Task 01 - Enforce identity-only access to Microsoft Foundry

Introduction

Microsoft Foundry supports multiple authentication modes, including traditional API keys and modern Microsoft Entra ID (managed identity + OAuth). For Responsible AI and enterprise governance, key-based authentication must be disabled because:

  • API keys cannot be scoped or constrained
  • API keys cannot be tied to an identity
  • Key usage cannot be audited per user or system
  • Keys are easily leaked, copied, or shared
  • Keys bypass least-privilege access controls

Description

In this task, you will use GitHub Copilot to review your current authentication configuration, update your Bicep templates to disable API keys and enforce identity-only authentication, and validate that your App Service’s managed identity has the correct RBAC role. You will then test the application to confirm it works using managed identity only. This establishes one of the core foundational controls for Responsible AI in Azure.

Success Criteria

  • You have reviewed the current authentication configuration using Copilot and confirmed no API keys are in use.
  • Bicep templates have been updated to disable API keys and enforce identity-only authentication.
  • The App Service’s system-assigned managed identity has the correct RBAC role (Cognitive Services User) on the Microsoft Foundry workspace.
  • API keys for the Microsoft Foundry workspace are fully disabled.
  • No deployment or endpoint allows key-based access.
  • A test call to your model succeeds using the managed identity, confirming the application works without API keys.

Learning Resources

Key Tasks

01: Review Current Application Authentication

Use GitHub Copilot Chat to verify that your application is using identity-only access for Microsoft Foundry and that no API keys are configured.

  1. Open Copilot Chat in VS Code.

  2. Paste the following prompt into the chat window:

     I need your help validating that my App Service <app-service-name> in
     <resource-group> is using identity-only access for Microsoft Foundry. Please
     look at the following areas to ensure we are not using API Keys: local bicep
     templates, app source code. Ensure that the deployed Azure resources match the
     current bicep configuration for the app service, validate no API keys are
     stored in the configuration, and that managed identity is enabled. If there are
     any discrepancies, suggest fixes for my approval.
    
  3. Review the response from Copilot.

  4. Copilot may ask for approval before using the Azure MCP to check your deployed App Service configuration.

  5. Copilot will use the Azure MCP to check your deployed App Service configuration.

  6. The Azure MCP might fail, and Copilot may ask you for permission to use the Azure CLI to check your deployed App Service configuration.

  7. Once Copilot checks the configuration, it will provide a summary of the configuration and any discrepancies.

02: Disable API Keys for Microsoft Foundry

Use GitHub Copilot Chat to update your Bicep templates to disable API keys and enforce identity-only authentication for the Microsoft Foundry workspace.

  1. Open Copilot Chat in VS Code.

  2. Paste the following prompt into the chat window:

     Update my Bicep templates so that the Microsoft Foundry workspace
     enforces identity-only authentication. The goal is to make sure API keys are fully
     disabled and Microsoft Entra ID is the only supported authentication method.
     After making the changes, explain what was updated and why, and let me know if any
     module dependencies need adjustments.
    
  3. Review the response from Copilot. It may indicate that the Microsoft Foundry workspace is already configured to enforce identity-only authentication.

  4. If the Microsoft Foundry workspace is not configured to enforce identity-only authentication, Copilot will update the Bicep templates to disable API keys.

  5. Once the Bicep templates are updated, Copilot will provide a summary of the changes and any discrepancies.

  6. Once the changes are made, use azd provision to apply the changes to the Azure environment.

03: Validate Application Access Using Managed Identity

Use GitHub Copilot Chat to validate that the App Service’s managed identity has the correct RBAC role, then test the application to confirm it works using managed identity only.

  1. Open Copilot Chat in VS Code.

  2. Paste the following prompt into the chat window:

     Validate that the App Service's system-assigned managed identity has the
     correct role on the Microsoft Foundry workspace. The role should be Cognitive
     Services User. If the role is not correct, update the Bicep templates to grant
     the correct role.
    
  3. Review the response from Copilot. It may indicate that the App Service’s system-assigned managed identity is already granted the correct RBAC role for accessing the Microsoft Foundry workspace.

  4. If the App Service’s system-assigned managed identity is not granted the correct RBAC role, Copilot will update the Bicep templates to grant the correct role.

  5. Once the Bicep templates are updated, use azd provision to apply the changes to the Azure environment.

  6. After verifying the correct role, open the deployed application in a browser and perform a normal chat completion request using the UI.

  7. Confirm the application still works after key-based authentication was disabled. Since the app continues to function and no API keys are present in configuration or code, this confirms that the App Service is successfully using its managed identity to authenticate to Microsoft Foundry.
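The two template changes Copilot is asked to make in tasks 02 and 03 (disable local auth on the Foundry account, and grant the App Service's system-assigned identity the Cognitive Services User role) look like this in Bicep. This is an added example, not the workshop's own templates; the parameter names, API versions and SKU are assumptions, and the App Service is assumed to already exist with its system-assigned identity enabled.

```bicep
// Added example (not the workshop's templates). Assumes the App Service
// named in appServiceName already exists with identity.type = 'SystemAssigned'.
param location string = resourceGroup().location
param foundryAccountName string   // assumed parameter name
param appServiceName string       // assumed parameter name

// Built-in role definition ID for "Cognitive Services User".
var cognitiveServicesUserRoleId = 'a97b65f3-24c7-4388-baec-2e87135dc908'

// Reference the existing App Service so we can read its identity's principalId.
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
  name: appServiceName
}

// Microsoft Foundry (Azure AI Services) account with API keys disabled:
// disableLocalAuth: true makes Microsoft Entra ID the only accepted credential.
resource foundry 'Microsoft.CognitiveServices/accounts@2024-10-01' = {
  name: foundryAccountName
  location: location
  kind: 'AIServices'
  sku: { name: 'S0' }                  // assumed SKU
  identity: { type: 'SystemAssigned' }
  properties: {
    customSubDomainName: foundryAccountName
    disableLocalAuth: true             // the control this task enforces
    publicNetworkAccess: 'Enabled'
  }
}

// Scope the role assignment to the Foundry account only (least privilege),
// and derive a stable name so redeployments are idempotent.
resource appToFoundry 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(foundry.id, webApp.id, cognitiveServicesUserRoleId)
  scope: foundry
  properties: {
    roleDefinitionId: subscriptionResourceId(
      'Microsoft.Authorization/roleDefinitions', cognitiveServicesUserRoleId)
    principalId: webApp.identity.principalId
    principalType: 'ServicePrincipal'  // avoids replication-delay failures for new identities
  }
}

output foundryEndpoint string = foundry.properties.endpoint
```

After azd provision, you can confirm the key-disable setting took effect with az cognitiveservices account show -n <account> -g <resource-group> --query properties.disableLocalAuth, which should return true.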

Summary

You’ve completed this task. You enforced identity-only access to your Microsoft Foundry workspace—an essential first step in establishing Responsible AI governance and secure operational practices. You used GitHub Copilot to review your current authentication configuration, update your Bicep templates to disable API keys and enforce identity-only authentication, and validate that your App Service’s managed identity has the correct RBAC role. By testing the application and confirming it works without API keys, you verified that every request to Microsoft Foundry is authenticated, authorized, and fully traceable. With identity-only access now enforced and functioning, the environment is ready for deeper Responsible AI controls, such as enabling diagnostic logs and configuring content safety guardrails in the next tasks.