Events
Mar 17, 9 PM - Mar 21, 10 AM
Join the meetup series to build scalable AI solutions based on real-world use cases with fellow developers and experts.
This article demonstrates how to use Microsoft Entra ID managed identities and the Microsoft.Extensions.AI library to authenticate an Azure-hosted app to an Azure OpenAI resource.
A managed identity from Microsoft Entra ID allows your app to easily access other Microsoft Entra protected resources such as Azure OpenAI. The identity is managed by the Azure platform and doesn't require you to provision, manage, or rotate any secrets.
Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications can use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. Your application can be assigned two types of identities:
Navigate to your app's page in the Azure portal, and then scroll down to the Settings group.
Select Identity.
On the System assigned tab, toggle Status to On, and then select Save.
Note
The preceding screenshot demonstrates this process on an Azure App Service, but the steps are similar on other hosts such as Azure Container Apps.
Run the az webapp identity assign command to create a system-assigned identity:
az webapp identity assign --name <appName> --resource-group <groupName>
In the Azure portal, navigate to the scope that you want to grant Azure OpenAI access to. The scope can be a Management group, Subscription, Resource group, or a specific Azure OpenAI resource.
In the left navigation pane, select Access control (IAM).
Select Add, then select Add role assignment.
On the Role tab, select the Cognitive Services OpenAI User role.
On the Members tab, select the managed identity.
On the Review + assign tab, select Review + assign to assign the role.
You can use the Azure CLI to assign the Cognitive Services OpenAI User role to your managed identity at varying scopes.
az role assignment create --assignee "<managedIdentityObjectID>" \
--role "Cognitive Services OpenAI User" \
--scope "/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/<providerName>/<resourceType>/<resourceSubType>/<resourceName>"
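A role assignment applies to every resource beneath its scope, so it is worth checking how widely the Cognitive Services OpenAI User role was actually granted. The following script is an added example, not part of the original article: it classifies scope IDs and lists grants made above the level of a single resource. The function names, the tab-separated input format, and the sample subscription ID and resource names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag "Cognitive Services OpenAI User" grants made above resource level.
# Input format: <roleDefinitionName><TAB><scope>, one assignment per line, e.g. from
#   az role assignment list --assignee "<managedIdentityObjectID>" --all \
#     --query "[].[roleDefinitionName,scope]" -o tsv

# Print the level an Azure RBAC scope ID was granted at.
scope_level() {
    # Scope IDs are matched case-insensitively (resourceGroups vs resourcegroups).
    s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$s" in   # '*' also matches '/', so the most specific pattern comes first
        /providers/microsoft.management/managementgroups/*) echo management-group ;;
        /subscriptions/*/resourcegroups/*/providers/*/*/*)  echo resource ;;
        /subscriptions/*/resourcegroups/*/*)                echo unknown ;;
        /subscriptions/*/resourcegroups/*)                  echo resource-group ;;
        /subscriptions/*/*)                                 echo unknown ;;
        /subscriptions/*)                                   echo subscription ;;
        *)                                                  echo unknown ;;
    esac
}

# Print "<level><TAB><scope>" for each OpenAI User grant wider than a single resource.
audit_broad() {
    tab=$(printf '\t')
    while IFS="$tab" read -r role scope; do
        [ "$role" = "Cognitive Services OpenAI User" ] || continue
        level=$(scope_level "$scope")
        [ "$level" = resource ] || printf '%s\t%s\n' "$level" "$scope"
    done
}

# Constructed sample input (placeholder subscription ID and resource names).
sample_assignments() {
    sub=/subscriptions/00000000-0000-0000-0000-000000000000
    printf '%s\t%s\n' \
        "Cognitive Services OpenAI User" "$sub/resourceGroups/rg-example/providers/Microsoft.CognitiveServices/accounts/aoai-example" \
        "Cognitive Services OpenAI User" "$sub/resourcegroups/rg-example" \
        "Cognitive Services OpenAI User" "$sub" \
        "Reader" "$sub"
}

sample_assignments | audit_broad
```

To audit a real identity, pipe the output of the az command shown in the header comment into audit_broad in place of sample_assignments.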
Add the following NuGet packages to your app:
dotnet add package Azure.Identity
dotnet add package Azure.AI.OpenAI
dotnet add package Microsoft.Extensions.Azure
dotnet add package Microsoft.Extensions.AI
dotnet add package Microsoft.Extensions.AI.OpenAI
The preceding packages each handle the following concerns for this scenario:
In the Program.cs file of your app, create a DefaultAzureCredential object to discover and configure available credentials:
// Required namespaces (place at the top of Program.cs)
using Azure.AI.OpenAI;
using Azure.Identity;
using Microsoft.Extensions.AI;

// For example, will discover Visual Studio or Azure CLI credentials
// in local environments and managed identity credentials in production deployments
var credential = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions
    {
        // If necessary, specify the tenant ID,
        // user-assigned identity client or resource ID, or other options
    }
);
Create an AI service and register it with the service collection:
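// Read the resource endpoint and model deployment name from configuration
string endpoint = builder.Configuration["AZURE_OPENAI_ENDPOINT"];
string deployment = builder.Configuration["AZURE_OPENAI_GPT_NAME"];

// No API key is passed: the client authenticates with the token credential
builder.Services.AddChatClient(
    new AzureOpenAIClient(new Uri(endpoint), credential)
        .AsChatClient(deployment));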
Inject the registered service for use in your endpoints:
app.MapGet("/test-prompt", async (IChatClient chatClient) =>
{
    return await chatClient.GetResponseAsync("Test prompt", new ChatOptions());
})
.WithName("Test prompt");
Tip
Learn more about ASP.NET Core dependency injection and how to register other AI services types in the Azure SDK for .NET dependency injection documentation.