Added new feature to integrate azure services using managed identities

.gitignore

@@ -35,3 +35,4 @@ next-env.d.ts
 .azure/
 infra/aad_setup.sh
 .vscode
+infra/main.parameters.example.json

docs/10.managed-identities.md

@@ -0,0 +1,52 @@
+# Using Managed Identities for Azure Chat Solution Accelerator
+
+### Introduction
+
+The Azure Chat Solution Accelerator powered by Azure OpenAI Service allows organizations to deploy a private chat tenant with enhanced security and control over their data. One of the new features is the support for Managed Identities, adding a layer of security by eliminating the need for managing service principals and secrets manually.
+
+### Security Advantages of Managed Identities
+
+**Managed Identities** for Azure resources provide the following benefits:
+
+1. **Improved Security**:
+    - **No Secret Management**: Eliminates the need to manually store and manage credentials or keys.
+    - **Automatic Rotation**: Managed Identities’ credentials are rotated automatically, eliminating potential security risk from non-rotated credentials.
+    - **Scope Limited Access**: Access to Azure resources can be fine-grained, allowing least-privilege access policies.
+
+2. **Simplified Management**:
+    - **Platform Managed**: The Azure platform handles identity creation and lifecycle management.
+    - **Simplified Resource Access**: Applications can request tokens to access resources without handling secrets.
+
+### List of Services Using Managed Identities
+
+The following services within the Azure Chat Solution Accelerator use Managed Identities for authentication:
+
+1. **Azure OpenAI Service**
+2. **Azure Cosmos DB**
+3. **Azure Cognitive Services (e.g., Document Intelligence, Azure OpenAI Dalle)**
+4. **Azure Search Service**
+5. **Azure Storage Account**
+
+> **Note:** Currently, due to compatibility issues, the Speech Service does not utilize Managed Identities. There is no available documentation for using Entra ID authentication with the Speech Service, making it a `TODO` item.
+
+### Preferred Production Deployment
+
+Using Managed Identities is preferred for production deployments due to:
+
+1. **Enhanced Security**: Eliminates risks associated with secret management such as accidental exposure or non-rotation of credentials.
+2. **Compliance and Governance**: Managed Identities integrate with Azure's role-based access control (RBAC), facilitating easier audits and compliance management.
+3. **Operational Efficiency**: Reduces the operational overhead of managing secrets, while also providing a more straightforward implementation.
+
+### Deploy to Azure with Managed Identities
+
+To deploy the application to Azure App Service with Managed Identities, follow the standard deployment instructions available in the [Deploy to Azure - GitHub Actions](https://github.com/microsoft/azurechat) section of the repository. Ensure to:
+
+1. **Update the Parameter**:
+   - Set the parameter `disableLocalAuth` to `true` to use Managed Identities.
+1. **Remove  Parameter**:
+After deployment remove the value in AZURE_OPENAI_API_KEY (if there is any) in the Environment Variables of the WebApp, the openai npm package requires this to be empty if using EntraID Authentication.
+
+
+### Conclusion
+
+By leveraging Managed Identities, you enhance the security posture of your Azure Chat deployment while simplifying secret management and access control. This guide outlines the security advantages and highlights the necessary parameter changes to ensure a secure and efficient production setup. For more details, review the complete code and configurations available in the repository's `infra` directory.

infra/main.bicep

@@ -60,6 +60,10 @@ resource rg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
   tags: tags
 }
 
+//Activates/Deactivates Authentication by key, if true it will enforce RBAC using managed identities
+param disableLocalAuth  bool = false
+
+
 module resources 'resources.bicep' = {
   name: 'all-resources'
   scope: rg
@@ -88,6 +92,7 @@ module resources 'resources.bicep' = {
     storageServiceSku: storageServiceSku
     storageServiceImageContainerName: storageServiceImageContainerName
     location: location
+    disableLocalAuth:disableLocalAuth
   }
 }