fix: Use DefaultAzureCredential in dev, Managed Identity in prod

Author: Avijit-Microsoft

docs/workshop/docs/workshop/Challenge-3-and-4/knowledge_mining_api.ipynb

@@ -28,7 +28,7 @@
     "import pyodbc\n",
     "from dotenv import load_dotenv\n",
     "\n",
-    "from azure.identity.aio import DefaultAzureCredential, get_bearer_token_provider\n",
+    "from azure.identity.aio import AzureCliCredential, get_bearer_token_provider\n",
     "from azure.ai.agents.models import TruncationObject\n",
     "\n",
     "from semantic_kernel.functions.kernel_function_decorator import kernel_function\n",
@@ -61,7 +61,7 @@
     "    mid_id = os.getenv(\"SQLDB_USER_MID\")\n",
     "\n",
     "    try:\n",
-    "        async with DefaultAzureCredential() as credential:\n",
+    "        async with AzureCliCredential() as credential:\n",
     "            token = await credential.get_token(\"https://database.windows.net/.default\")\n",
     "            token_bytes = token.token.encode(\"utf-16-LE\")\n",
     "            token_struct = struct.pack(\n",
@@ -128,7 +128,7 @@
     "\n",
     "        try:\n",
     "            token_provider = get_bearer_token_provider(\n",
-    "                DefaultAzureCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
+    "                AzureCliCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
     "            )\n",
     "            token = await token_provider()\n",
     "            client = openai.AzureOpenAI(\n",
@@ -175,7 +175,7 @@
     "                    Only return the generated SQL query. Do not return anything else.'''\n",
     "            \n",
     "            token_provider = get_bearer_token_provider(\n",
-    "                DefaultAzureCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
+    "                AzureCliCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
     "            )\n",
     "            token = await token_provider()\n",
     "            client = openai.AzureOpenAI(\n",
@@ -212,7 +212,7 @@
     "    ):\n",
     "        try:\n",
     "            token_provider = get_bearer_token_provider(\n",
-    "                DefaultAzureCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
+    "                AzureCliCredential(), \"https://cognitiveservices.azure.com/.default\"\n",
     "            )\n",
     "            token = await token_provider()\n",
     "            client = openai.AzureOpenAI(\n",
@@ -313,7 +313,7 @@
     "async def main() -> None:\n",
     "    ai_agent_settings = AzureAIAgentSettings()\n",
     "    async with (\n",
-    "        DefaultAzureCredential() as creds,\n",
+    "        AzureCliCredential() as creds,\n",
     "        AzureAIAgent.create_client(credential=creds, endpoint=ai_agent_settings.endpoint) as client,\n",
     "    ):\n",
     "        AGENT_INSTRUCTIONS = '''You are a helpful assistant.\n",

docs/workshop/docs/workshop/Challenge-5/notebooks/video_chapter_generation.ipynb

@@ -117,8 +117,8 @@
     ")\n",
     "from python.content_understanding_client import AzureContentUnderstandingClient\n",
     "\n",
-    "from azure.identity import DefaultAzureCredential, get_bearer_token_provider\n",
-    "credential = DefaultAzureCredential()\n",
+    "from azure.identity import AzureCliCredential, get_bearer_token_provider\n",
+    "credential = AzureCliCredential()\n",
     "token_provider = get_bearer_token_provider(credential, AUTHENTICATION_URL)\n",
     "\n",
     "# The analyzer template is used to define the schema of the output\n",

docs/workshop/docs/workshop/Challenge-5/notebooks/video_tag_generation.ipynb

@@ -117,8 +117,8 @@
     ")\n",
     "from python.content_understanding_client import AzureContentUnderstandingClient\n",
     "\n",
-    "from azure.identity import DefaultAzureCredential, get_bearer_token_provider\n",
-    "credential = DefaultAzureCredential()\n",
+    "from azure.identity import AzureCliCredential, get_bearer_token_provider\n",
+    "credential = AzureCliCredential()\n",
     "token_provider = get_bearer_token_provider(credential, AUTHENTICATION_URL)\n",
     "\n",
     "# The analyzer template is used to define the schema of the output\n",

docs/workshop/docs/workshop/Challenge-5/python/utility.py

@@ -5,7 +5,7 @@
 
 from openai import AzureOpenAI
 import tiktoken
-from azure.identity import DefaultAzureCredential, get_bearer_token_provider
+from azure.identity import AzureCliCredential, get_bearer_token_provider
 from tenacity import retry, wait_random_exponential, stop_after_attempt
 from pydantic import BaseModel, Field
 
