refactor: remove Azure AI Search API key references and switch to AAD authentication

Abdul-Microsoft · Abdul-Microsoft · commit 3648a945d073 · 2026-02-27T00:10:19.000+05:30
diff --git a/infra/main.bicep b/infra/main.bicep
@@ -1330,10 +1330,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'SUPPORTED_MODELS'
             value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
           }
-          {
-            name: 'AZURE_AI_SEARCH_API_KEY'
-            secretRef: 'azure-ai-search-api-key'
-          }
           {
             name: 'AZURE_STORAGE_BLOB_URL'
             value: avmStorageAccount.outputs.serviceEndpoints.blob
@@ -1369,13 +1365,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
         ]
       }
     ]
-    secrets: [
-      {
-        name: 'azure-ai-search-api-key'
-        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
-        identity: userAssignedIdentity.outputs.resourceId
-      }
-    ]
+    secrets: []
   }
 }
 
@@ -1675,12 +1665,7 @@ module searchServiceUpdate 'br/public:avm/res/search/search-service:0.11.1' = {
   name: take('avm.res.search.update.${solutionSuffix}', 64)
   params: {
     name: searchServiceName
-    authOptions: {
-      aadOrApiKey: {
-        aadAuthFailureMode: 'http401WithBearerChallenge'
-      }
-    }
-    disableLocalAuth: false
+    disableLocalAuth: true
     hostingMode: 'default'
     managedIdentities: {
       systemAssigned: true
@@ -1809,12 +1794,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
         roleDefinitionIdOrName: 'Key Vault Administrator'
       }
     ]
-    secrets: [
-      {
-        name: 'AzureAISearchAPIKey'
-        value: searchService.listAdminKeys().primaryKey
-      }
-    ]
+    secrets: []
     enableTelemetry: enableTelemetry
   }
 }
@@ -1864,7 +1844,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
 output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint
diff --git a/infra/main.json b/infra/main.json
@@ -6,10 +6,10 @@
     "_generator": {
       "name": "bicep",
       "version": "0.40.2.10011",
-      "templateHash": "16839096090855786967"
+      "templateHash": "17476534152468179054"
     },
     "name": "Multi-Agent Custom Automation Engine",
-    "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\n\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\n"
+    "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\r\n\r\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\r\n"
   },
   "parameters": {
     "solutionName": {
@@ -25441,8 +25441,8 @@
       },
       "dependsOn": [
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "logAnalyticsWorkspace",
         "userAssignedIdentity",
         "virtualNetwork"
@@ -30521,10 +30521,6 @@
                     "name": "SUPPORTED_MODELS",
                     "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]"
                   },
-                  {
-                    "name": "AZURE_AI_SEARCH_API_KEY",
-                    "secretRef": "azure-ai-search-api-key"
-                  },
                   {
                     "name": "AZURE_STORAGE_BLOB_URL",
                     "value": "[reference('avmStorageAccount').outputs.serviceEndpoints.value.blob]"
@@ -30562,13 +30558,7 @@
             ]
           },
           "secrets": {
-            "value": [
-              {
-                "name": "azure-ai-search-api-key",
-                "keyVaultUrl": "[reference('keyvault').outputs.secrets.value[0].uriWithVersion]",
-                "identity": "[reference('userAssignedIdentity').outputs.resourceId.value]"
-              }
-            ]
+            "value": []
           }
         },
         "template": {
@@ -32140,7 +32130,6 @@
         "containerAppEnvironment",
         "containerAppMcp",
         "existingAiFoundryAiServicesProject",
-        "keyvault",
         "searchServiceUpdate",
         "userAssignedIdentity"
       ]
@@ -42268,15 +42257,8 @@
           "name": {
             "value": "[variables('searchServiceName')]"
           },
-          "authOptions": {
-            "value": {
-              "aadOrApiKey": {
-                "aadAuthFailureMode": "http401WithBearerChallenge"
-              }
-            }
-          },
           "disableLocalAuth": {
-            "value": false
+            "value": true
           },
           "hostingMode": {
             "value": "default"
@@ -44654,9 +44636,6 @@
           },
           "searchServiceName": {
             "value": "[variables('searchServiceName')]"
-          },
-          "searchApiKey": {
-            "value": "[listAdminKeys('searchService', '2024-06-01-preview').primaryKey]"
           }
         },
         "template": {
