App Service delegated permissions to Azure OpenAI and Document Intelligence

Sverre 0 Reputation points

My webapp runs in an App Service configured with EasyAuth. The webapp is registered on the identity platform through an App Registration. The webapp uses the APIs for Document Intelligence and Azure OpenAI Service. I'd like for the webapp to acquire bearer tokens for these APIs on behalf of logged-in users.

I've tried implementing an Oauth on-behalf-of flow for this, but I haven't been successful yet. Many docs regarding App Service delegated permissions refer to API permissions in the App Registration, but as far as I know there are no configurable permissions for Document Intelligence or Azure OpenAI Service there. Such API permissions seem to be necessary for acquiring tokens with correct audience and scope fields in a delegated permission scenario.

Is there an established pattern for what I'm trying to implement?

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
6,776 questions
Azure AI services
Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
2,338 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,301 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. brtrach-MSFT 15,091 Reputation points Microsoft Employee

    @Sverre Here are the steps you can follow to configure API permissions for your App Registration:

    Go to the Azure portal and navigate to your App Registration.

    1. Click on "API permissions" in the left-hand menu.
    2. Click on "Add a permission" and select the API you want to configure permissions for (e.g. Azure OpenAI Service or Document Intelligence).
    3. Select the appropriate permission type (e.g. "Application" or "Delegated") and click "Add permissions".
    4. Grant admin consent for the new permissions by clicking on "Grant admin consent for {your tenant}".

    Once you have configured API permissions for your App Registration, you can use the on-behalf-of flow to acquire bearer tokens for Azure OpenAI Service and Document Intelligence on behalf of logged-in users. Here's an example of how you can implement this flow:

    1. When a user logs in to your web app, use EasyAuth to authenticate the user and obtain an access token for your web app.
    2. Use the on-behalf-of flow to exchange the user's access token for a bearer token for Azure OpenAI Service or Document Intelligence.
    3. Use the bearer token to call the Azure OpenAI Service or Document Intelligence API on behalf of the user.

    Here's an example of how you can implement the on-behalf-of flow in C#:

    var client = new HttpClient();
    var token = await HttpContext.GetTokenAsync("access_token");
    var userAssertion = new UserAssertion(token);
    var confidentialClient = new ConfidentialClientApplication(clientId, clientSecret, redirectUri, new ClientCredential(clientSecret), null, new TokenCache(), new HttpManager());
    var result = await confidentialClient.AcquireTokenOnBehalfOfAsync(scopes, userAssertion);
    var bearerToken = result.AccessToken;

    Note that you need to replace clientId, clientSecret, redirectUri, and scopes with the appropriate values for your App Registration and the Azure OpenAI Service or Document Intelligence API you are calling.

    0 comments No comments