Use Managed Identities for OpenAI Service Instances

Risk Level: Medium (should be achieved)

Rule ID: AIServices-004

Ensure that your Azure OpenAI service instances are using system-assigned and/or user-assigned managed identities to allow secure access to other cloud protected resources such as Azure key vaults. Managed identities minimizes risks, simplifies management, and maintains compliance with evolving cloud services.

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

Operational
excellence

Using system-assigned and/or user-assigned managed identities for Azure OpenAI instances enhances security by allowing the OpenAI service to authenticate and authorize with Azure services and resources without the need for explicit credentials. This reduces the risk associated with credential management, allows granular control over access permissions, and provides a seamless and more secure integration with other Azure cloud components.

Audit

To determine if your Azure OpenAI service instances are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Azure OpenAI blade at https://portal.azure.com/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/OpenAI.

03 Select the Azure subscription that you want to examine from the Subscription equals all filter box, and choose Apply.

04 Click on the name (link) of the Azure OpenAI service instance that you want to examine. An OpenAI service instance has Kind set to OpenAI.

05 In the navigation panel, under Resource Management, select Identity, and perform the following checks to determine if the selected Azure OpenAI service instance is using managed identities:

Select the System assigned tab and check the configuration setting status available under Status. If Status is set to Off, the selected OpenAI instance is not using a system-assigned managed identity.
Select the User assigned tab and check for any user-assigned managed identities associated with the selected instance. If there are no user identities listed on this page, instead the following message is displayed: No user assigned managed identities found on this resource, the selected OpenAI instance is not using user-assigned managed identities.

06 Repeat steps no. 4 and 5 for each Azure OpenAI service instance available within the selected subscription.

07 Repeat steps no. 3 – 6 for each subscription created in your Microsoft Azure cloud account.

Using Azure CLI

01 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure OpenAI service instance available in the current subscription:

az cognitiveservices account list
  --output table
  --query '[?(kind==`OpenAI`)].{name:name, resourceGroup:resourceGroup}'

02 The command output should return the requested OpenAI service instance identifiers:

Name                           ResourceGroup
---------------------------    ------------------------------
tm-openai-project5-instance    cloud-shell-storage-westeurope
tm-openai-workspace-server     cloud-shell-storage-westeurope

03 Run cognitiveservices account identity show command (Windows/macOS/Linux) with the name of the Azure OpenAI service instance that you want to examine as the identifier parameter and custom output filters to determine the type of the managed identity (i.e. system-assigned and/or user-assigned) configured for the selected OpenAI instance:

az cognitiveservices account identity show
  --name tm-openai-project5-instance
  --resource-group cloud-shell-storage-westeurope
  --query '{"IdentityType":type}'

04 The command output should return the identity type used by the selected OpenAI service instance:

{
	"IdentityType": "None"
}

If the cognitiveservices account identity show command output returns null or "None" for the "IdentityType" attribute, as shown in the example above, the selected Azure OpenAI service instance is not using a system-assigned and/or user-assigned managed identity to authenticate to other Azure cloud services.

05 Repeat steps no. 3 and 4 for each Azure OpenAI instance available in the selected Azure subscription.

06 Repeat steps no. 1 – 5 for each subscription created in your Microsoft Azure cloud account.

Remediation / Resolution

To ensure that your Microsoft Azure OpenAI service instances are configured to use system-assigned and/or user-assigned managed identities, perform the following operations:

Using Azure Console

01 Sign in to the Azure Management Console.

02 Navigate to Managed Identities blade available at https://portal.azure.com/#browse/Microsoft.ManagedIdentity%2FuserAssignedIdentities.

03 Choose + Create and perform the following actions to create a new user-assigned managed identity:

For Basics, choose the correct subscription and resource group, provide a unique name for the new managed identity, then select the Azure region where your cloud resources are deployed. Choose Next to continue the setup process.
For Tags, use the Name and Value fields to create tags that will help organize the identity of the identity. Choose Review + create to validate the identity setup.
For Review + create, review the resource configuration details, then choose Create to create your new user-assigned managed identity.

04 Navigate to Azure OpenAI blade at https://portal.azure.com/#view/Microsoft_Azure_ProjectOxford/CognitiveServicesHub/~/OpenAI.

05 Select the Azure subscription that you want to access from the Subscription equals all filter box, and choose Apply.

06 Click on the name (link) of the Azure OpenAI service instance that you want to configure.

07 In the navigation panel, under Resource Management, select Identity, and perform the following actions to enable system-assigned and user-assigned managed identities for the selected Azure OpenAI service instance:

Choose the System assigned tab and select On under Status to enable the system-assigned managed identity for the selected Azure OpenAI service instance. Choose Save and select Yes to confirm the changes. The selected OpenAI instance is now registered with Microsoft Entra ID, eliminating the need to store credentials in your code.
Select the User assigned tab, choose + Add, select the appropriate Azure subscription from the Select a subscription dropdown list, and choose the user-assigned managed identity created earlier in the Remediation process, from the User assigned managed identities list. Choose Add to apply the configuration changes.

08 Repeat steps no. 6 and 7 for each Azure OpenAI service instance that you want to configure, available within the selected Azure subscription.

09 Repeat steps no. 5 – 8 for each subscription available in your Microsoft Azure cloud account.

Using Azure CLI And PowerShell

01 Run cognitiveservices account identity assign command (Windows/macOS/Linux) to enable the system-assigned managed identity for the selected Azure OpenAI service instance:

az cognitiveservices account identity assign
  --name tm-openai-project5-instance
  --resource-group cloud-shell-storage-westeurope

02 The command output should return the configuration information available for the configured identity:

{
	"principalId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"tenantId": "abcdabcd-abcd-1234-abcd-abcdabcdabcd",
	"type": "SystemAssigned",
	"userAssignedIdentities": null
}

03 Run New-AzUserAssignedIdentity PowerShell command (cmdlet) to create a new user-assigned managed identity for your Azure OpenAI service instance:

New-AzUserAssignedIdentity -Name "tm-openai-user-identity" -ResourceGroupName "cloud-shell-storage-westeurope" -Location westeurope | Select-Object -Property Id

04 The command output should return the full ID of the new user-assigned managed identity:

Id
--
/subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tm-openai-user-identity

05 Run Set-AzCognitiveServicesAccount PowerShell command (cmdlet) to add your new user-assigned managed identity to the selected Azure OpenAI service instance:

Set-AzCognitiveServicesAccount -ResourceGroupName cloud-shell-storage-westeurope -name tm-openai-project5-instance -IdentityType UserAssigned -UserAssignedIdentityId /subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourcegroups/cloud-shell-storage-westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/tm-openai-user-identity

06 The command output should return the configuration information available for the modified OpenAI instance:

ResourceGroupName             : cloud-shell-storage-westeurope
AccountName                   : tm-openai-project5-instance
Id                            : /subscriptions/abcdabcd-abcd-1234-abcd-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-openai-project5-instance
Endpoint                      : https://tm-openai-project5-instance.openai.azure.com/
Location                      : westeurope
Sku                           : Microsoft.Azure.Management.CognitiveServices.Models.Sku
AccountType                   : OpenAI
ResourceType                  : Microsoft.CognitiveServices/accounts
ProvisioningState             : Succeeded
CustomSubDomainName           : tm-openai-project5-instance
PublicNetworkAccess           : Enabled
Identity                      : Microsoft.Azure.Management.CognitiveServices.Models.Identity
UserOwnedStorage              :
PrivateEndpointConnections    : {}
ApiProperties                 :
Properties                    : Microsoft.Azure.Management.CognitiveServices.Models.AccountProperties
RestrictOutboundNetworkAccess :
AllowedFqdnList               :
DisableLocalAuth              :
NetworkRuleSet                : Microsoft.Azure.Commands.Management.CognitiveServices.Models.PSNetworkRuleSet
Capabilities                  : {VirtualNetworks, CustomerManagedKey, MaxFineTuneCount, MaxRunningFineTuneCount…}
Tags                          : {}

07 Repeat steps no. 1 - 7 for each Azure OpenAI service instance that you want to configure, available in the selected Azure subscription.

08 Repeat steps no. 1 – 8 for each subscription available in your Microsoft Azure cloud account.

References

Azure Official Documentation
What are managed identities for Azure resources?
How to configure Azure OpenAI Service with Microsoft Entra ID authentication
Manage user-assigned managed identities

Azure Command Line Interface (CLI) And PowerShell Documentation
az cognitiveservices account list
az cognitiveservices account identity show
az cognitiveservices account identity assign
New-AzUserAssignedIdentity
Set-AzCognitiveServicesAccount

Publication date Aug 14, 2024

Audit

Using Azure Console

Using Azure CLI

Remediation / Resolution

Using Azure Console

Using Azure CLI And PowerShell

References

Related AIServices rules