updating with managed identity examples

jeffwmartinez · jeffwmartinez · commit 5b044fdfa20d · 2024-06-27T15:30:10.000-07:00
diff --git a/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-dotnet-pivot.md b/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-dotnet-pivot.md
@@ -60,6 +60,43 @@ Next, we need to add the new page to the navigation so we can navigate to the se
 
 After the Navigation is updated, we can start preparing to build the OpenAI client to handle our requests.
 
+### Secure your app with managed identity
+
+Although optional, it's highly recommended to secure your application using [managed identity](../../../overview-managed-identity.md) to authenticate your app to your Azure OpenAI resource. Skip this step if you are not using Azure OpenAI. This enables your application to access the Azure OpenAI resource without needing to manage API keys.
+
+Follow the steps below to secure your application:
+
+Add the identity package `Azure.Identity`. This package enables using Azure credentials in your app.  Install the package using Nuget package manager and add the using statement to the top of the OpenAI.razor file.
+
+```c#
+@using Azure.Identity
+```
+
+Next, include the default Azure credentials in the chat completions options
+
+```c#
+var kernel = Kernel.CreateBuilder()
+	.AddAzureOpenAIChatCompletion(
+		deploymentName: deploymentName,
+		endpoint: endpoint,
+		credentials: new DefaultAzureCredential()
+	)
+	.Build();
+```
+
+Once the credentials are added to the application, you�ll then need to enable managed identity in your application and grant access to the resource.
+
+1. In your web app resource, navigate to the **Identity** blade and turn on **System assigned** and click **Save**
+2. Once System assigned identity is turned on, it will register the web app with Microsoft Entra ID and the web app can be granted permissions to access protected resources.  
+3. Go to your Azure OpenAI resource and navigate to the **Access control (IAM)** blade on the left pane.  
+4. Find the Grant access to this resource card and click on **Add role assignment**
+5. Search for the **Cognitive Services OpenAI User** role and click **Next**
+6. On the **Members** tab, find **Assign access to** and choose the **Managed identity** option
+7. Next, click on **+Select Members**  and find your web app
+8. Click **Review + assign**
+
+Your web app is now added as a cognitive service OpenAI user and can communicate to your Azure OpenAI resource.
+
 ### API keys and endpoints
 
 In order to make calls to OpenAI with your client, you need to first grab the Keys and Endpoint values from Azure OpenAI, or OpenAI and add them as secrets for use in your application. Retrieve and save the values for later use.
@@ -315,7 +352,6 @@ Now save the application and follow the next steps to deploy it to App Service.
 
 If you have followed the steps above, you're ready to deploy to App Service. If you run into any issues remember that you need to have done the following: grant your app access to your Key Vault, add the app settings with key vault references as your values. App Service resolves the app settings in your application that match what you've added in the portal.
 
-
 ### Authentication
 
 Although optional, it's highly recommended that you also add authentication to your web app when using an Azure OpenAI or OpenAI service. This can add a level of security with no other code. Learn how to enable authentication for your web app [here](../../scenario-secure-app-authentication-app-service.md).
diff --git a/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-java-pivot.md b/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-java-pivot.md
@@ -29,6 +29,46 @@ For this Spring Boot application, we are building off the [quickstart](../../qui
   }
 ```
 
+### Secure your app with managed identity
+
+Although optional, it's highly recommended to secure your application using [managed identity](../../../overview-managed-identity.md) to authenticate your app to your Azure OpenAI resource. Skip this step if you are not using Azure OpenAI. This enables your application to access the Azure OpenAI resource without needing to manage API keys.
+
+Follow the steps below to secure your application:
+
+Add the Azure OpenAI dependency package. This package enables using Azure credentials in your app.
+
+```java
+<dependency>
+    <groupId>com.azure</groupId>
+    <artifactId>azure-ai-openai</artifactId>
+    <version>1.0.0-beta.9</version>
+</dependency>
+```
+
+Next, include the default Azure default credentials when creating the client
+
+```java
+TokenCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
+
+OpenAIClient client = new OpenAIClientBuilder()
+    .credential(defaultCredential)
+    .endpoint("{endpoint}")
+    .buildClient();
+```
+
+Once the credentials are added to the application, you�ll then need to enable managed identity in your application and grant access to the resource.
+
+1. In your web app resource, navigate to the **Identity** blade and turn on **System assigned** and click **Save**
+2. Once System assigned identity is turned on, it will register the web app with Microsoft Entra ID and the web app can be granted permissions to access protected resources.  
+3. Go to your Azure OpenAI resource and navigate to the **Access control (IAM)** blade on the left pane.  
+4. Find the Grant access to this resource card and click on **Add role assignment**
+5. Search for the **Cognitive Services OpenAI User** role and click **Next**
+6. On the **Members** tab, find **Assign access to** and choose the **Managed identity** option
+7. Next, click on **+Select Members**  and find your web app
+8. Click **Review + assign**
+
+Your web app is now added as a cognitive service OpenAI user and can communicate to your Azure OpenAI resource.
+
 ### API Keys and Endpoints
 
 First, you need to grab the keys and endpoint values from Azure OpenAI, or OpenAI and add them as secrets for use in your application. Retrieve and save the values for later use to build the client.
diff --git a/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-python-pivot.md b/articles/app-service/includes/deploy-intelligent-apps/deploy-intelligent-apps-linux-python-pivot.md
@@ -82,6 +82,45 @@ Next, copy and replace the *hello.html* file with the following code:
 
 After the files are updated, we can start preparing our environment variables to work with OpenAI.
 
+### Secure your app with managed identity
+
+Although optional, it's highly recommended to secure your application using [managed identity](../../../overview-managed-identity.md) to authenticate your app to your Azure OpenAI resource. Skip this step if you are not using Azure OpenAI. This enables your application to access the Azure OpenAI resource without needing to manage API keys.
+
+Follow the steps below to secure your application:
+
+Add the identity package `Azure.Identity`. This package enables using Azure credentials in your app.  Install the package and import the default credential and bearer token provider.
+
+```python
+from azure.identity import DefaultAzureCredential, get_bearer_token_provider
+```
+
+Next, include the default Azure credentials and token provider in the AzureOpenAI options.
+
+```python
+token_provider = get_bearer_token_provider(
+    DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
+)
+
+client = AzureOpenAI(
+    api_version="2024-02-15-preview",
+    azure_endpoint="https://{your-custom-endpoint}.openai.azure.com/",
+    azure_ad_token_provider=token_provider
+)
+```
+
+Once the credentials are added to the application, you�ll then need to enable managed identity in your application and grant access to the resource.
+
+1. In your web app resource, navigate to the **Identity** blade and turn on **System assigned** and click **Save**
+2. Once System assigned identity is turned on, it will register the web app with Microsoft Entra ID and the web app can be granted permissions to access protected resources.  
+3. Go to your Azure OpenAI resource and navigate to the **Access control (IAM)** blade on the left pane.  
+4. Find the Grant access to this resource card and click on **Add role assignment**
+5. Search for the **Cognitive Services OpenAI User** role and click **Next**
+6. On the **Members** tab, find **Assign access to** and choose the **Managed identity** option
+7. Next, click on **+Select Members**  and find your web app
+8. Click **Review + assign**
+
+Your web app is now added as a cognitive service OpenAI user and can communicate to your Azure OpenAI resource.
+
 ### API Keys and Endpoints
 
 In order to make calls to OpenAI with your client, you need to first grab the Keys and Endpoint values from Azure OpenAI, or OpenAI and add them as secrets for use in your application. Retrieve and save the values for later use.
diff --git a/articles/app-service/toc.yml b/articles/app-service/toc.yml
@@ -383,6 +383,10 @@
           href: deploy-container-azure-pipelines.md
         - name: Deploy a multi-container WordPress app
           href: tutorial-multi-container-app.md
+- name: Integrate AI with App Service
+  items:
+    - name: Deploy an application that uses OpenAI on App Service
+      href: deploy-intelligent-apps.md
 - name: Reliability
   items:
   - name: Reliability in Azure App Service
@@ -435,8 +439,6 @@
       href: operating-system-functionality.md
     - name: Kudu service
       href: resources-kudu.md
-    - name: Deploy an application that uses OpenAI on App Service
-      href: deploy-intelligent-apps.md
     - name: gRPC configuration
       href: configure-grpc.md
     - name: Recommended services (preview)
