Open dmpai-per opened 1 month ago
cc @zedhaque Could you possibly share the steps you used to enable External ID?
@pamelafox - sure, I will put together an External ID how-to document and submit a PR. Maybe the manual steps can be automated later.
@zedhaque @pamelafox thanks for that, I managed to get this done manually using this guide, but it did not allow me to enable other features that rely on the authentication, like user document upload and document-level access control.
Is there an ETA for this to be available, with the other dependent features enabled?
@dmpai-per and @pamelafox
Here is the current draft of the document. I plan to add screenshots for better clarity. It would be great if you could review it, test the steps, and provide any feedback or report any issues you encounter.
Shouldn't "Required Steps" 4.) be:

> "Since the authentication tenant ID is different from your current logged-in tenant ID, run `azd auth login --tenant-id <External Tenant ID>`."

as the app is not running on the External tenant; just the auth tenant is external.
If this "External" tenant were another Entra tenant that already has user identities and security groups for them (which this demo's ACL mapping uses), how would the setup need to be adapted? The application tenant in my case is a guest on the other tenant, which means identities can be authenticated, but security groups are only present in the External (parent) tenant's Entra, and therefore the parent has to be used for authorization and authentication (folders and single docs per user mapped based on the Entra security groups). I tried that, but never got it working.
@zedhaque @pamelafox
> App Service Settings: Log in to the Azure portal and navigate to your App Service instance. On the "Edit Identity Provider" page, update the issuer URL from https://login.microsoftonline.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0 to https://xxxxx.ciamlogin.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0. Leave the tenant ID c4a0744a-92d7-43ae-850e-07db4eb5c33a unchanged,

What is this tenant ID, "c4a0744a-92d7-43ae-850e-07db4eb5c33a"? I believe this needs to be replaced by the External Tenant ID. Could you please confirm?

> After:

```python
self.authority = f"https://xxxxx.ciamlogin.com"
self.valid_issuers = [
    f"https://sts.windows.net/{tenant_id}/",
    f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
]
```

Is it {tenant_id}.ciamlogin.com or xxxxx.ciamlogin.com, where xxxxx is the first part of your External Entra ID tenant's primary domain (e.g., your-tenant-name from your-tenant-name.onmicrosoft.com)?
> App Service Settings: Log in to the Azure portal and navigate to your App Service instance. On the "Edit Identity Provider" page, update the issuer URL from https://login.microsoftonline.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0 to https://xxxxx.ciamlogin.com/c4a0744a-92d7-43ae-850e-07db4eb5c33a/v2.0. Leave the tenant ID c4a0744a-92d7-43ae-850e-07db4eb5c33a unchanged,
>
> What is this tenant ID, "c4a0744a-92d7-43ae-850e-07db4eb5c33a"? I believe this needs to be replaced by the External Tenant ID. Could you please confirm?

Thanks! When you run the first `azd up` in step 5, you will get the correct tenant ID. What I meant to say is that you don't need to change the one already in the App Service, as it's correct. But good catch—I'll update the info.

> After:

```python
self.authority = f"https://xxxxx.ciamlogin.com"
self.valid_issuers = [
    f"https://sts.windows.net/{tenant_id}/",
    f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
]
```

> Is it {tenant_id}.ciamlogin.com or xxxxx.ciamlogin.com, where xxxxx is the first part of your External Entra ID tenant's primary domain (e.g., your-tenant-name from your-tenant-name.onmicrosoft.com)?

This {tenant_id} is correct; it's not the primary domain. See the screenshot below from the documentation. I'll update it with screenshots to make it clearer.
Keep your questions coming :)
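The issuer check behind the `valid_issuers` list discussed above, as an added example (not code from the repository or from the document being drafted in this thread). It builds the three issuer forms for a tenant, including the External ID form in which the tenant ID (not the primary domain) is the `ciamlogin.com` subdomain, and applies the check a backend makes on a token's `iss` claim after the signature has already been verified against the tenant's signing keys. The `tid` comparison and the placeholder tenant IDs are assumptions added for the example; signature verification is out of scope here.

```python
"""Issuer validation for an Entra External ID (CIAM) tenant.

Added example; not the project's code. Signature verification happens
before this check and is not shown. The tenant IDs below are constructed
placeholders, not real tenants.
"""

# Constructed placeholder for the External ID tenant (GUID form).
TENANT_ID = "00000000-0000-0000-0000-000000000000"


def build_authority(tenant_id: str) -> str:
    """Authority for an External ID tenant: the tenant ID is the subdomain."""
    return f"https://{tenant_id}.ciamlogin.com"


def build_valid_issuers(tenant_id: str) -> list[str]:
    """Issuer URLs a token may legitimately carry for this tenant.

    The first two are the workforce-tenant forms; the third is the
    External ID form. Note that the ciamlogin.com subdomain is the
    tenant *ID*, not 'your-tenant-name' from the primary domain.
    """
    return [
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
        f"https://{tenant_id}.ciamlogin.com/{tenant_id}/v2.0",
    ]


def issuer_is_valid(claims: dict, tenant_id: str) -> bool:
    """Accept a token only if its issuer is on the list for this tenant.

    The `tid` comparison is an extra belt-and-braces check (assumption for
    this example): a token issued for another tenant must be rejected even
    if its issuer string happens to be well-formed.
    """
    iss = claims.get("iss")
    tid = claims.get("tid")
    return iss in build_valid_issuers(tenant_id) and tid == tenant_id


# Constructed sample claim sets (the payload part of a decoded token).
CLAIMS_EXTERNAL = {
    "iss": f"https://{TENANT_ID}.ciamlogin.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "sub": "user-1",
}
CLAIMS_WORKFORCE = {
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "sub": "user-2",
}
OTHER_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed
CLAIMS_OTHER_TENANT = {
    "iss": f"https://{OTHER_TENANT}.ciamlogin.com/{OTHER_TENANT}/v2.0",
    "tid": OTHER_TENANT,
    "sub": "user-3",
}
# Issuer built from the primary domain name instead of the tenant ID:
# this is the mistake raised in the thread, and it is rejected.
CLAIMS_DOMAIN_FORM = {
    "iss": f"https://your-tenant-name.ciamlogin.com/{TENANT_ID}/v2.0",
    "tid": TENANT_ID,
    "sub": "user-4",
}


if __name__ == "__main__":
    print("authority:", build_authority(TENANT_ID))
    for name, claims in [
        ("external", CLAIMS_EXTERNAL),
        ("workforce", CLAIMS_WORKFORCE),
        ("other tenant", CLAIMS_OTHER_TENANT),
        ("domain-form issuer", CLAIMS_DOMAIN_FORM),
    ]:
        print(f"{name}: {issuer_is_valid(claims, TENANT_ID)}")
```

Running it shows the External ID and workforce issuers accepted for the configured tenant, while a token from another tenant and a token whose issuer uses the primary domain name in place of the tenant ID are both rejected, which is the distinction the reply above is making.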
> Shouldn't "Required Steps" 4.) be "Since the authentication tenant ID is different from your current logged-in tenant ID, run `azd auth login --tenant-id` to log in with your Entra ~External~ Tenant ID."
> as the app is not running on the External tenant; just the auth tenant is external.

Thanks. You are correct in observing the distinction between the app's tenant and the authentication (Entra External) tenant.
In this setup, we are specifically using an External Entra ID Tenant to manage authentication, distinct from the Workforce Tenant that hosts the app. So, when running the command 'azd auth login --tenant-id
As for your second scenario, it's a lot more complex!!!
Great doc @zedhaque! Ideally we'd also make the code changes that enable External ID optionally. We have the code for the setup for either Entra ID or Entra External ID in https://github.com/Azure-Samples/openai-chat-app-entra-auth-builtin in the scripts folder, so I think it should be possible to support via configuration entirely.
Thanks @pamelafox. I can try merging those scripts into this repo, so everything is done via configuration. I had a quick look, and it shouldn't be an issue.
@pamelafox @zedhaque Many thanks for addressing this and the quick turnaround as well, much appreciated.
Quick question please: where can I find the initial/default prompt engineering for Azure OpenAI? I have a case where I need to edit it and disable the user from being able to do that via the "developer advanced settings" in the frontend.
Is it possible to add a button to enable/disable internet search if answers cannot be found in the uploaded docs? I know this can be done via the prompt, but can it be added as part of the admin settings as well, so the admin has more control on what can and cannot be retrieved?
@pamelafox @zedhaque - Have got this running locally using an Entra External Tenant with Google as the identity provider and a Google account; however, I cannot get it to work with the backend App Service (not localhost). Made the identity provider changes you suggested in your document @zedhaque, changing from login.microsoft.com to tenant.ciamlogin.com. There must be some configuration that localhost does not use (i.e. it works there) compared to it running on the App Service. For example, if localhost works, then is it the redirect URLs, or something else that is stopping it from working, or a cross-tenant issue? The error I get after it asks for the email address and talks with the identity provider is "Requests from this IP are not allowed.", coming from this loaded page: https://login.microsoftonline.com/extservice/cpim?dc=ests-pub-wus2-az1-test1 The external tenant is in West US, however the resource group for this deployed code is in eastus??
Hi @eai-douglaswross,
I haven’t tried your scenario before. What I’d like to know is:
1. Can you confirm if your app service URL is listed in Entra Admin under Application -> Redirect URLs? This might have changed when you tried subsequent “azd up” commands.
2. Can you first check if the one-time password email works for the app service before adding Google? This will help isolate the issue.
3. I don’t think the region or resource group would be an issue. However, the URL you shared, “extservice” (requesting IP not allowed), is something I haven’t seen before.
### Minimal steps to reproduce

### Mention any other details that might be useful
The current code is built for internal users. I did the following two scenarios to enable external users:

Scenario 01) I did not enable authentication (I used `azd env set AZURE_USE_AUTHENTICATION false`) and configured the authentication manually using the guide in this link: https://learn.microsoft.com/en-us/azure/app-service/scenario-secure-app-authentication-app-service?tabs=external-configuration#tabpanel_1_external-configuration. The result: the user was able to sign up and sign in, but there was no logout button, and other features related to authentication did not work at all, for example user document upload.

Scenario 02) I changed the code as per the above-mentioned steps under ### Minimal steps to reproduce. The result: the user is able to sign up but not able to sign in, getting the above error.