Added new feature to integrate azure services using managed identities

[FreddyAyala]

This pull request introduces:

• support for Managed Identities, enhancing security and simplifying secret management. Key changes include updates to documentation, infrastructure templates, and backend TS classes.
• add_localdev_roles.ps1 helper script - add the required RBAC roles to the locally logged-in user to enable local dev.
• appreg_setup.ps1 - automated creation of the App Registration in Entra and updates the web app too.
• Debug logging: set the DEBUG=true environment variable and you'll get extensive logging from the app (warning, may contain secrets/private info)

Documentation Updates:

• Added a new section on using Managed Identities for the Azure Chat Solution Accelerator, detailing security advantages, services using Managed Identities, and deployment instructions: docs/10.managed-identities.md
• Added "What's New" to the main README.md

Infrastructure Updates:

• Introduced a new parameter disableLocalAuth in infra/main.bicep to toggle authentication by key, enforcing RBAC using Managed Identities. (infra/main.bicep) [1] [2]
• Updated infra/main.json to include the disableLocalAuth parameter and its usage across various Azure services configurations. (infra/main.json) [1] [2] [3] [4] [5] [6] [7] [8] [9] [10]

Deployment Configuration:

• The bicep files now output the majority of the environment variables required for the app to run -- they are stored in the azd environment (/.azure/<env_name>/.env) this enables developers (or Copilot) to copy most of the values directly into .env.local
• Modified the deployment instructions to ensure the parameter disableLocalAuth is set to true for using Managed Identities and updated environment variables accordingly. (infra/main.json) [1] [2]

These changes collectively enhance the security posture of the Azure Chat deployment by leveraging Managed Identities, while also simplifying secret management and access control.

Code changes:

• modified various backend classes to use DefaultAzureCredential
• Added debug logging statements and DEBUG environment variable

New Scripts:

• add_localdev_roles.ps1 - adds the required RBAC roles to the locally logged-in user to enable local dev
• appreg_setup.ps1 - automated creation of the App Registration

[FreddyAyala]

Hey there @thivy @davidxw ,
I've spent the last few days adding a new feature that enables the use of managed identities with the accelerator, except for Azure Speech, which I couldn't get to work reliably with managed identities and TypeScript.
As you might know, the FSI initiative is locking down tenants and enforcing the use of managed identities for internal tenants, particularly for CosmosDB. This change broke our solution, so I took the time to modify the infrastructure code and application services to support managed identities. This enhancement allows us to eliminate the risks associated with key sharing and deploy the solution in locked-down tenants.
Please take a look when you have a chance. I've conducted extensive testing to ensure everything works correctly.

[pyrox82]

Hi, any updates on this? I would really like to use this solution with managed identities.

Thank you in advance.

Copilot reviewed 6 out of 13 changed files in this pull request and generated no suggestions.

Files not reviewed (7)

• infra/main.bicep: Language not supported
• infra/main.json: Language not supported
• infra/resources.bicep: Language not supported
• src/package.json: Language not supported
• src/features/common/services/document-intelligence.ts: Evaluated as low risk
• src/features/common/services/openai.ts: Evaluated as low risk
• src/features/chat-page/chat-services/chat-document-service.ts: Evaluated as low risk

Comments skipped due to low confidence (2)

src/features/common/services/ai-search.ts:24

• Rename function to follow camelCase convention: getCredential.

export const GetCredential = () => {

src/features/common/services/azure-storage.ts:20

• [nitpick] The error message should specify the exact environment variable name, e.g., "AZURE_STORAGE_ACCOUNT_NAME or AZURE_STORAGE_ACCOUNT_KEY environment variable is not set".

throw new Error("Azure Storage Account not configured correctly, check environment variables.");

[leongj]

Hey @FreddyAyala thanks so much for the work you've put into this PR, it looks great.
Let's change a few things if that's ok:

1. debug logging - connectivity logging is good, but let's remove any logging that contains actual data (e.g. the AI search queries and responses) or credentials (please check some of the connection logging).
2. local user MI - to support local dev -- can we please add a script that assigns the local user (e.g. az login) with the required IAM roles -- that will make local dev easier. Happy if we want to call this script directly from azd
3. other stuff - a few other things that I made comments on directly above

[leongj]

@thivy @davidxw @FreddyAyala this PR is now ready for your review and testing! Thanks so much Freddy for the original work you did on this one.