@@ -158,7 +158,7 @@ def __init__(
         if aoai_api_key is None or aoai_api_key == "":
             print("Using Entra ID/AAD to authenticate")
             token_provider = get_bearer_token_provider(
-                DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
+                AzureCliCredential(), "https://cognitiveservices.azure.com/.default"
             )
 
             self.client = AzureOpenAI(

docs/workshop/docs/workshop/Challenge-6/Content_safety_evaluation.ipynb

@@ -36,7 +36,7 @@
    "metadata": {},
    "outputs": [],
    "source": [
-    "from azure.identity import DefaultAzureCredential\n",
+    "from azure.identity import AzureCliCredential\n",
     "\n",
     "azure_ai_project = {\n",
     "    \"subscription_id\": os.environ.get(\"AZURE_SUBSCRIPTION_ID\"),\n",
@@ -122,8 +122,8 @@
    "outputs": [],
    "source": [
     "from azure.ai.evaluation.simulator import AdversarialScenario\n",
-    "from azure.identity import DefaultAzureCredential\n",
-    "credential = DefaultAzureCredential()\n",
+    "from azure.identity import AzureCliCredential\n",
+    "credential = AzureCliCredential()\n",
     "\n",
     "scenario = AdversarialScenario.ADVERSARIAL_QA\n",
     "adversarial_simulator = AdversarialSimulator(azure_ai_project=azure_ai_project, credential=credential)\n",
@@ -150,7 +150,7 @@
     "from azure.ai.evaluation import ContentSafetyEvaluator\n",
     "import pandas as pd\n",
     "\n",
-    "credential = DefaultAzureCredential()\n",
+    "credential = AzureCliCredential()\n",
     "# instantiate an evaluator with image and multi-modal support\n",
     "safety_evaluator = ContentSafetyEvaluator(credential=credential, azure_ai_project=azure_ai_project)\n",
     "\n",

infra/main.bicep

@@ -269,6 +269,7 @@ module backend_docker 'deploy_backend_docker.bicep' = {
       APPLICATIONINSIGHTS_CONNECTION_STRING: aifoundry.outputs.applicationInsightsConnectionString
       DUMMY_TEST: 'True'
       SOLUTION_NAME: solutionPrefix
+      APP_ENV: 'Prod'
     }
   }
   scope: resourceGroup(resourceGroup().name)

infra/main.json

@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.36.177.2456",
-      "templateHash": "832352662399817246"
+      "templateHash": "13989630346581833993"
     }
   },
   "parameters": {
@@ -137,7 +137,7 @@
           "type": "location",
           "usageName": [
             "OpenAI.GlobalStandard.gpt-4o-mini,150",
-            "OpenAI.Standard.text-embedding-ada-002,80"
+            "OpenAI.GlobalStandard.text-embedding-ada-002,80"
           ]
         },
         "description": "Location for AI Foundry deployment. This is the location where the AI Foundry resources will be deployed."
@@ -377,7 +377,7 @@
     "abbrs": "[variables('$fxv#0')]",
     "solutionLocation": "[if(empty(parameters('AZURE_LOCATION')), resourceGroup().location, parameters('AZURE_LOCATION'))]",
     "useLocalBuildLower": "[toLower(parameters('useLocalBuild'))]",
-    "uniqueId": "[toLower(uniqueString(subscription().id, parameters('environmentName'), variables('solutionLocation')))]",
+    "uniqueId": "[toLower(uniqueString(subscription().id, parameters('environmentName'), variables('solutionLocation'), resourceGroup().name))]",
     "solutionPrefix": "[format('km{0}', padLeft(take(variables('uniqueId'), 12), 12, '0'))]",
     "containerRegistryName": "[format('{0}{1}', variables('abbrs').containers.containerRegistry, variables('solutionPrefix'))]",
     "containerRegistryNameCleaned": "[replace(variables('containerRegistryName'), '-', '')]",
@@ -681,7 +681,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "18139801220201504120"
+              "templateHash": "16364162048483949784"
             }
           },
           "parameters": {
@@ -988,7 +988,7 @@
                 "name": "[parameters('embeddingModel')]",
                 "model": "[parameters('embeddingModel')]",
                 "sku": {
-                  "name": "Standard",
+                  "name": "GlobalStandard",
                   "capacity": "[parameters('embeddingDeploymentCapacity')]"
                 },
                 "raiPolicyName": "Microsoft.Default"
@@ -1698,7 +1698,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "7364575792801916457"
+                      "templateHash": "2162775944115849065"
                     }
                   },
                   "parameters": {
@@ -1909,7 +1909,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "7364575792801916457"
+                      "templateHash": "2162775944115849065"
                     }
                   },
                   "parameters": {
@@ -3205,7 +3205,8 @@
               "DISPLAY_CHART_DEFAULT": "False",
               "APPLICATIONINSIGHTS_CONNECTION_STRING": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, resourceGroup().name), 'Microsoft.Resources/deployments', 'deploy_ai_foundry'), '2022-09-01').outputs.applicationInsightsConnectionString.value]",
               "DUMMY_TEST": "True",
-              "SOLUTION_NAME": "[variables('solutionPrefix')]"
+              "SOLUTION_NAME": "[variables('solutionPrefix')]",
+              "APP_ENV": "Prod"
             }
           }
         },
@@ -3216,7 +3217,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "6279741508955918821"
+              "templateHash": "13824837150745689508"
             }
           },
           "parameters": {
@@ -3676,7 +3677,7 @@
                     "_generator": {
                       "name": "bicep",
                       "version": "0.36.177.2456",
-                      "templateHash": "7364575792801916457"
+                      "templateHash": "2162775944115849065"
                     }
                   },
                   "parameters": {
@@ -3919,7 +3920,7 @@
             "_generator": {
               "name": "bicep",
               "version": "0.36.177.2456",
-              "templateHash": "12963922539753840423"
+              "templateHash": "2667250685903499862"
             }
           },
           "parameters": {

