A simple chat application that integrates Microsoft Entra ID for user authentication. Designed for deployment on Azure Container Apps with the Azure Developer CLI.

Azure-Samples/openai-chat-app-entra-auth-local

OpenAI Chat Application with Microsoft Entra Authentication (Python)

This repository includes a Python app that uses Azure OpenAI to generate responses to user messages, and Microsoft Entra for user authentication.

The project includes all the infrastructure and configuration needed to set up Microsoft Entra authentication, provision Azure OpenAI resources (with keyless access), and deploy the app to Azure Container Apps using the Azure Developer CLI.

We recommend first going through the deployment steps before running this app locally, since the local app needs credentials for Microsoft Entra and Azure OpenAI to work properly.

Features

  • A Python Quart backend that uses the identity and msal packages to authenticate users with Microsoft Entra, and the openai package to generate responses to user messages. Sessions are stored in Redis.
  • A basic HTML/JS frontend that streams responses from the backend using JSON Lines over a ReadableStream.
  • Bicep files for provisioning Azure resources, including an Azure OpenAI resource, Azure Container Apps, Azure Container Registry, Azure Cache for Redis, and Azure Log Analytics.
  • Python scripts that use the msgraph-sdk package to create a Microsoft Entra application and service principal, and to grant the service principal permissions to the application.

Screenshot of the chat app

Opening the project

You have a few options for getting started with this template. The quickest way to get started is GitHub Codespaces, since it will set up all the tools for you, but you can also set it up locally.

GitHub Codespaces

You can run this template virtually by using GitHub Codespaces. The button will open a web-based VS Code instance in your browser:

  1. Open the template (this may take several minutes):

    Open in GitHub Codespaces

  2. Open a terminal window

  3. Continue with the deployment steps

VS Code Dev Containers

A related option is VS Code Dev Containers, which will open the project in your local VS Code using the Dev Containers extension:

  1. Start Docker Desktop (install it if not already installed)

  2. Open the project:

    Open in Dev Containers

  3. In the VS Code window that opens, once the project files show up (this may take several minutes), open a terminal window.

  4. Continue with the deployment steps

Local Environment

If you're not using one of the above options for opening the project, then you'll need to:

  1. Make sure the following tools are installed:

  2. Download the project code:

    azd init -t openai-chat-app-entra-auth-local
  3. Open the project folder

  4. Create a Python virtual environment and activate it.

  5. Install required Python packages:

    pip install -r requirements-dev.txt
  6. Install the app as an editable package:

    python3 -m pip install -e src
  7. Start a Redis server:

    brew services start redis
  8. Continue with the deployment steps

Deployment

Once you've opened the project in Codespaces, in Dev Containers, or locally, you can deploy it to Azure.

Azure account setup

  1. Sign up for a free Azure account and create an Azure Subscription.
  2. Request access to Azure OpenAI Service by completing the form at https://aka.ms/oai/access and awaiting approval.
  3. Check that you have the necessary permissions:

Deployment with Azure Developer CLI

  1. Sign in to your Azure account:

    azd auth login

    If you have any issues with that command, you may also want to try azd auth login --use-device-code.

  2. If you will be setting up Entra authentication in a different tenant, log in with that tenant as well:

    azd auth login --tenant-id AUTH-TENANT-ID
  3. Create a new azd environment:

    azd env new

    This will create a folder under .azure/ in your project to store the configuration for this deployment. You may have multiple azd environments if desired.

  4. Set the AZURE_AUTH_TENANT_ID azd environment variable to whichever tenant ID you want to use for Entra authentication:

    azd env set AZURE_AUTH_TENANT_ID your-tenant-id
  5. Provision and deploy all the resources:

    azd up

    It will prompt you to provide an azd environment name (like "chat-app") and select a subscription from your Azure account. Then it will provision the resources in your account and deploy the latest code. Provisioning may take ~30 minutes, especially given the time taken to provision an Azure Cache for Redis. If you get an error with deployment, changing the location can help, as there may be availability constraints for the OpenAI resource.

  6. When azd has finished deploying, you'll see an endpoint URI in the command output. Visit that URI, and you should see the chat app! 🎉

  7. When you've made any changes to the app code, you can just run:

    azd deploy

CI/CD pipeline

This project includes a GitHub workflow for deploying the resources to Azure on every push to main. That workflow requires several Azure-related authentication secrets to be stored as GitHub Actions secrets. To set that up, run:

azd pipeline config

Local development

Assuming you've run the steps in Opening the project and have run azd up, you can now run the Quart app locally using the development server:

python -m quart --app src.quartapp run --port 50505 --reload

This will start the app on port 50505, and you can access it at http://localhost:50505.

To save costs during development, you may point the app at a local LLM server.

Costs

Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage. The majority of the Azure resources used in this infrastructure are on usage-based pricing tiers. However, Azure Container Registry has a fixed cost per registry per day.

You can try the Azure pricing calculator for the resources:

  • Azure OpenAI Service: S0 tier, ChatGPT model. Pricing is based on token count. Pricing
  • Azure Container App: Consumption tier with 0.5 CPU, 1GiB memory/storage. Pricing is based on resource allocation, and each month allows for a certain amount of free usage. Pricing
  • Azure Container Registry: Basic tier. Pricing
  • Azure Cache for Redis: Basic tier. Pricing
  • Log analytics: Pay-as-you-go tier. Costs based on data ingested. Pricing

⚠️ To avoid unnecessary costs, remember to take down your app if it's no longer in use, either by deleting the resource group in the Portal or running azd down.

Security Guidelines

This template uses Managed Identity for authenticating to the Azure services used (Azure OpenAI, Azure Cache for Redis). It uses an Azure Key Vault to store the client secret for the Microsoft Entra application.

Additionally, we have added a GitHub Action that scans the infrastructure-as-code files and generates a report containing any detected issues. To ensure continued best practices in your own repository, we recommend that anyone creating solutions based on our templates ensure that the GitHub secret scanning setting is enabled.

You may want to consider additional security measures, such as:

  • Protecting the Azure Cache for Redis instance with a firewall and/or Virtual Network.
  • Protecting the Azure Container Apps instance with a firewall and/or Virtual Network.
  • Using certificates instead of client secrets for the Microsoft Entra application.

Resources
