# Document Redaction with Azure AI Language PII Native Document Analysis

This sample demonstrates how to use the Azure AI Language service to redact any Personally Identifiable Information (PII) from a provided PDF document using the preview **Native Document Support** features. You can find more information on these new capabilities in [our documentation for analyzing native documents](https://learn.microsoft.com/en-us/azure/ai-services/language-service/native-document-support/use-native-documents?tabs=pii).

> **IMPORTANT**: This feature only supports documents that are digitized (i.e. non-scanned documents) in `.txt`, `.docx`, or `.pdf` format. If you are working with scanned documents, explore the [document redaction with Azure OpenAI sample](./document-redaction-gpt.ipynb).

![Data Redaction](../../../images/redaction-language-pii.png)

This is achieved by the following process:

- Ensure that your prepared documents are uploaded to an Azure Blob Storage container, in `.txt`, `.docx`, or `.pdf` format, that the Azure AI Language service can access. 
  - For keyless authentication using Azure RBAC, ensure that you [grant storage account access to your Azure AI service resource](https://learn.microsoft.com/en-us/azure/ai-services/language-service/native-document-support/managed-identities#grant-storage-account-access-for-your-language-resource). 
  - _Note_: Infrastructure deployed by this sample repository automatically provides the necessary role assignments for the Azure AI service to access the storage account.
- Analyze the document by calling the `analyze-documents/jobs` endpoint with a PII redaction task payload.
- Retrieve the redacted document from the Azure Blob Storage container output.

## Use Cases

- Pre-processing of documents for compliance with data privacy regulations ahead of downstream processing (e.g., classification, extraction, summarization, translation, etc.)

## Objectives

By the end of this sample, you will have learned how to:

- Prepare a document for redaction by uploading it to an Azure Blob Storage container.
- Redact PII from the document using the Azure AI Language service.

## Useful Tips

- Combine this technique with a [document classification](../classification/README.md) approach to determine if the document contains PII before redaction.
- You can also combine this technique with a post-processing [document data extraction](../extraction/README.md) approach to extract specific information from the document after redaction.

## Setup

### Import modules

This sample takes advantage of the following .NET dependencies:

- **Azure.Storage.Blobs** to interface with an Azure Blob Storage container.
- **Azure.Identity** to securely authenticate with deployed Azure Services using Microsoft Entra ID credentials.
- **pdf2image-dotnet** to display the final redacted document in the sample notebook.
- **SkiaSharp** to display the final redacted document in the sample notebook.

The following local components are also used:

- [**LanguageNativePIIClient**](../../modules/samples/language/LanguageNativePIIClient.csx) to interact with the Azure AI Language service for Native Document PII redaction.
  - _Note: This class has been created as a wrapper around the Azure AI Language service API, as the SDK does not yet support the Native Document PII redaction feature._
- [**AppSettings**](../../modules/samples/AppSettings.csx) to access environment variables from the `.env` file.

In [52]:
#r "nuget: Azure.Identity, 1.13.2"
#r "nuget: Azure.AI.OpenAI, 2.1.0"
#r "nuget: Azure.AI.DocumentIntelligence, 1.0.0"
#r "nuget: Azure.Storage.Blobs, 12.24.0"
#r "nuget: DotNetEnv, 3.1.1"
#r "nuget: pdf2image-dotnet, 1.0.0"
#r "nuget: SkiaSharp, 3.116.1"
#r "nuget: SkiaSharp.NativeAssets.Linux, 3.116.1"

#!import ../modules/samples/AppSettings.csx
#!import ../modules/samples/helpers/StopwatchContext.csx
#!import ../modules/samples/language/LanguageNativePIIClient.csx

using System;
using System.IO;
using System.Text.Json;
using System.Collections.Generic;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Storage.Blobs;
using DotNetEnv;
using Pdf2Image;
using SkiaSharp;

Loading extensions from `/home/vscode/.nuget/packages/skiasharp/3.116.1/interactive-extensions/dotnet/SkiaSharp.DotNet.Interactive.dll`

### Configure the Azure services

To use the preview Native Document PII redaction feature of Azure AI Language, the `LanguageNativePIIClient` custom wrapper is used to interact with the service. The client setup mimics the approach to Azure official SDKs (i.e., requires an Azure AI Language service endpoint and a token credential).

