This repository includes a Python app that uses Azure OpenAI to generate responses to user messages and uses Microsoft Entra for user authentication. The user sign-in functionality uses the built-in authentication feature of Azure Container Apps, which supports both Microsoft Entra ID and Microsoft Entra External ID.
The project includes all the infrastructure and configuration needed to setup Microsoft Entra authentication, provision Azure OpenAI resources (with keyless access), and deploy the app to Azure Container Apps using the Azure Developer CLI.
We recommend first going through the deploying steps before running this app locally, since the local app needs credentials for Azure OpenAI to work properly.
- A Python Quart backend that uses the openai package to generate responses to user messages.
- A basic HTML/JS frontend that streams responses from the backend using JSON Lines over a ReadableStream.
- Bicep files for provisioning Azure resources, including an Azure OpenAI resource, Azure Container Apps (with authentication configuration), and Azure Container Registry.
- Python scripts that use the msgraph-sdk package to create a Microsoft Entra application and service principal, and to grant the service principal permissions to the application.
This project has Dev Container support, so it will be be setup automatically if you open it in Github Codespaces or in local VS Code with the Dev Containers extension.
If you're not using one of those options for opening the project, then you'll need to:
-
Create a Python virtual environment and activate it.
-
Install the requirements:
python -m pip install -r requirements-dev.txt
-
Install the app as an editable package:
python -m pip install -e src
Once you've opened the project in Codespaces, in Dev Containers, or locally, you can deploy it to Azure.
-
Sign up for a free Azure account and create an Azure Subscription. See guide to deploying with the free trial.
-
Check that you have the necessary permissions:
- Your Azure account must have
Microsoft.Authorization/roleAssignments/write
permissions, such as Role Based Access Control Administrator, User Access Administrator, or Owner. If you don't have subscription-level permissions, you must be granted RBAC for an existing resource group and deploy to that existing group. - Your Azure account also needs
Microsoft.Resources/deployments/write
permissions on the subscription level.
- Your Azure account must have
We have integrated the sample with Entra ID to require authentication. This feature allows users within your organization to log in and how to process their identity within the sample. If a user is logged in, they'll see their name in the chat app.
To configure, follow these steps:
-
Create a new azd environment:
azd env new
This will create a folder under
.azure/
in your project to store the configuration for this deployment. You may have multiple azd environments if desired. -
Set the
AZURE_AUTH_TENANT_ID
azd environment variable to the tenant ID you want to use for Entra authentication:azd env set AZURE_AUTH_TENANT_ID your-tenant-id
-
Login to the azd CLI with the Entra tenant ID:
azd auth login --tenant-id AUTH-TENANT-ID
-
Then proceed with the deployment steps below.
If you want to allow external users to sign up and sign in to the application using their email address or social identity such as Google, Apple or Facebook, you can use Microsoft Entra External ID. If you don't have an External ID tenant already, you can create a trial tenant using your Microsoft or Work account.
To deploy, you will need the tenant ID of your External ID. In the instructions below, replace <YOUR_TENANT_ID>
with the tenant ID you obtain from the Entra Portal.
To configure, follow these steps:
-
Create a new azd environment:
azd env new
This will create a folder under
.azure/
in your project to store the configuration for this deployment. You may have multiple azd environments if desired. -
Set the
AZURE_AUTH_TENANT_ID
azd environment variable to whichever tenant ID you want to use for Entra authentication:azd env set AZURE_AUTH_TENANT_ID your-tenant-id
-
Set
AZURE_AUTH_LOGIN_ENDPOINT
to the login endpoint for the External ID tenant. That will typically look like "TenantNameHere.ciamlogin.com".azd env set AZURE_AUTH_LOGIN_ENDPOINT your-login-endpoint
-
Login to the azd CLI with the External ID tenant ID:
azd auth login --tenant-id AUTH-TENANT-ID
-
Run the script that will setup permissions needed for the rest of the deployment process. Both PowerShell and Bash scripts are provided:
./scripts/setup_for_external_id.ps1
./scripts/setup_for_external_id.sh
-
Now proceed with the deployment steps below.
