Enable entra ID authentication #910

Merged
merged 9 commits into from
Jun 20, 2024
26 changes: 20 additions & 6 deletions README.md
Expand Up @@ -31,7 +31,7 @@ Please see the [section below](#add-an-identity-provider) for important informat
These variables are required:
- `AZURE_OPENAI_RESOURCE`
- `AZURE_OPENAI_MODEL`
- `AZURE_OPENAI_KEY`
- `AZURE_OPENAI_KEY` (optional if using Entra ID)

These variables are optional:
- `AZURE_OPENAI_TEMPERATURE`
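Review bot: the list is still headed "These variables are required" while `AZURE_OPENAI_KEY` is now marked optional, so the reader is left guessing what replaces it. Suggest naming the alternative in the item itself, e.g. ``- `AZURE_OPENAI_KEY` (leave unset to authenticate with the webapp's managed identity via Entra ID; see [Using Entra ID](#using-entra-id))``, and stating that an unset key is what switches app.py to `DefaultAzureCredential`, since a misspelled variable name now silently changes the authentication mode instead of failing at startup.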
Expand All @@ -58,7 +58,7 @@ NOTE: You may find you need to set: MacOS: `export NODE_OPTIONS="--max-old-space
- `DATASOURCE_TYPE` (should be set to `AzureCognitiveSearch`)
- `AZURE_SEARCH_SERVICE`
- `AZURE_SEARCH_INDEX`
- `AZURE_SEARCH_KEY`
- `AZURE_SEARCH_KEY` (optional if using Entra ID)

These variables are optional:
- `AZURE_SEARCH_USE_SEMANTIC_SEARCH`
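Review bot: same problem as the Azure OpenAI list: `AZURE_SEARCH_KEY` sits under "required" but is now optional, and the reader should be told that in the Entra ID setup it is the Azure OpenAI resource's managed identity, not the webapp's, that reads the index (the new section assigns the search roles to the Azure OpenAI identity). Suggest ``- `AZURE_SEARCH_KEY` (leave unset when the Azure OpenAI resource's managed identity has been granted access to the index; see [Using Entra ID](#using-entra-id))``.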
Expand Down Expand Up @@ -188,6 +188,20 @@ The Citation panel is defined at the end of `frontend/src/pages/chat/Chat.tsx`.

```

### Using Entra ID

The app uses Azure OpenAI on your data [(see documentation)](https://learn.microsoft.com/en-us/azure/ai-services/openai/references/on-your-data). To enable Entra ID for intra-service authentication

1. Enable managed identity on Azure OpenAI
2. Configure AI search to allow access from Azure OpenAI
1. Enable Role Based Access control on the used AI search instance [(see documentation)](https://learn.microsoft.com/en-us/azure/search/search-security-enable-roles)
2. Assign `Search Index Data Reader` and `Search Service Contributor` to the identity of the Azure OpenAI instance
3. Do not configure `AZURE_SEARCH_KEY` and `AZURE_OPENAI_KEY` to use Entra ID authentication.
4. Configure the webapp identity
1. Enable managed identity in the app service that hosts the webapp
2. Go to the Azure OpenAI instance and assign the role `Cognitive Services OpenAI User` to the identity of the webapp

Note: RBAC assignments can take a few minutes before becoming effective.

### Best Practices
We recommend keeping these best practices in mind:
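Review bot: step 3 reads as though both keys must be configured for something, when it means the opposite; suggest "Leave `AZURE_SEARCH_KEY` and `AZURE_OPENAI_KEY` unset; an absent key is what makes the app fall back to `DefaultAzureCredential`". The nested items under steps 2 and 4 have lost their indentation, so they render as restarted top-level lists, and the sentence ending in "intra-service authentication" needs a colon. Worth one more line for local development: outside App Service, `DefaultAzureCredential` picks up a developer sign-in (Azure CLI and similar), so the same `Cognitive Services OpenAI User` assignment has to be made to the developer's own identity for the keyless setup to work on a workstation.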
Expand All @@ -207,7 +221,7 @@ Note: settings starting with `AZURE_SEARCH` are only needed when using Azure Ope
| --- | --- | ------------- |
|AZURE_SEARCH_SERVICE||The name of your Azure AI Search resource|
|AZURE_SEARCH_INDEX||The name of your Azure AI Search Index|
|AZURE_SEARCH_KEY||An **admin key** for your Azure AI Search resource|
|AZURE_SEARCH_KEY||An **admin key** for your Azure AI Search resource.|
|AZURE_SEARCH_USE_SEMANTIC_SEARCH|False|Whether or not to use semantic search|
|AZURE_SEARCH_QUERY_TYPE|simple|Query type: simple, semantic, vector, vectorSimpleHybrid, or vectorSemanticHybrid. Takes precedence over AZURE_SEARCH_USE_SEMANTIC_SEARCH|
|AZURE_SEARCH_SEMANTIC_SEARCH_CONFIG||The name of the semantic search configuration to use if using semantic search.|
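Review bot: the only change in the `AZURE_SEARCH_KEY` row is a trailing period, which most rows in this block do not have. More useful would be the same qualifier the `AZURE_OPENAI_KEY` row gets in this PR, "(optional if using Entra ID)", so the table agrees with the required-variables list above it.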
Expand All @@ -220,11 +234,11 @@ Note: settings starting with `AZURE_SEARCH` are only needed when using Azure Ope
|AZURE_SEARCH_VECTOR_COLUMNS||List of fields in your Azure AI Search index that contain vector embeddings of your documents to use when formulating a bot response. Represent these as a string joined with "|", e.g. `"product_description|product_manual"`|
|AZURE_SEARCH_PERMITTED_GROUPS_COLUMN||Field from your Azure AI Search index that contains AAD group IDs that determine document-level access control.|
|AZURE_SEARCH_STRICTNESS|3|Integer from 1 to 5 specifying the strictness for the model limiting responses to your data.|
|AZURE_OPENAI_RESOURCE||the name of your Azure OpenAI resource|
|AZURE_OPENAI_RESOURCE||the name of your Azure OpenAI resource (only one of AZURE_OPENAI_RESOURCE/AZURE_OPENAI_ENDPOINT is required)|
|AZURE_OPENAI_MODEL||The name of your model deployment|
|AZURE_OPENAI_ENDPOINT||The endpoint of your Azure OpenAI resource.|
|AZURE_OPENAI_ENDPOINT||The endpoint of your Azure OpenAI resource (only one of AZURE_OPENAI_RESOURCE/AZURE_OPENAI_ENDPOINT is required)|
|AZURE_OPENAI_MODEL_NAME|gpt-35-turbo-16k|The name of the model|
|AZURE_OPENAI_KEY||One of the API keys of your Azure OpenAI resource|
|AZURE_OPENAI_KEY||One of the API keys of your Azure OpenAI resource (optional if using Entra ID)|
|AZURE_OPENAI_TEMPERATURE|0|What sampling temperature to use, between 0 and 2. Higher values like 0.8 will make the output more random, while lower values like 0.2 will make it more focused and deterministic. A value of 0 is recommended when using your data.|
|AZURE_OPENAI_TOP_P|1.0|An alternative to sampling with temperature, called nucleus sampling, where the model considers the results of the tokens with top_p probability mass. We recommend setting this to 1.0 when using your data.|
|AZURE_OPENAI_MAX_TOKENS|1000|The maximum number of tokens allowed for the generated answer.|
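Review bot: "only one of AZURE_OPENAI_RESOURCE/AZURE_OPENAI_ENDPOINT is required" can be read as "exactly one", and it leaves open what happens when both are set; suggest "at least one of ... must be set" plus a statement of which one takes precedence, matching whatever rule the settings code applies. Since this PR renames "Azure AD" to "Entra ID", the `AZURE_SEARCH_PERMITTED_GROUPS_COLUMN` description in this hunk's context ("AAD group IDs") should get the same rename.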
2 changes: 1 addition & 1 deletion app.py
Expand Up @@ -126,7 +126,7 @@ def init_openai_client():
aoai_api_key = app_settings.azure_openai.key
ad_token_provider = None
if not aoai_api_key:
logging.debug("No AZURE_OPENAI_KEY found, using Azure AD auth")
logging.debug("No AZURE_OPENAI_KEY found, using Azure Entra ID auth")
ad_token_provider = get_bearer_token_provider(
DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
)
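Review bot: "Azure Entra ID" is not the product name; it is "Microsoft Entra ID" (the README section added in this PR just says "Entra ID"), so suggest `logging.debug("No AZURE_OPENAI_KEY found, using Microsoft Entra ID auth")`. Because `DefaultAzureCredential` may resolve to a managed identity, environment-variable credentials or a developer sign-in, consider logging this branch at INFO rather than DEBUG so an operator can confirm from normal logs that production is running without a key.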
2 changes: 1 addition & 1 deletion backend/settings.py
Expand Up @@ -101,7 +101,7 @@ class _AzureOpenAISettings(BaseSettings):
)

model: str
key: str
key: Optional[str] = None
resource: Optional[str] = None
endpoint: Optional[str] = None
temperature: float = 0
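Review bot: making `key` `Optional[str] = None` removes the only startup check that a credential is configured; combined with the `if not aoai_api_key` branch in app.py, a missing or misspelled `AZURE_OPENAI_KEY` now silently switches the app to Entra ID authentication and fails only at the first request, with a token or authorization error. Suggest a validator on `_AzureOpenAISettings` (or an explicit startup log line) that records which mode is in use, and the same treatment for the search key setting so both credentials are resolved consistently. `Optional` is already imported, as the `resource` and `endpoint` fields show, so no import change is needed.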