Azure OpenAI

Enhanced Advanced

This document provides instructions for implementing Microsoft Azure OpenAI OAuth integrations with Posit Connect through Microsoft Entra ID. System administrators will learn how to configure secure authentication pathways for both individual user accounts and service accounts, ensuring proper resource access controls. The integration enables authorized Connect users to leverage Azure OpenAI resources within published content.

Create application in Microsoft Entra ID

Register application

The Azure administrator registers a new OAuth Application in Microsoft Entra ID. Application registration will have different requirements depending on the authentication type of the OAuth integration in Posit Connect:

Viewer Integration

The Azure administrator adds a redirect_uri for the OAuth application as seen in the screenshot below. Azure sends the user credentials to the redirect_uri at the end of the OAuth handshake, allowing Posit Connect to obtain a temporary access token and refresh token.

The OAuth application is configured with the following redirect URL (sometimes referred to as a callback URL): https://connect.example.org/__oauth__/integrations/callback. Replace connect.example.org with the address of the Connect server.

Note

For OAuth application administrators who prefer to use the same OAuth application for both Posit Connect and Posit Workbench, simply register the Workbench redirect URL (https://workbench.example.org/oauth_redirect_callback) in addition to the Connect redirect URL.

The Register OAuth App page of the Azure Console.

Service Account Integration

Service account integrations do not direct the user through a login flow, so a redirect_uri is not required.

Add API permissions

In the API permissions section, the Azure administrator adds the required permissions for the OAuth application. API permissions define the capabilities granted to the user when they request credentials from this OAuth application. These permissions are also referred to as scopes.

Depending on which permissions are required, the Azure administrator provides additional scope values to the Connect administrator.

A scope is also referred to as a Resource App ID in the Azure console. See the Azure documentation to learn more about API permissions and scopes.

Choose only the permissions that are required by your application.

Note

The Microsoft Cognitive Services/user_impersonation permission uses the following scope value https://cognitiveservices.azure.com/.default. This scope allows Connect to access the viewer’s OpenAI resources. This documentation uses the OpenAI permission as an example but all Azure API permissions are supported.

To allow users to access their Azure OpenAI resources using this OAuth application, add a permission for Microsoft Cognitive Services/user_impersonation as seen below:

The API Permissions section of the Azure Console with an added permission for `Microsoft Cognitive Services/user_impersonation`.

Set up client authentication

The Azure administrator decides whether this OAuth application requires client authentication. Client authentication requirements will differ depending on the authentication type of the OAuth integration in Posit Connect:

Viewer integration

For Confidential OAuth applications, the Azure administrator adds a new client secret under the Certificates & secrets section.

Role assignment

A viewer can only interact with an Azure OpenAI resource if they are assigned the Cognitive Services OpenAI User role by an Azure administrator.

Service account integration

Service Account integrations require a client secret, which represents the service account identity being used by the Connect Server. The Azure administrator adds a new secret under the Certificates & secrets section.

Role assignment

An Azure administrator must assign the Cognitive Services OpenAI User role to the registered Enterprise Application.

Transfer information to Connect administrator

The Azure administrator then shares the following information with the Posit Connect administrator:

Field          Description
tenant_id      The unique identifier of the organization in Azure (Microsoft Entra ID).
client_id      The unique identifier of the application in Azure (Microsoft Entra ID).
client_secret  The secret string configured under Certificates & secrets.
scopes         Permissions supported by the OAuth application. Only include the scopes required by Connect.

Copy tenant ID and client ID.

Create OAuth integration in Posit Connect

The Posit Connect administrator creates an integration through the dashboard's System > Integrations settings. Once the OAuth integration has been created in Connect, it is available for use by all publishers.

Note

The OAuth scope https://cognitiveservices.azure.com/.default is a reference to the Microsoft Cognitive Services/user_impersonation permission that allows deployed content on Connect to access protected Azure OpenAI resources.

For more information about defining scopes, see the Add API permissions section above.

Create Azure OpenAI OAuth integration.

Alternatively, the example below shows how to create a Confidential Viewer Azure OAuth integration using curl and the Connect Server API.

Note

Replace connect.example.org with the address of the Connect server.

Terminal
curl -H "Authorization: Key ${CONNECT_API_KEY}" \
  -XPOST https://connect.example.org/__api__/v1/oauth/integrations \
  --data '{
    "template": "azure-openai",
    "name": "Azure OpenAI OAuth integration",
    "description": "A helpful description for publishers to use when choosing an OAuth integration for their content.",
    "config": {
      "auth_type": "Viewer",
      "tenant_id": "<azure-tenant-id>",
      "client_id": "<azure-client-id>",
      "client_secret": "<azure-client-secret>",
      "scopes": "https://cognitiveservices.azure.com/.default offline_access"
    }
  }'
# 200 OK
# {"guid": "<oauth-integration-guid>", ... }
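The curl call above covers the Viewer case. As an added example (not part of the Posit documentation and not Connect's or Azure's own code), the Python script below builds the same request body for either authentication type, refuses the placeholder values from the table above before they reach Connect, and submits the body to the Connect Server API. It assumes the `auth_type` values `"Viewer"` and `"Service Account"`, the environment variable names `CONNECT_URL`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` (`CONNECT_API_KEY` is the page's own), and two Microsoft identity platform rules that the page does not spell out: `offline_access` is the scope that yields the refresh token a Viewer integration relies on, and the client credentials grant used by a Service Account integration accepts only `/.default` scopes.

```python
"""Build and submit an Azure OpenAI OAuth integration to the Posit Connect Server API.

Added example: not part of the Posit documentation or of Connect itself.
"""
import json
import os
import sys
import urllib.request

CONNECT_INTEGRATIONS_PATH = "/__api__/v1/oauth/integrations"
AZURE_OPENAI_SCOPE = "https://cognitiveservices.azure.com/.default"
# In the Microsoft identity platform, offline_access is the scope that yields a refresh
# token; a Viewer integration needs one so Connect can renew the viewer's access token.
OFFLINE_ACCESS_SCOPE = "offline_access"
# Assumed auth_type values accepted by the Connect integration config.
AUTH_TYPES = ("Viewer", "Service Account")


def build_integration_payload(auth_type, tenant_id, client_id, client_secret,
                              scopes=None, name="Azure OpenAI OAuth integration",
                              description="Azure OpenAI access for published content"):
    """Return the JSON body for POST /__api__/v1/oauth/integrations, or raise ValueError."""
    if auth_type not in AUTH_TYPES:
        raise ValueError(f"auth_type must be one of {AUTH_TYPES}, got {auth_type!r}")
    # Catch the documentation placeholders (<azure-tenant-id> etc.) before they reach Connect.
    for label, value in (("tenant_id", tenant_id), ("client_id", client_id)):
        if not value or value.startswith("<"):
            raise ValueError(f"{label} looks unset or is still a placeholder: {value!r}")
    if auth_type == "Service Account" and not client_secret:
        raise ValueError("Service Account integrations require a client secret")

    scope_list = list(scopes) if scopes else [AZURE_OPENAI_SCOPE]
    if any(not s or " " in s for s in scope_list):
        raise ValueError("scopes must be non-empty and contain no whitespace")
    if auth_type == "Viewer":
        if OFFLINE_ACCESS_SCOPE not in scope_list:
            scope_list.append(OFFLINE_ACCESS_SCOPE)
    else:
        # Client credentials grant: Entra ID accepts only /.default scopes, and there is
        # no user session to keep alive, so offline_access is dropped rather than sent.
        scope_list = [s for s in scope_list if s != OFFLINE_ACCESS_SCOPE]
        bad = [s for s in scope_list if not s.endswith("/.default")]
        if bad:
            raise ValueError(f"Service Account scopes must end in /.default: {bad}")

    return {
        "template": "azure-openai",
        "name": name,
        "description": description,
        "config": {
            "auth_type": auth_type,
            "tenant_id": tenant_id,
            "client_id": client_id,
            "client_secret": client_secret,
            # Connect takes scopes as a single space-separated string, as in the curl example.
            "scopes": " ".join(scope_list),
        },
    }


def create_integration(server_url, api_key, payload, opener=urllib.request.urlopen, timeout=30):
    """POST the payload to Connect and return the decoded JSON response.

    `opener` is injectable so the request can be exercised without a live server.
    """
    if not server_url.startswith("https://"):
        raise ValueError("server_url must use https: the API key and client secret are in this request")
    request = urllib.request.Request(
        server_url.rstrip("/") + CONNECT_INTEGRATIONS_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Key {api_key}", "Content-Type": "application/json"},
        method="POST",
    )
    with opener(request, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))


if __name__ == "__main__":
    # Secrets come from the environment, never from the command line or the script itself.
    # CONNECT_API_KEY is the page's own variable; the other names are this example's.
    env = {k: os.environ.get(k, "") for k in
           ("CONNECT_URL", "CONNECT_API_KEY", "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")}
    auth_type = sys.argv[1] if len(sys.argv) > 1 else "Viewer"
    body = build_integration_payload(auth_type, env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
                                     env["AZURE_CLIENT_SECRET"])
    result = create_integration(env["CONNECT_URL"], env["CONNECT_API_KEY"], body)
    print("created integration", result.get("guid"))
```

Run it as `python create_integration.py Viewer` or `python create_integration.py "Service Account"` with the variables exported. The placeholder and scope checks run before anything is sent, so a mis-pasted tenant ID or a Service Account integration configured with a Viewer-style scope string fails locally rather than producing an integration that only breaks when content first requests a token.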