How to Set Microsoft Entra ID as Identity Provider
Introduction
This basic tutorial demonstrates how to configure Microsoft Entra ID and use it as an identity and access management solution for AI DIAL users.
In AI DIAL, you can assign roles to Models and Applications to restrict the number of tokens that can be transmitted in a specific time frame. These roles and their limitations can be created in external systems and then assigned in AI DIAL's configuration.
Configuration Guidelines
Configure Microsoft Entra ID
Note: Replace <chat_url> with the actual address of your AI DIAL Chat application.
Follow these steps to configure Microsoft Entra ID:
- Register Application: refer to Microsoft documentation for detailed instructions on how to register an application:
  - Name: e.g. ai-dial-chat
  - Supported account types: e.g. Accounts in this organizational directory only (Single tenant)
  - Redirect URI: Web + <chat_url>/api/auth/callback/azure-ad
- Create Client secret: in the Certificates & secrets/Client secrets section, create New client secret and save its value. Refer to Microsoft documentation.
- Gather facts: to proceed with DIAL configuration, collect the following information from Microsoft Entra ID:
  - In App registrations/App registration name/Overview, save Application (client) ID (<azure_client_id>) and Directory (tenant) ID (<azure_tenant_id>).
  - In App registrations/App registration name/Certificates & secrets, save the Client secret value (<azure_client_secret>).
- (Optional, RBAC) Create a Group and add members: once the application integration is set up, create groups and add members to them. Refer to Microsoft documentation.
- (Optional, RBAC) Add Groups to application: in the Enterprise applications/Application name/Users and groups section, add the created groups to the application. On the free tier you can assign only users, not groups, which also works.
- (Optional, RBAC) Configure ID Token: in the App registrations/App registration name/Token Configuration section, select Add groups claim and customize which groups you want to include, e.g.:
  - Select group types to include in Access, ID, and SAML tokens: Groups assigned to the application
  - Customize token properties by type: Group ID
Note: There are important caveats to be aware of when using group claims in Microsoft Entra ID.
Configure AI DIAL
By configuring both AI DIAL Chat and AI DIAL Core with the necessary environment variables, you enable them to work together with the identity provider for authentication and authorization.
AI DIAL Chat Settings
Add the following environment variables to AI DIAL Chat configuration. Refer to AI DIAL Chat for more details.
AUTH_AZURE_AD_CLIENT_ID: "<azure_client_id>"
AUTH_AZURE_AD_TENANT_ID: "<azure_tenant_id>"
AUTH_AZURE_AD_SECRET: "<azure_client_secret>"
AUTH_AZURE_AD_SCOPE: "openid profile <azure_client_id>/.default email offline_access"
Tip: The application scope added above is required to validate the signature of the access token.
AI DIAL Core Settings
Add the following parameters to AI DIAL Core static settings:
Note: generate a random string for the loggingSalt parameter, e.g. using pwgen -s 32 1
aidial.identityProviders.azure.jwksUrl: "https://login.microsoftonline.com/<azure_tenant_id>/discovery/v2.0/keys"
aidial.identityProviders.azure.issuerPattern: '^https:\/\/sts\.windows\.net.+$'
aidial.identityProviders.azure.loggingKey: "sub"
aidial.identityProviders.azure.loggingSalt: "loggingSalt"
aidial.identityProviders.azure.rolePath: "groups"
Assignment of Roles
Warning: RBAC-related steps from Configure Microsoft Entra ID must be completed before proceeding with this section.
To limit access to AI DIAL resources based on Microsoft Entra ID Groups, configure AI DIAL Core by adjusting the Dynamic settings: set the userRoles parameter to align with the desired Microsoft Entra ID group names.
In the provided example, users assigned to the azure-group-name group will have access to the gpt-35-turbo model.
{
  "models": {
    "gpt-35-turbo": {
      "type": "chat",
      "endpoint": "http://localhost:5000/v1/openai/deployments/gpt-35-turbo/chat/completions",
      "upstreams": [
        {
          "endpoint": "https://[REDACTED].openai.azure.com/openai/deployments/gpt-35-turbo/chat/completions",
          "key": "[REDACTED]"
        }
      ],
      "userRoles": [
        "azure-group-name"
      ]
    }
  }
}
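How the AI DIAL Core settings above fit together, as an added Python example that is not DIAL's own code: it checks an already verified token's issuer against issuerPattern, reads the roles found at rolePath, and intersects them with each model's userRoles. The salted hash for the logging identifier, the dotted-path lookup, and treating a model without userRoles as open are assumptions, and signature verification against jwksUrl is assumed to have happened before this point.

```python
import hashlib
import re

# Constructed settings mirroring the AI DIAL Core static settings on this page.
CORE_SETTINGS = {
    "issuerPattern": r"^https:\/\/sts\.windows\.net.+$",
    "loggingKey": "sub",
    "loggingSalt": "loggingSalt",  # replace with a random string, e.g. pwgen -s 32 1
    "rolePath": "groups",
}

# Constructed dynamic settings: one model guarded by a userRoles list.
MODELS = {"gpt-35-turbo": {"userRoles": ["azure-group-name"]}}

# Constructed claim set of a token whose signature was already verified
# against jwksUrl (verification is assumed, not shown here).
CLAIMS = {
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "sub": "constructed-subject-identifier",
    "groups": ["azure-group-name"],
}


def issuer_allowed(claims, pattern):
    """True when the iss claim fully matches issuerPattern."""
    return re.fullmatch(pattern, claims.get("iss", "")) is not None


def claim_at_path(claims, path):
    """Resolve a dotted rolePath (assumed syntax) such as "groups"; always returns a list."""
    node = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def logging_id(claims, key, salt):
    """Hypothetical salted SHA-256 of the loggingKey claim, so logs never carry the raw sub."""
    return hashlib.sha256((salt + str(claims.get(key, ""))).encode()).hexdigest()


def accessible_models(claims, settings, models):
    """Models whose userRoles intersect the token's roles; no userRoles means open (assumption)."""
    if not issuer_allowed(claims, settings["issuerPattern"]):
        return []
    roles = set(claim_at_path(claims, settings["rolePath"]))
    return sorted(name for name, cfg in models.items()
                  if not cfg.get("userRoles") or roles & set(cfg["userRoles"]))
```

With Group ID selected in the token configuration, the groups claim carries group object IDs rather than display names, so userRoles must list those IDs for the intersection to match.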