Managed identities
Azure OpenAI supports Microsoft Entra ID, the recently rebranded Azure Active Directory (Azure AD) service. If you are already familiar with Azure AD, then you already know about Microsoft Entra ID, as it is the same service with a new name and new capabilities. If you are not familiar with Entra ID, we will not go into too much detail here, but know that it is the authentication and authorization system that has provided centralized identity management for Azure and many other resources for over a decade.
Managed identities let services and resources in a cloud, such as Microsoft Azure, authorize application access to Azure AI service resources using Microsoft Entra ID credentials. So, how is a managed identity different from, say, a service account that uses a service principal name (SPN)?
An application can use a managed identity to obtain a Microsoft Entra security access token without having to manage the credentials, for example without having to reset a password after some time period. SPNs, by contrast, do require credential management, such as regularly changing the password. This additional task makes SPN management less secure: if no policy is in place to enforce a password change after x number of days, the credential may simply never be rotated, whereas a managed identity's credentials are changed automatically by the platform's internal processes. Thus, as a best practice for enabling security controls, always use managed identities with your Azure cloud solutions whenever possible.
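To show what "without having to manage the credentials" means in practice, here is an added example (not from the book) that requests an Entra access token for Azure OpenAI from the managed identity endpoint using only the Python standard library. The endpoint addresses, API versions and headers are assumed from Azure's documented IMDS and App Service identity endpoints; the fake fetch function and its sample reply are constructed so the code runs offline.

```python
"""Added example, not from the book: fetch an Entra access token for Azure OpenAI
from a managed identity with only the standard library. The identity endpoint is
a local HTTP service the platform runs, so the app stores and rotates no secret."""
import json, os
import urllib.parse, urllib.request

OPENAI_RESOURCE = "https://cognitiveservices.azure.com"  # audience for Azure AI services
IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"  # VMs / scale sets

def build_token_request(resource=OPENAI_RESOURCE, client_id=None, env=os.environ):
    """Return (url, headers) for this host's managed identity endpoint.
    App Service / Functions expose IDENTITY_ENDPOINT + IDENTITY_HEADER; otherwise
    IMDS is used. client_id selects a user-assigned identity, None = system-assigned."""
    params = {"resource": resource}
    if client_id:
        params["client_id"] = client_id
    if "IDENTITY_ENDPOINT" in env:
        params["api-version"] = "2019-08-01"
        base, headers = env["IDENTITY_ENDPOINT"], {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
    else:
        params["api-version"] = "2018-02-01"
        base, headers = IMDS_ENDPOINT, {"Metadata": "true"}
    return base + "?" + urllib.parse.urlencode(params), headers

def http_get(url, headers):
    """Real transport: plain GET against the endpoint (only reachable inside Azure)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()

def get_managed_identity_token(resource=OPENAI_RESOURCE, client_id=None,
                               fetch=http_get, env=os.environ):
    """Return {'access_token', 'expires_on'} (epoch seconds) from the endpoint reply."""
    url, headers = build_token_request(resource, client_id, env)
    body = json.loads(fetch(url, headers))
    if body.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type in identity endpoint reply")
    return {"access_token": body["access_token"], "expires_on": int(body["expires_on"])}

def openai_auth_header(token):
    """Authorization header for Azure OpenAI REST calls; replaces the 'api-key' header."""
    return {"Authorization": "Bearer " + token["access_token"]}

def constructed_fake_fetch(url, headers):
    """Constructed stand-in for the identity endpoint so the example runs offline."""
    return json.dumps({"access_token": "constructed.jwt.value", "expires_on": "1700000000",
                       "resource": OPENAI_RESOURCE, "token_type": "Bearer"})
```

Inside Azure, call `get_managed_identity_token()` with the default `fetch` and pass the returned header to your Azure OpenAI request; offline, pass `fetch=constructed_fake_fetch` and `env={}` to exercise the same code path. Tokens expire, so re-request one when `expires_on` approaches rather than caching it indefinitely.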
Key management system
Another important security control and component of any cloud service is a key management system, as secure key management is essential to protecting data in the cloud. A key management solution stores passwords and secrets, application and service keys, and digital certificates.
For example, in the Microsoft Azure cloud, the key management system is called Azure Key Vault. While we will not cover the details of an Azure Key Vault deployment, as this information can easily be found online and is outside the scope of this book, we do want to point out that a key vault/key management system is a critical cloud component and a critical part of a well-designed, secure, generative AI application. Let’s cover a few examples of where we can use a secure key management solution: