).<\/li>\n
- After installing Python, install pip<\/a> if it doesn\u2019t exist.<\/li>\n
- Docker<\/a> for Windows\/Linux. <\/li>\n
- An external tenant with a subscription. \n
- \n
- If you don\u2019t have one, you can create one using our\u202f30-day free trial<\/a>\u202for\u202fcreate an external tenant<\/a>\u202fwith an Azure subscription.<\/li>\n<\/ul>\n<\/li>\n
- (Optional): Quota<\/a> increase on open AI. This can be done by going to the quotas tab and asking for an increase in gpt-4o-mini.<\/li>\n<\/ul>\n
<\/p>\nWe are going to set up our architecture using two tenants:<\/p>\n
- \n
- a workforce\/default tenant where we will create the Azure infrastructure, and <\/li>\n
- an external tenant where we will work on creating all the Entra resources.<\/li>\n<\/ul>\n
Setting up the virtual environment<\/h3>\n
You will install all dependencies and set up the environment on your local machine to run the Python scripts.<\/p>\n
- \n
- \n
Clone the following repository:<\/p>\n
git clone https:\/\/github.com\/Azure-Samples\/openai-chat-app-entra-auth-builtin.git<\/p>\n<\/li>\n
- \n
Cd to where the openai chat application is<\/p>\n
cd openai-chat-app-entra-auth-builtin<\/p>\n<\/li>\n
- \n
Create a Python virtual environment. This will create
tutorial-env<\/code> if it doesn\u2019t exist and create directories inside it containing a copy of the Python interpreter and various supporting files.<\/p>\npython -m venv tutorial-env<\/p>\n<\/li>\n
- \n
Now, activate the environment by running:<\/p>\n<\/li>\n<\/ul>\n
Windows<\/strong><\/p>\n
tutorial-env\\Scripts\\activate\n<\/code><\/pre>\nLinux\/MacOS<\/strong><\/p>\n
source tutorial-env\/bin\/activate\n<\/code><\/pre>\n- \n
- \n
Install the requirements:<\/p>\n
python -m pip install -r requirements-dev.txt<\/p>\n<\/li>\n<\/ul>\n
Setting up Microsoft Entra External ID<\/h3>\n
You will create an app and an associated user flow in an external tenant.<\/p>\n
To request tokens from the Microsoft Identity platform, you will need to create a service principal that can programmatically create an app registration, application roles, and a user flow, and link your app to the user flow. This is because azd doesn\u2019t let you create an app and user flow directly. However, you can create a service principal with azd, which you can then use with the Microsoft Graph SDK to set up an application and user flow in Microsoft Entra.<\/p>\n
Next, we\u2019ll run a script that will do the following:<\/p>\n
- \n
- \n
Create a service principal in the external tenant.<\/p>\n<\/li>\n
- \n
Create an application.<\/p>\n<\/li>\n
- \n
Granting application roles.<\/p>\n<\/li>\n
- \n
Creating a user flow.<\/p>\n<\/li>\n
- \n
Link the application to the user flow.<\/p>\n<\/li>\n
- \n
Create a new azd environment<\/p>\n
azd env new<\/p>\n<\/li>\n<\/ul>\n
This will create the folder under
.azure\/<\/code> in your project to store the configuration for this deployment.<\/p>\n- \n
- \n
Set the
AZURE_AUTH_TENANT_ID<\/code> azd environment variable to the external tenant you want to use for authentication. This can be found on the Entra portal under tenant properties.<\/p>\n<\/li>\n- \n
Set the
AZURE_AUTH_LOGIN_ENDPOINT<\/code> for the External ID tenant, which usually appears asTenantName.ciamlogin.com<\/code>. You can find it on the Entra portal, under Settings<\/strong> \u2699\ufe0f. Simply pick the tenantname and add .ciamlogin.com<\/p>\nazd env set AZURE_AUTH_TENANT_ID your-tenant-id<\/p>\n<\/li>\n
- \n
Login to azd CLI with the External ID tenant ID:<\/p>\n
