# Assembled Notebook â€” Identity & Access Agents
_Generated 2025-11-08T01:05:04.242200Z_

> Synthesized from your Identity & Access diagram; the diagram itself is not embedded.

In [None]:
# %% [SETUP]
!pip install -U semantic-kernel
!pip -q uninstall -y pydrive2

In [None]:
# %% [SETUP-ENV]
import os, getpass
os.environ.setdefault('AZURE_OPENAI_ENDPOINT', 'https://4th-openai-resource.openai.azure.com')
os.environ.setdefault('AZURE_OPENAI_DEPLOYMENT', 'gpt-35-turbo')
os.environ.setdefault('AZURE_OPENAI_API_VERSION', '2024-10-21')
if not os.getenv('AZURE_OPENAI_API_KEY'):
    os.environ['AZURE_OPENAI_API_KEY'] = getpass.getpass('Enter AZURE_OPENAI_API_KEY (hidden): ').strip()
print('Azure OpenAI env ready (key is session-only).')

In [None]:
# %% [KERNEL]
import os
from semantic_kernel import Kernel
from semantic_kernel.connectors.ai.open_ai import AzureChatCompletion

kernel = Kernel()

service = AzureChatCompletion(
    service_id='azure',
    api_key=os.getenv('AZURE_OPENAI_API_KEY'),
    deployment_name=os.getenv('AZURE_OPENAI_DEPLOYMENT'),
    endpoint=os.getenv('AZURE_OPENAI_ENDPOINT'),
)
kernel.add_service(service)
print('Kernel ready (Azure OpenAI)')

In [None]:
# %% [TOOLS]

def tool_aad_app_register(**kwargs):
    """Create/read App Registration (client/server)."""
    return "stub:aad_app_register " + str(kwargs)

def tool_aad_service_principal(**kwargs):
    """Create/read Service Principal, admin consent."""
    return "stub:aad_service_principal " + str(kwargs)

def tool_aad_group_roles(**kwargs):
    """Assign RBAC roles to users/groups/SPNs."""
    return "stub:aad_group_roles " + str(kwargs)

def tool_mi_bind_system(**kwargs):
    """Bind System Assigned MI to workload."""
    return "stub:mi_bind_system " + str(kwargs)

def tool_mi_bind_user(**kwargs):
    """Assign User Assigned MI (UAMI) to workload."""
    return "stub:mi_bind_user " + str(kwargs)

def tool_mi_token_exchange(**kwargs):
    """Acquire tokens via MSI (Managed Identity)."""
    return "stub:mi_token_exchange " + str(kwargs)

def tool_kv_get_secret(**kwargs):
    """Read secret from Key Vault via MI."""
    return "stub:kv_get_secret " + str(kwargs)

def tool_kv_set_secret(**kwargs):
    """Write/rotate secret in Key Vault."""
    return "stub:kv_set_secret " + str(kwargs)

def tool_rbac_check(**kwargs):
    """Check data-plane RBAC for AOAI/Search/Blob."""
    return "stub:rbac_check " + str(kwargs)

def tool_pe_status(**kwargs):
    """Check Private Endpoint/VNet status."""
    return "stub:pe_status " + str(kwargs)

def tool_apim_invoke(**kwargs):
    """Invoke downstream via APIM with OAuth2."""
    return "stub:apim_invoke " + str(kwargs)

def tool_fn_call(**kwargs):
    """Call Azure Function adapter."""
    return "stub:fn_call " + str(kwargs)

def tool_app_call(**kwargs):
    """Call App Service / ContainerApp."""
    return "stub:app_call " + str(kwargs)

def tool_oauth2_client_credentials(**kwargs):
    """Obtain cross-tenant token via client credentials."""
    return "stub:oauth2_client_credentials " + str(kwargs)

def tool_dataverse_call(**kwargs):
    """Call Dataverse/OData with scoped token."""
    return "stub:dataverse_call " + str(kwargs)

def tool_legacy_api_call(**kwargs):
    """Call legacy API with scoped token."""
    return "stub:legacy_api_call " + str(kwargs)

def tool_emit_log(**kwargs):
    """Emit logs/metrics to Insights/Log Analytics."""
    return "stub:emit_log " + str(kwargs)


TOOLS = {

    'tool_aad_app_register': tool_aad_app_register,

    'tool_aad_service_principal': tool_aad_service_principal,

    'tool_aad_group_roles': tool_aad_group_roles,

    'tool_mi_bind_system': tool_mi_bind_system,

    'tool_mi_bind_user': tool_mi_bind_user,

    'tool_mi_token_exchange': tool_mi_token_exchange,

    'tool_kv_get_secret': tool_kv_get_secret,

    'tool_kv_set_secret': tool_kv_set_secret,

    'tool_rbac_check': tool_rbac_check,

    'tool_pe_status': tool_pe_status,

    'tool_apim_invoke': tool_apim_invoke,

    'tool_fn_call': tool_fn_call,

    'tool_app_call': tool_app_call,

    'tool_oauth2_client_credentials': tool_oauth2_client_credentials,

    'tool_dataverse_call': tool_dataverse_call,

    'tool_legacy_api_call': tool_legacy_api_call,

    'tool_emit_log': tool_emit_log,

}
print('Tools:', list(TOOLS.keys()))

In [None]:
# %% [AGENTS]

class Agent_aad_admin:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "AAD Admin"
        self.system_message = "Manage App Registrations, SPNs, and role assignments."
        self.skills = ["tool_aad_app_register", "tool_aad_service_principal", "tool_aad_group_roles", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[AAD Admin stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)

class Agent_mi_manager:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "Managed Identity Manager"
        self.system_message = "Bind system/user identities and obtain MSI tokens."
        self.skills = ["tool_mi_bind_system", "tool_mi_bind_user", "tool_mi_token_exchange", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[Managed Identity Manager stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)

class Agent_kv_broker:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "Key Vault Broker"
        self.system_message = "Broker secret access via MI (no raw key exfiltration)."
        self.skills = ["tool_kv_get_secret", "tool_kv_set_secret", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[Key Vault Broker stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)

class Agent_workload_orchestrator:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "Workload Orchestrator"
        self.system_message = "Hop across PVA\u2192APIM\u2192App\u2192Function enforcing policies."
        self.skills = ["tool_apim_invoke", "tool_app_call", "tool_fn_call", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[Workload Orchestrator stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)

class Agent_data_plane_accessor:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "Data Plane Accessor"
        self.system_message = "Check RBAC and connect to AOAI/Search/Blob (w/ PE)."
        self.skills = ["tool_rbac_check", "tool_pe_status", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[Data Plane Accessor stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)

class Agent_cross_tenant_broker:
    def __init__(self, kernel):
        self.kernel = kernel
        self.name = "Cross-Tenant Broker"
        self.system_message = "Use client credentials to call Tenant B services."
        self.skills = ["tool_oauth2_client_credentials", "tool_dataverse_call", "tool_legacy_api_call", "tool_emit_log"]
    async def run(self, user_text: str) -> str:
        try:
            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
            return str(result)
        except Exception as e:
            return f"[Cross-Tenant Broker stub] Adjust SK call. Error: {e}"
    def available_tools(self):
        return [t for t in self.skills if t in TOOLS]
    def call(self, tool_name: str, **kwargs):
        fn = TOOLS.get(tool_name)
        if not fn:
            raise ValueError(f"Tool not found: {tool_name}")
        return fn(**kwargs)


# Instances

agent_aad_admin = Agent_aad_admin(kernel)

agent_mi_manager = Agent_mi_manager(kernel)

agent_kv_broker = Agent_kv_broker(kernel)

agent_workload_orchestrator = Agent_workload_orchestrator(kernel)

agent_data_plane_accessor = Agent_data_plane_accessor(kernel)

agent_cross_tenant_broker = Agent_cross_tenant_broker(kernel)

print('Agents:', ['agent_aad_admin', 'agent_mi_manager', 'agent_kv_broker', 'agent_workload_orchestrator', 'agent_data_plane_accessor', 'agent_cross_tenant_broker'])

