Authenticate and authorize App Service to Azure OpenAI using Microsoft Entra and the Semantic Kernel SDK

This article demonstrates how to use Microsoft Entra-managed identities to authenticate and authorize an App Service application to an Azure OpenAI resource.

This article also demonstrates how to use the Semantic Kernel SDK to easily implement Microsoft Entra authentication in your .NET application.

By using a managed identity from Microsoft Entra, your App Service application can easily access protected Azure OpenAI resources without having to manually provision or rotate any secrets.

Prerequisites

Add a managed identity to App Service

Your application can be granted two types of identities:

  • A system-assigned identity is tied to your application and is deleted if your app is deleted. An app can have only one system-assigned identity.
  • A user-assigned identity is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities.

Add a system-assigned identity

  1. Navigate to your app's page in the Azure portal, and then scroll down to the Settings group.
  2. Select Identity.
  3. On the System assigned tab, toggle Status to On, and then select Save.

Run the az webapp identity assign command to create a system-assigned identity:

az webapp identity assign --name <appName> --resource-group <groupName>

Add a user-assigned identity

To add a user-assigned identity to your app, create the identity, and then add its resource identifier to your app config.

  1. Create a user-assigned managed identity resource by following these instructions.

  2. In the left navigation pane of your app's page, scroll down to the Settings group.

  3. Select Identity.

  4. Select User assigned > Add.

  5. Locate the identity that you created earlier, select it, and then select Add.

    Important

    After you select Add, the app restarts.

  1. Create a user-assigned identity:

    az identity create --resource-group <groupName> --name <identityName>
    
  2. Assign the identity to your app:

    az webapp identity assign --resource-group <groupName> --name <appName> --identities <identityId>
    

Add an Azure OpenAI user role to your managed identity

  1. In the Azure portal, navigate to the scope at which you want to grant Azure OpenAI access. The scope can be a management group, subscription, resource group, or a specific Azure OpenAI resource.
  2. In the left navigation pane, select Access control (IAM).
  3. Select Add, then select Add role assignment.
  4. On the Role tab, select the Cognitive Services OpenAI User role.
  5. On the Members tab, select the managed identity.
  6. On the Review + assign tab, select Review + assign to assign the role.

Resource scope

az role assignment create --assignee "<managedIdentityObjectID>" \
--role "Cognitive Services OpenAI User" \
--scope "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/<providerName>/<resourceType>/<resourceSubType>/<resourceName>"

Resource group scope

az role assignment create --assignee "<managedIdentityObjectID>" \
--role "Cognitive Services OpenAI User" \
--scope "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>"

Subscription scope

az role assignment create --assignee "<managedIdentityObjectID>" \
--role "Cognitive Services OpenAI User" \
--scope "/subscriptions/<subscriptionId>"

Management group scope

az role assignment create --assignee "<managedIdentityObjectID>" \
--role "Cognitive Services OpenAI User" \
--scope "/providers/Microsoft.Management/managementGroups/<managementGroupName>"

Implement token-based authentication by using Semantic Kernel SDK

  1. Initialize a DefaultAzureCredential object to assume your app's managed identity:

    using Azure.Core;
    using Azure.Identity;

    // Initialize a DefaultAzureCredential.
    // This credential type tries several authentication flows in order until one succeeds.
    // It picks up Visual Studio or Azure CLI credentials in local environments
    // and managed identity credentials in production deployments.
    TokenCredential credentials = new DefaultAzureCredential(
        new DefaultAzureCredentialOptions
        {
            // If using a user-assigned identity, specify either
            // ManagedIdentityClientId or ManagedIdentityResourceId,
            // e.g.: ManagedIdentityClientId = "myIdentityClientId".
        }
    );
    
  2. Build a Kernel object that includes the Azure OpenAI Chat Completion Service, and use the previously created credentials:

    using Microsoft.Extensions.Configuration;
    using Microsoft.SemanticKernel;

    // Read the endpoint and deployment name recorded when the Azure OpenAI model was deployed.
    // Use the deployment name, not the underlying model name.
    IConfigurationRoot config = new ConfigurationBuilder().AddUserSecrets<Program>().Build();
    string endpoint = config["AZURE_OPENAI_ENDPOINT"]!;
    string deployment = config["AZURE_OPENAI_GPT_NAME"]!;
    
    // Build a Kernel that includes the Azure OpenAI Chat Completion Service
    // and the previously created token credential.
    Kernel kernel = Kernel
        .CreateBuilder()
        .AddAzureOpenAIChatCompletion(deployment, endpoint, credentials)
        .Build();
    
  3. Use the Kernel object to invoke prompt completion through Azure OpenAI:

    // Use the Kernel to invoke prompt completion through Azure OpenAI.
    // The Kernel response will be null if the model can't be reached.
    string? result = await kernel.InvokePromptAsync<string>("Please list three Azure services");
    Console.WriteLine($"Output: {result}");
    
    // Continue sending and receiving messages between the user and AI.
    // ...
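The three steps above combined into a single Program.cs (top-level statements), as an added example that is not code from the article or from the Semantic Kernel project. It adds a startup check that requests a token for the Azure OpenAI audience (https://cognitiveservices.azure.com/.default) with the same credential the kernel uses, so an identity that is disabled or misconfigured fails at boot instead of on the first user request, and it separates that from an RBAC failure, which only surfaces on the Azure OpenAI call. It assumes the endpoint and deployment name arrive as App Service app settings (environment variables AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_GPT_NAME, the article's key names) and that an optional AZURE_CLIENT_ID setting selects a user-assigned identity.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.SemanticKernel;

// Token audience for Azure OpenAI when authenticating with Microsoft Entra.
const string OpenAIScope = "https://cognitiveservices.azure.com/.default";
// App Service app settings reach the process as environment variables. The first two names
// match the article's keys; AZURE_CLIENT_ID is optional and names a user-assigned identity.
string endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")
    ?? throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");
string deployment = Environment.GetEnvironmentVariable("AZURE_OPENAI_GPT_NAME")
    ?? throw new InvalidOperationException("AZURE_OPENAI_GPT_NAME is not set.");
string? userAssignedClientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");

TokenCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = userAssignedClientId, // null selects the system-assigned identity
});

// Startup check: prove the identity can obtain a token for the Azure OpenAI audience, so a
// disabled identity or wrong client ID fails at boot rather than on the first user request.
// Token issuance does not consult RBAC; a missing role shows up later as an HTTP error.
try
{
    AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { OpenAIScope }), default);
    Console.WriteLine($"Token acquired for {OpenAIScope}; expires {token.ExpiresOn:u}"); // metadata only, never the token
}
catch (AuthenticationFailedException ex)
{
    Console.Error.WriteLine($"Managed identity could not obtain a token: {ex.Message}");
    return 1;
}

Kernel kernel = Kernel.CreateBuilder()
    .AddAzureOpenAIChatCompletion(deployment, endpoint, credential)
    .Build();

try
{
    string? result = await kernel.InvokePromptAsync<string>("Please list three Azure services");
    Console.WriteLine($"Output: {result}");
    return 0;
}
catch (HttpOperationException ex)
{
    // 401/403 here means the identity lacks the Cognitive Services OpenAI User role at this scope.
    Console.Error.WriteLine($"Azure OpenAI rejected the request ({ex.StatusCode}): {ex.Message}");
    return 1;
}
```

Locally, DefaultAzureCredential falls back to Visual Studio or Azure CLI sign-in, so the same binary runs unchanged in both environments; the exit code lets a deployment health check fail visibly when the identity is not wired up.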