Better support for multitenant

Author: pamelafox

app/backend/app.py

@@ -16,7 +16,11 @@
     SpeechSynthesizer,
 )
 from azure.core.exceptions import ResourceNotFoundError
-from azure.identity.aio import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity.aio import (
+    AzureDeveloperCliCredential,
+    ManagedIdentityCredential,
+    get_bearer_token_provider,
+)
 from azure.monitor.opentelemetry import configure_azure_monitor
 from azure.search.documents.aio import SearchClient
 from azure.search.documents.indexes.aio import SearchIndexClient
@@ -436,11 +440,13 @@ async def setup_clients():
     USE_SPEECH_OUTPUT_BROWSER = os.getenv("USE_SPEECH_OUTPUT_BROWSER", "").lower() == "true"
     USE_SPEECH_OUTPUT_AZURE = os.getenv("USE_SPEECH_OUTPUT_AZURE", "").lower() == "true"
 
-    # Use the current user identity to authenticate with Azure OpenAI, AI Search and Blob Storage (no secrets needed,
-    # just use 'az login' locally, and managed identity when deployed on Azure). If you need to use keys, use separate AzureKeyCredential instances with the
-    # keys for each service
-    # If you encounter a blocking error during a DefaultAzureCredential resolution, you can exclude the problematic credential by using a parameter (ex. exclude_shared_token_cache_credential=True)
-    azure_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)
+    # Use the current user identity for keyless authentication to Azure services.
+    # This assumes you use 'azd auth login' locally, and managed identity when deployed on Azure.
+    # The managed identity is setup in the infra/ folder.
+    if os.getenv("WEBSITE_HOSTNAME"):
+        azure_credential = ManagedIdentityCredential()
+    else:
+        azure_credential = AzureDeveloperCliCredential(tenant_id=AZURE_TENANT_ID)
 
     # Set up clients for AI Search and Storage
     search_client = SearchClient(

app/backend/prepdocs.py

@@ -381,11 +381,12 @@ async def main(strategy: Strategy, setup_index: bool = True):
     use_int_vectorization = args.useintvectorization and args.useintvectorization.lower() == "true"
 
     # Use the current user identity to connect to Azure services unless a key is explicitly set for any of them
-    azd_credential = (
-        AzureDeveloperCliCredential()
-        if args.tenantid is None
-        else AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
-    )
+    if args.tenantid:
+        logger.info("Connecting to Azure services using the azd credential for tenant %s", args.tenantid)
+        azd_credential = AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
+    else:
+        logger.info("Connecting to Azure services using the azd credential for home tenant")
+        azd_credential = AzureDeveloperCliCredential()
 
     if args.removeall:
         document_action = DocumentAction.RemoveAll

infra/main.parameters.json

@@ -191,9 +191,6 @@
     "enableUnauthenticatedAccess": {
       "value": "${AZURE_ENABLE_UNAUTHENTICATED_ACCESS=false}"
     },
-    "tenantId": {
-      "value": "${AZURE_TENANT_ID}"
-    },
     "authTenantId": {
       "value": "${AZURE_AUTH_TENANT_ID}"
     },