infra/process_data_scripts.bicep

@@ -1,6 +1,7 @@
 param solutionLocation string
 param keyVaultName string
-param identity string
+param managedIdentityResourceId string
+param managedIdentityClientId string
 
 var baseUrl = 'https://raw.githubusercontent.com/microsoft/Conversation-Knowledge-Mining-Solution-Accelerator/main/'
 
@@ -11,13 +12,13 @@ resource process_data_scripts 'Microsoft.Resources/deploymentScripts@2020-10-01'
   identity: {
     type: 'UserAssigned'
     userAssignedIdentities: {
-      '${identity}' : {}
+      '${managedIdentityResourceId}' : {}
     }
   }
   properties: {
     azCliVersion: '2.52.0'
     primaryScriptUri: '${baseUrl}infra/scripts/process_data_scripts.sh' 
-    arguments: '${baseUrl} ${keyVaultName}' // Specify any arguments for the script
+    arguments: '${baseUrl} ${keyVaultName} ${managedIdentityClientId}' // Specify any arguments for the script
     timeout: 'PT1H' // Specify the desired timeout duration
     retentionInterval: 'PT1H' // Specify the desired retention interval
     cleanupPreference:'OnSuccess'

infra/scripts/fabric_scripts/create_fabric_items.py

@@ -1,4 +1,4 @@
-from azure.identity import DefaultAzureCredential
+from azure.identity import ManagedIdentityCredential
 import base64
 import json
 import requests
@@ -9,7 +9,7 @@
 import time
 
 
-# credential = DefaultAzureCredential()
+# credential = ManagedIdentityCredential()
 from azure.identity import AzureCliCredential
 credential = AzureCliCredential()
 

infra/scripts/index_scripts/01_create_search_index.py

@@ -1,4 +1,3 @@
-from azure.identity import DefaultAzureCredential
 from azure.keyvault.secrets import SecretClient
 from azure.search.documents.indexes import SearchIndexClient
 from azure.search.documents.indexes.models import (
@@ -15,6 +14,7 @@
     SemanticField,
     SearchIndex
 )
+from azure_credential_utils import get_azure_credential
 
 # === Configuration ===
 KEY_VAULT_NAME = 'kv_to-be-replaced'
@@ -28,12 +28,12 @@ def get_secrets_from_kv(secret_name: str) -> str:
 
     Args:
         secret_name (str): Name of the secret.
-        credential (DefaultAzureCredential): Credential with access to Key Vault.
+        credential (ManagedIdentityCredential): Credential with access to Key Vault.
 
     Returns:
         str: The secret value.
     """
-    kv_credential = DefaultAzureCredential(managed_identity_client_id=MANAGED_IDENTITY_CLIENT_ID)
+    kv_credential = get_azure_credential(client_id=MANAGED_IDENTITY_CLIENT_ID)
     secret_client = SecretClient(
         vault_url=f"https://{KEY_VAULT_NAME}.vault.azure.net/",
         credential=kv_credential
@@ -49,7 +49,7 @@ def create_search_index():
     - Semantic search using prioritized fields
     """
     # Shared credential
-    credential = DefaultAzureCredential(managed_identity_client_id=MANAGED_IDENTITY_CLIENT_ID)
+    credential = get_azure_credential(client_id=MANAGED_IDENTITY_CLIENT_ID)
 
     # Retrieve secrets from Key Vault
     search_endpoint = get_secrets_from_kv("AZURE-SEARCH-ENDPOINT")
@@ -121,4 +121,4 @@ def create_search_index():
     print(f"Search index '{result.name}' created or updated successfully.")
 
 
-create_search_index()
+create_search_index()