Refactor Azure credential retrieval to use AZURE_CLIENT_ID across multiple modules and update dependencies in pyproject.toml

Author: Abdul-Microsoft

infra/main.bicep

@@ -30,13 +30,20 @@ param solutionUniqueText string = take(uniqueString(subscription().id, resourceG
   'westeurope'
   'uksouth'
 ])
-param location string = 'australiaeast'
+param location string
 
 // Restricting deployment to only supported Azure OpenAI regions validated with GPT-4o model
 @allowed(['australiaeast', 'eastus2', 'francecentral', 'japaneast', 'norwayeast', 'swedencentral', 'uksouth', 'westus'])
-@metadata({ azd: { type: 'location' } })
+@metadata({
+  azd : {
+    type: 'location'
+    usageName : [
+      'OpenAI.GlobalStandard.gpt-4o, 150'
+    ]
+  }
+})
 @description('Optional. Location for all AI service resources. This should be one of the supported Azure AI Service locations.')
-param azureAiServiceLocation string = 'australiaeast'
+param azureAiServiceLocation string
 
 @description('Optional. The tags to apply to all deployed Azure resources.')
 param tags resourceInput<'Microsoft.Resources/resourceGroups@2025-04-01'>.tags = {}
@@ -62,13 +69,13 @@ param virtualMachineAdminUsername string = take(newGuid(), 20)
 param virtualMachineAdminPassword string = newGuid()
 
 @description('Optional. The Container Registry hostname where the docker images for the backend are located.')
-param backendContainerRegistryHostname string = 'biabcontainerreg.azurecr.io'
+param backendContainerRegistryHostname string = 'macaer.azurecr.io'
 
 @description('Optional. The Container Image Name to deploy on the backend.')
 param backendContainerImageName string = 'macaebackend'
 
 @description('Optional. The Container Image Tag to deploy on the backend.')
-param backendContainerImageTag string = 'latest_2025-07-22_895'
+param backendContainerImageTag string = 'dev'
 
 @description('Optional. The Container Registry hostname where the docker images for the frontend are located.')
 param frontendContainerRegistryHostname string = 'biabcontainerreg.azurecr.io'
@@ -77,7 +84,7 @@ param frontendContainerRegistryHostname string = 'biabcontainerreg.azurecr.io'
 param frontendContainerImageName string = 'macaefrontend'
 
 @description('Optional. The Container Image Tag to deploy on the frontend.')
-param frontendContainerImageTag string = 'latest_2025-07-22_895'
+param frontendContainerImageTag string = 'latest'
 
 @description('Optional. Enable/Disable usage telemetry for module.')
 param enableTelemetry bool = true
@@ -1038,6 +1045,10 @@ var cosmosDbResourceName = 'cosmos-${solutionSuffix}'
 var cosmosDbDatabaseName = 'macae'
 var cosmosDbDatabaseMemoryContainerName = 'memory'
 
+resource sqlContributorRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2024-11-15' existing = {
+  name: '${cosmosDbResourceName}/00000000-0000-0000-0000-000000000002'
+}
+
 //TODO: update to latest version of AVM module
 module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
   name: take('avm.res.document-db.database-account.${cosmosDbResourceName}', 64)
@@ -1062,16 +1073,22 @@ module cosmosDb 'br/public:avm/res/document-db/database-account:0.15.0' = {
         ]
       }
     ]
-    dataPlaneRoleDefinitions: [
+    // dataPlaneRoleDefinitions: [
+    //   {
+    //     // Cosmos DB Built-in Data Contributor: https://docs.azure.cn/en-us/cosmos-db/nosql/security/reference-data-plane-roles#cosmos-db-built-in-data-contributor
+    //     roleName: 'Cosmos DB SQL Data Contributor'
+    //     dataActions: [
+    //       'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+    //       'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+    //       'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+    //     ]
+    //     assignments: [{ principalId: userAssignedIdentity.outputs.principalId }]
+    //   }
+    // ]
+    dataPlaneRoleAssignments: [
       {
-        // Cosmos DB Built-in Data Contributor: https://docs.azure.cn/en-us/cosmos-db/nosql/security/reference-data-plane-roles#cosmos-db-built-in-data-contributor
-        roleName: 'Cosmos DB SQL Data Contributor'
-        dataActions: [
-          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
-          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
-          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
-        ]
-        assignments: [{ principalId: userAssignedIdentity.outputs.principalId }]
+        principalId: userAssignedIdentity.outputs.principalId
+        roleDefinitionId: sqlContributorRoleDefinition.id
       }
     ]
     // WAF aligned configuration for Monitoring
@@ -1331,6 +1348,10 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'AZURE_AI_AGENT_MODEL_DEPLOYMENT_NAME'
             value: aiFoundryAiServicesModelDeployment.name
           }
+          {
+            name: 'AZURE_CLIENT_ID'
+            value: userAssignedIdentity.outputs.clientId // NOTE: This is the client ID of the managed identity, not the Entra application, and is needed for the App Service to access the Cosmos DB account.
+          }
         ]
       }
     ]

src/backend/app_config.py

@@ -115,7 +115,7 @@ def get_cosmos_database_client(self):
         try:
             if self._cosmos_client is None:
                 self._cosmos_client = CosmosClient(
-                    self.COSMOSDB_ENDPOINT, credential=get_azure_credential()
+                    self.COSMOSDB_ENDPOINT, credential=get_azure_credential(self.AZURE_CLIENT_ID)
                 )
 
             if self._cosmos_database is None:
@@ -152,7 +152,7 @@ def get_ai_project_client(self):
             return self._ai_project_client
 
         try:
-            credential = get_azure_credential()
+            credential = get_azure_credential(self.AZURE_CLIENT_ID)
             if credential is None:
                 raise RuntimeError(
                     "Unable to acquire Azure credentials; ensure Managed Identity is configured"

src/backend/config_kernel.py

@@ -32,7 +32,7 @@ class Config:
     @staticmethod
     def GetAzureCredentials():
         """Get Azure credentials using the AppConfig implementation."""
-        return get_azure_credential()
+        return get_azure_credential(config.AZURE_CLIENT_ID)
 
     @staticmethod
     def GetCosmosDatabaseClient():

src/backend/context/cosmos_memory_kernel.py

@@ -73,7 +73,7 @@ async def initialize(self):
             if not self._database:
                 # Create Cosmos client
                 cosmos_client = CosmosClient(
-                    self._cosmos_endpoint, credential=get_azure_credential()
+                    self._cosmos_endpoint, credential=get_azure_credential(config.AZURE_CLIENT_ID)
                 )
                 self._database = cosmos_client.get_database_client(
                     self._cosmos_database

src/backend/pyproject.toml

@@ -8,6 +8,7 @@ dependencies = [
     "azure-ai-evaluation>=1.5.0",
     "azure-ai-inference>=1.0.0b9",
     "azure-ai-projects>=1.0.0b9",
+    "azure-ai-agents>=1.2.0b1",
     "azure-cosmos>=4.9.0",
     "azure-identity>=1.21.0",
     "azure-monitor-events-extension>=0.1.0",

src/backend/utils_kernel.py

@@ -172,7 +172,7 @@ async def rai_success(description: str, is_task_creation: bool) -> bool:
     """
     try:
         # Use managed identity for authentication to Azure OpenAI
-        credential = get_azure_credential()
+        credential = get_azure_credential(config.AZURE_CLIENT_ID)
         access_token = credential.get_token(
             "https://cognitiveservices.azure.com/.default"
         ).token