
Azure OpenAI keyless deployment

This sample shows how to provision an Azure OpenAI account and assign your user account an RBAC role that grants access to it, so that you can use the OpenAI API SDKs with keyless (Entra) authentication.

Prerequisites

  • Node.js LTS
  • Azure Developer CLI
  • Git
  • PowerShell 7+ (for Windows users only)
    • Important: Ensure you can run pwsh.exe from a PowerShell command. If this fails, you likely need to upgrade PowerShell.
    • Instead of PowerShell, you can also use Git Bash or WSL to run the Azure Developer CLI commands.
  • Azure account. If you're new to Azure, get an Azure account for free; it comes with free Azure credits to get started. If you're a student, you can also get free credits with Azure for Students.
  • Azure subscription with access enabled for the Azure OpenAI service. You can request access with this form.
  • Azure account permissions:
    • Your Azure account must have Microsoft.Authorization/roleAssignments/write permissions, such as Role Based Access Control Administrator, User Access Administrator, or Owner. If you don't have subscription-level permissions, you must be granted RBAC for an existing resource group and deploy to that existing group by running these commands:
      azd env set AZURE_RESOURCE_GROUP <name of existing resource group>
      azd env set AZURE_LOCATION <location of existing resource group>
      
    • Your Azure account also needs Microsoft.Resources/deployments/write permissions on the subscription level.

Set up the sample

You can run this project directly in your browser by using GitHub Codespaces, which will open a web-based VS Code.

  1. Fork the project to create your own copy of this repository.
  2. On your forked repository, select the Code button, then the Codespaces tab, and click the Create codespace on main button.
  3. Wait for the Codespace to be created; it should take a few minutes.

Provision Azure OpenAI resources

  1. Open a terminal and navigate to the root of the project.
  2. Authenticate with Azure by running azd auth login.
  3. Run azd provision to provision the Azure resources.
    • You will be prompted to select a location for your OpenAI resource. If you're unsure of which location to choose, select eastus2. See OpenAI model availability table for more information.

The deployment process will take a few minutes. Once it's done, a .env file will be created in the root folder with the environment variables needed to run the application.

Run the sample

First make sure you have provisioned the Azure OpenAI resources, and that you have the .env file in the root folder.

  1. Run npm install to install the dependencies.
  2. Run npm start to run the example.

This will use the OpenAI SDK to make a request to the OpenAI API and print the response to the console.

Clean up

To clean up all the Azure resources created by this sample:

  1. Run azd down --purge
  2. When asked if you are sure you want to continue, enter y

The resource group and all the resources will be deleted.

Troubleshooting

If you have any issue when running or deploying this sample, please check the troubleshooting guide. If you can't find a solution to your problem, please open an issue in this repository.

Security

This sample has Managed Identity built in, so developers do not need to manage credentials. Applications can use managed identities to obtain Microsoft Entra tokens without having to handle any secrets in the code. Additionally, we're using the Microsoft Security DevOps GitHub Action to scan the infrastructure-as-code files and generate a report containing any detected issues.

You can learn more about using Managed Identity with Azure OpenAI in this tutorial.
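
Added example (not this sample's own source): a keyless client setup that checks the environment before any Entra token is requested, rejecting a leftover API key or an endpoint that is not an HTTPS Azure OpenAI host. It assumes the `openai` and `@azure/identity` packages are installed; the function names, the `AZURE_OPENAI_DEPLOYMENT` variable and the public-cloud host suffix list are assumptions, not values taken from the generated .env file.

```javascript
// Added example; helper names and AZURE_OPENAI_DEPLOYMENT are hypothetical.
const SCOPE = "https://cognitiveservices.azure.com/.default"; // Entra scope for Azure OpenAI
// Azure public-cloud endpoint suffixes (assumption; extend for other clouds).
const ALLOWED_SUFFIXES = [".openai.azure.com", ".cognitiveservices.azure.com"];

// Validate the environment before a token is requested or sent anywhere.
function keylessOptions(env) {
  // A keyless setup should leave no API key behind in the environment.
  const keys = ["AZURE_OPENAI_API_KEY", "OPENAI_API_KEY"].filter((k) => env[k]);
  if (keys.length > 0) {
    throw new Error(`API key variable set in keyless setup: ${keys.join(", ")}`);
  }
  if (!env.AZURE_OPENAI_ENDPOINT) {
    throw new Error("AZURE_OPENAI_ENDPOINT is not set");
  }
  const url = new URL(env.AZURE_OPENAI_ENDPOINT);
  const host = url.hostname.toLowerCase();
  // Only send the bearer token over TLS to a host with an allowed suffix.
  if (url.protocol !== "https:" || !ALLOWED_SUFFIXES.some((s) => host.endsWith(s))) {
    throw new Error(`Refusing to send Entra token to ${url.origin}`);
  }
  return {
    endpoint: url.origin,
    deployment: env.AZURE_OPENAI_DEPLOYMENT, // hypothetical variable name
    apiVersion: env.OPENAI_API_VERSION,
  };
}

// Build the client with an Entra token provider instead of an API key.
async function createKeylessClient(env = process.env) {
  const options = keylessOptions(env);
  const { DefaultAzureCredential, getBearerTokenProvider } = await import("@azure/identity");
  const { AzureOpenAI } = await import("openai");
  // DefaultAzureCredential uses the developer login locally and a managed identity in Azure.
  const azureADTokenProvider = getBearerTokenProvider(new DefaultAzureCredential(), SCOPE);
  return new AzureOpenAI({ ...options, azureADTokenProvider });
}
```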

Next steps

Here are some resources to learn more about the technologies used in this sample:

You can also find more Azure AI samples here.