Added new feature to integrate azure services using managed identities

.gitignore

@@ -35,3 +35,4 @@ next-env.d.ts
 .azure/
 infra/aad_setup.sh
 .vscode
+infra/main.parameters.example.json

README.md

@@ -1,3 +1,8 @@
+# What's new - January 2025
+A new year brings some much requested feature updates to one of our most popular AI chat repos!
+- **[Managed Identity-based security](/docs/10-managed-identities.md)**. This uses Azure's underlying RBAC and removes (almost) all keys/secrets.
+- `appreg_setup.ps1` helper script to **[create the App Registration for you](/docs/5-add-identity.md#azure-ad-authentication-provider)** in Entra (if you have the permissions). Less copypasta means happier devs 🥰 
+
 # Unleash the Power of Azure OpenAI
 
 1. [Introduction](#introduction)
@@ -10,6 +15,7 @@
 1. [Persona](/docs/6-persona.md)
 1. [Extensions](/docs/8-extensions.md)
 1. [Environment variables](/docs/9-environment-variables.md)
+1. [Managed Identity-based deployment](/docs/10-managed-identities.md)
 1. [Migration considerations](/docs/migration.md)
 
 # Introduction

docs/10-managed-identities.md

@@ -0,0 +1,59 @@
+# Using Managed Identities for Azure Chat Solution Accelerator
+
+### Introduction
+
+The Azure Chat Solution Accelerator powered by Azure OpenAI Service allows organizations to deploy a private chat tenant with enhanced security and control over their data. One of the new features is the support for [Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview), adding a layer of security by eliminating the need for managing service principals and secrets manually, and leveraging Azure's built-in role-based access controls.
+
+### Security Advantages of Managed Identities
+
+[**Managed Identities**](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) for Azure resources provide the following benefits:
+
+1. **Improved Security**:
+    - **No Secret Management**: Eliminates the need to manually store and manage credentials or keys.
+    - **Automatic Rotation**: Managed Identities’ credentials are rotated automatically, eliminating potential security risk from non-rotated credentials.
+    - **Scope Limited Access**: Access to Azure resources can be fine-grained, allowing least-privilege access policies.
+
+2. **Simplified Management**:
+    - **Platform Managed**: The Azure platform handles identity creation and lifecycle management.
+    - **Simplified Resource Access**: Applications can request tokens to access resources without handling secrets.
+
+### List of Services Using Managed Identities
+
+The following services within the Azure Chat Solution Accelerator use Managed Identities for authentication:
+
+1. **Azure OpenAI Service**
+2. **Azure Cosmos DB**
+3. **Azure Cognitive Services (e.g., Document Intelligence, Azure OpenAI Dalle)**
+4. **Azure Search Service**
+5. **Azure Storage Account**
+
+> **Note:** Currently, due to compatibility issues, the Speech Service does not utilize Managed Identities. There is no available documentation for using Entra ID authentication with the Speech Service, making it a `TODO` item.
+
+### Preferred Production Deployment
+
+Using Managed Identities is preferred for production deployments due to:
+
+1. **Enhanced Security**: Eliminates risks associated with secret management such as accidental exposure or non-rotation of credentials.
+2. **Compliance and Governance**: Managed Identities integrate with Azure's role-based access control (RBAC), facilitating easier audits and compliance management.
+3. **Operational Efficiency**: Reduces the operational overhead of managing secrets, while also providing a more straightforward implementation.
+
+### Deploy to Azure with Managed Identities
+
+To deploy the application to Azure App Service with Managed Identities, follow the standard deployment instructions available in the [Deploy to Azure - GitHub Actions](https://github.com/microsoft/azurechat) section of the repository. Ensure to:
+
+1. **Update the Parameter**:
+    - Set the parameter `disableLocalAuth` to `true` in [`infra/main.bicep`](/infra/main.bicep) (or [`infra/main.json`](/infra/main.json) for ARM deployment) to use Managed Identities.
+2. **Deploy as normal**:
+    - refer to the [README](../README.md)
+3. (optional) **Setup your local dev environment**: 
+    - Run this script to grant yourself RBAC permissions on the Azure resources so you can run AzureChat locally
+    - In Powershell:
+        ```
+        PS> .\scripts\appreg_setup.ps1
+        ```
+    - You can then [run locally](3-run-locally.md)
+
+
+### Conclusion
+
+By leveraging Managed Identities, you enhance the security posture of your Azure Chat deployment while simplifying secret management and access control. This guide outlines the security advantages and highlights the necessary parameter changes to ensure a secure and efficient production setup. For more details, review the complete code and configurations available in the repository's `infra` directory.

docs/3-run-locally.md

@@ -11,14 +11,14 @@ Clone this repository locally or fork to your Github account. Run all of the the
 ## Steps
 
 1. Change directory to the `src` folder
-2. Rename the file `.env.example` to `.env.local` and populate the environment variables based on the deployed resources in Azure.
+2. Rename/copy the file `.env.example` to `.env.local` and populate the environment variables based on the deployed resources in Azure.
 3. Install npm packages by running `npm install`
 4. Start the app by running `npm run dev`
 5. Access the app on [http://localhost:3000](http://localhost:3000)
 
 You should now be prompted to login with your chosen OAuth provider.
 