@@ -44666,30 +44645,45 @@
             "_generator": {
               "name": "bicep",
               "version": "0.40.2.10011",
-              "templateHash": "14874963049736669838"
+              "templateHash": "15348022841521786626"
             }
           },
           "parameters": {
             "aifSearchConnectionName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry search connection"
+              }
             },
             "searchServiceName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the Azure AI Search service"
+              }
             },
             "searchServiceResourceId": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Resource ID of the Azure AI Search service"
+              }
             },
             "searchServiceLocation": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Location/region of the Azure AI Search service"
+              }
             },
             "aiFoundryName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry account"
+              }
             },
             "aiFoundryProjectName": {
-              "type": "string"
-            },
-            "searchApiKey": {
-              "type": "securestring"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry project"
+              }
             }
           },
           "resources": [
@@ -44700,10 +44694,7 @@
               "properties": {
                 "category": "CognitiveSearch",
                 "target": "[format('https://{0}.search.windows.net', parameters('searchServiceName'))]",
-                "authType": "ApiKey",
-                "credentials": {
-                  "key": "[parameters('searchApiKey')]"
-                },
+                "authType": "AAD",
                 "isSharedToAll": true,
                 "metadata": {
                   "ApiType": "Azure",
@@ -44777,12 +44768,7 @@
             ]
           },
           "secrets": {
-            "value": [
-              {
-                "name": "AzureAISearchAPIKey",
-                "value": "[listAdminKeys('searchService', '2024-06-01-preview').primaryKey]"
-              }
-            ]
+            "value": []
           },
           "enableTelemetry": {
             "value": "[parameters('enableTelemetry')]"
@@ -47908,7 +47894,6 @@
       "dependsOn": [
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').keyVault)]",
         "logAnalyticsWorkspace",
-        "searchService",
         "userAssignedIdentity",
         "virtualNetwork"
       ]
@@ -48041,10 +48026,6 @@
       "type": "string",
       "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]"
     },
-    "AZURE_AI_SEARCH_API_KEY": {
-      "type": "string",
-      "value": "<Deployed-Search-ApiKey>"
-    },
     "BACKEND_URL": {
       "type": "string",
       "value": "[format('https://{0}', reference('containerApp').outputs.fqdn.value)]"
diff --git a/infra/main_custom.bicep b/infra/main_custom.bicep
@@ -1365,10 +1365,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'SUPPORTED_MODELS'
             value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
           }
-          {
-            name: 'AZURE_AI_SEARCH_API_KEY'
-            secretRef: 'azure-ai-search-api-key'
-          }
           {
             name: 'AZURE_STORAGE_BLOB_URL'
             value: avmStorageAccount.outputs.serviceEndpoints.blob
@@ -1412,13 +1408,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
         ]
       }
     ]
-    secrets: [
-      {
-        name: 'azure-ai-search-api-key'
-        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
-        identity: userAssignedIdentity.outputs.resourceId
-      }
-    ]
+    secrets: []
   }
 }
 
@@ -1801,7 +1791,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
-    searchApiKey: searchService.outputs.primaryKey
   }
   dependsOn: [
     aiFoundryAiServices
@@ -1852,12 +1841,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
         roleDefinitionIdOrName: 'Key Vault Administrator'
       }
     ]
-    secrets: [
-      {
-        name: 'AzureAISearchAPIKey'
-        value: searchService.outputs.primaryKey
-      }
-    ]
+    secrets: []
     enableTelemetry: enableTelemetry
   }
 }
@@ -1908,7 +1892,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
 output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint

Original file line number	Diff line number	Diff line change
`@@ -1330,10 +1330,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {`
`1330`	`1330`	`name: 'SUPPORTED_MODELS'`
`1331`	`1331`	`value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'`
`1332`	`1332`	`}`
`1333`		`- {`
`1334`		`- name: 'AZURE_AI_SEARCH_API_KEY'`
`1335`		`- secretRef: 'azure-ai-search-api-key'`
`1336`		`- }`
`1337`	`1333`	`{`
`1338`	`1334`	`name: 'AZURE_STORAGE_BLOB_URL'`
`1339`	`1335`	`value: avmStorageAccount.outputs.serviceEndpoints.blob`
`@@ -1369,13 +1365,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {`
`1369`	`1365`	`]`
`1370`	`1366`	`}`
`1371`	`1367`	`]`
`1372`		`- secrets: [`
`1373`		`- {`
`1374`		`- name: 'azure-ai-search-api-key'`
`1375`		`- keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion`
`1376`		`- identity: userAssignedIdentity.outputs.resourceId`
`1377`		`- }`
`1378`		`- ]`
	`1368`	`+ secrets: []`
`1379`	`1369`	`}`
`1380`	`1370`	`}`
`1381`	`1371`
`@@ -1675,12 +1665,7 @@ module searchServiceUpdate 'br/public:avm/res/search/search-service:0.11.1' = {`
`1675`	`1665`	`name: take('avm.res.search.update.${solutionSuffix}', 64)`
`1676`	`1666`	`params: {`
`1677`	`1667`	`name: searchServiceName`
`1678`		`- authOptions: {`
`1679`		`- aadOrApiKey: {`
`1680`		`- aadAuthFailureMode: 'http401WithBearerChallenge'`
`1681`		`- }`
`1682`		`- }`
`1683`		`- disableLocalAuth: false`
	`1668`	`+ disableLocalAuth: true`
`1684`	`1669`	`hostingMode: 'default'`
`1685`	`1670`	`managedIdentities: {`
`1686`	`1671`	`systemAssigned: true`
`@@ -1809,12 +1794,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {`
`1809`	`1794`	`roleDefinitionIdOrName: 'Key Vault Administrator'`
`1810`	`1795`	`}`
`1811`	`1796`	`]`
`1812`		`- secrets: [`
`1813`		`- {`
`1814`		`- name: 'AzureAISearchAPIKey'`
`1815`		`- value: searchService.listAdminKeys().primaryKey`
`1816`		`- }`
`1817`		`- ]`
	`1797`	`+ secrets: []`
`1818`	`1798`	`enableTelemetry: enableTelemetry`
`1819`	`1799`	`}`
`1820`	`1800`	`}`
`@@ -1864,7 +1844,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment`
`1864`	`1844`	`output MCP_SERVER_NAME string = 'MacaeMcpServer'`
`1865`	`1845`	`output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'`
`1866`	`1846`	`output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'`
`1867`		`-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'`
`1868`	`1847`	`output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'`
`1869`	`1848`	`output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint`
`1870`	`1849`	`output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint`
Original file line number	Diff line number	Diff line change
`@@ -1365,10 +1365,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {`
`1365`	`1365`	`name: 'SUPPORTED_MODELS'`
`1366`	`1366`	`value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'`
`1367`	`1367`	`}`
`1368`		`- {`
`1369`		`- name: 'AZURE_AI_SEARCH_API_KEY'`
`1370`		`- secretRef: 'azure-ai-search-api-key'`
`1371`		`- }`
`1372`	`1368`	`{`
`1373`	`1369`	`name: 'AZURE_STORAGE_BLOB_URL'`
`1374`	`1370`	`value: avmStorageAccount.outputs.serviceEndpoints.blob`
`@@ -1412,13 +1408,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {`
`1412`	`1408`	`]`
`1413`	`1409`	`}`
`1414`	`1410`	`]`
`1415`		`- secrets: [`
`1416`		`- {`
`1417`		`- name: 'azure-ai-search-api-key'`
`1418`		`- keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion`
`1419`		`- identity: userAssignedIdentity.outputs.resourceId`
`1420`		`- }`
`1421`		`- ]`
	`1411`	`+ secrets: []`
`1422`	`1412`	`}`
`1423`	`1413`	`}`
`1424`	`1414`
`@@ -1801,7 +1791,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {`
`1801`	`1791`	`searchServiceResourceId: searchService.outputs.resourceId`
`1802`	`1792`	`searchServiceLocation: searchService.outputs.location`
`1803`	`1793`	`searchServiceName: searchService.outputs.name`
`1804`		`- searchApiKey: searchService.outputs.primaryKey`
`1805`	`1794`	`}`
`1806`	`1795`	`dependsOn: [`
`1807`	`1796`	`aiFoundryAiServices`
`@@ -1852,12 +1841,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {`
`1852`	`1841`	`roleDefinitionIdOrName: 'Key Vault Administrator'`
`1853`	`1842`	`}`
`1854`	`1843`	`]`
`1855`		`- secrets: [`
`1856`		`- {`
`1857`		`- name: 'AzureAISearchAPIKey'`
`1858`		`- value: searchService.outputs.primaryKey`
`1859`		`- }`
`1860`		`- ]`
	`1844`	`+ secrets: []`
`1861`	`1845`	`enableTelemetry: enableTelemetry`
`1862`	`1846`	`}`
`1863`	`1847`	`}`
`@@ -1908,7 +1892,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment`
`1908`	`1892`	`output MCP_SERVER_NAME string = 'MacaeMcpServer'`
`1909`	`1893`	`output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'`
`1910`	`1894`	`output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'`
`1911`		`-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'`
`1912`	`1895`	`output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'`
`1913`	`1896`	`output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint`
`1914`	`1897`	`output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint`