This repository demonstrates an example scenario that allows users to interact with a Bot based on a Genie Space using Microsoft Teams. It expands on the following scenario: Help secure your Microsoft Teams channel bot and web app behind a firewall and, like the original, implements the pillars of the Azure Well-Architected Framework.
The Bot code is based on this repository authored by Luiz Carrossoni.
- An existing Databricks workspace with Azure Private Link back-end and front-end connections enabled, and a Genie Space that is accessible via the API.
- An environment with a Bash shell and a recent version of the Azure CLI installed. The Bash version of the Azure Cloud Shell is an option.
There are two authentication options from the Bot application to the Genie API: an Azure Managed Identity or a Databricks Personal Access Token (PAT). The Managed Identity is recommended; to use it, set the environment variable `DATABRICKS_TOKEN` to an empty string. To use a PAT instead, set `DATABRICKS_TOKEN` to the token value. Once deployed, the authentication method can be switched by changing the `DATABRICKS_TOKEN` application setting of the Web App: an empty value selects the Managed Identity, a non-empty value selects the PAT.
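The selection rule above, written out as an added example (this is not the repository's bot code). It assumes the bot is Python, that the `azure-identity` package is available on the Managed Identity path, and it uses the well-known Entra ID application ID of the Azure Databricks resource to request a token for the workspace API. The credential lookup is injectable so the decision logic can be exercised without Azure access; `describe_auth` exists so the chosen mode can be logged without ever writing the PAT to a log.

```python
"""Pick the Genie API credential the way the README describes: a non-empty
DATABRICKS_TOKEN selects a Personal Access Token, an empty (or unset) one
selects the web app's Azure Managed Identity. Added example, not the
repository's own code."""
import os
from typing import Callable, Mapping, Tuple

# Well-known application ID of the Azure Databricks resource in Entra ID; an
# Entra access token issued for this scope is accepted by the workspace REST API.
AZURE_DATABRICKS_SCOPE = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d/.default"


def managed_identity_token(scope: str = AZURE_DATABRICKS_SCOPE) -> str:
    """Obtain an Entra ID token via azure-identity (assumed dependency).
    DefaultAzureCredential uses the App Service managed identity in Azure and
    the `az login` session when the bot runs locally. For a user-assigned
    identity it honours the AZURE_CLIENT_ID environment variable."""
    from azure.identity import DefaultAzureCredential  # lazy: only this path needs it
    return DefaultAzureCredential().get_token(scope).token


def select_auth(env: Mapping[str, str],
                mi_token_provider: Callable[[], str] = managed_identity_token) -> Tuple[str, str]:
    """Return (mode, bearer_token); mode is 'pat' or 'managed_identity'.
    Whitespace-only values count as empty, so a stray space in the app
    setting selects the Managed Identity instead of becoming a broken PAT."""
    pat = env.get("DATABRICKS_TOKEN", "").strip()
    if pat:
        return "pat", pat
    return "managed_identity", mi_token_provider()


def genie_headers(env: Mapping[str, str],
                  mi_token_provider: Callable[[], str] = managed_identity_token) -> dict:
    """HTTP headers for a Genie API call using whichever credential applies."""
    _, token = select_auth(env, mi_token_provider)
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def describe_auth(env: Mapping[str, str]) -> str:
    """Log-safe description of the configured mode; never echoes the PAT."""
    pat = env.get("DATABRICKS_TOKEN", "").strip()
    if not pat:
        return "managed_identity"
    return f"pat (ending ...{pat[-4:]})"


if __name__ == "__main__":
    # Demo with constructed environments and a fake identity provider, so it
    # runs offline; the real process env would be passed as os.environ.
    def fake_mi() -> str:
        return "entra-token-from-managed-identity"

    print(select_auth({"DATABRICKS_TOKEN": ""}, fake_mi))
    print(select_auth({"DATABRICKS_TOKEN": "dapi1234567890abcdef"}, fake_mi))
    print(describe_auth(os.environ))
```

When running locally against a user-assigned identity, export `AZURE_CLIENT_ID` with the identity's Client ID so that `DefaultAzureCredential` picks the right identity on the App Service; locally it falls back to the `az login` user, which must itself have access to the Genie Space.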
The bot application can be tested and debugged locally. To do so, rename `bot/env-sample` to `.env` and replace the values with yours. The Bot Framework Emulator can be used as a client; refer to this link for guidance. If using an Azure Managed Identity for authentication, ensure you are logged in to Azure (`az login`) with a user that has access to the Genie Space API.
- Clone this repo and change directory: `git clone https://github.com/maucaro/secure_bot.git && cd secure_bot`
- Locally test the Bot application (optional).
- Rename `setenv-samples.sh` to `setenv.sh` and modify it with your values and to conform to your naming standards.
- Search for 'TO DO:' in the repository's files and adjust as necessary.
- Run `initial.sh`; this creates the Resource Group, the Managed Identity and the Azure Container Registry.
- Run `build.sh`; this builds the custom Docker image using the Azure Container Registry.
- Run `bot.sh`; this creates the App Service Plan, the App Service and the Bot definition. The App Service will pull the custom image and run it. It will take a few minutes before the app is operational; you can monitor progress under App Service -> Deployment Center -> Deployment -> Logs.
- If using an Azure Managed Identity, ensure it has appropriate permissions on the Genie Space; refer to this link.
- Rename `appManifest\manifest-sample.json` to `appManifest\manifest.json` and update it with the Client ID of the Managed Identity (in the 'id' and 'bots.botId' fields) and with your custom domain in 'validDomains'. Modify other settings according to your needs and preferences.
- Zip the files in the `appManifest` folder, upload the app to Teams and test it; if successful, continue.
- Run `network.sh`.
- Map a custom domain to the Web App; add a DNS A record pointing the custom domain to the Firewall's public IP.
- Run `private_endpoint.sh`.
- Run `route_table.sh`.
- Run `network_rules.sh`.
- Run `peering.sh`.
- Change the Bot configuration's messaging endpoint to the custom domain.

- If using a PAT for authentication, it should be stored in Azure Key Vault.
- Access to ACR may be further restricted using this guidance.
- The Bot code only allows interactions from users in the configured Entra ID tenant. For more granular control, organizations need to manage access to the Teams app as described here.
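The tenant restriction mentioned above, as an added example of how such a check can be written (this is illustrative code, not the repository's implementation). It reads the tenant that Teams places on each activity (`channelData.tenant.id`, with `conversation.tenantId` as a fallback) and fails closed when no tenant is present or none is configured. The sample activities are constructed, not captured. The check is only meaningful after the Bot Framework SDK has validated the inbound request's JWT; on an unauthenticated endpoint anyone could post an activity carrying whichever tenant ID they like.

```python
"""Gate inbound Teams activities on the Entra ID tenant they come from.
Added example, not the repository's own code. Activities are handled as the
JSON/dict the Bot Framework delivers; in the botbuilder SDK the same data is
reachable as turn_context.activity.channel_data / .conversation.tenant_id."""
from typing import Any, Mapping, Optional


def tenant_of(activity: Mapping[str, Any]) -> Optional[str]:
    """Extract the tenant ID (normalised to lower case) or None if absent."""
    channel_data = activity.get("channelData") or {}
    tenant = channel_data.get("tenant") or {}
    tid = tenant.get("id") or (activity.get("conversation") or {}).get("tenantId")
    if isinstance(tid, str) and tid.strip():
        return tid.strip().lower()
    return None


def is_allowed_tenant(activity: Mapping[str, Any], allowed_tenant_id: str) -> bool:
    """True only when the activity carries a tenant ID equal to the configured one.
    A missing tenant ID or an empty configuration is a deny, not a pass."""
    if not isinstance(allowed_tenant_id, str) or not allowed_tenant_id.strip():
        return False  # nothing configured: fail closed rather than open
    tid = tenant_of(activity)
    return tid is not None and tid == allowed_tenant_id.strip().lower()


# Constructed sample activities (hypothetical IDs, not real captures).
ALLOWED = "11111111-2222-3333-4444-555555555555"
OTHER = "99999999-8888-7777-6666-555555555555"
SAMPLE_OK = {"type": "message", "text": "hi", "channelId": "msteams",
             "conversation": {"id": "19:abc@thread.tacv2", "tenantId": ALLOWED},
             "channelData": {"tenant": {"id": ALLOWED}}}
SAMPLE_OTHER = {"type": "message", "text": "hi", "channelId": "msteams",
                "conversation": {"id": "19:def@thread.tacv2", "tenantId": OTHER},
                "channelData": {"tenant": {"id": OTHER}}}
SAMPLE_NO_TENANT = {"type": "message", "text": "hi", "channelId": "emulator",
                    "conversation": {"id": "local-1"}}

if __name__ == "__main__":
    for name, activity in (("ok", SAMPLE_OK), ("other tenant", SAMPLE_OTHER),
                           ("no tenant", SAMPLE_NO_TENANT)):
        print(f"{name}: allowed={is_allowed_tenant(activity, ALLOWED)}")
```

A denied activity should be answered with a short refusal (or dropped silently) before any call to the Genie API is made, so that the Databricks credential is never exercised on behalf of a foreign tenant.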