Better support for deploying to non-home tenant

.github/workflows/azure-dev-validation.yaml

@@ -22,7 +22,9 @@ jobs:
       - name: Build Bicep for linting
         uses: azure/CLI@v2
         with:
-          inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
+          inlineScript: |
+            export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1
+            az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout
 
   psrule:
     runs-on: ubuntu-latest
@@ -42,7 +44,7 @@ jobs:
           outputPath: reports/ps-rule-results.sarif
           summary: true
         continue-on-error: true
-          
+
         env:
           PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION: 'true'
           PSRULE_CONFIGURATION_AZURE_BICEP_FILE_EXPANSION_TIMEOUT: '30'

app/backend/app.py

@@ -16,7 +16,11 @@
     SpeechSynthesizer,
 )
 from azure.core.exceptions import ResourceNotFoundError
-from azure.identity.aio import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity.aio import (
+    AzureDeveloperCliCredential,
+    ManagedIdentityCredential,
+    get_bearer_token_provider,
+)
 from azure.monitor.opentelemetry import configure_azure_monitor
 from azure.search.documents.aio import SearchClient
 from azure.search.documents.indexes.aio import SearchIndexClient
@@ -436,11 +440,21 @@ async def setup_clients():
     USE_SPEECH_OUTPUT_BROWSER = os.getenv("USE_SPEECH_OUTPUT_BROWSER", "").lower() == "true"
     USE_SPEECH_OUTPUT_AZURE = os.getenv("USE_SPEECH_OUTPUT_AZURE", "").lower() == "true"
 
-    # Use the current user identity to authenticate with Azure OpenAI, AI Search and Blob Storage (no secrets needed,
-    # just use 'az login' locally, and managed identity when deployed on Azure). If you need to use keys, use separate AzureKeyCredential instances with the
-    # keys for each service
-    # If you encounter a blocking error during a DefaultAzureCredential resolution, you can exclude the problematic credential by using a parameter (ex. exclude_shared_token_cache_credential=True)
-    azure_credential = DefaultAzureCredential(exclude_shared_token_cache_credential=True)
+    # Use the current user identity for keyless authentication to Azure services.
+    # This assumes you use 'azd auth login' locally, and managed identity when deployed on Azure.
+    # The managed identity is setup in the infra/ folder.
+    azure_credential: Union[AzureDeveloperCliCredential, ManagedIdentityCredential]
+    if os.getenv("WEBSITE_HOSTNAME"):  # Environment variable set on Azure Web Apps
+        current_app.logger.info("Setting up Azure credential using ManagedIdentityCredential")
+        azure_credential = ManagedIdentityCredential()
+    elif AZURE_TENANT_ID:
+        current_app.logger.info(
+            "Setting up Azure credential using AzureDeveloperCliCredential with tenant_id %s", AZURE_TENANT_ID
+        )
+        azure_credential = AzureDeveloperCliCredential(tenant_id=AZURE_TENANT_ID, process_timeout=60)
+    else:
+        current_app.logger.info("Setting up Azure credential using AzureDeveloperCliCredential for home tenant")
+        azure_credential = AzureDeveloperCliCredential(process_timeout=60)
 
     # Set up clients for AI Search and Storage
     search_client = SearchClient(

app/backend/prepdocs.py

@@ -381,11 +381,12 @@ async def main(strategy: Strategy, setup_index: bool = True):
     use_int_vectorization = args.useintvectorization and args.useintvectorization.lower() == "true"
 
     # Use the current user identity to connect to Azure services unless a key is explicitly set for any of them
-    azd_credential = (
-        AzureDeveloperCliCredential()
-        if args.tenantid is None
-        else AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
-    )
+    if args.tenantid:
+        logger.info("Connecting to Azure services using the azd credential for tenant %s", args.tenantid)
+        azd_credential = AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60)
+    else:
+        logger.info("Connecting to Azure services using the azd credential for home tenant")
+        azd_credential = AzureDeveloperCliCredential(process_timeout=60)
 
     if args.removeall:
         document_action = DocumentAction.RemoveAll

infra/main.parameters.json

@@ -191,9 +191,6 @@
     "enableUnauthenticatedAccess": {
       "value": "${AZURE_ENABLE_UNAUTHENTICATED_ACCESS=false}"
     },
-    "tenantId": {
-      "value": "${AZURE_TENANT_ID}"
-    },
     "authTenantId": {
       "value": "${AZURE_AUTH_TENANT_ID}"
     },

tests/conftest.py

@@ -314,7 +314,7 @@ def mock_env(monkeypatch, request):
         if os.getenv("AZURE_USE_AUTHENTICATION") is not None:
             monkeypatch.delenv("AZURE_USE_AUTHENTICATION")
 
-        with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+        with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
             mock_default_azure_credential.return_value = MockAzureCredential()
             yield
 
@@ -383,7 +383,7 @@ async def auth_client(
     for key, value in request.param.items():
         monkeypatch.setenv(key, value)
 
-    with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+    with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
         mock_default_azure_credential.return_value = MockAzureCredential()
         quart_app = app.create_app()
 
@@ -422,7 +422,7 @@ async def auth_public_documents_client(
     for key, value in request.param.items():
         monkeypatch.setenv(key, value)
 
-    with mock.patch("app.DefaultAzureCredential") as mock_default_azure_credential:
+    with mock.patch("app.AzureDeveloperCliCredential") as mock_default_azure_credential:
         mock_default_azure_credential.return_value = MockAzureCredential()
         quart_app = app.create_app()