Authorization - Azure Open AI chat bot: Can we restrict access to specific users in our organization via Azure AD?

Question

Authorization - Azure Open AI chat bot: Can we restrict access to specific users in our organization via Azure AD?

azureuser01 1

I am interested in restricting access to the Azure Open AI chat bot to specific users in our organization. Can this be done using Azure Active Directory (Azure AD)? If so, how would I go about doing this?

I would like to restrict access to the chat bot to only those users who have a legitimate need to use it.

Answer 1

Pramod Valavala 17,466 Microsoft Employee

@azureuser01 If you are trying to control access to the Azure OpenAI Service resource itself, you could leverage the built-in roles for Azure RBAC to control access.

But if your users are expected to use the REST API with their own credentials instead, then you could follow the same steps required for managed identity, except that you would assign the role to a user or security group instead.

azureuser01 1 Reputation point

2023-09-05T19:35:20.0933333+00:00

@Pramod Valavala We deployed the chat model as a web app, following the instructions in the "Deploy your model" section of this article https://learn.microsoft.com/en-us/azure/ai-services/openai/use-your-data-quickstart?tabs=command-line&pivots=programming-language-studio. However, we have found that all internal users are able to access the web app and interact with the chatbot, even though we have only assigned Reader/Contributor/Owner role assignments to 1-2 users.
Pramod Valavala 17,466 Reputation points Microsoft Employee

2023-09-05T22:37:31.13+00:00

@azureuser01 The sample web app that gets deployed to an App Service can be protected with Azure AD as mentioned in the docs but does not support authorization as such.

You would have to customize this app to support authorization. One approach would be to add an App Role and assign users to the role, checking the same here.
azureuser01 1 Reputation point

2023-09-06T00:06:19.0533333+00:00

I'll give that a try, thank you.
azureuser01 1 Reputation point

2023-09-07T18:49:29.21+00:00

Update to your comment: The App Role approach didn't work, but see my answer below

Answer 2

azureuser01 1

@Pramod Valavala With the help of my team, we found the KB article that allowed us to successfully assign access control for the Azure OpenAI Web App chat bot.

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users

Answer 3

azureuser01 1

@Pramod Valavala With the help of my team we were able to find the KB article to successfully provide access Control for our Azure OpenAI chat bot

https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users

Authorization - Azure Open AI chat bot: Can we restrict access to specific users in our organization via Azure AD?

3 answers

Activity