In July, we put on a 6-part live stream series all about securing your AI apps on Azure, covering topics like keyless authentication, user login with Microsoft Entra, RAG data access control, and private network deployment. If you missed the live streams, you can still catch up by watching the recordings, downloading the slides, and trying out the sample projects.
Using Keyless Auth with Azure AI Services
Ready to go keyless and never worry about compromised keys again? All the Azure AI services support keyless authentication using role-based access control, making it possible for you to authenticate to the services with either your logged in local user identity or your deployed app's managed identity. We'll show you how to use keyless authentication with Azure OpenAI, demonstrating how to set up the access controls in the Portal, with the Azure CLI, or with infrastructure-as-code (Bicep). Then we'll connect to that Azure OpenAI service in our application code, using both the OpenAI SDK and the popular Langchain SDK. Our examples will be in Python, but you can use keyless auth with most modern OpenAI packages.
:link: Helpful links:
- Slides
- GitHub project: Keyless Azure OpenAI Deployment
- GitHub project: Keyless OpenAI Chat App on Azure Container Apps
Add User Login to AI Apps using Built-in Auth
Building an AI app on Azure and want to know the easiest way to let users sign-in? We'll show you how to setup built-in authentication on Azure App Service and Azure Container Apps. With built-in auth, employees can sign-in to either a workforce tenant or, thanks to Entra External ID, consumers can sign-in with a one-time passcode, username/password, or Google/Facebook login. Then your Azure app can display user details like their name, with minimal code changes. We'll demonstrate how to setup built-in auth to your apps using either the Graph SDK and the newly released Graph Bicep provider, and provide links to samples with full code provided.
:link: Helpful links:
Add User Login to AI Apps using MSAL SDK
Need a user sign-in feature for your AI app? We'll show you how to setup an OAuth2 OIDC flow in Python using the the MSAL SDK with the open source identity package. You can use this approach to either enable employees to sign-in to a workforce tenant or, thanks to Entra External ID, let customers sign-in with a one-time passcode, username/password, or Google/Facebook login. Then your app can use user details from the Graph SDK, like their name and email. We'll also demonstrate how to automate the creation of Microsoft Entra applications using the Graph SDK.
:link: Helpful links:
Handling User Auth for a SPA App on Azure
Many modern web applications use a SPA architecture: a single-page web app for the frontend and an API for the backend. In this talk, we'll discover how you can add user authentication to a SPA app using Microsoft Entra, using the MSAL.JS SDK on the frontend and the MSAL Python SDK on the backend. Learn how to set up Entra applications correctly, one for the client and one for the server, and how to use the on-behalf-of-flow on the server for handling tokens sent from the client. Our example application will be an AI RAG application with a React frontend and Python backend, but you can apply the same principles to any SPA applications that need user authentication.
:link: Helpful links:
Data Access Control for AI RAG Apps on Azure
If you're trying to get an LLM to accurately answer questions about your own documents, you need RAG: Retrieval Augmented Generation. With a RAG approach, the app first searches a knowledge base for relevant matches to a user's query, then sends the results to the LLM along with the original question. What if you have documents that should only be accessed by a subset of your users, like a group or a single user? Then you need data access controls to ensure that document visibility is respected during the RAG flow. In this session, we'll show an approach using Azure AI Search with data access controls to only search the documents that can be seen by the logged in user. We'll also demonstrate a feature for user-uploaded documents that uses data access controls along with Azure Data Lake Storage Gen2.
:link: Helpful links:
Deploying an AI App to a Private Network on Azure
To ensure that your AI app can only be accessed within your enterprise network, you should deploy it to an Azure virtual network with private endpoints for each Azure service used. In this session, we'll show how to deploy an AI RAG application to a virtual network that includes App Service, AI Search, OpenAI, Document Intelligence, and Blob storage, and we'll do it entirely with infrastructure-as-code (Bicep) so that you can do the same deployment. Then we'll log in to the virtual network using Azure Bastion with a virtual machine to demonstrate that we can access the RAG app from inside the network, and only inside the network.
:link: Helpful links: