Secure your Intelligent Applications with Microsoft Entra | BRK221

Microsoft Developer · Intermediate ·🔧 Backend Engineering ·2y ago

Key Takeaways

Secures intelligent applications with Microsoft Entra, using authentication and access control

Full Transcript

[Music] learning about securing your intelligent apps with Microsoft entra so I'm Pamela Fox and I'm from the python Cloud advoc advocacy team at Microsoft which means I do very much like python but you know I try to love other languages too I'm Matt I'm from the AI search team at Microsoft and I'm D delari I'm a tech for Microsoft authentication library and my job is to make o easier not easy easier all right and we are actually going to start with Den to give us a little primer about identity and access management Thank you Pam so uh I did in access management so as we called out from the very beginning it's not really easy a lot of folks struggle with a lot of the concepts and tying things together especially when it comes to web applications mobile applications like it doesn't matter so let's start with some Concepts two things that you need to familiarize yourself with so one there is authentication and authentication uh is insecurity the process by which we confirm that the user is who they say they are right so if you're going to I don't know xbox.com or outlook.com and log in your MSA the Microsoft Account we're verifying that if you're typing in your email and a password like are you actually let's say Den outlook. authorization on the other hand is ensuring that you have the right level of access to the resources that you're asking access for so more Concepts uh authentication usually uses a protocol called open ID connect or you might have heard it as oidc uh and usually different providers Implement endpoints that you can call to rest CPI that you can request you can pass some information uh like credentials and say is this the user uh who they claim to be so if I log in with Den al.com I verify that with you know Outlook is this actually Den then there is the authorization framework that is implemented through the oath to protocol an authorization is actually the application logging in on my behalf and saying Den is trying to access their XBox profile or their Azure resource are they allowed to do so now as you go through the presentation today there's going to be some terms that you need to also be aware of things like off flow and off flow is how exactly you are logging in to the application so there's a multitude of them you probably have seen there's outflows that require you to enter your username and password there's an outflow that requires you to log in with let's say a device code like iot devices or I keep using the Xbox example where you don't really have to type the entire password you get a code you then go to your browser you enter the code code and then you're authenticated the authorization server is the resource or some server running somewhere that ver verifies that this user that you're authenticated with can actually get a token it's a service that issues the actual token the client is the application that requests access to a protected resource like Azure key Volt or Azure storage so it can be a web app it could be a mobile application or uh it can be a service the resource owner is whoever owns the resource you're trying to access to so in the case of azure key bolt or in the case of azure storage it is azure the resource server on the other hand is the actual container that runs the code that you're trying to access and that contains information that the user requests you so all this out of the way the last thing I'll mention here is that there is three things you need to be aware of in terms of auth indication authorization so there's different application types spa or the single page applications they deserve their own little carve out because they act a little different than all the other applications and they're basically what the name is they're single page applications that don't need to request more and more information from the server you run once and then the view updates public client applications and you'll hear it in the oath kind of stack of concepts are applications that cannot secure curely store Secrets these are your web applications like websites they're your desktop apps mobile apps and they can store Secrets because all those apps can be reverse engineered somebody can dump the APK from your Android device and look inside and see well what's the certificate you're using what is the secret key so we call them public client by default they they cannot store a secret and then there's confidential client applications and these are the applications that run on the server so your end user never actually has access to the credentials there so you can use certificates you can use secrets you can use manage identities and the user will be non- theer because they never get actually access to them so now to see all this in action I'll hand it off to Pamela all right thank you den and if you know if you already forgot everything he said it's totally fine because we do have documentation about all this I actually binge read it on the airplane because what else are you going to do on an airplane uh so you know I think ooth is is pretty tricky so I it's something I have to constantly refresh myself uh even as I'm coding it with it every day so I'm going to start off with talking about how we can add user authentication like sign in sign out to our apps so we're going to start off with an AI app okay so I've actually got this running uh locally or inside GitHub code spaces locally right so you know here I can say all right write me an epic story about a unicorn crashing uh build conference okay and uh and then you know it's gonna it's GNA start typing and what's this doing you know it's sending off a request to the open AI servers and getting back a response let's see if I can see what is happening here oh and I'm logged out already this all right I will log out uh log back in so we're going to see a little a little entra in action here uh there we go and then log in um uh so this is this is the device code remember we were just talking about different flows this is called the device code flow so if you are working like in like GitHub code spaces you do actually have to use device code flow so it's means that I have to go through a whole riam roll in order to do this which means I have to remember my ridicously long but super secure there we go uh password uh there we go all right and then there's going to be a couple more requests uh then we got to go to MFA this is why you do not want to implement this yourself this is why you want to use Entre to like do this for you right because who the heck wants to implement that huge number of steps did my face ID I got biometric I got a code like oh my gosh why that's so hard all right logged in uh and then let's see if now it will be able to access my uh as your openingi okay all right try it again uh story about unicorns go there we go I get more and more Curt as I go on there we go okay and so we can see it's streaming in the response from the server and if we look at the server code it's actually very short amount of python code right so making a request to the aure open Ai and getting back and then streaming it so we're actually yielding one chunk at a time this is a best practice in terms of user interface and then on the front end I'm using this new SDK that just came out the AI chat protocol SDK which makes it super easy on the front end to consume a stream so that you don't have to figure out how to code streaming yourself so I you know initiate the client and you know I just do a little for Loop to get back each chunk and display each chunk at you know one at a time and there we go we got it so this is uh does not have user ath right you can say that it just says you okay I wanted to actually show my name so I want to go from that app to an app that knows who I am right I want to add user signin to it so that's what I'm going to show in my section and what I'm really going to focus on is how to do this automatically right so we're not going to show any clip cops I hate clicking around the portal maybe some of you love it I hate clicking around the portal I always get something wrong I always forget what what it is I did I can never remember that magical incantation again so everything we show you has been automated with code so that you can then go take it and just run you know a couple commands and then hopefully be good to go so that's our big big Focus uh so the first thing that we need to be able to do is order to be able to use Microsoft entra you know user authentication we need to create a Microsoft entra application and then create a service principle for that application and you can think of the service Principle as actually just being like an instance of the application uh so that's what we need to create so that it knows who we are and is is comfortable doing these flows with our application so here is code from the python graph SDK there's very similar code in all your favorite languages and it'll actually probably look pretty similar to this too because it's all objectoriented uh but basically you know we create a graph service client we say okay this is the application we want to make we need to tell it stuff like redirect URLs where the redirect is going to go back to we need to tell it what Scopes we're interested in so if we want to do a user off then we're going to ask for the open ID scope and that means that we're going to get back the profile and if we want to be able to like refresh tokens then we ask for the offline access scope and that'll let us refresh tokens so this sets up the application with you know every like we're telling this is all the stuff we need to be able to do authentication and then we also do need to find make a way of uh credentialing oursel for that application right now there's two options there's secrets and there's certificates both of those options aren't great because you have to store a secret somewhere and I hate having to store Secrets it gives me the heebie jeebies right uh so uh I will show a way that's going to come out soon uh that you'll be able to use instead but for now you know we use a client secret and then we store it a key Vault uh and you know and then retrieve from that key Vault so we set up that you could also set up a certificate if you want to do that all right so now we've got that application registration now all we have to do is Implement ooth see easy easy so this is the classic ooth 2 uh flow and this is actually just oath 2 this diagram here shows you the you know oath 2 authorization code flow and what it looks like now to make this oidc which is how we do user signin uh and sign out we just add that our scope should be open ID we say okay we're doing this OA flow and we want the open ID scope so that tells the server like Hey we're doing an oidc login here and then when the server eventually comes back at the very end when we exchange our authorization code for a token it's going to give us both an access token and an ID token and that ID token will contain what we want that's going to have the good stuff the name the email you know the stuff that's available in that profile so really like O2 versus oadc oadc is just a particular subset of o2 that's going to give us that experience and that information that we want so this is what we need to implement all right now this is still looks like a lot to implement so what can we do we got a few options the first option is that if you are deploying to as your app service or as your container apps you can use a feature called the built-in authentication feature that will do that whole oath dance for you it'll take care of the redirect and the token exchange and and all that for you and that's really really cool so if you are deploying on those platforms you can take advantage of that feature and that will give you sign in sign out on your deployed application in production the second option is that if you need this sign in sign out to work you know anywhere on any host maybe you're on you know some other aure host or maybe you're not hosting on aure or something or maybe you're just developing on Local Host post and you want to be able to have sign in sign out there then you will need to use an SDK uh the MSL SDK in order to set up this flow and do the particular steps so I'm going to show both options here uh so first one is using that built-in notation on app service or container apps this is always going to be easier so if this does it for you then that's great so the first thing we need to do is configure that built-in ocation feature so what I'm showing here is a language called bicep bicep is an infrastructure as code language uh it's similar to terraform if you've heard of terraform except bicep is particular to Azure also if you've heard of arm bicep is just it just compiles down to arm so bicep is like syntactic sugar for arm arm is Json right so if you think about it you got an arm and then it's stronger you get a bicep that's the joke okay so uh so that's bicep but I absolutely love it I became such a fan girl because when you have bicep you can declare everything you want to make so when you've got like 10 different resources that you need to set up instead of having to like click through the portal or write a you know an aure CLI script you can declare everything in bicep and then run a single command that's going to provision everything and it's even going to be able to provision things in parallel based on like the dependency graph of what what can be visioned when so anytime I can do something in bicep I do and it's also language agnostic so if you have people at your company some of you are in Python some of you in net you write all your infrastructure as code in bicep and you can all agree to either love or hate bicep but then at least you don't have to fight over your like main language right so this is the configuration for container apps authorization uh built-in feature so you can see we tell it like okay if someone's unauthenticated you need to redirect a login because you also have options for if you do want to now allow Anonymous it's an option uh and then we set up our identity provider and we say we're using entra so we say as your active directory formerly known as so we say that uh we specify our client ID so that's the client ID from the app that we made in the previous step that Entre application registration and then we tell it where our client secret is stored so we store the client secret uh in you know in a key Vault secret and and inside the container app secrets and we point it at there so it knows where to find it so that it can do you know credential set up those credentials and then finally we tell it the open ID issuer and so that you can see at the very top where it says you know uh you know it depends on whether you're doing to see multi-tenant or single tenant and all this stuff but for like your basic single tenant app it's going to be like the microsoft.com login and then your tenant ID and that's where it's going to send everything so that's what we need to configure at you know most basic in order to set up this feature and yeah let's just check it out so all right here we go this is the same app but now it's deployed wow look at that there's my name uh acronym for build conference please you don't have to say please to llms they don't care uh but more microsof let's see it's pretty similar all right so this is running on a your container apps so let me like like you know show the flow so I'm going to attempt to log out which always scares me in these demos because what if the log out doesn't work but okay I'm going to log out all right hang on a moment while we get logged out and there we go as you can tell I did not code that web page um doesn't look like the rest of the site but you can see that this is a container app uh special url. off that's the built-in feature and then I can go back to my main page and it's going to force me to log in so if you just need to make sure there is a login gate in front of your page you just do this built-in off and then it'll force people to log in I'm logging into my special tenant which I think only Matt and I are in that tenant it's a very special tenant we're like looking for more people to join it um uh oh it doesn't recognize my face oh come on here we go all right and there we go logged in so that is the you know the the built-on authorization experience for container apps and you can do the same thing on on app service all right so that worked now the question is how the heck did I get my name right because I just said like oh you know the container app says everything for you uh and does this whole dance so how did I even get my name so what that happens is that container apps will inject information into special headers and then you can inspect those headers and extract uh extract details that were you know conveyed during the authorization process so I'll show you the code for that is that you know uh when we get uh go to the index page we extract the username so we look for this special super special header and it makes sure that only it sets this only it can set this header so it's going to be XMS client principal we get this token out of there and we can extract the claims from the token and in this case we extract the the name from there so we could also extract other stuff that we got from that oadc process so that's how we can have the container apps do that whole ooth dance and still get back information that we would normally get from the ID token Okay cool so that that works and if you do want to get started with that you can you know go to this sample here that's linked from the slide and uh and just run ASD up and maybe it'll work should work all right so uh I also wanted to show external ID so enter external ID is how you can to let people you know just anyone in in the world uh come into your app and uh super cool if you want to make something that's consumer facing right so here I have the same app but uh now it is deployed in my external tenant so here's my uh external ID tenant and uh like I can set up the you know identity providers I did this all you know via VIA python like a good person uh but I can show you it in the portal right so I've enabled uh this email onetime password passcode flow which is a super popular flow this is like what I use to log into most apps these days is like you just get a onetime passcode on your phone so if you want to enable that kind of experience for your app then you can use entra external ID so that's what I've done here so once again I will attempt to log out so I can show you show you this flow uh so I'm going to log out and you can see it's a little different looking right you can see like my trial tenant and you can make all this a lot fancier looking um I hopefully you can also make that fancier looking I actually haven't looked into that yet to see how you customize that I'm sure the Entre team can tell me all right so now I'm going to sign in and now you'll notice I'm picking what looks like a Gmail account it's not really a Gmail account this is a Microsoft account I happen to be logged into that has my gmail address uh you could configure this with Google if you want Google login specifically you can see that that's an option here I didn't configure that so here is just anyone you know with anything all right so we just sent a code so now I'm going to go over to my Gmail and hope that everything is legit uh pretty legit okay all right and and here's my verification code and then I can put it in here and so that is the onetime passcode experience so if you're making something consumer facing you want an easy way for them to to log in you could do set up this onetime passcode and it's a really similar setup it's the same repo as the as the other one I showed uh and uh and then you can there we go I want ponies I'm sorry I have a four-year-old and a one-year-old so you have to ex excuse me um okay so there we go so that is that is set up all right so the next step is how would we use the MSL SDK so if we're going to be doing this ourselves then we do have to code this flow here and specifically we need to do the parts that I've highlighted in purple right so we need to you know we get a request from the user then okay you know the user's not logged in we need to initiate that authorization code flow and then when it comes back to our redirect we need to handle that redirect and in that redirect we grab the authorization code we exchange it for our ID token and then we get back the details from that ID token so you can use the MSL SDK that is available in you know all your favorite languages and so here we would make a confidential client application because this is running on our server so we can pass in our credentials and say here's our confidential client application uh here we're going to initiate the flow and this is the redirect youru should go back to and then a lot of stuff happens and then we do the final leg of the oo dance where we exchange that off token authorization token for the access token that's still going to be a lot of work so to make it easier there's this open source package called identity where you it already off the bat has support for uh this is in Python so it has support for popular python Frameworks flask D Jango Court uh probably fast API coming soon and we just add a decorator so that's a really nice way like that you could just set this up add a decorator and just say this route requires login and then it'll just work uh so that's what I've got running running in the browser over here so what you can see is that this is a local host URL right Local Host 50505 and you can see that I am logged uh logged into it so now I'm able to have the login log out experience locally and that's because I'm actually using that MSL SDK inside my own code so if you do need the local development experience or you need to deploy to a post that's not container apps or app service then this is what you want to use instead and once again you can use this and you know typically do something like this in all your favorite languages you can just check the you know documentation for python you can get started with the sample we put together and then it'll also work once you deploy it right the great thing is if it's working locally it's going to work once you deploy it all right upcoming improvements so I told you like okay when you make an application registration you have to use a secret or certific ifate but we don't like to be storing Secrets right that can lead to Shenanigans so um this is a way that we're going to be able to not use secret so first of all we can now use Microsoft graph bicep in order to programmatically create graph applications in bicep so that python code I showed before with the MS graph esate we can now do this in bicep but then the next step which is really cool is that we can use a managed identity as a Federated identity credential for that application and completely avoid having client Secrets or certificates so this is so cool when this worked I was like shocked so this does not this is like I guess like the announcement see we are announced something right uh this is not available yet for you know um uh General use yet but it is coming very soon down the line so look forward to this it means that we'll be able to move away from client secrets and certificates and be able to start using manage identities for everything which which is of course all of our goals in life is to do that uh so this is super exciting you can see my PR that adds it to a repo if you want to see how it would work once it's supported and then when you want to use it with built-in off instead of pointing it at an actual secret you would just tell it like hey use the manage identity so you'd literally put that exact string and it'll be like oh okay I'll just use the manage identity so that's super cool it shows you don't need to actually have a client secret it's just going to use your manage identity and you'll also be able to use it with like the you know confidential client application and all that stuff you'll just be able to pass into manage identity the big drawback of this is that you won't be able to use this locally because locally you don't actually have a managed identity so this is going to work when deployed it's not going to work locally but still for lots of applications it's going to be really exciting and I'm I'm just super excited about it okay all right good so that was my spiel about how to add user off now uh and to be fair like we call this like you know securing your AI apps with entra you can use everything I just showed it doesn't matter if you're doing an AI app that's just about how you can add user Roth to anything we made it an AI app because everyone loves AI right now but you can use that technique for any app it could be completely non-ai app whatsoever but now Matt is going to go into something very AI specific thanks so much Pam I appreciate it so in the past 20 minutes we all have become entry experts we understand a lot about Authentication and what we want to do is we want to bring it back to kind of the AI use case so I have a very similar application to the one Pamela showed uh this is actually an open source sample you can deploy it yourself in your own tenant and try it out I essentially want a kind of chat style application where I'm chatting with an llm in this case I'm using GPT 35 turbo but I want to talk about my documents and I want to add the concept of a user identity so if I am just asking a generic question like what's included in my northw Health Plus plan but I'm not logged in I I don't really want to give a response to the user so I ask the LM a question and it kind of just gives me an answer like I don't really know I'm sorry but when I'm logged in I want to use that identity to give a different answer now oh I know who you are I can tell you about the Northwind Health Plus pant uh and I can see that I actually sign in a document so I can actually go and look at that so what's interesting about this is it's a very similar setup but there's a couple extra steps so there's a very common pattern we talk about about uh AI applications today uh you typically want to kind of build a front end separate from your back end application a very common pattern that has emerged is I've got a single page application uh in my case I use typescript with react and what I found is is that oh uh I want to be able to log in I want to do everything locally on the client Well turns out that you actually need a separate entra ID application for this use case my app my backend app I'm actually running on a local host in the console this also has an app associated with it in in entra and we have an interesting problem we now have two entra apps and I need to be able to connect them together so a very common flow that we use is called uh on behalf of I think I've lost my SL it keeps going back and forth between the main thing and his thing I don't know is is it no tickle it okay here we go we're back so basically what I need to do is I need to use a very special off to flow called on behalf of the and Microsoft authentication Library SDK makes it super easy it's literally just one line of code but essentially what I do is I log in on the client side and then I pass that token through an authorization header to the back end I validate that a token is indeed from The Client app and then I use the on behalf of Flo to exchange it for an API token for my uh resource once I've exchanged the token I'm able to actually call any API I want on behalf of the user uh provided I've asked for that in the application manifest so this is a very powerful flow and it's very commonly used in apps like this where there's both a front end and a back end as distinct components so let's kind of rewind a bit back earlier in the presentation and we kind of talked about tokens tokens are super powerful they're issued by entra you you don't really need to worry about kind of like the mechanics that are issued but the great thing about tokens is is that they can contain arbitrary data and this arbitrary data has a lot of information to say about the users that's logged in I've taken a token and I've kind of cleaned it up and I'm showing you some example claims claims are just key value pairs so for example just by looking at the token I can see the display name of the users that's logged in I can see something called their object identifier this is super useful for authentication because it's a unique guid that's directly kind of corresponding to the user account uh nobody else is going to have this it uniquely identifies as a user I can also get group memberships so in entra you can Define this kind of concept called groups where rather than trying to refer to users one by one you can say oh this user is part of this group and it's basically a very powerful way of saying hey rather than having to refer to indivual users I can basically refer to collections of them so we now have a problem right I've got a chat app I've got a bunch of documents I want to talk to uh if I'm using AI search I've got a concept called an index an index is kind of just a collection of documents you can search over so the general way this works is I have a question like what is my Northwind Health Plus plan I search my index relevant documents and I send that back to the language model to kind of synthesize a response but I kind of want to go a bit deeper right I don't want to give back all the documents I just want to give the ones the user has access to so I can do this very simply in AI search by just adding an extra field I'm going to add a collection of strings called uh object identifiers and a collection of strings called groups and I'm going to use this special attribute called filterable uh AI search doesn't just support full text and and Vector embedding search it supports a really powerful concept called filtering when I use filtering what I can do is I can now really efficiently search these object identifiers I can restrict my search so that I'm not just searching for Northwind Health Plus plan in my index I'm going to restrict that search to only go over documents that are associated with that user or the user's groups so doing this this way allows us to connect those token claims back to the search index so we've basically what we've done is we've kind of had entra takes care of authorizing the user and it takes care of telling them who we are and by by using this filtering we've basically implemented authorization so we're now saying hey we know who you are we know what you have access to based on what's stored in the search index I can also really easily update this because Access Control isn't static maybe one day somebody has access to a document and the next day they don't uh things change and AI search supports the ability to update kind of single properties into documents so if I've got a lot of properties in my document I don't need to re-update all of them I can do something called a merge based update where I basically give it hey for the document about northw Health Plus plans here is the new list of users that can access it and here's the new list of groups that can access it so it's kind of a complete endtoend story for connecting token claims and all that great stuff we made about entra back to AI search and your chat application on your documents there's another asra service called Data Lake Gen 2 storage uh and it's a very powerful extension to storage accounts what it does is it allows you to associate access control with for uh directories and with files so now what I can do is I can say basically in a storage account I can have a giant list of documents and each one of those documents themselves can have access control in our sample application we provided a lot of sample code that basically shows you how to parse this Access Control information and update the Azure search index with it this is a really powerful concept because it allows you to Define your Access Control information in a single place and kind of replicate ated out to the AI search index so you don't have to worry about keeping them uh up to date yourself you can kind of have a single process that synchronizes the access control from data Lake storage directly to AI search uh there's very easy to use Python SDK for data L Storage Gen 2 that basically allows you to fetch Access Control lists for individual files in case you want to do a kind of outof band update uh and you can also deploy this as a custom skill in the a search index pipeline so that you can actually automatically update in a schedule uh there's two general paths towards updating your data with Access Control information uh as I mentioned before what you can do is you can ingest the documents directly from a data source that has access control information and then once the index has been updated all their filters will work uh just automatically sometimes your data is stored without Access Control information uh you might have kind of old documents that are stored in independent space uh but using the merge technique I showed earlier you'll be able to kind of join it against that Access Control Store sorry I lost the slide uh you'll be able to join these documents with the access control information and update it separately it really depends on your use case and how your chat application is set up but either approach is valid uh basically what you want to do is you want to make sure that documents enter the SE search index either with the access control information already assigned or there's like a very short time period that you need to update it uh there's another valid question that comes up a lot which is you're more than H welcome to use an index per user rather than this filtering approach the only problem with defining an index per user is is that AI search Services have a finite number of indexes per search Service uh we offer something called a high density tier in our standard three service S3 uh which offers a th index uh th indexes per partition and you can scale up to three partitions uh the only drawback of using this tier is is that you only have 100 gigabytes of data per index so for applications with large amounts of users we highly recommend taking the filtering based approach and combining it with an entra app on the back end and the front end so that you can implement this authentication and authorization yourself uh search filtering is very powerful uh it you can have tens of thousands of of user IDs or group IDs associated with a document and you'll get kind of very quick search results so uh going on to next steps and just general questions and answering uh we P you want to take this over all right so uh so yes we showed some samples there and we'll have more links to them other things you might want to consider in terms of security is using managed identity to access all the azzure services at least all of them that do support it so all the samples that we have do use managed identity whenever possible so that means never passing in an API key okay uh so that's always what we recommend and that does use entra behind the scenes right it is actually doing an ooth dance behind the scenes there in order to avoid using API keys so we recommend that and we've got documentation about that that you can read if you're new to manage identity another thing you can do is use a virtual Network private endpoint to isolate your AI apps Matt actually just did a massive po request to add it to that demo that he was showing and so that's putting everything inside a virtual Network and setting up private endpoints for everything the cognitive Services The Blob storage like you I mean you said you had fun with that bicep so I'm glad you had fun with it uh but that means like now you got a great example of how it is you can actually put everything inside a virtual Network so if you are making something for the Enterprise you definitely want to consider that cuz means it's not going to escape your your network at all uh so these are the samples that we showed today uh there's the one with the built-in off there's the one with the local off and then there's the rag chat sample and so this can you know shows you the the range of things you can do the interesting about the rag chat sample is that it uses both built-in off and local o because I think it was because originally you implemented local o and then James was like hey why don't you Implement you know built-in off too like okay sure so you get the option like if you wanted to turn off one or the other you could uh but that rag chat sample it just does everything it's like the kitchen sink so uh if you're looking you know to figure out how to do uh every possible thing it's in there uh but we also have you know these these smaller samples to get started with and there's lots of other AI samples that you can get started with too and we're trying to make our samples available generally in Java JavaScript python. net those are the top languages we you know hear that developers want so we've got samples for assistance and open Ai and fine-tuning and model catalog and all that stuff to help you get started Den all right uh thank you Pamela well Pamela and Matt made uh A and A Z really exciting let's give him a round of applause that that's great um for folks that want to learn more so we just launched uh the new Microsoft entra developer uh Center so go there to learn everything about entra uh and of course entro microsoft.com if you want to uh experiment with yourself uh and then we're very excited about support for uh microsof graph uh and bicep so you should also check out the documentation there if you have more questions about entra security how to do Au authentication authorization stop by upstairs we have a booth uh in the security section so big sign this is Microsoft entra go there uh and then uh make sure to uh check out the session after this presentation if you ever want to come back to it we're going to have the slides uh uploaded within the next 24 hours that that's what I hear so um all right uh do we have time we have time for questionss we do have time okay so if you do have questions just raise your hand and we'll run the mic over to you any questions back there I when will you add the ability to add permissions to user sign manage identities in entra user assign managed identities tell me more what's what's the scenario so the scenario is you uh users in our or want to access data inside a Ventra and they don't want to use app registrations because of the expiring Secrets they want to user sign managed identities because the secret Stone expired ah yes so that is what pamelo was referring to as the Federated identity credentials so we are testing that capability internally as we speak uh no announcements yet but stay tuned that it's coming well it's like so I'm I'm able to add uh user sign manage identities to entra and then when I go in there to permissions I can't specify permissions I have to do it through the azer CLI writing some kind of ugly scripts to assign for example graph permissions and so there there's just not the ability to to add that in entry you can if you have an app registration you can go in and set API permissions and go in and say graph and assign you know all of the permissions that you need but with user with manag identities you you can't do that uh let's chat after this presentation or stop by our booth I'd be happy to dig into the scenario over there oh she's gonna run the mic to you just make sure everyone on uh is it the internet can hear uh middle so for this uh situation here um how do you do the dev locally then you don't [Laughter] yeah I know oh and I did I had that originally written that you don't I don't know what happened to it but uh yeah so that is the drawback of it I have expressed My Boo as well to the folks back we even had a meeting with them where we were like Hey how do we do this locally right now yeah we don't uh there's we haven't figured it out no not yet yeah yeah so I saying I think that when I would use this for is that if I'm doing built-in off where my o is already only on prod I would definitely set this up immediately as soon as it's supported because that's straightforward um you know I'm already not doing local off but yeah the story is getting more complicated if we're so I think one one thing you could do is that locally you could you know like I was saying in our rag chat app we support both MSL based local off and built-in off so locally you could have a Dev te scenario where you're using something that has a secret or certificate and that could be a different client then then when you go to prod you could use a client that's configured with this one and so your prod client could use managed identity with built-in off and your local story could use a client with a client secret and and that's a go-to story we all ha yeah yeah the the dev team is well aware and this is something that it's top of mind for a lot of folks now so we had uh one question from the online audience and I think it's from Matt and uh can we use the same access control that you've shown for one Lake uh yes so basically it's all a matter of if you know how to parse out the access control from your documents there's two general ways of doing it number one you could just write a simple scrap that just kind of TRS all your documents and does it uh the other option is to use our built-in indexer pipeline which now supports one Lake uh and you could there's an extensibility Point called a custom skill and you can put that same uh Access Control parsing logic in there and just kind of merge it in uh the this both strategies are equally valid it's just up to your scenario but yeah as long as you understand how your access control is represented which is really the key part it's very easy to add it to the AI search index any other questions all right cool well then stop by upstairs thank you folks e e

Original Description

Join this session to learn how to automatically setup authentication for your intelligent apps, and how to add access control to your app and data. See how to register your AI apps via Microsoft Graph API or Bicep and discover best practices for token validation and refresh with MSAL libraries. We'll walk through how to choose the right OAuth flows for server-side or Single-page applications, use App Service’s built-in authentication and filter output based on the authenticated user. 𝗦𝗽𝗲𝗮𝗸𝗲𝗿𝘀: * James Casey * Den Delimarsky * Pamela Fox * Matt Gotteiner * Josh Oh * Anthony Shaw 𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗜𝗻𝗳𝗼𝗿𝗺𝗮𝘁𝗶𝗼𝗻: This video is one of many sessions delivered for the Microsoft Build 2024 event. View the full session schedule and learn more about Microsoft Build at https://build.microsoft.com BRK221 | English (US) | Security #MSBuild
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from Microsoft Developer · Microsoft Developer · 0 of 60

← Previous Next →
1 Prepare for the DP-300 exam & the Azure Database Administrator Associate cert | Data Exposed
Prepare for the DP-300 exam & the Azure Database Administrator Associate cert | Data Exposed