-> [!NOTE]
+> **NOTE**  
 > If using Basic Auth (DEV ONLY) any username you enter will create a new user id (hash of username@localhost). You can use this to simulate multiple users. Once successfully logged in, you can start creating new conversations.
 
 [Next](/docs/4-deploy-to-azure.md)

docs/5-add-identity.md

@@ -49,6 +49,20 @@ We'll create two GitHub apps: one for testing locally and another for production
 
 ### 🟡 Development App Setup
 
+### Automated Approach 🆕
+You can use the helper script to create the App Registration and populate the keys automatically!
+Assuming you have the permissions for the manual approach (next section).
+1. In Powershell, run:
+   ```
+   PS> .\scripts\appreg_setup.ps1 -webappname <webappname> [-showsecret]
+   ```
+   - The `webappname` is the resource name of the Azure Web App resource, e.g. `myenv-webapp-e6g73wtcmam74`
+   - `-showsecret` will display the app secret at the end of the script (only if you need it)
+2. It might take a minute or two for the Web App to pickup the new config and restart
+3. Enjoy automation!
+
+### Manual Approach
+
 1. Navigate to [Azure AD Apps setup](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps)
 2. Create a [New Registration](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false)
 3. Fill in the following details

infra/main.bicep

@@ -1,5 +1,8 @@
 targetScope = 'subscription'
 
+// Activates/Deactivates Authentication using keys. If true it will enforce RBAC using managed identities
+param disableLocalAuth bool = false
+
 @minLength(1)
 @maxLength(64)
 @description('Name of the the environment which is used to generate a short unique hash used in all resources.')
@@ -88,9 +91,37 @@ module resources 'resources.bicep' = {
     storageServiceSku: storageServiceSku
     storageServiceImageContainerName: storageServiceImageContainerName
     location: location
+    disableLocalAuth:disableLocalAuth
   }
 }
 
 output APP_URL string = resources.outputs.url
+output AZURE_WEBAPP_NAME string = resources.outputs.webapp_name
 output AZURE_LOCATION string = location
 output AZURE_TENANT_ID string = tenant().tenantId
+output AZURE_RESOURCE_GROUP string = rg.name
+
+output AZURE_OPENAI_API_INSTANCE_NAME string = resources.outputs.openai_name
+output AZURE_OPENAI_API_DEPLOYMENT_NAME string = chatGptDeploymentName
+output AZURE_OPENAI_API_VERSION string = openAIApiVersion
+output AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME string = embeddingDeploymentName
+
+output AZURE_OPENAI_DALLE_API_INSTANCE_NAME string = resources.outputs.openai_dalle_name
+output AZURE_OPENAI_DALLE_API_DEPLOYMENT_NAME string = dalleDeploymentName
+output AZURE_OPENAI_DALLE_API_VERSION string = dalleApiVersion
+
+output AZURE_COSMOSDB_ACCOUNT_NAME string = resources.outputs.cosmos_name
+output AZURE_COSMOSDB_URI string = resources.outputs.cosmos_endpoint
+output AZURE_COSMOSDB_DB_NAME string = resources.outputs.database_name
+output AZURE_COSMOSDB_CONTAINER_NAME string = resources.outputs.history_container_name
+output AZURE_COSMOSDB_CONFIG_CONTAINER_NAME string = resources.outputs.config_container_name
+
+output AZURE_SEARCH_NAME string = resources.outputs.search_name
+output AZURE_SEARCH_INDEX_NAME string = searchServiceIndexName
+
+output AZURE_DOCUMENT_INTELLIGENCE_NAME string = resources.outputs.form_recognizer_name
+output AZURE_DOCUMENT_INTELLIGENCE_ENDPOINT string = 'https://${resources.outputs.form_recognizer_name}.cognitiveservices.azure.com/'
+
+output AZURE_SPEECH_REGION string = location
+output AZURE_STORAGE_ACCOUNT_NAME string = resources.outputs.storage_name
+output AZURE_KEY_VAULT_NAME string = resources.outputs.key_vault_name