Securing your AI Apps on Azure: Recordings and Slides!

by info.odysseyx@gmail.com, August 26, 2024

In July, we hosted a six-part livestream series on securing AI apps in Azure. Topics covered include keyless authentication, user sign-in with Microsoft Entra, RAG data access control, and private network deployments. If you missed the livestream, you can catch up by watching the recording, downloading the slides, and trying out the sample project.

Want to go keyless and never worry about leaking your keys again? All Azure AI services support keyless authentication using role-based access control, so you can authenticate to the service with either a signed-in local user identity or a managed identity for your deployed app. We'll show you how to use keyless authentication with Azure OpenAI, and how to set up access control in the portal, the Azure CLI, or your infrastructure code (Bicep). Then, connect to that Azure OpenAI service from your application code using both the OpenAI SDK and the popular LangChain SDK. The examples are in Python, but most modern OpenAI packages can use keyless authentication.

Want to learn the easiest way to add user sign-in to AI apps in Azure? We'll show you how to set up built-in authentication in Azure App Service and Azure Container Apps. With built-in authentication, your employees can sign in to your workforce tenant, and your consumers can sign in with a one-time password, username/password, or Google/Facebook login, thanks to Entra External ID. Then, you can display user details like their name in your Azure app with minimal code changes. We'll show you how to set up built-in authentication in your app using the Graph SDK and the newly released Graph Bicep provider, and provide links to complete code samples.

Need user sign-in functionality for your AI app?
Let me show you how to set up an OAuth2 OIDC flow in Python using the MSAL SDK with the open source identity package. You can use this approach to let your employees sign in to your workforce tenant, or your customers sign in with a one-time password, username/password, or Google/Facebook login thanks to Entra External ID. You can then use the user details (such as name and email) from the Graph SDK in your app. I'll also show you how to automate the creation of a Microsoft Entra application using the Graph SDK.

Many modern web applications use the SPA architecture: a single-page web app on the frontend and an API on the backend. In this talk, you will learn how to add user authentication to your SPA using Microsoft Entra, with the MSAL.js SDK on the frontend and the MSAL Python SDK on the backend. You will learn how to properly set up Entra applications for both client and server, and how to use the on-behalf-of flow on the server to process tokens sent by the client. The example application is an AI RAG application with a React frontend and a Python backend, but the same principles can be applied to any SPA that requires user authentication.

If you want an LLM to accurately answer questions about your documents, you need RAG: Retrieval Augmented Generation. With the RAG approach, the app first searches the knowledge base for matches related to the user's query and then sends the results to the LLM along with the original question. What if you have documents that should be accessible only to some users, such as a group or a single user? Then you need data access control to ensure that document visibility is respected during the RAG flow. In this session, we will demonstrate an approach using Azure AI Search with data access control to retrieve only documents that the logged-in user can see.
We will also demonstrate user-uploaded documents with data access control along with Azure Data Lake Storage Gen2.

To ensure that your AI apps are only accessible from within your enterprise network, you need to deploy them in an Azure virtual network that has private endpoints for each of the Azure services used. In this session, we will show you how to deploy an AI RAG application to a virtual network that contains App Service, AI Search, OpenAI, Document Intelligence, and Blob Storage, all using infrastructure-as-code (Bicep) so that you can perform the same deployment. We will then use Azure Bastion with a virtual machine to log into the virtual network, demonstrating that the RAG app is only accessible from within your network.
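The data access control described for the RAG session above, as an added example (not code from the livestream or its sample project): it builds an Azure AI Search OData security filter from the signed-in user's object ID and group IDs, then applies the same rule locally to constructed documents so the trimming can be seen without a search service. The field names `oids` and `groups`, the `Chunk` class, and all IDs and documents are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Chunk:
    # Hypothetical index schema: "oids" and "groups" hold the Entra object IDs
    # of the users and groups allowed to read this chunk.
    id: str
    text: str
    oids: list = field(default_factory=list)
    groups: list = field(default_factory=list)

def _checked(value: str) -> str:
    # Identifiers go into a filter string, so accept GUID characters only.
    if not value or any(c not in "0123456789abcdefABCDEF-" for c in value):
        raise ValueError(f"unexpected identifier: {value!r}")
    return value

def build_security_filter(user_oid: str, user_groups: list) -> str:
    """OData $filter that trims Azure AI Search results to the caller's ACLs."""
    clauses = [f"oids/any(o: search.in(o, '{_checked(user_oid)}'))"]
    if user_groups:
        joined = ", ".join(_checked(g) for g in user_groups)
        clauses.append(f"groups/any(g: search.in(g, '{joined}'))")
    return "(" + " or ".join(clauses) + ")"

def visible(chunk: Chunk, user_oid: str, user_groups: list) -> bool:
    # Local evaluation of the same predicate. A chunk with no ACL entries
    # matches nobody, so unlabeled documents are denied by default.
    return user_oid in chunk.oids or bool(set(user_groups) & set(chunk.groups))

def build_prompt(index: list, query: str, user_oid: str, user_groups: list) -> str:
    # Trimming happens at retrieval time, before any text reaches the LLM.
    terms = query.lower().split()
    hits = [c for c in index if any(t in c.text.lower() for t in terms)]
    allowed = [c for c in hits if visible(c, user_oid, user_groups)]
    sources = "\n".join(f"[{c.id}] {c.text}" for c in allowed)
    return f"Sources:\n{sources}\n\nQuestion: {query}"

# Constructed sample data: IDs and documents are made up for this example.
ALICE, BOB = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
HR_GROUP = "aaaaaaaa-0000-0000-0000-000000000001"
INDEX = [
    Chunk("handbook", "Vacation policy: 25 days per year.", groups=[HR_GROUP]),
    Chunk("alice-review", "Alice vacation balance: 4 days.", oids=[ALICE]),
    Chunk("unlabeled", "Draft vacation policy changes."),
]

if __name__ == "__main__":
    print(build_security_filter(ALICE, [HR_GROUP]))
    print(build_prompt(INDEX, "vacation", BOB, [HR_GROUP]))
```

The object ID and group IDs passed in should come from the validated sign-in token on the server, never from request parameters the client controls.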