Microsoft Developer
2 What I Wish I Knew ... about landing a job in tech
What I Wish I Knew ... about landing a job in tech
Microsoft Developer
3 Igniting Developer Innovation with Vector Search
Igniting Developer Innovation with Vector Search
Microsoft Developer
4 Combining the power of vector search with Azure OpenAI then revolutionize image search with vectors!
Combining the power of vector search with Azure OpenAI then revolutionize image search with vectors!
Microsoft Developer
5 What I Wish I Knew ... about finding your place in tech
What I Wish I Knew ... about finding your place in tech
Microsoft Developer
6 Fluent UI React Insights: Accessible by default
Fluent UI React Insights: Accessible by default
Microsoft Developer
7 Signing Container Images with Notary Project
Signing Container Images with Notary Project
Microsoft Developer
8 What I Wish I Knew ... about finding your place in tech
What I Wish I Knew ... about finding your place in tech
Microsoft Developer
9 What programming languages does GitHub Copilot support?
What programming languages does GitHub Copilot support?
Microsoft Developer
10 What I Wish I Knew ... about how much your job can change
What I Wish I Knew ... about how much your job can change
Microsoft Developer
11 What I Wish I Knew ... about how much your job can change
What I Wish I Knew ... about how much your job can change
Microsoft Developer
12 How do I become more confident about AI?
How do I become more confident about AI?
Microsoft Developer
13 How do I become more confident about AI?
How do I become more confident about AI?
Microsoft Developer
14 Performance Demos of SQL’s Intelligent Query Processing Feedback capabilities | Data Exposed
Performance Demos of SQL’s Intelligent Query Processing Feedback capabilities | Data Exposed
Microsoft Developer
15 What I Wish I Knew ... about coming to Microsoft
What I Wish I Knew ... about coming to Microsoft
Microsoft Developer
16 What I Wish I Knew ... about coming to Microsoft
What I Wish I Knew ... about coming to Microsoft
Microsoft Developer
17 Revolutionizing Image Search with Vectors
Revolutionizing Image Search with Vectors
Microsoft Developer
18 Igniting developer innovation with Vector search and Azure OpenAI
Igniting developer innovation with Vector search and Azure OpenAI
Microsoft Developer
19 Getting Started with Azure AI Studio's Prompt Flow - Part 2
Getting Started with Azure AI Studio's Prompt Flow - Part 2
Microsoft Developer
20 What I Wish I Knew ... about finding my career path
What I Wish I Knew ... about finding my career path
Microsoft Developer
21 What I Wish I Knew ... about finding my career path
What I Wish I Knew ... about finding my career path
Microsoft Developer
22 Windows Terminal's journey to Open Source
Windows Terminal's journey to Open Source
Microsoft Developer
23 Can I trust the code that GitHub Copilot generates?
Can I trust the code that GitHub Copilot generates?
Microsoft Developer
24 What I Wish I Knew ... about interviewing
What I Wish I Knew ... about interviewing
Microsoft Developer
25 What I Wish I Knew ... about interviewing
What I Wish I Knew ... about interviewing
Microsoft Developer
26 What is the Microsoft TechSpark Program?
What is the Microsoft TechSpark Program?
