
02/04/2026

Authenticating Azure Foundry OpenAI Using Managed Identity

In an earlier post we tested 30+ features of the various Azure AI Foundry OpenAI services.

Post: https://pratapreddypilaka.blogspot.com/2026/04/azure-ai-services-complete-guide-to.html

Most of that code reads the OpenAI service keys from a .env file, which is the usual Python convention for keeping secrets out of source. That was done only for practice, to get familiar with the services and how to reach them from Python.

Storing an access key in code or configuration is the worst security blunder you can make here. A key is a bearer secret: it completely bypasses Azure RBAC, grants full data-plane access to the resource and is not tied to any identity, so anyone who obtains it (from a repo, a log, a screenshot) has exactly the access you have, with no Conditional Access and no per-principal audit trail.

What are the ways to authenticate to Azure OpenAI services without exposing keys?

  • System Assigned Managed Identity — Auto-created identity tied to one Azure resource (VM, App Service, Functions); deleted with the resource
  • User Assigned Managed Identity — Standalone identity you create and attach to one or more Azure resources
  • Service Principal + Client Secret — App registration with a secret; works anywhere, including on-prem, but the secret still has to be stored, protected and rotated
  • Service Principal + Certificate — Same as above but authenticates with a certificate instead of a secret; harder to leak and the preferred form of the two
  • Azure CLI Credential — Uses the logged-in az login identity, ideal for local dev/testing
  • Interactive Browser Credential — Pops a browser login window, good for desktop tools
  • Device Code Credential — Prints a code to enter at a URL, useful for headless servers
  • DefaultAzureCredential — Tries several credential types in a fixed order (environment, workload identity, managed identity, developer tools); convenient, but in production prefer the specific credential so the code fails fast instead of silently falling back to something else
  • Workload Identity — Federated, keyless auth for pods running in Azure Kubernetes Service (AKS), based on Kubernetes service account tokens
  • Federated Identity Credential — Lets an external IdP such as GitHub Actions or GitLab exchange its own OIDC token for an Entra token, with no secret stored in the pipeline

Managed Identity is the preferred method for Azure workloads to reach Azure OpenAI: there is no credential to store or rotate, and tokens are only issued to the resource the identity is attached to.

In this article we look at how to authenticate using a system-assigned managed identity.

For this we need a VM on which the system-assigned managed identity is enabled.

I created a Linux VM and enabled the managed identity.

Now go to the Foundry resource, open Access control (IAM), and add a role assignment for the VM's managed identity with the role "Cognitive Services OpenAI User". This is a data-plane role: it permits inference calls against the deployments but not listing keys or changing the resource, which is exactly the least privilege a chat client needs.

Now create the NSG rules that allow outbound HTTPS (TCP 443) from the VM to the OpenAI endpoint. This is necessary if the OpenAI instance sits behind a private endpoint. The token itself is fetched from the Instance Metadata Service at 169.254.169.254, a link-local address answered by the VM host, so no NSG rule is needed for that part.

Login to your virtual machine.

To test the connectivity I install Python and the azure-identity package.

# Python & pip
sudo apt update && sudo apt install python3-pip -y

# Required packages
pip3 install openai azure-identity

Once the dependencies are installed, create a file chat.py with the code below.

from azure.identity import ManagedIdentityCredential, get_bearer_token_provider
from openai import AzureOpenAI

# ── Config ──────────────────────────────────────────────
AZURE_OPENAI_ENDPOINT = "https://prata-mhl58p7n-eastus2.cognitiveservices.azure.com/"
DEPLOYMENT_NAME       = "gpt-5-chat"   # your deployment name, e.g. gpt-4o
API_VERSION           = "2024-02-01"
# Token audience for the Azure OpenAI / AI Services data plane
SCOPE                 = "https://cognitiveservices.azure.com/.default"
# ────────────────────────────────────────────────────────

# 1. Obtain tokens via Managed Identity (no keys!).
#    ManagedIdentityCredential talks to the Instance Metadata Service on the VM;
#    with a system-assigned identity no client_id has to be passed.
credential = ManagedIdentityCredential()

#    A token *provider* rather than a one-off token: the SDK calls it before
#    each request, so the client keeps working after the first token expires,
#    and the credential caches the token so IMDS is not hit on every call.
token_provider = get_bearer_token_provider(credential, SCOPE)

# 2. Build AzureOpenAI client using the bearer token provider
client = AzureOpenAI(
    azure_endpoint          = AZURE_OPENAI_ENDPOINT,
    api_version             = API_VERSION,
    azure_ad_token_provider = token_provider,   # <-- token-based, not key-based
)

# 3. Call the model
response = client.chat.completions.create(
    model    = DEPLOYMENT_NAME,
    messages = [
        {"role": "system", "content": "You are a helpful assistant."},
        {"role": "user",   "content": "Hello! Tell me more about Managed identity authentication without using access keys for Azure Open AI"}
    ]
)

print("✅ Response:", response.choices[0].message.content)

Now run the file: python3 chat.py

You will get a response from your gpt-5-chat deployment without using an access key. The same code runs unchanged on App Service, Functions or AKS; only the resource the identity is attached to changes.
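Before trusting a 403 or a 401 from the endpoint, it helps to look at what the managed identity actually handed back: the audience (aud) must be the Cognitive Services resource, the token must not be expired, and the oid claim is the principal the "Cognitive Services OpenAI User" role assignment has to target (managed identity tokens also carry the identity's ARM resource ID in xms_mirid, when present). The helper below is an added example, not code from the original post; it decodes the payload only, without verifying the signature (the API does that server-side), and runs on a constructed, unsigned token so it works offline. On the VM you would pass credential.get_token(SCOPE).token to check_token instead.

```python
import base64
import json
import time
from typing import Optional

# Audience a token for Azure OpenAI / AI Services must carry
EXPECTED_AUDIENCE = "https://cognitiveservices.azure.com"


def _b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Inspection aid only: Azure OpenAI validates the signature server-side.
    Never use an unverified payload to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_audience: str = EXPECTED_AUDIENCE,
                now: Optional[float] = None) -> list:
    """Return a list of problems with the token's claims; an empty list means OK.

    Checks the audience, the expiry (60 s clock-skew allowance) and that the
    token carries an oid, the claim RBAC role assignments are evaluated against.
    """
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []

    # Entra returns the audience with or without a trailing slash depending on
    # how the scope was written, so compare without it
    aud = str(claims.get("aud", ""))
    if aud.rstrip("/") != expected_audience.rstrip("/"):
        problems.append(f"audience is {aud!r}, expected {expected_audience!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp < now - 60:
        problems.append("token has expired")

    if "oid" not in claims:
        problems.append("no oid claim: cannot map the token to a principal for RBAC")

    return problems


def principal_summary(token: str) -> dict:
    """Pick out the claims that identify the caller, for matching the role assignment.

    oid is the service principal the role must be granted to; xms_mirid, when
    present, is the ARM resource ID of the managed identity that got the token.
    """
    claims = decode_jwt_claims(token)
    return {key: claims.get(key) for key in ("tid", "oid", "appid", "xms_mirid")}


def _constructed_token(claims: dict) -> str:
    """Build an UNSIGNED JWT (alg none, empty signature) for offline demonstration."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample claims in the shape of a managed identity token; the GUIDs
# and the resource ID are placeholders, not real tenant data.
SAMPLE_NOW = 1_775_000_000
GOOD_TOKEN = _constructed_token({
    "aud": "https://cognitiveservices.azure.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "exp": SAMPLE_NOW + 3600,
    "tid": "00000000-0000-0000-0000-000000000000",
    "oid": "11111111-1111-1111-1111-111111111111",
    "appid": "22222222-2222-2222-2222-222222222222",
    "xms_mirid": "/subscriptions/33333333-3333-3333-3333-333333333333/resourceGroups"
                 "/rg-demo/providers/Microsoft.Compute/virtualMachines/vm-demo",
})
# Same identity, but the token was requested for the ARM audience by mistake
WRONG_AUD_TOKEN = _constructed_token({
    "aud": "https://management.azure.com/",
    "exp": SAMPLE_NOW + 3600,
    "oid": "11111111-1111-1111-1111-111111111111",
})

if __name__ == "__main__":
    print("good token     :", check_token(GOOD_TOKEN, now=SAMPLE_NOW) or "OK")
    print("wrong audience :", check_token(WRONG_AUD_TOKEN, now=SAMPLE_NOW))
    print("principal      :", principal_summary(GOOD_TOKEN))
```

A wrong audience is the most common reason a managed identity call returns 401 while the role assignment looks right: the token was minted for management.azure.com (or another resource) and the data plane rejects it. The oid printed by principal_summary is what to search for in the resource's Access control (IAM) blade.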

Azure AI Services - A Complete Guide to Building Intelligent Applications with Azure AI Foundry

A while ago I started exploring Azure AI Foundry and ended up going down a rabbit hole of 30+ implementations covering everything from GPT-5 chat to live speech transcription. In this post I will walk you through all the major Azure AI services: what they do, how to implement them and when to use them, so you don't have to figure it all out the hard way like I did.

You can download the git repo, put your Azure OpenAI Service keys in a .env file and execute the samples as we go along. Keep that .env file out of version control (add it to .gitignore): the keys in it grant full access to the resource.

Our objective is to understand the complete Azure AI Services ecosystem and how you can combine them to build enterprise-grade intelligent applications.


Azure OpenAI - GPT-5 Chat, Vision and Code

This is where most people start, and for good reason. Azure OpenAI gives you access to GPT-5 with enterprise-grade security, regional deployment and SLAs — unlike calling OpenAI directly.

The basic setup is straightforward. You initialize an AzureOpenAI client with your endpoint and API key, define a system role (something like "you are a helpful travel assistant"), pass in user messages and configure temperature and top_p for response behavior. That's it, you are doing conversational AI.

from openai import AzureOpenAI
from dotenv import load_dotenv   # pip install python-dotenv
import os

# Load AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_KEY from the local .env file
load_dotenv()

# Key-based client: fine for a local walkthrough, but for anything running in
# Azure prefer a managed identity so no key exists to leak
client = AzureOpenAI(
    azure_endpoint=os.getenv("AZURE_OPENAI_ENDPOINT"),
    api_key=os.getenv("AZURE_OPENAI_KEY"),
    api_version="2024-12-01-preview"
)

What makes it more interesting is Vision. You can encode an image to base64, pass it as image_url in the message content, and GPT-5 will analyze and explain it — diagrams, screenshots, anything. I used this for code explanation too. Point it at a source file with a "you are a teacher" system prompt and let it stream the explanation back. Really useful for documentation generation and code reviews.

Chat Output:


Image Reading Output:


27/11/2023

Azure FinOps using Terraform and Infracost - Finding the hourly or monthly cost before Azure DevOps Deployments

A while ago I created a demo for Azure VWAN using Terraform and Azure DevOps. I dived in headfirst without realizing that I was using the premium SKU for the firewalls, and my dev tenant was shut down for a month within a few days because of my billing cap of 230 NZD.

The next time, when I created a demo for APIM instances, I didn't realize the Premium SKU costs 7500 NZD/month. Even before I finished my POC, the tenant was shut down again, this time within a few hours.

Our objective is to find the cost of the IaC we are deploying before we deploy it.
In this post I will show how to use Infracost, an open-source tool, both as a VS Code plugin and as part of our Azure DevOps pipelines, to manage the cost of the resources we are about to deploy.
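The part of this that belongs in the pipeline rather than the editor is a hard stop: run infracost breakdown --path . --format json --out-file infracost.json against the Terraform, then fail the job when the estimate is above what the subscription (or its billing cap) can absorb. The gate below is an added example, not code from the original post or from the Infracost project. It reads the JSON that command writes and runs here on a constructed, cut-down sample so it works offline; the field names it relies on (totalMonthlyCost, currency, projects[].breakdown.resources[].monthlyCost) are my understanding of the Infracost output schema, so treat them as an assumption and check them against your own report.

```python
import json
import sys
from decimal import Decimal
from typing import List, Tuple

# Monthly cap the plan must stay under. In a real pipeline this comes from a
# pipeline variable; 230 is the NZD billing cap from the story above.
MONTHLY_BUDGET = Decimal("230")


def parse_breakdown(report: dict) -> Tuple[Decimal, List[Tuple[str, Decimal]]]:
    """Return (total monthly cost, per-resource costs sorted high to low).

    Assumed schema (verify against your own infracost.json): costs are decimal
    strings, and usage-based resources with no fixed price have monthlyCost
    null, so they count as 0 and are left out of the listing.
    """
    total = Decimal(report.get("totalMonthlyCost") or "0")
    resources = []
    for project in report.get("projects", []):
        for res in project.get("breakdown", {}).get("resources", []):
            cost = res.get("monthlyCost")
            if cost is not None:
                resources.append((res["name"], Decimal(cost)))
    resources.sort(key=lambda item: item[1], reverse=True)
    return total, resources


def cost_gate(report: dict, budget: Decimal = MONTHLY_BUDGET, top: int = 3) -> Tuple[bool, str]:
    """Decide whether the plan may deploy; return (ok, message to print).

    The message lists the most expensive resources so the SKU that blew the
    budget is visible in the pipeline log without opening the full report.
    """
    total, resources = parse_breakdown(report)
    currency = report.get("currency", "USD")
    lines = [f"Estimated monthly cost: {total} {currency} (budget {budget} {currency})"]
    for name, cost in resources[:top]:
        lines.append(f"  {cost:>10} {currency}  {name}")
    ok = total <= budget
    lines.append("OK: within budget" if ok
                 else "BLOCKED: estimate exceeds budget, refusing to deploy")
    return ok, "\n".join(lines)


# Constructed sample shaped like `infracost breakdown --format json` output:
# a premium-tier firewall next to a small VM. The numbers are made up.
SAMPLE_REPORT = {
    "version": "0.2",
    "currency": "NZD",
    "projects": [{
        "name": "vwan-demo",
        "breakdown": {
            "resources": [
                {"name": "azurerm_firewall.hub", "monthlyCost": "2100.00"},
                {"name": "azurerm_linux_virtual_machine.jump", "monthlyCost": "62.15"},
                {"name": "azurerm_storage_account.logs", "monthlyCost": None},
            ],
            "totalMonthlyCost": "2162.15",
        },
    }],
    "totalMonthlyCost": "2162.15",
}


def main(argv: List[str]) -> int:
    """Usage: python3 cost_gate.py infracost.json  (exit code 1 fails the pipeline step)."""
    if argv:
        with open(argv[0]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    ok, message = cost_gate(report)
    print(message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Put the script in a step right after the infracost breakdown step and before terraform apply; the non-zero exit code is enough to stop the job, and the printed top-N list tells you which resource to downgrade. Decimal rather than float keeps the comparison exact for the cost strings Infracost emits.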


16/07/2023

Azure DevOps Self-Hosted Agents Automation Using Packer and Terraform

In Azure DevOps, "self-hosted agents" refer to agent machines that you set up and manage yourself, instead of using Microsoft-hosted agents. These self-hosted agents can be beneficial in various scenarios:

    Security and Compliance: In some organizations, data security and compliance policies may require running build and deployment processes on infrastructure managed within their own network.

    Access to Internal Resources: Your build and deployment processes may require access to internal resources (databases, network drives, etc.) that are not accessible from external Microsoft-hosted agents.

    Performance and Customization: Self-hosted agents can be tailored to specific hardware configurations, which might be necessary for resource-intensive builds or specialized build environments.

    Cost Management: Azure DevOps provides a certain number of free Microsoft-hosted parallel jobs, but if you have large-scale or resource-intensive projects, self-hosted agents can be more cost-effective in the long run.

    Reducing Build Queue Times: When using Microsoft-hosted agents, you share resources with other users, which might result in longer build queue times. Self-hosted agents allow you to control the resources dedicated to your builds, potentially reducing waiting times.

    Offline Environments: If you have environments without continuous internet access, self-hosted agents can be used to facilitate builds and deployments within those isolated networks.

In this post I will be:
  1. Generating a managed VM image using Packer.
  2. Saving the managed image to an image gallery within my tenant.
  3. Creating a Virtual Machine Scale Set (VMSS) from that image.
  4. Registering the VMSS as an Azure DevOps self-hosted agent pool.
  5. Running a time-intensive project on the self-hosted pool to see how the VMSS autoscales.
  6. Updating the VM image with a new build and seeing how to roll it out to the existing self-hosted agents.


07/07/2023

Terraform Azure Application Landing Zone - TF AZ Bootstrap

Objective: This post kick-starts your Azure DevOps journey by providing a seed repo for your Azure DevOps organization. Every time a new application is about to be launched into Azure, you have to go through provisioning the launchpad and the DevOps repo and building the CI/CD pipelines. The project below addresses all of those concerns.

Now I want to create a similar thing, add a couple more steps and make it available for everyone.

Here is what you are going to get.


11/06/2023

Deploying Virtual WAN using Terraform & Azure DevOps

Let me summarize Azure networking options based on use case:

  • You need network connectivity between resources in different virtual networks in the same region: implement VNet peering.
  • You need connectivity between resources in virtual networks across different regions: implement Global VNet peering.
  • You need network connectivity between your organization (on-prem) and your Azure tenant and you are OK with the secure channel running over the internet: implement a site-to-site VPN gateway.
  • You want connectivity between your offices and your Azure tenancy with high throughput and not over the internet: implement ExpressRoute.
  • You need individual users to reach services hosted in your Azure tenant: implement a point-to-site VPN gateway.

All of the above are configured differently and each caters for its own use case.

Here is why you should choose Virtual WAN if you are already using more than two of the capabilities above.

  • VWAN brings all of the above connectivity types under one centralized platform.
  • VWAN automatically deploys one hub in each chosen region, giving you a hub-and-spoke design by default.
  • Classic site-to-site VPN gateways support a maximum of 10, 30 and 100 tunnels in the Basic, Standard and HighPerformance SKUs. VWAN supports up to 1000 branch connections per hub, with 20 Gbps of aggregate VPN throughput per hub.
  • In both VNet peering and VWAN, traffic between VNets stays private on the Microsoft backbone (it is not encrypted end to end by default; Azure applies MACsec only where traffic leaves a datacenter), but putting a firewall in the path is far easier with VWAN (a secured hub with Azure Firewall) than with plain VNet peering.
  • VWAN deploys most of the above services across all availability zones in a region, making it more reliable and scalable without any manual intervention.
  • Virtual WAN provides many functions in a single pane of glass: site-to-site VPN, user/point-to-site VPN, ExpressRoute, virtual network connectivity, VPN-to-ExpressRoute interconnectivity, VNet-to-VNet transitive connectivity, centralized routing, Azure Firewall and Firewall Manager security, monitoring, ExpressRoute encryption and more. Pick and choose what you want.

More information is available in the Microsoft documentation. All reference links are provided at the end of the article.

Now, the title of this article is not "Why VWAN?"; it says "Deploying VWAN using Terraform & Azure DevOps". So let's jump into the deployment.

26/03/2022

How to build subscription based security around Azure functions

Working in a company which deals with hundreds of client Azure tenants showed me how different it is from working on your own tenant.

Recently I worked on a subscription-based service and I want to show you how to build the security walls around your Azure Functions.

Here is an example of a subscription service which caters differently for each client based on their type of subscription: Free, Paid or Premium.

11/03/2022

React Js Modularity - Breaking a monolith react component into modular components

Earlier, in 2017, I wrote a few articles on the basics of SharePoint Framework, the use of React JS and the React JS component life cycle.

But most of the SPFx web parts I created were task oriented, not application oriented, which means the React components were small.

Now I am working on product/application-level components which are complex and big.

Here is a screenshot of a POC I am currently working on.


10/02/2022

Azure PIM Provisioning and Configuration

Setting up the PIM Administrator

Global Admins enable PIM and create the PIM Admin role assignment.

PIM Admin Account Pre-requisites:

The PIM admin account (like every user managed through PIM) needs a licence that includes Azure AD Premium P2 (now Microsoft Entra ID P2). Either of the following satisfies that; you do not need both:

  1.  Azure AD Premium P2 (standalone)
  2.  Enterprise Mobility + Security (EMS) E5, which bundles P2

PIM Admin Setup:

1. Log in to the Azure portal as Global Admin and navigate to Azure Active Directory.

2. Under Featured highlights, click Privileged Identity Management.
3. Click "Azure AD roles" in the left pane, then navigate to "Roles".
4. Search for "privileged role administrator".

5. Click the "Privileged Role Administrator" role, then click "Add assignments".
6. Use the configuration below:

Field                 | Value              | Reason
----------------------|--------------------|-------------------------------------------------------------
Selected Member(s)*   | PIM Admin Account  | The account that will be permanently treated as the PIM admin
Assignment type       | Eligible           | The PIM admin account is always eligible but not active; the admin must activate the role every time PIM configuration needs to change, so a compromised account has no standing privilege
Permanently eligible  | YES                | Always eligible, never permanently active

 7. PIM Admin setup is finished.

24/05/2021

Data Persistence Models in Docker Containers

A container image is built from layers: a minimal subset of an OS, then the container filesystem, then the application layer, and possibly a hosting-platform layer, each stacked on the one below. All of these image layers are read-only.

On top of them the runtime adds a thin writable layer, the container layer.

Data written to the container layer survives a stop/start of that container but is lost forever when the container is deleted. It is also isolated to that one container and cannot be shared with other containers.

So let's look at better data persistence models for sharing data between different containers on a host.


Volumes and bind mounts are the two ways of persistent storage available on a host which multiple containers can access (read/write).

A volume is storage created and managed by Docker (under /var/lib/docker/volumes on Linux). No container can reach outside the boundaries Docker sets when working with volumes.

A bind mount exposes a path from the host filesystem directly. If malicious code runs in a container with a bind mount, it can damage the host by manipulating anything under that path with whatever permissions the container process has; bind-mounting sensitive paths such as /, /etc or the Docker socket effectively hands the container the host. Where the container only needs to read, mount read-only (:ro).

By now you should have understood that a volume is the better and safer way of storing and sharing data between containers. Let me show you with a demonstration.