OpenAI Chat Application with Microsoft Entra Authentication (Python)

This repository includes a Python app that uses Azure OpenAI to generate responses to user messages and uses Microsoft Entra for user authentication. The user sign-in functionality uses the built-in authentication feature of Azure Container Apps, which supports both Microsoft Entra ID and Microsoft Entra External ID.

The project includes all the infrastructure and configuration needed to setup Microsoft Entra authentication, provision Azure OpenAI resources (with keyless access), and deploy the app to Azure Container Apps using the Azure Developer CLI.

We recommend first going through the deploying steps before running this app locally, since the local app needs credentials for Azure OpenAI to work properly.

• Features
• Opening the project
• Deploying
• Development server
• Costs
• Security Guidelines
• Resources

Features

• A Python Quart backend that uses the openai package to generate responses to user messages.
• A basic HTML/JS frontend that streams responses from the backend using JSON Lines over a ReadableStream.
• Bicep files for provisioning Azure resources, including an Azure OpenAI resource, Azure Container Apps (with authentication configuration), and Azure Container Registry.
• Python scripts that use the msgraph-sdk package to create a Microsoft Entra application and service principal, and to grant the service principal permissions to the application.

Opening the project

This project has Dev Container support, so it will be be setup automatically if you open it in Github Codespaces or in local VS Code with the Dev Containers extension.

If you're not using one of those options for opening the project, then you'll need to:

1. Create a Python virtual environment and activate it.

2. Install the requirements:

   python -m pip install -r requirements-dev.txt

3. Install the app as an editable package:

   python -m pip install -e src

Deploying

Once you've opened the project in Codespaces, in Dev Containers, or locally, you can deploy it to Azure.

Azure account setup

1. Sign up for a free Azure account and create an Azure Subscription.

2. Request access to Azure OpenAI Service by completing the form at https://aka.ms/oai/access and awaiting approval.

3. Check that you have the necessary permissions:

   • Your Azure account must have Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator, User Access Administrator, or Owner. If you don't have subscription-level permissions, you must be granted RBAC for an existing resource group and deploy to that existing group.
   • Your Azure account also needs Microsoft.Resources/deployments/write permissions on the subscription level.

Microsoft Entra ID setup

We have integrated the sample with Entra ID to require authentication. This feature allows users within your organization to log in and how to process their identity within the sample. If a user is logged in, they'll see their name in the chat app.

To configure, follow these steps:

1. Create a new azd environment:

   azd env new

   This will create a folder under .azure/ in your project to store the configuration for this deployment. You may have multiple azd environments if desired.

2. Set the AZURE_AUTH_TENANT_ID azd environment variable to the tenant ID you want to use for Entra authentication:

   azd env set AZURE_AUTH_TENANT_ID your-tenant-id

3. Login to the azd CLI with the Entra tenant ID:

   azd auth login --tenant-id AUTH-TENANT-ID

4. Then proceed with the deployment steps below.

Microsoft Entra External ID setup

If you want to allow external users to sign up and sign in to the application using their email address or social identity such as Google, Apple or Facebook, you can use Microsoft Entra External ID. If you don't have an External ID tenant already, you can create a trial tenant using your Microsoft or Work account.

To deploy, you will need the tenant ID of your External ID. In the instructions below, replace <YOUR_TENANT_ID> with the tenant ID you obtain from the Entra Portal.

To configure, follow these steps:

1. Create a new azd environment:

   azd env new

   This will create a folder under .azure/ in your project to store the configuration for this deployment. You may have multiple azd environments if desired.

2. Set the AZURE_AUTH_TENANT_ID azd environment variable to whichever tenant ID you want to use for Entra authentication:

   azd env set AZURE_AUTH_TENANT_ID your-tenant-id

3. Set AZURE_AUTH_LOGIN_ENDPOINT to the login endpoint for the External ID tenant. That will typically look like "TenantNameHere.ciamlogin.com".

   azd env set AZURE_AUTH_LOGIN_ENDPOINT your-login-endpoint

4. Login to the azd CLI with the External ID tenant ID:

   azd auth login --tenant-id AUTH-TENANT-ID

5. Run the script that will setup permissions needed for the rest of the deployment process. Both PowerShell and Bash scripts are provided:

   ./scripts/setup_for_external_id.ps1

   ./scripts/setup_for_external_id.sh

6. Now proceed with the deployment steps below.

Deploying with azd

Once you have either setup Microsoft Entra ID or Microsoft Entra External ID, you can proceed to deploy the app.