To access the Azure Storage account, the SDK is used to create client instances using a deployed storage account name and authentication credentials.

For this sample, the credentials of the Azure CLI are used to authenticate with the deployed services.

In [53]:
string workingDir = Path.GetFullPath("../../../");
AppSettings settings = new AppSettings(new Dictionary<string, string>(Env.Load(Path.Combine(workingDir, ".env"))));
string samplePath = Path.Combine(workingDir, "samples/dotnet/redaction/");
string sampleName = "document-redaction-language-native-document";

DefaultAzureCredential credential = new DefaultAzureCredential(
    new DefaultAzureCredentialOptions { 
        ExcludeWorkloadIdentityCredential = true,
        ExcludeAzureDeveloperCliCredential = true,
        ExcludeEnvironmentCredential = true,
        ExcludeManagedIdentityCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeInteractiveBrowserCredential = true
    }
);

LanguageNativePIIClient languageNativePiiClient = new LanguageNativePIIClient(
    new Uri(settings.AIServicesEndpoint),
    credential
);

var storageAccountName = settings.StorageAccountName;

var blobServiceClient = new BlobServiceClient(
    new Uri($"https://{storageAccountName}.blob.core.windows.net"), 
    credential
);

## Prepare the document for redaction

To redact PII from a document, the document must first be uploaded to an Azure Blob Storage container. The document must be in `.txt`, `.docx`, or `.pdf` format.

For this sample, an [Invoice](../../assets/invoices/invoice_1.pdf) is used as the document to be redacted.

> **Note**: When using keyless authentication with Azure Storage accounts, the Azure AI service must be granted access to the storage account. This is done by assigning the `Storage Blob Data Contributor` role to the Azure AI service to allow the AI service to retrieve and create documents in the storage account.

In [54]:
string path = Path.Combine(workingDir, "samples/assets/invoices/");
string metadataFName = "invoice_2.json"; // Change this to the file you want to evaluate
string metadataFPath = Path.Combine(path, metadataFName);

Dictionary<string, JsonElement> data = JsonSerializer.Deserialize<Dictionary<string, JsonElement>>(File.ReadAllText(metadataFPath));

string pdfFName = data["fname"].GetString();
string pdfFPath = Path.Combine(path, pdfFName);

In [55]:
var blobContainerName = "redaction-samples";
var inputBlobContainerFolder = "raw";
var outputBlobContainerFolder = "processed";

// Create the sample blob container if it doesn't exist
var blobContainerClient = blobServiceClient.GetBlobContainerClient(blobContainerName);
blobContainerClient.CreateIfNotExists();

// Upload the sample PDF file to the blob container in the input folder
var inputBlobClient = blobContainerClient.GetBlobClient($"{inputBlobContainerFolder}/{pdfFName}");

using (var fileStream = File.OpenRead(pdfFPath))
{
    inputBlobClient.Upload(fileStream, true);
}

## Redact PII from the document

To redact PII from the document, the Azure AI Language service is used to analyze the document and redact any PII found.

The following code blocks initiate the analysis process by preparing a redaction task payload and calling the `analyze-documents/jobs` endpoint of the Azure AI Language service.