In [None]:
# %% [WIRES]
WIRES = {
  "AAD Admin": {
    "tools": [
      "tool_aad_app_register",
      "tool_aad_service_principal",
      "tool_aad_group_roles",
      "tool_emit_log"
    ]
  },
  "Managed Identity Manager": {
    "tools": [
      "tool_mi_bind_system",
      "tool_mi_bind_user",
      "tool_mi_token_exchange",
      "tool_emit_log"
    ]
  },
  "Key Vault Broker": {
    "tools": [
      "tool_kv_get_secret",
      "tool_kv_set_secret",
      "tool_emit_log"
    ]
  },
  "Workload Orchestrator": {
    "tools": [
      "tool_apim_invoke",
      "tool_app_call",
      "tool_fn_call",
      "tool_emit_log"
    ]
  },
  "Data Plane Accessor": {
    "tools": [
      "tool_rbac_check",
      "tool_pe_status",
      "tool_emit_log"
    ]
  },
  "Cross-Tenant Broker": {
    "tools": [
      "tool_oauth2_client_credentials",
      "tool_dataverse_call",
      "tool_legacy_api_call",
      "tool_emit_log"
    ]
  }
}
print('Wiring entries:', len(WIRES))

In [None]:

# %% [DEMO]
import os, getpass, types, asyncio
from semantic_kernel import Kernel
from semantic_kernel.connectors.ai.open_ai import AzureChatCompletion

os.environ.setdefault("AZURE_OPENAI_ENDPOINT",    "https://4th-openai-resource.openai.azure.com")
os.environ.setdefault("AZURE_OPENAI_DEPLOYMENT",  "gpt-35-turbo")
os.environ.setdefault("AZURE_OPENAI_API_VERSION", "2024-10-21")
if not os.getenv("AZURE_OPENAI_API_KEY"):
    os.environ["AZURE_OPENAI_API_KEY"] = getpass.getpass("Enter AZURE_OPENAI_API_KEY (hidden): ").strip()

try:
    kernel
except NameError:
    kernel = Kernel()
try:
    kernel.remove_service("azure")
except Exception:
    pass
kernel.add_service(AzureChatCompletion(
    service_id="azure",
    api_key=os.getenv("AZURE_OPENAI_API_KEY"),
    deployment_name=os.getenv("AZURE_OPENAI_DEPLOYMENT"),
    endpoint=os.getenv("AZURE_OPENAI_ENDPOINT"),
    api_version=os.getenv("AZURE_OPENAI_API_VERSION"),
))

async def _run_with_azure(self, user_text: str):
    prompt = (getattr(self, "system_message", "") or "") + "\\n\\nUser: " + str(user_text)
    result = await self.kernel.invoke_prompt(prompt, service_id="azure")
    return str(result)

patched = []
for name, obj in list(globals().items()):
    if name.startswith("agent_"):
        try:
            obj.kernel = kernel
            obj.run = types.MethodType(_run_with_azure, obj)
            patched.append(name)
        except Exception:
            pass
print("Patched run() for:", patched if patched else "(none)")

async def demo():
    aad = globals().get("agent_aad_admin")
    mi  = globals().get("agent_mi_manager")
    kv  = globals().get("agent_kv_broker")
    wo  = globals().get("agent_workload_orchestrator")
    dpa = globals().get("agent_data_plane_accessor")
    ct  = globals().get("agent_cross_tenant_broker")

    if aad:
        print(aad.call("tool_aad_app_register", name="server-api", roles=[".default"]))
        print(aad.call("tool_aad_service_principal", app_id="0000-000", consent=True))

    if mi:
        print(mi.call("tool_mi_bind_system", workload="Functions"))
        print(mi.call("tool_mi_token_exchange", resource="https://vault.azure.net/.default"))

    if kv:
        print(kv.call("tool_kv_get_secret", name="AOAI-KEY", version="latest"))

    if dpa:
        print(dpa.call("tool_rbac_check", principal="mi-fn", service="AOAI", role="Cognitive Services User"))
        print(dpa.call("tool_pe_status", service="AI Search", vnet="prod-hub-vnet"))

    if ct:
        print(ct.call("tool_oauth2_client_credentials", tenant="tenantB", scope="https://org.crm.dynamics.com/.default"))
        print(ct.call("tool_dataverse_call", url="https://org.crm.dynamics.com/api/data/v9.2/WhoAmI", method="GET"))

    print("LLM demo:")
    try:
        out = await aad.run("Summarize how MI + KeyVault + RBAC enable access to AOAI/Search/Blob across tenants.")
        print(out)
    except Exception as e:
        print("[demo] invoke failed:", e)

await demo()