1. If the Azure resources will be created in a different tenant than the Entra tenant, you must now login to Azure with that account:

   azd auth login --tenant-id AZURE-TENANT-ID

2. (Optional) This is the point where you can customize the deployment by setting environment variables, in order to use existing Azure resources.

3. Provision and deploy all the resources:

   azd up

   It will prompt you to provide an azd environment name (like "chat-app") and select a subscription from your Azure account. Then it will provision the resources in your account and deploy the latest code. If you get an error or timeout with deployment, changing the location can help, as there may be availability constraints.

4. When azd has finished deploying, you'll see an endpoint URI in the command output. Visit that URI, and you should see the chat app! 🎉

5. When you've made any changes to the app code, you can just run:

   azd deploy

Continuous deployment with GitHub Actions

This project includes a Github workflow for deploying the resources to Azure on every push to main. That workflow requires several Azure-related authentication secrets to be stored as Github action secrets. To set that up, run:

azd pipeline config

Development server

Assuming you've run the steps in Opening the project and the steps in Deploying, you can now run the Python app in your development environment:

1. Copy .env.sample into .env:

   cp .env.sample .env

2. For use with Azure OpenAI, run this command to get the Azure OpenAI endpoint URI from your deployed resource group and paste it in the .env file:

   azd env get-value AZURE_OPENAI_ENDPOINT

3. For use with OpenAI.com, either set the value of OPENAICOM_API_KEY in the .env file to your OpenAI API key, or set the environment values of both OPENAICOM_API_KEY_SECRET_NAME and AZURE_KEY_VAULT_NAME in the .env file.

4. For use with a local LLM server (to save costs during development), see our guide.

5. Run the app:

   python -m quart --app src.quartapp run --port 50505 --reload

   This will start the app on port 50505, and you can access it at http://localhost:50505.

Costs

Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage. The majority of the Azure resources used in this infrastructure are on usage-based pricing tiers. However, Azure Container Registry has a fixed cost per registry per day.

You can try the Azure pricing calculator for the resources:

• Azure OpenAI Service: S0 tier, ChatGPT model. Pricing is based on token count. Pricing
• Azure Container App: Consumption tier with 0.5 CPU, 1GiB memory/storage. Pricing is based on resource allocation, and each month allows for a certain amount of free usage. Pricing
• Azure Container Registry: Basic tier. Pricing
• Log analytics: Pay-as-you-go tier. Costs based on data ingested. Pricing

⚠️ To avoid unnecessary costs, remember to take down your app if it's no longer in use, either by deleting the resource group in the Portal or running azd down.

Security Guidelines

By default, this template uses Managed Identity for authenticating to the Azure OpenAI service. It uses an Azure Key Vault to store the client secret for the Microsoft Entra application.

Additionally, we have added a GitHub Action that scans the infrastructure-as-code files and generates a report containing any detected issues. To ensure continued best practices in your own repository, we recommend that anyone creating solutions based on our templates ensure that the Github secret scanning setting is enabled.

You may want to consider additional security measures, such as:

• Protecting the Azure Container Apps instance with a firewall and/or Virtual Network.
• Using certificates instead of client secrets for the Microsoft Entra application.

Resources

• OpenAI Chat Application with Microsoft Entra Authentication (Python): Similar to this project, but sets up authentication using the MSAL SDK instead of the built-in authentication feature of Azure Container Apps. This is necessary if you want to deploy an app to a different environment or use authentication during development.
• OpenAI Chat App with Managed Identity: Similar to this project, but doesn't include Microsoft Entra authentication.
• RAG chat with Azure AI Search + Python: A more advanced chat app that uses Azure AI Search to ground responses in domain knowledge.
• Develop Python apps that use Azure AI services