The redaction task payload is defined as follows:

```json
{ 
    "displayName": "<Your Job Name>", 
    "analysisInput": { 
        "documents": [ 
            { 
                "language": "en", // The language code for the document.
                "id": "Doc-1", // A user-defined unique ID for the document. 
                "source": { 
                    "location": "https://<Your Storage Account Name>.blob.core.windows.net/<Your Container Name>/<Your Document Name>.pdf"
                }, 
                "target": { 
                    "location": "https://<Your Storage Account Name>.blob.core.windows.net/<Your Container Name>/redacted"
                }
            } 
        ] 
    }, 
    "tasks": [ 
        { 
            "kind": "PiiEntityRecognition", 
            "taskName": "Redact PII", // A user-defined name for the task to run. 
            "parameters": { 
                "redactionPolicy": { 
                    "policyKind": "entityMask"  // Optional. Defines redactionPolicy; changes behavior based on value. Options: noMask, characterMask (default), and entityMask. 
                }, 
                "piiCategories": [ 
                    "Person", 
                    "Organization" 
                ],  // Optional. Defines the PII categories to redact.
                "excludeExtractionData": false  // Default is false. If true, only the redacted document is stored, without extracted entities data. 
            } 
        } 
    ] 
} 
```

> **Note**: The `piiCategories` field is optional and can be used to specify the PII categories to redact. If not specified, all PII categories are redacted. You can find more information about the PII categories in the [Azure AI Language documentation](https://learn.microsoft.com/en-us/rest/api/language/text-analysis-runtime/analyze-text?view=rest-language-2024-11-01&tabs=HTTP#piicategory).

In [56]:
AnalyzeNativePIIResult result;

StopwatchContext piiSw;

using (piiSw = new StopwatchContext())
{
    result = await languageNativePiiClient.AnalyzeDocumentAsync(
        new AnalyzeNativePIIOptions(
        displayName: "Document PII Redaction Example",
        analysisInput: new AnalyzeInputOptions(
            documents:
            [
                new AnalyzeInputDocument(
                    id: pdfFName,
                    source: new AnalyzeInputDocumentLocation($"https://{storageAccountName}.blob.core.windows.net/{blobContainerName}/{inputBlobContainerFolder}/{pdfFName}"),
                    target: new AnalyzeInputDocumentLocation($"https://{storageAccountName}.blob.core.windows.net/{blobContainerName}/{outputBlobContainerFolder}"),
                    language: "en")
            ]),
        tasks:
        [
            new AnalyzeNativePIIInputTask(
                taskName: "Redact PII",
                parameters: new AnalyzeInputTaskParameters(
                    redactionPolicy: new AnalyzeInputTaskRedactionPolicy(AnalyzeInputTaskRedactionPolicy.CharacterMask),
                    piiCategories: new []{"Person", "PhoneNumber", "Address", "Email"},
                    excludeExtractionData: true))
        ]));
}

## Visualize the outputs

To provide context for the execution of the code, the following code blocks visualize the outputs of the redaction process.

This includes:

- The contents of the redacted document.
- The execution time of the redaction process.

In [57]:
var totalElapsed = piiSw.Elapsed;

In [58]:
// Display the outputs of the redaction process.
var output = new
{
    ExecutionTime = $"{totalElapsed.TotalSeconds:0.00} seconds"
};

display(output);

Unnamed: 0,Unnamed: 1
ExecutionTime,16.52 seconds


In [59]:
// Download the blob PDF with the redacted PII
var redactedPdfUrl = result.Tasks.Items.First().Results.Documents.First().Targets.First().Location;
var redactedBlobPath = redactedPdfUrl.Split($"{storageAccountName}.blob.core.windows.net/{blobContainerName}/")[1];

var redactedBlobClient = blobContainerClient.GetBlobClient(redactedBlobPath);
var redactedPdfFPath = Path.Combine(samplePath, $"{sampleName}_redacted_{pdfFName}");

using (var redactedFileStream = File.OpenWrite(redactedPdfFPath))
{
    redactedBlobClient.DownloadTo(redactedFileStream);
}

In [None]:
// Display the redacted PDF file as images
var documentBytes = File.ReadAllBytes(redactedPdfFPath);

var pageImages = await Pdf2ImageConverter.FromBytesAsync(documentBytes);

foreach (var redactedPageImage in pageImages)
{
    var redactedPageImageStream = new SKMemoryStream(redactedPageImage);
    var redactedPageImageBitmap = SKBitmap.Decode(redactedPageImageStream);

    display(redactedPageImageBitmap);
}