From ce10dd97eadd1a29095523a5d718bbc5e4a2cbf0 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Fri, 28 Jun 2024 15:16:15 -0400 Subject: [PATCH 01/12] Azure AI Services auth overview --- .../azure-ai-services-authentication.md | 131 ++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 docs/ai/conceptual/azure-ai-services-authentication.md diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md new file mode 100644 index 0000000000000..932abb08d54e0 --- /dev/null +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
@@ -0,0 +1,131 @@ +--- +title: Authenticate to Azure OpenAI using .NET +description: Learn about the different options to authenticate to Azure OpenAI and other services using .NET +author: alexwolfmsft +ms.topic: concept-article +ms.date: 06/27/2024 + +--- + +# Authenticate to Azure AI Services using .NET + +Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. Azure OpenAI and many other AI services offer two primary ways to authenticate apps and users: + +- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also known as API keys or access keys and are often included in connection strings. +- **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities can have the correct level of access to different Azure resources. + +The sections ahead provide conceptual overviews for these two approaches, rather than detailed implementation steps. For more detailed information about connecting to Azure services, visit the following resources: + +- [Authenticate .NET apps to Azure services](/dotnet/azure/sdk/authentication/) +- [Identity fundamentals](/entra/fundamentals/identity-fundamental-concepts) +- [What is Azure RBAC?](/azure/role-based-access-control/overview) + +> [!NOTE] +> The examples in this article focus primarily on connections to Azure OpenAI, but the same concepts and implementation steps directly apply to many other Azure AI Services as well. + +## Explore key-based authentication + +Access keys allow you to authenticate to an AI service such as OpenAI using a secret key provided by the service. 
Retrieve the secret key using tools such as the Azure Portal or Azure CLI and use it to configure your app code to connect to the AI service: + +```csharp +builder.Services.AddAzureOpenAIChatCompletion( + "deployment-model", + "your-endpoint", + "your-resource-key"); +var kernel = builder.Build(); +``` + +Using access keys is a straightforward option, but this approach should be used with caution. Keys are not the recommended authentication option for the following reasons: + +- Keys do not follow the principle of least privilege - they needlessly provide elevated permissions for a given task +- Keys can accidentally be checked into source control or stored in unsafe locations +- Keys can easily be shared or sent to parties who should not have access +- Keys often require manual administration and rotation + +For these reasons, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. + +## Explore Microsoft Entra ID + +Microsoft Entra ID is a cloud-based identity and access management service that provides a vast set of features for different business and app scenarios. Microsoft Entra ID is the recommended solution to connect to Azure OpenAI and other AI services and provides the following benefits: + +- Key-less authentication using user or app identities. +- Role-based-access-control (RBAC) to assign identities the minimum required permissions. +- Detects [different credentials across environments](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) without requiring code changes. +- Automatically handles administrative tasks. + +The general flow to implement Entra ID authentication in your app generally include the following: + +- Local development: + 1. Authenticate to Azure using a local dev tool such as the Azure CLI or Visual Studio. + 1. Configure your code to use the `Azure.Identity` client library and `DefaultAzureCredential` class. + 1. 
Assign roles to the account you used to authenticate. + +- Azure hosted app: + 1. Deploy the app to Azure after it has been configured to use `Azure.Identity`. + 1. Assign a managed identity to the Azure hosted app. + 1. Assign roles to the managed identity. + +Key steps of this workflow are explored in the following sections. + +### Authenticate to Azure locally + +When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. Your local credentials can be discovered by the `Azure.Identity` and used to authenticate your app to Azure services, as described in the [configure the app code](/#configure-your-app-code) section. + +For example, to authenticate to Azure locally using the Azure CLI, run the following command: + +```azurecli +az login +``` + +### Configure the app code + +Use the `Azure.Identity` client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. You can see the full set of supported environment credentials and the order in which they are searched in the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation. + +For example, configure Semantic Kernel to authenticate using `DefaultAzureCredential` using the following code: + +```csharp +Kernel kernel = Kernel +.CreateBuilder() + .AddAzureOpenAITextGeneration( + "your-model", + "your-endpoint", + new DefaultAzureCredential()) + .Build(); +``` + +`DefaultAzureCredential` enables apps to be promoted from local development to test environments to production without code changes. For example, during development `DefaultAzureCredential` can discover and use your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. 
When the app is deployed to Azure, `DefaultAzureCredential` can use the managed identity that is assigned with your app. + +### Assign roles to your identity + +[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. You'll need to assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. + +Assign roles such as **Cognitive Services OpenAI User** (role ID: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd') to the relevant identity using tools such as the Azure CLI, Bicep, or the Azure Portal. For example, use the `az role assignment create` command to assign a role using the Azure CLI: + +```azurecli +az role assignment create \ + --role "5e0bd9bd-7b93-4f28-af87-19fc36ad61bd" \ + --assignee-object-id "$PRINCIPAL_ID" \ + --scope /subscriptions/"$SUBSCRIPTION_ID"/resourceGroups/"$RESOURCE_GROUP" \ + --assignee-principal-type User +``` + +Learn more about Azure RBAC using the following resources: + +- [What is Azure RBAC?](/azure/role-based-access-control/overview) +- [Grant a user access](/azure/role-based-access-control/quickstart-assign-role-user-portal) +- [RBAC best practices](/azure/role-based-access-control/best-practices) + +### Assign a managed identity to your app + +In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. 
Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. + +There are two types of managed identities you can assign to your app: + +- A **system-assigned identity** is tied to your application and is deleted if your app is deleted. An app can only have one system-assigned identity. +- A **user-assigned identity** is a standalone Azure resource that can be assigned to your app. An app can have multiple user-assigned identities. + +Assign roles to a managed identity just like you would an individual user account, such as the **Cognitive Services OpenAI User** role. learn more about working with managed identities using the following resources: + +- [Managed identities overview](/entra/identity/managed-identities-azure-resources/overview) +- [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) +- [Authenticate App Service to Azure OpenAI using Microsoft Entra ID](/dotnet/ai/how-to/app-service-aoai-auth?pivots=azure-portal) From 8cc9c92a0d183bcb6578ca1a25b1912f5cd9dc51 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Fri, 28 Jun 2024 15:28:29 -0400 Subject: [PATCH 02/12] progress --- .../azure-ai-services-authentication.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index 932abb08d54e0..08fd0b7f03b5e 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
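Review bot: the in-page links `[Microsoft Entra ID](/#explore-microsoft-entra-id)` and `[configure the app code](/#configure-your-app-code)` in the new azure-ai-services-authentication.md are root-relative, so they resolve to the site root plus a fragment rather than to the headings in this article; drop the leading slash (`#explore-microsoft-entra-id`, `#configure-your-app-code`). Two smaller points in the same file: the "Detects different credentials across environments" bullet links to the Python `DefaultAzureCredential` reference (`/python/api/azure-identity/...?view=azure-python`) in a .NET article, while the "Configure the app code" section already links the .NET page (`/dotnet/api/azure.identity.defaultazurecredential`), so reuse that one; and the `az role assignment create` example grants the role at resource-group scope (`--scope /subscriptions/"$SUBSCRIPTION_ID"/resourceGroups/"$RESOURCE_GROUP"`) a few lines after the article argues for least privilege, so either scope the assignment to the individual Azure OpenAI resource or say why resource-group scope is chosen.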
@@ -9,10 +9,10 @@ ms.date: 06/27/2024 # Authenticate to Azure AI Services using .NET -Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. Azure OpenAI and many other AI services offer two primary ways to authenticate apps and users: +Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel Sdk, as well SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: -- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also known as API keys or access keys and are often included in connection strings. -- **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities can have the correct level of access to different Azure resources. +- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also known as API keys or access keys. +- **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities have the correct level of access to different Azure resources. The sections ahead provide conceptual overviews for these two approaches, rather than detailed implementation steps. For more detailed information about connecting to Azure services, visit the following resources: 
@@ -25,30 +25,30 @@ The sections ahead provide conceptual overviews for these two approaches, rather ## Explore key-based authentication -Access keys allow you to authenticate to an AI service such as OpenAI using a secret key provided by the service. Retrieve the secret key using tools such as the Azure Portal or Azure CLI and use it to configure your app code to connect to the AI service: +Access keys allow apps and tools to authenticate to an Azure AI service such as OpenAI using a secret key provided by the service. Retrieve the secret key using tools such as the Azure Portal or Azure CLI and use it to configure your app code to connect to the AI service: ```csharp builder.Services.AddAzureOpenAIChatCompletion( "deployment-model", - "your-endpoint", - "your-resource-key"); + "service-endpoint", + "service-key"); var kernel = builder.Build(); ``` -Using access keys is a straightforward option, but this approach should be used with caution. Keys are not the recommended authentication option for the following reasons: +Using keys is a straightforward option, but this approach should be used with caution. Keys are not the recommended authentication option for the following reasons: -- Keys do not follow the principle of least privilege - they needlessly provide elevated permissions for a given task -- Keys can accidentally be checked into source control or stored in unsafe locations -- Keys can easily be shared or sent to parties who should not have access -- Keys often require manual administration and rotation +- Keys do not follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access) - they needlessly provide elevated permissions for a given task. +- Keys can accidentally be checked into source control or stored in unsafe locations. +- Keys can easily be shared or sent to parties who should not have access. +- Keys often require manual administration and rotation. 
-For these reasons, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. +Instead, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. ## Explore Microsoft Entra ID Microsoft Entra ID is a cloud-based identity and access management service that provides a vast set of features for different business and app scenarios. Microsoft Entra ID is the recommended solution to connect to Azure OpenAI and other AI services and provides the following benefits: -- Key-less authentication using user or app identities. +- Key-less authentication using [identities](/entra/fundamentals/identity-fundamental-concepts). - Role-based-access-control (RBAC) to assign identities the minimum required permissions. - Detects [different credentials across environments](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) without requiring code changes. - Automatically handles administrative tasks. 
@@ -57,12 +57,12 @@ The general flow to implement Entra ID authentication in your app generally incl - Local development: 1. Authenticate to Azure using a local dev tool such as the Azure CLI or Visual Studio. - 1. Configure your code to use the `Azure.Identity` client library and `DefaultAzureCredential` class. + 1. Configure your code to use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library and `DefaultAzureCredential` class. 1. Assign roles to the account you used to authenticate. - Azure hosted app: - 1. Deploy the app to Azure after it has been configured to use `Azure.Identity`. - 1. Assign a managed identity to the Azure hosted app. + 1. Deploy the app to Azure after configuring it to use `Azure.Identity`. + 1. Assign a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to the Azure hosted app. 1. Assign roles to the managed identity. Key steps of this workflow are explored in the following sections. 
@@ -79,7 +79,7 @@ az login ### Configure the app code -Use the `Azure.Identity` client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. You can see the full set of supported environment credentials and the order in which they are searched in the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation. +Use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. You can see the full set of supported environment credentials and the order in which they are searched in the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation. For example, configure Semantic Kernel to authenticate using `DefaultAzureCredential` using the following code: 
@@ -93,13 +93,13 @@ Kernel kernel = Kernel .Build(); ``` -`DefaultAzureCredential` enables apps to be promoted from local development to test environments to production without code changes. For example, during development `DefaultAzureCredential` can discover and use your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` can use the managed identity that is assigned with your app. +`DefaultAzureCredential` enables apps to be promoted from local development to test environments to production without code changes. For example, during development `DefaultAzureCredential` uses your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` uses the managed identity that is assigned with your app. ### Assign roles to your identity [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. You'll need to assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. -Assign roles such as **Cognitive Services OpenAI User** (role ID: '5e0bd9bd-7b93-4f28-af87-19fc36ad61bd') to the relevant identity using tools such as the Azure CLI, Bicep, or the Azure Portal. For example, use the `az role assignment create` command to assign a role using the Azure CLI: +Assign roles such as **Cognitive Services OpenAI User** (role ID: `5e0bd9bd-7b93-4f28-af87-19fc36ad61bd`) to the relevant identity using tools such as the Azure CLI, Bicep, or the Azure Portal. 
For example, use the `az role assignment create` command to assign a role using the Azure CLI: ```azurecli az role assignment create \ From a99d96d36a9d97f7db7cbecd4917ea552e38246f Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Fri, 28 Jun 2024 16:44:49 -0400 Subject: [PATCH 03/12] updates --- .../azure-ai-services-authentication.md | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index 08fd0b7f03b5e..890895e61c814 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
@@ -9,9 +9,9 @@ ms.date: 06/27/2024 # Authenticate to Azure AI Services using .NET -Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel Sdk, as well SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: +Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel SDK, as well as SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: -- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also known as API keys or access keys. +- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also called other terms such as API keys or access keys depending on the service. - **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities have the correct level of access to different Azure resources. The sections ahead provide conceptual overviews for these two approaches, rather than detailed implementation steps. For more detailed information about connecting to Azure services, visit the following resources: 
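Review bot: the reworded bullet `These secrets are also called other terms such as API keys or access keys depending on the service.` reads awkwardly ("called other terms such as"); suggest `These secrets are also referred to as API keys or access keys, depending on the service.`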
@@ -23,7 +23,7 @@ The sections ahead provide conceptual overviews for these two approaches, rather > [!NOTE] > The examples in this article focus primarily on connections to Azure OpenAI, but the same concepts and implementation steps directly apply to many other Azure AI Services as well. -## Explore key-based authentication +## Authentication using keys Access keys allow apps and tools to authenticate to an Azure AI service such as OpenAI using a secret key provided by the service. Retrieve the secret key using tools such as the Azure Portal or Azure CLI and use it to configure your app code to connect to the AI service: 
@@ -31,45 +31,45 @@ Access keys allow apps and tools to authenticate to an Azure AI service such as builder.Services.AddAzureOpenAIChatCompletion( "deployment-model", "service-endpoint", - "service-key"); + "service-key"); // Secret key var kernel = builder.Build(); ``` Using keys is a straightforward option, but this approach should be used with caution. Keys are not the recommended authentication option for the following reasons: -- Keys do not follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access) - they needlessly provide elevated permissions for a given task. +- Keys do not follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access) - they provide elevated permissions regardless of who uses them or for what task. - Keys can accidentally be checked into source control or stored in unsafe locations. -- Keys can easily be shared or sent to parties who should not have access. +- Keys can easily be shared with or sent to parties who should not have access. - Keys often require manual administration and rotation. Instead, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. -## Explore Microsoft Entra ID +## Authentication using Microsoft Entra ID Microsoft Entra ID is a cloud-based identity and access management service that provides a vast set of features for different business and app scenarios. Microsoft Entra ID is the recommended solution to connect to Azure OpenAI and other AI services and provides the following benefits: - Key-less authentication using [identities](/entra/fundamentals/identity-fundamental-concepts). - Role-based-access-control (RBAC) to assign identities the minimum required permissions. - Detects [different credentials across environments](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) without requiring code changes. 
-- Automatically handles administrative tasks. +- Automatically handles administrative maintenance tasks such as rotating underlying keys. -The general flow to implement Entra ID authentication in your app generally include the following: +The workflow to implement Entra ID authentication in your app generally includes the following: - Local development: - 1. Authenticate to Azure using a local dev tool such as the Azure CLI or Visual Studio. + 1. Sign-in to Azure using a local dev tool such as the Azure CLI or Visual Studio. 1. Configure your code to use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library and `DefaultAzureCredential` class. - 1. Assign roles to the account you used to authenticate. + 1. Assign Azure roles to the account you signed-in with to enable access to the AI service. - Azure hosted app: - 1. Deploy the app to Azure after configuring it to use `Azure.Identity`. + 1. Deploy the app to Azure after configuring it to authenticate using the `Azure.Identity` client library. 1. Assign a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to the Azure hosted app. - 1. Assign roles to the managed identity. + 1. Assign Azure roles to the managed identity to enable access to the AI service. Key steps of this workflow are explored in the following sections. ### Authenticate to Azure locally -When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. Your local credentials can be discovered by the `Azure.Identity` and used to authenticate your app to Azure services, as described in the [configure the app code](/#configure-your-app-code) section. +When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. 
Your local credentials can be discovered by the `Azure.Identity` client library and used to authenticate your app to Azure services, as described in the [configure the app code](/#configure-your-app-code) section. For example, to authenticate to Azure locally using the Azure CLI, run the following command: @@ -79,7 +79,7 @@ az login ### Configure the app code -Use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. You can see the full set of supported environment credentials and the order in which they are searched in the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation. +Use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. Visit the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation for the full set of supported environment credentials and the order in which they are searched. For example, configure Semantic Kernel to authenticate using `DefaultAzureCredential` using the following code: 
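Review bot: renaming the heading to `## Authentication using Microsoft Entra ID` changes its anchor, but the unchanged line `Instead, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id)` just above it still targets the old `explore-microsoft-entra-id` slug (and is still root-relative), so that link is now dead; update it to `#authentication-using-microsoft-entra-id`. Also in this hunk: `"service-key"); // Secret key` keeps the key as a string literal in the sample a few lines before the article warns that keys get checked into source control, so consider reading it from configuration (for example `builder.Configuration["..."]`) or stating that the literal is a placeholder; and `Sign-in to Azure` / `the account you signed-in with` use the hyphenated noun form where the verb `sign in` / `signed in` is meant.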
@@ -93,11 +93,11 @@ Kernel kernel = Kernel .Build(); ``` -`DefaultAzureCredential` enables apps to be promoted from local development to test environments to production without code changes. For example, during development `DefaultAzureCredential` uses your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` uses the managed identity that is assigned with your app. +`DefaultAzureCredential` enables apps to be promoted from local development to production without code changes. For example, during development `DefaultAzureCredential` uses your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` uses the managed identity that is assigned with your app. ### Assign roles to your identity -[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. You'll need to assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. +[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. You'll need to assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Azure roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. 
Assign roles such as **Cognitive Services OpenAI User** (role ID: `5e0bd9bd-7b93-4f28-af87-19fc36ad61bd`) to the relevant identity using tools such as the Azure CLI, Bicep, or the Azure Portal. For example, use the `az role assignment create` command to assign a role using the Azure CLI: @@ -117,7 +117,7 @@ Learn more about Azure RBAC using the following resources: ### Assign a managed identity to your app -In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. Applications use managed identities to obtain Microsoft Entra tokens without having to manage any credentials. +In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. There are two types of managed identities you can assign to your app: 
@@ -127,5 +127,5 @@ There are two types of managed identities you can assign to your app: Assign roles to a managed identity just like you would an individual user account, such as the **Cognitive Services OpenAI User** role. learn more about working with managed identities using the following resources: - [Managed identities overview](/entra/identity/managed-identities-azure-resources/overview) -- [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) - [Authenticate App Service to Azure OpenAI using Microsoft Entra ID](/dotnet/ai/how-to/app-service-aoai-auth?pivots=azure-portal) +- [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) From 80baa960d85e02e5a229ba654c97aca501530911 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Fri, 28 Jun 2024 16:48:41 -0400 Subject: [PATCH 04/12] TOC entry --- docs/ai/toc.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/ai/toc.yml b/docs/ai/toc.yml index 6b7a8028ed855..f8c3a74a6556a 100644 --- a/docs/ai/toc.yml +++ b/docs/ai/toc.yml @@ -7,6 +7,8 @@ items: href: azure-ai-for-dotnet-developers.md - name: What is Semantic Kernel? href: semantic-kernel-dotnet-overview.md +- name: Authenticate to Azure AI Services with .NET + href: conceptual/understanding-tokens.md - name: Quickstarts items: - name: Summarize text From f07348a82d180bb627b2b9a71f401641d81964c7 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Mon, 1 Jul 2024 09:13:38 -0400 Subject: [PATCH 05/12] Tweaks --- docs/ai/conceptual/azure-ai-services-authentication.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index 890895e61c814..f5274fb7275a2 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
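Review bot: the unchanged context line `... such as the **Cognitive Services OpenAI User** role. learn more about working with managed identities ...` starts a sentence with lowercase `learn`; since this hunk already touches the list directly below it, capitalize it here rather than in a later pass.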
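Review bot: the new TOC entry `- name: Authenticate to Azure AI Services with .NET` points at `href: conceptual/understanding-tokens.md`, which is not the file this series adds; it should be `conceptual/azure-ai-services-authentication.md` (the path created in PATCH 01/12), otherwise the entry opens an unrelated article. The entry name also says `with .NET` while the article heading says `using .NET`; pick one wording.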
@@ -2,9 +2,8 @@ title: Authenticate to Azure OpenAI using .NET description: Learn about the different options to authenticate to Azure OpenAI and other services using .NET author: alexwolfmsft -ms.topic: concept-article +ms.topic: conceptual ms.date: 06/27/2024 - --- # Authenticate to Azure AI Services using .NET @@ -65,7 +64,7 @@ The workflow to implement Entra ID authentication in your app generally includes 1. Assign a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to the Azure hosted app. 1. Assign Azure roles to the managed identity to enable access to the AI service. -Key steps of this workflow are explored in the following sections. +The key concepts of this workflow are explored in the following sections. ### Authenticate to Azure locally 
@@ -93,11 +92,11 @@ Kernel kernel = Kernel .Build(); ``` -`DefaultAzureCredential` enables apps to be promoted from local development to production without code changes. For example, during development `DefaultAzureCredential` uses your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` uses the managed identity that is assigned with your app. +`DefaultAzureCredential` enables apps to be promoted from local development to production without code changes. For example, during development `DefaultAzureCredential` uses your local user credentials from Visual Studio or the Azure CLI to authenticate to the AI service. When the app is deployed to Azure, `DefaultAzureCredential` uses the managed identity that is assigned to your app. ### Assign roles to your identity -[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. You'll need to assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Azure roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. +[Azure role-based access control (Azure RBAC)](/azure/role-based-access-control) is a system that provides fine-grained access management of Azure resources. Assign a role to the security principal used by `DefaultAzureCredential` to connect to an Azure AI service, whether that's an individual user, group, service principal, or managed identity. Azure roles are a collection of permissions that allow the identity to perform various tasks, such as generate completions or create and delete resources. 
Assign roles such as **Cognitive Services OpenAI User** (role ID: `5e0bd9bd-7b93-4f28-af87-19fc36ad61bd`) to the relevant identity using tools such as the Azure CLI, Bicep, or the Azure Portal. For example, use the `az role assignment create` command to assign a role using the Azure CLI: From 6de73071073161fa98b9c579da6cb2d8bb29e7d8 Mon Sep 17 00:00:00 2001 From: alexwolfmsft <93200798+alexwolfmsft@users.noreply.github.com> Date: Tue, 2 Jul 2024 10:01:34 -0400 Subject: [PATCH 06/12] Apply suggestions from code review Co-authored-by: David Pine --- docs/ai/conceptual/azure-ai-services-authentication.md | 10 +++++----- docs/ai/toc.yml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index f5274fb7275a2..191bcf397958c 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
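Review bot: In the @@ -93,11 hunk of PATCH 05/12, the RBAC paragraph says roles let an identity "generate completions or create and delete resources" but gives no guidance on choosing between them; since the article elsewhere presents RBAC as the way to "assign identities the minimum required permissions", add a sentence here stating that an app which only calls the model should receive an inference-scoped role such as **Cognitive Services OpenAI User** rather than a role that can create or delete resources.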
@@ -10,7 +10,7 @@ ms.date: 06/27/2024 Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel SDK, as well as SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: -- **Key-based authentication** provides access to an Azure service using secret key values. These secrets are also called other terms such as API keys or access keys depending on the service. +- **Key-based authentication** provides access to an Azure service using secret key values. These secret values are sometimes known as API keys or access keys depending on the service. - **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities have the correct level of access to different Azure resources. The sections ahead provide conceptual overviews for these two approaches, rather than detailed implementation steps. For more detailed information about connecting to Azure services, visit the following resources: 
@@ -34,11 +34,11 @@ builder.Services.AddAzureOpenAIChatCompletion( var kernel = builder.Build(); ``` -Using keys is a straightforward option, but this approach should be used with caution. Keys are not the recommended authentication option for the following reasons: +Using keys is a straightforward option, but this approach should be used with caution. Keys aren't the recommended authentication option for the following reasons: -- Keys do not follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access) - they provide elevated permissions regardless of who uses them or for what task. +- Keys don't follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access)—they provide elevated permissions regardless of who uses them or for what task. - Keys can accidentally be checked into source control or stored in unsafe locations. -- Keys can easily be shared with or sent to parties who should not have access. +- Keys can easily be shared with or sent to parties who shouldn't have access. - Keys often require manual administration and rotation. Instead, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. @@ -84,7 +84,7 @@ For example, configure Semantic Kernel to authenticate using `DefaultAzureCreden ```csharp Kernel kernel = Kernel -.CreateBuilder() + .CreateBuilder() .AddAzureOpenAITextGeneration( "your-model", "your-endpoint", diff --git a/docs/ai/toc.yml b/docs/ai/toc.yml index f8c3a74a6556a..2d69ff14cf1ff 100644 --- a/docs/ai/toc.yml +++ b/docs/ai/toc.yml @@ -8,7 +8,7 @@ items: - name: What is Semantic Kernel? href: semantic-kernel-dotnet-overview.md - name: Authenticate to Azure AI Services with .NET - href: conceptual/understanding-tokens.md + href: conceptual/azure-ai-services-authentication.md - name: Quickstarts items: - name: Summarize text 
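Review bot: In the @@ -34,11 hunk of PATCH 06/12, the unchanged context line links to `[Microsoft Entra ID](/#explore-microsoft-entra-id)`; the leading slash makes this a site-root link rather than an in-page fragment, so it should be `#explore-microsoft-entra-id`. Worth correcting while the surrounding bullets are being edited, since the same `/#` form is used for the link to the configure section in the local-authentication text.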
From 03dde96334a1c35172487ac714c8030e7699c98f Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Tue, 2 Jul 2024 10:03:46 -0400 Subject: [PATCH 07/12] fixed toc --- docs/ai/toc.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ai/toc.yml b/docs/ai/toc.yml index 2d69ff14cf1ff..51b42c38d58f3 100644 --- a/docs/ai/toc.yml +++ b/docs/ai/toc.yml @@ -8,7 +8,7 @@ items: - name: What is Semantic Kernel? href: semantic-kernel-dotnet-overview.md - name: Authenticate to Azure AI Services with .NET - href: conceptual/azure-ai-services-authentication.md + href: azure-ai-services-authentication.md - name: Quickstarts items: - name: Summarize text From f82c21247b2c734e6760cb67c0199ca90b1d2e1f Mon Sep 17 00:00:00 2001 From: alexwolfmsft <93200798+alexwolfmsft@users.noreply.github.com> Date: Tue, 2 Jul 2024 10:21:32 -0400 Subject: [PATCH 08/12] Apply suggestions from code review Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com> --- .../conceptual/azure-ai-services-authentication.md | 14 +++++++------- docs/ai/toc.yml | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index 191bcf397958c..defd444e1233c 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md 
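Review bot: In the toc.yml hunk of PATCH 07/12, changing the href to `azure-ai-services-authentication.md` breaks the link at this commit, because the file is still at `docs/ai/conceptual/azure-ai-services-authentication.md`; the move to `docs/ai/` only happens in PATCH 10/12. Either keep `conceptual/azure-ai-services-authentication.md` here or fold the rename into this commit so the series builds at every step.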
@@ -8,7 +8,7 @@ ms.date: 06/27/2024 # Authenticate to Azure AI Services using .NET -Application requests to Azure AI Services must be authenticated. In this article you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel SDK, as well as SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: +Application requests to Azure AI Services must be authenticated. In this article, you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel SDK, as well as SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: - **Key-based authentication** provides access to an Azure service using secret key values. These secret values are sometimes known as API keys or access keys depending on the service. - **Microsoft Entra ID** provides a comprehensive identity and access management solution to ensure that the correct identities have the correct level of access to different Azure resources. 
@@ -52,23 +52,23 @@ Microsoft Entra ID is a cloud-based identity and access management service that - Detects [different credentials across environments](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) without requiring code changes. - Automatically handles administrative maintenance tasks such as rotating underlying keys. -The workflow to implement Entra ID authentication in your app generally includes the following: +The workflow to implement Microsoft Entra authentication in your app generally includes the following: - Local development: 1. Sign-in to Azure using a local dev tool such as the Azure CLI or Visual Studio. 1. Configure your code to use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library and `DefaultAzureCredential` class. 1. Assign Azure roles to the account you signed-in with to enable access to the AI service. -- Azure hosted app: +- Azure-hosted app: 1. Deploy the app to Azure after configuring it to authenticate using the `Azure.Identity` client library. - 1. Assign a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to the Azure hosted app. + 1. Assign a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to the Azure-hosted app. 1. Assign Azure roles to the managed identity to enable access to the AI service. The key concepts of this workflow are explored in the following sections. ### Authenticate to Azure locally -When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. Your local credentials can be discovered by the `Azure.Identity` client library and used to authenticate your app to Azure services, as described in the [configure the app code](/#configure-your-app-code) section. +When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. 
Your local credentials can be discovered by the `Azure.Identity` client library and used to authenticate your app to Azure services, as described in the [Configure the app code](/#configure-your-app-code) section. For example, to authenticate to Azure locally using the Azure CLI, run the following command: @@ -78,7 +78,7 @@ az login ### Configure the app code -Use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library from the Azure SDK to implement Entra ID authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. Visit the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation for the full set of supported environment credentials and the order in which they are searched. +Use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library from the Azure SDK to implement Microsoft Entra authentication in your code. The `Azure.Identity` libraries include the `DefaultAzureCredential` class, which automatically discovers available Azure credentials based on the current environment and tooling available. Visit the [Azure SDK for .NET](/dotnet/api/azure.identity.defaultazurecredential) documentation for the full set of supported environment credentials and the order in which they are searched. For example, configure Semantic Kernel to authenticate using `DefaultAzureCredential` using the following code: 
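Review bot: In the @@ -52,23 hunk of PATCH 08/12, the local-development steps use "Sign-in to Azure" and "the account you signed-in with"; as verbs these should be "Sign in" and "signed in with" (the hyphenated form is the noun or adjective). In the same hunk, the rewritten sentence links to `/#configure-your-app-code`, but the heading shown in the following @@ -78,7 hunk is "### Configure the app code", whose anchor would be `#configure-the-app-code`, so the fragment should be updated to match and the leading slash dropped. The context line linking `/python/api/azure-identity/...` also points at the Python API reference on a .NET article and should target the .NET `DefaultAzureCredential` documentation.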
@@ -116,7 +116,7 @@ Learn more about Azure RBAC using the following resources: ### Assign a managed identity to your app -In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. Managed identities provide an automatically managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. +In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. Managed identities provide an fully managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. There are two types of managed identities you can assign to your app: diff --git a/docs/ai/toc.yml b/docs/ai/toc.yml index 51b42c38d58f3..3716479974d6a 100644 --- a/docs/ai/toc.yml +++ b/docs/ai/toc.yml @@ -7,7 +7,7 @@ items: href: azure-ai-for-dotnet-developers.md - name: What is Semantic Kernel? href: semantic-kernel-dotnet-overview.md -- name: Authenticate to Azure AI Services with .NET +- name: Authenticate to Azure AI services with .NET href: azure-ai-services-authentication.md - name: Quickstarts items: From 66e20aabc65fd334603055706ca4fe45b3b0f479 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Tue, 2 Jul 2024 10:28:18 -0400 Subject: [PATCH 09/12] fixes --- docs/ai/conceptual/azure-ai-services-authentication.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
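Review bot: In the @@ -116,7 hunk of PATCH 08/12, the rewritten line introduces "provide an fully managed identity"; the article should be "a fully managed identity". Replacing "automatically managed" with "fully managed" is fine, but the determiner has to change with it.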
diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/conceptual/azure-ai-services-authentication.md index defd444e1233c..ebf413a25885d 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/conceptual/azure-ai-services-authentication.md @@ -6,7 +6,7 @@ ms.topic: conceptual ms.date: 06/27/2024 --- -# Authenticate to Azure AI Services using .NET +# Azure AI services authentication and authorization using .NET Application requests to Azure AI Services must be authenticated. In this article, you explore the options available to authenticate to Azure OpenAI and other AI services using .NET. These concepts apply to the Semantic Kernel SDK, as well as SDKs from specific services such as Azure OpenAI. Most AI services offer two primary ways to authenticate apps and users: @@ -49,7 +49,7 @@ Microsoft Entra ID is a cloud-based identity and access management service that - Key-less authentication using [identities](/entra/fundamentals/identity-fundamental-concepts). - Role-based-access-control (RBAC) to assign identities the minimum required permissions. -- Detects [different credentials across environments](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) without requiring code changes. +- Detects [different credentials across environments](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) without requiring code changes. - Automatically handles administrative maintenance tasks such as rotating underlying keys. The workflow to implement Microsoft Entra authentication in your app generally includes the following: From e5cfd21d6c286bbba03c2de9d202c210e6f8d7c4 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Tue, 2 Jul 2024 10:32:08 -0400 Subject: [PATCH 10/12] fixes --- docs/ai/{conceptual => }/azure-ai-services-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/ai/{conceptual => }/azure-ai-services-authentication.md (99%) 
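Review bot: In the @@ -6,7 hunk of PATCH 09/12, the H1 becomes "Azure AI services authentication and authorization using .NET" while the front matter `title` (visible in the @@ -2,9 hunk of PATCH 05/12) still reads "Authenticate to Azure OpenAI using .NET"; update `title` and `description` to the broader scope so the browser title and the page heading agree.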
diff --git a/docs/ai/conceptual/azure-ai-services-authentication.md b/docs/ai/azure-ai-services-authentication.md similarity index 99% rename from docs/ai/conceptual/azure-ai-services-authentication.md rename to docs/ai/azure-ai-services-authentication.md index ebf413a25885d..3ead0b42938d6 100644 --- a/docs/ai/conceptual/azure-ai-services-authentication.md +++ b/docs/ai/azure-ai-services-authentication.md @@ -49,7 +49,7 @@ Microsoft Entra ID is a cloud-based identity and access management service that - Key-less authentication using [identities](/entra/fundamentals/identity-fundamental-concepts). - Role-based-access-control (RBAC) to assign identities the minimum required permissions. -- Detects [different credentials across environments](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet) without requiring code changes. +- Detects [different credentials across environments](/dotnet/api/azure.identity.defaultazurecredential) without requiring code changes. - Automatically handles administrative maintenance tasks such as rotating underlying keys. The workflow to implement Microsoft Entra authentication in your app generally includes the following: From 9c75e079a39fb034cb0acce9242368fee4ac38c6 Mon Sep 17 00:00:00 2001 From: alexwolfmsft <93200798+alexwolfmsft@users.noreply.github.com> Date: Wed, 3 Jul 2024 08:57:20 -0400 Subject: [PATCH 11/12] Apply suggestions from code review Co-authored-by: Scott Addie <10702007+scottaddie@users.noreply.github.com> --- docs/ai/azure-ai-services-authentication.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/ai/azure-ai-services-authentication.md b/docs/ai/azure-ai-services-authentication.md index 3ead0b42938d6..b804e2890d96f 100644 --- a/docs/ai/azure-ai-services-authentication.md +++ b/docs/ai/azure-ai-services-authentication.md 
@@ -20,11 +20,11 @@ The sections ahead provide conceptual overviews for these two approaches, rather - [What is Azure RBAC?](/azure/role-based-access-control/overview) > [!NOTE] -> The examples in this article focus primarily on connections to Azure OpenAI, but the same concepts and implementation steps directly apply to many other Azure AI Services as well. +> The examples in this article focus primarily on connections to Azure OpenAI, but the same concepts and implementation steps directly apply to many other Azure AI services as well. ## Authentication using keys -Access keys allow apps and tools to authenticate to an Azure AI service such as OpenAI using a secret key provided by the service. Retrieve the secret key using tools such as the Azure Portal or Azure CLI and use it to configure your app code to connect to the AI service: +Access keys allow apps and tools to authenticate to an Azure AI service, such as Azure OpenAI, using a secret key provided by the service. Retrieve the secret key using tools such as the Azure portal or Azure CLI and use it to configure your app code to connect to the AI service: ```csharp builder.Services.AddAzureOpenAIChatCompletion( 
@@ -34,12 +34,12 @@ builder.Services.AddAzureOpenAIChatCompletion( var kernel = builder.Build(); ``` -Using keys is a straightforward option, but this approach should be used with caution. Keys aren't the recommended authentication option for the following reasons: +Using keys is a straightforward option, but this approach should be used with caution. Keys aren't the recommended authentication option because they: -- Keys don't follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access)—they provide elevated permissions regardless of who uses them or for what task. -- Keys can accidentally be checked into source control or stored in unsafe locations. -- Keys can easily be shared with or sent to parties who shouldn't have access. -- Keys often require manual administration and rotation. +- Don't follow [the principle of least privilege](/entra/identity-platform/secure-least-privileged-access)—they provide elevated permissions regardless of who uses them or for what task. +- Can accidentally be checked into source control or stored in unsafe locations. +- Can easily be shared with or sent to parties who shouldn't have access. +- Often require manual administration and rotation. Instead, consider using [Microsoft Entra ID](/#explore-microsoft-entra-id) for authentication, which is the recommended solution for most scenarios. 
@@ -68,7 +68,7 @@ The key concepts of this workflow are explored in the following sections. ### Authenticate to Azure locally -When developing apps locally that connect to Azure AI Services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. Your local credentials can be discovered by the `Azure.Identity` client library and used to authenticate your app to Azure services, as described in the [Configure the app code](/#configure-your-app-code) section. +When developing apps locally that connect to Azure AI services, authenticate to Azure using a tool such as Visual Studio or the Azure CLI. Your local credentials can be discovered by the `Azure.Identity` client library and used to authenticate your app to Azure services, as described in the [Configure the app code](/#configure-your-app-code) section. For example, to authenticate to Azure locally using the Azure CLI, run the following command: 
@@ -116,7 +116,7 @@ Learn more about Azure RBAC using the following resources: ### Assign a managed identity to your app -In most scenarios, Azure hosted applications should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. Managed identities provide an fully managed identity in Microsoft Entra ID for applications to use when connecting to resources that support Microsoft Entra authentication. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. +In most scenarios, Azure-hosted apps should use a [managed identity](/entra/identity/managed-identities-azure-resources/overview) to connect to other services such as Azure OpenAI. Managed identities provide a fully managed identity in Microsoft Entra ID for apps to use when connecting to resources that support Microsoft Entra authentication. `DefaultAzureCredential` discovers the identity associated with your app and uses it to authenticate to other Azure services. There are two types of managed identities you can assign to your app: From 9e01af30f57ccebb37d000910eb22d98c6701f08 Mon Sep 17 00:00:00 2001 From: Alex Wolf Date: Wed, 3 Jul 2024 09:04:40 -0400 Subject: [PATCH 12/12] pr fixes --- docs/ai/azure-ai-services-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ai/azure-ai-services-authentication.md b/docs/ai/azure-ai-services-authentication.md index b804e2890d96f..caf5d5d9777d6 100644 --- a/docs/ai/azure-ai-services-authentication.md +++ b/docs/ai/azure-ai-services-authentication.md 
@@ -49,7 +49,7 @@ Microsoft Entra ID is a cloud-based identity and access management service that - Key-less authentication using [identities](/entra/fundamentals/identity-fundamental-concepts). - Role-based-access-control (RBAC) to assign identities the minimum required permissions. -- Detects [different credentials across environments](/dotnet/api/azure.identity.defaultazurecredential) without requiring code changes. +- Can use the [`Azure.Identity`](/dotnet/api/overview/azure/identity-readme) client library to detect [different credentials across environments](/dotnet/api/azure.identity.defaultazurecredential) without requiring code changes. - Automatically handles administrative maintenance tasks such as rotating underlying keys. The workflow to implement Microsoft Entra authentication in your app generally includes the following:
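Review bot: In the @@ -49,7 hunk of PATCH 12/12, the rewritten bullet "Can use the `Azure.Identity` client library to detect ..." is a verb phrase while the first two siblings are noun phrases ("Key-less authentication ...", "Role-based-access-control (RBAC) ..."), so the list that follows "... service that" mixes forms; rephrase all four items to the same grammatical shape. While here, "Role-based-access-control" should be "role-based access control" (one hyphen) and "Key-less" is normally written "keyless".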