Microsoft Developer
27 SQL Server 2022: Accelerate query performance while reducing query compile time - w/ no code changes
SQL Server 2022: Accelerate query performance while reducing query compile time - w/ no code changes
Microsoft Developer
28 What I Wish I Knew ... about discovering computer science
What I Wish I Knew ... about discovering computer science
Microsoft Developer
29 What I Wish I Knew ... about discovering computer science
What I Wish I Knew ... about discovering computer science
Microsoft Developer
30 Call center transcription and analysis using Azure AI
Call center transcription and analysis using Azure AI
Microsoft Developer
31 How to use Text Analytics for health in Azure AI Language
How to use Text Analytics for health in Azure AI Language
Microsoft Developer
32 Azure OpenAI-powered summarization in Azure AI Language
Azure OpenAI-powered summarization in Azure AI Language
Microsoft Developer
33 Accelerate data labeling using Azure OpenAI and Azure AI Language
Accelerate data labeling using Azure OpenAI and Azure AI Language
Microsoft Developer
34 Building a Private ChatGPT with Azure OpenAI
Building a Private ChatGPT with Azure OpenAI
Microsoft Developer
35 What I Wish I Knew ... about how to interview
What I Wish I Knew ... about how to interview
Microsoft Developer
36 What I Wish I Knew ... about how to interview
What I Wish I Knew ... about how to interview
Microsoft Developer
37 Getting Started with Azure AI Studio's Prompt Flow - Part 3
Getting Started with Azure AI Studio's Prompt Flow - Part 3
Microsoft Developer
38 Intelligent Apps with Azure Kubernetes Service (AKS)
Intelligent Apps with Azure Kubernetes Service (AKS)
Microsoft Developer
39 Getting Started with Azure Blob Storage | Data Exposed: MVP Edition
Getting Started with Azure Blob Storage | Data Exposed: MVP Edition
Microsoft Developer
40 Chat + Your Data + Plugins
Chat + Your Data + Plugins
Microsoft Developer
41 What I Wish I Knew ... about different career paths
What I Wish I Knew ... about different career paths
Microsoft Developer
42 What I Wish I Knew ... about different career paths
What I Wish I Knew ... about different career paths
Microsoft Developer
43 Advanced Dev Tunnels Features | OD122
Advanced Dev Tunnels Features | OD122
Microsoft Developer
44 Learn Live - Manage performance and availability in Azure Cosmos DB for PostgreSQL
Learn Live - Manage performance and availability in Azure Cosmos DB for PostgreSQL
Microsoft Developer
45 Plan your SQL Migration to Azure with confidence | Data Exposed
Plan your SQL Migration to Azure with confidence | Data Exposed
Microsoft Developer
46 What I Wish I Knew ... about social skills in a tech career
What I Wish I Knew ... about social skills in a tech career
Microsoft Developer
47 What I Wish I Knew ... about social skills in a tech career
What I Wish I Knew ... about social skills in a tech career
Microsoft Developer
48 All About Vectors, Search, and Function Calling in Azure OpenAI - Labor Day Special
All About Vectors, Search, and Function Calling in Azure OpenAI - Labor Day Special
Microsoft Developer
49 Introduction to project ORAS
Introduction to project ORAS
Microsoft Developer
50 What I Wish I Knew ... about finding the right major
What I Wish I Knew ... about finding the right major
Microsoft Developer
51 What I Wish I Knew ... about finding the right major
What I Wish I Knew ... about finding the right major
Microsoft Developer
52 What I Wish I Knew ... about how to approach programming
What I Wish I Knew ... about how to approach programming
Microsoft Developer
53 What I Wish I Knew ... about how to approach programming
What I Wish I Knew ... about how to approach programming
Microsoft Developer
54 Learn Live - Scale from a single node to multiple nodes with Azure Cosmos DB for PostgreSQL
Learn Live - Scale from a single node to multiple nodes with Azure Cosmos DB for PostgreSQL
Microsoft Developer
55 What I Wish I Knew ... about diversity in tech #1
What I Wish I Knew ... about diversity in tech #1
Microsoft Developer
56 What I Wish I Knew ... about diversity in tech #1
What I Wish I Knew ... about diversity in tech #1
Microsoft Developer
57 Get started with SQL Server AGs across Windows, Linux and Container Replicas | Data Exposed
Get started with SQL Server AGs across Windows, Linux and Container Replicas | Data Exposed
Microsoft Developer
58 Writing LLM Apps with Azure AI and PromptFlow
Writing LLM Apps with Azure AI and PromptFlow
Microsoft Developer
59 What I Wish I Knew ... about how cool working in tech could be
What I Wish I Knew ... about how cool working in tech could be
Microsoft Developer
60 Open Source foundation models in Azure Machine Learning & optimization techniques behind the scenes
Open Source foundation models in Azure Machine Learning & optimization techniques behind the scenes
Microsoft Developer

Related Reads

📰
10 Most Common Mistakes Java Developers Make in Interviews
Learn the common mistakes Java developers make in interviews and how to avoid them to improve your chances of success
Medium · Programming
📰
# C++ Error Messages Translated — 10 Common Compilation & Link Errors Explained
Learn to decipher 10 common C++ error messages for compilation and linking, improving debugging efficiency
Dev.to · Yilong Wu
📰
# Picking What to Read Next: The Trade-offs of Ranked-Choice Voting in a Django App
Learn how to implement ranked-choice voting in a Django app, weighing the trade-offs and complexities involved
Medium · Python
📰
The Ultimate Rust ORM Comparison 2026: Diesel vs SQLx vs SeaORM vs Rusqlite — Pick Your Powerhouse!
Compare top Rust ORMs Diesel, SQLx, SeaORM, and Rusqlite to choose the best fit for your project
Medium · Programming
Up next
Beginners Guide to GPT4 API & ChatGPT 3.5 Turbo API Tutorial
Adrian Twarog
Watch →