Once you have either setup Microsoft Entra ID or Microsoft Entra External ID, you can proceed to deploy the app.
-
If the Azure resources will be created in a different tenant than the Entra tenant, you must now login to Azure with that account:
azd auth login --tenant-id AZURE-TENANT-ID
-
(Optional) This is the point where you can customize the deployment by setting environment variables, in order to use existing Azure resources or reduce the Azure OpenAI capacity.
-
Provision and deploy all the resources:
azd up
It will prompt you to provide an
azd
environment name (like "chat-app") and select a subscription from your Azure account. Then it will provision the resources in your account and deploy the latest code. If you get an error or timeout with deployment, changing the location can help, as there may be availability constraints. -
When
azd
has finished deploying, you'll see an endpoint URI in the command output. Visit that URI, and you should see the chat app! 🎉 -
When you've made any changes to the app code, you can just run:
azd deploy
This project includes a Github workflow for deploying the resources to Azure on every push to main. That workflow requires several Azure-related authentication secrets to be stored as Github action secrets. To set that up, run:
azd pipeline config
Assuming you've run the steps in Opening the project and the steps in Deploying, you can now run the Python app in your development environment:
-
Copy
.env.sample
into.env
:cp .env.sample .env
-
For use with Azure OpenAI, run this command to get the Azure OpenAI endpoint URI from your deployed resource group and paste it in the
.env
file:azd env get-value AZURE_OPENAI_ENDPOINT
-
For use with OpenAI.com, either set the value of
OPENAICOM_API_KEY
in the.env
file to your OpenAI API key, or set the environment values of bothOPENAICOM_API_KEY_SECRET_NAME
andAZURE_KEY_VAULT_NAME
in the.env
file. -
For use with a local LLM server (to save costs during development), see our guide.
-
Run the app:
python -m quart --app src.quartapp run --port 50505 --reload
This will start the app on port 50505, and you can access it at
http://localhost:50505
.
Pricing varies per region and usage, so it isn't possible to predict exact costs for your usage. The majority of the Azure resources used in this infrastructure are on usage-based pricing tiers. However, Azure Container Registry has a fixed cost per registry per day.
You can try the Azure pricing calculator for the resources:
- Azure OpenAI Service: S0 tier, ChatGPT model. Pricing is based on token count. Pricing
- Azure Container App: Consumption tier with 0.5 CPU, 1GiB memory/storage. Pricing is based on resource allocation, and each month allows for a certain amount of free usage. Pricing
- Azure Container Registry: Basic tier. Pricing
- Log analytics: Pay-as-you-go tier. Costs based on data ingested. Pricing
azd down
.
By default, this template uses Managed Identity for authenticating to the Azure OpenAI service. It uses an Azure Key Vault to store the client secret for the Microsoft Entra application.
Additionally, we have added a GitHub Action that scans the infrastructure-as-code files and generates a report containing any detected issues. To ensure continued best practices in your own repository, we recommend that anyone creating solutions based on our templates ensure that the Github secret scanning setting is enabled.
You may want to consider additional security measures, such as:
- Protecting the Azure Container Apps instance with a firewall and/or Virtual Network.
- Using certificates instead of client secrets for the Microsoft Entra application.
- OpenAI Chat Application with Microsoft Entra Authentication (Python): Similar to this project, but sets up authentication using the MSAL SDK instead of the built-in authentication feature of Azure Container Apps. This is necessary if you want to deploy an app to a different environment or use authentication during development.
- OpenAI Chat App with Managed Identity: Similar to this project, but doesn't include Microsoft Entra authentication.
- RAG chat with Azure AI Search + Python: A more advanced chat app that uses Azure AI Search to ground responses in domain knowledge.
- Develop Python apps that use Azure AI services