azd auth login –tenant-id AUTH-TENANT-ID<\/p>\n<\/li>\n<\/ul>\n
Run the script that will set up the app registration, service principals, roles, and permissions on Entra:<\/p>\n
Linux<\/strong><\/p>\n
.\/scripts\/setup_for_external_id.ps1 \n\n.\/scripts\/setup_for_external_id.sh \n<\/code><\/pre>\nWindows<\/strong><\/p>\n
In PowerShell, run:<\/em><\/p>\n
.\\setup_for_external_id.ps1\n<\/code><\/pre>\nIn Git Bash, run the shell script:<\/em><\/p>\n
.\/setup_for_external_id.sh\n<\/code><\/pre>\nDeploying the application<\/h3>\n
You will deploy resources in the workforce (or default) tenant using a Bicep file which will include the provisioning of a resource group, Azure Key Vault, Log Analytics, and your application as an Azure Container App.<\/p>\n
Once you have set up Microsoft Entra External ID you can now log in to your Azure tenant to deploy your app.<\/p>\n
- \n
- \n
Log in to the default or workforce tenant on the Azure portal where you want to deploy your application. This will be a different tenant from your external tenant.<\/p>\n
azd auth login –tenant-id AZURE-TENANT-ID<\/p>\n<\/li>\n
- \n
Set your quota capacity to 8 as that\u2019s currently the max quota available , unless you request an increase.<\/p>\n
azd env set AZURE_OPENAI_DEPLOYMENT_CAPACITY 8<\/p>\n<\/li>\n
- \n
You can customize the deployment by setting the environment variables to use existing Azure resources.<\/p>\n<\/li>\n
- \n
Provision and deploy all the resources.<\/p>\n
azd up<\/p>\n<\/li>\n
- \n
When azd has finished deploying you will see an endpoint URL in the command output. Visit the URL and you should see the chat app running with External ID.<\/p>\n<\/li>\n<\/ul>\n
<\/p>\n- \n
- \n
When you make any changes to the app, you can run:<\/p>\n
azd deploy<\/p>\n<\/li>\n<\/ul>\n
Running the application<\/h3>\n
Once deployment has completed, you will be able to run your application using the endpoint provided after the azd deployment.<\/p>\n
<\/p>\n- \n
- \n
Run the endpoint in the browser. It should look like:<\/p>\n
https:\/\/containername.randomname.
.azurecontainerapps.io<\/p>\n<\/li>\n - \n
In the browser, sign up or sign in to your Open AI application with a user within your external tenant.<\/p>\n<\/li>\n
- \n
Once signed in, you can now interact with the app as shown below:<\/p>\n<\/li>\n<\/ul>\n
<\/p>\nLet\u2019s recap<\/h2>\n
You have now successfully set up External ID as an identity provider for your container application using Open AI and Python.<\/p>\n
In this blog post, you have learned how to:<\/p>\n
- \n
- create an OpenAI application using Python.<\/li>\n
- add authentication to your Function App using External ID.<\/li>\n
- configure external authentication by creating and adding a user flow with customized branding. <\/li>\n
- sign up and sign in an External ID user with email and password on your website. <\/li>\n<\/ul>\n
Stay connected<\/h2>\n
To learn more or test out features in the Microsoft Entra portfolio, visit our\u202fdeveloper center<\/a>. Make sure you subscribe to the\u202fIdentity developer blog<\/a>\u202ffor more insights and to keep up with the latest on all things Identity. And, follow us on\u202fYouTube<\/a>\u202ffor video overviews, tutorials, and deep dives.<\/p>\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- (Optional): Quota<\/a> increase on open AI. This can be done by going to the quotas tab and asking for an increase in gpt-4o-mini.<\/li>\n<\/ul>\n
- After installing Python, install pip<\/a> if it doesn\u2019t exist.<\/li>\n