learn-pr/wwl-azure/manage-secure-ai-ready-infrastructure/includes/3-implement-keyless-authentication-microsoft.md
Lines changed: 0 additions & 32 deletions
@@ -18,42 +18,10 @@ Now that you understand how managed identities provide keyless authentication th
18
18
19
19
:::image type="content" source="../media/keyless-authentication-flow-system-assigned.png" alt-text="Diagram showing eight steps in the keyless authentication flow.":::
20
20
21
-
```mermaid
22
-
sequenceDiagram
23
-
participant Agent as AI Agent App Service
24
-
participant IMDS as Azure Instance Metadata Service
25
-
participant EntraID as Microsoft Entra ID
26
-
participant CosmosDB as Azure Cosmos DB
27
-
Agent->>IMDS: GET /metadata/identity/oauth2/token?resource=https://cosmos.azure.com
28
-
IMDS->>EntraID: Validate system-assigned identity for App Service
IMDS-->>Agent: Return JWT token (expires in 24 hours)
31
-
Agent->>CosmosDB: POST /dbs/conversations/colls/sessions/docs with Authorization: Bearer {token}
32
-
CosmosDB->>EntraID: Validate token signature and check claims
33
-
EntraID-->>CosmosDB: Token valid, principal has Cosmos DB Data Contributor role
34
-
CosmosDB->>CosmosDB: Verify RBAC permissions for write operation
35
-
CosmosDB-->>Agent: HTTP 201 Created with document ID
36
-
```
37
-
38
21
*Keyless authentication flow using system-assigned managed identity and Azure Instance Metadata Service to write conversation data*
39
22
40
-
Alt text: Sequence diagram showing eight steps in the keyless authentication flow: 1) AI Agent App Service sends HTTP GET request to Azure Instance Metadata Service requesting an access token for Cosmos DB resource, including the resource parameter set to https://cosmos.azure.com. 2) IMDS sends validation request to Microsoft Entra ID to confirm the App Service has a system-assigned managed identity enabled. 3) Entra ID confirms identity is valid and generates a JWT access token with appropriate claims and 24-hour expiration. 4) IMDS returns the JWT token to the agent application. 5) Agent makes HTTP POST request to Cosmos DB to create a new conversation document, including the token in the Authorization header as Bearer authentication. 6) Cosmos DB sends token to Entra ID to validate the signature and extract claims including the principal identity. 7) Entra ID confirms token is valid and returns the principal's role assignments, showing Cosmos DB Data Contributor permissions. 8) Cosmos DB verifies the principal has write permissions through RBAC and returns HTTP 201 Created response with the new document ID.
41
-
42
23
## Additional resources
43
24
44
25
-[How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity) - Detailed guide for enabling and using managed identities in App Service with code samples in multiple languages
45
26
-[Authenticate and authorize with managed identities in Azure Cosmos DB](/azure/cosmos-db/how-to-setup-rbac) - Instructions for configuring role-based access control for Cosmos DB using managed identities instead of connection strings
46
27
-[Azure Instance Metadata Service (IMDS)](/azure/virtual-machines/instance-metadata-service) - Technical reference for the IMDS endpoint including request formats, response schemas, and token acquisition examples
47
-
48
-
## Enhancement suggestions
49
-
50
-
- Screenshot of Azure portal showing the Identity blade of an App Service resource with the System assigned tab selected. The Status toggle should be set to On with a green indicator and checkmark. The Object (principal) ID field should display a sample GUID like 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' to show the managed identity's unique identifier. The Azure resource ID field should show the full resource path. Include callout number 1 pointing to the Status toggle and number 2 pointing to the Object ID field with a label explaining 'This ID is used when assigning RBAC roles.'
51
-
- Screenshot showing sample application code or Azure CLI command demonstrating token acquisition from IMDS. For example, a Python code snippet using the requests library to call the IMDS endpoint with appropriate headers including 'Metadata: true' and the resource parameter. The response JSON should show the access_token, expires_on timestamp, and resource fields. Include syntax highlighting and a caption explaining that this code runs inside the Azure resource with managed identity enabled.
52
-
- Four-minute demonstration video showing the complete process of enabling a system-assigned managed identity on an App Service, assigning the Cosmos DB Data Contributor role to that identity through the Access Control (IAM) blade, and then viewing the Activity Log to verify the role assignment event. Video should include voice-over explaining the automatic token acquisition process and how the application code uses the IMDS endpoint without storing any credentials.
53
-
- Three-minute animated explainer video illustrating the token acquisition and validation flow with visual representations of the HTTP requests between agent, IMDS, Entra ID, and Cosmos DB. Animation should highlight the JWT token structure showing header, payload with claims, and signature components, with labels explaining how each part contributes to secure authentication.
54
-
- Interactive managed identity configuration simulator where learners choose between system-assigned and user-assigned identity types, select target resources (Cosmos DB, Key Vault, Storage Account), assign appropriate RBAC roles, and observe a visual representation of the resulting authentication flow. Tool should provide feedback on configuration choices and highlight security best practices versus common mistakes.
55
-
- Hands-on token inspection tool where learners paste a sample JWT access token and the tool decodes and displays the header, payload claims (including principal object ID, resource audience, expiration time), and signature. Tool should include explanatory tooltips for each claim and show how Cosmos DB validates these claims during authorization.
56
-
57
-
## Accessibility notes
58
-
59
-
Sequence diagram uses labeled participant boxes at the top with clear names (AI Agent App Service, Azure Instance Metadata Service, Microsoft Entra ID, Azure Cosmos DB). Numbered arrows show request and response flow with descriptive labels including HTTP methods, endpoints, and key parameters. Alt text describes each interaction step in detail including the purpose of the request, the validation performed, and the content of each response. Comparison table uses left-aligned text with clear column headers and row labels, avoiding merged cells or complex formatting that might confuse screen readers.
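Review bot: deleting the long-form "Alt text:" paragraph at old lines 40-41 leaves the image's own alt-text attribute ("Diagram showing eight steps in the keyless authentication flow.") as the only description of the diagram, so a screen-reader user is no longer told what the eight steps are, even though the removed "Accessibility notes" section stated that the alt text describes each interaction step in detail; consider carrying the step-by-step description into the caption or the surrounding prose instead of dropping it. Removing the "Enhancement suggestions" and "Accessibility notes" sections themselves is fine, since they are authoring notes rather than learner-facing content, and removing the mermaid block is consistent with the rendered image at line 19 already carrying the diagram. If the mermaid diagram is reinstated elsewhere, the step `CosmosDB->>EntraID: Validate token signature and check claims` (old line 32) and the matching sentence in the removed alt text should be corrected: a resource such as Cosmos DB validates the JWT signature locally against Entra ID's published signing keys and reads the claims from the token itself, so the arrow should not depict a round trip to Entra ID for signature validation.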