Merge pull request #832 from microsoft/pssl-aadauthchanges

refactor: Migrate Azure AI Search from API key to Azure AD authentication

Author: Roopan-Microsoft

infra/main.bicep

@@ -1330,10 +1330,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'SUPPORTED_MODELS'
             value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
           }
-          {
-            name: 'AZURE_AI_SEARCH_API_KEY'
-            secretRef: 'azure-ai-search-api-key'
-          }
           {
             name: 'AZURE_STORAGE_BLOB_URL'
             value: avmStorageAccount.outputs.serviceEndpoints.blob
@@ -1369,13 +1365,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
         ]
       }
     ]
-    secrets: [
-      {
-        name: 'azure-ai-search-api-key'
-        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
-        identity: userAssignedIdentity.outputs.resourceId
-      }
-    ]
+    secrets: []
   }
 }
 
@@ -1675,12 +1665,7 @@ module searchServiceUpdate 'br/public:avm/res/search/search-service:0.11.1' = {
   name: take('avm.res.search.update.${solutionSuffix}', 64)
   params: {
     name: searchServiceName
-    authOptions: {
-      aadOrApiKey: {
-        aadAuthFailureMode: 'http401WithBearerChallenge'
-      }
-    }
-    disableLocalAuth: false
+    disableLocalAuth: true
     hostingMode: 'default'
     managedIdentities: {
       systemAssigned: true
@@ -1759,7 +1744,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.id
     searchServiceLocation: searchService.location
     searchServiceName: searchService.name
-    searchApiKey: searchService.listAdminKeys().primaryKey
   }
   dependsOn: [
     aiFoundryAiServices
@@ -1810,12 +1794,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
         roleDefinitionIdOrName: 'Key Vault Administrator'
       }
     ]
-    secrets: [
-      {
-        name: 'AzureAISearchAPIKey'
-        value: searchService.listAdminKeys().primaryKey
-      }
-    ]
+    secrets: []
     enableTelemetry: enableTelemetry
   }
 }
@@ -1865,7 +1844,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
 output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint

infra/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.40.2.10011",
-      "templateHash": "16839096090855786967"
+      "templateHash": "17476534152468179054"
     },
     "name": "Multi-Agent Custom Automation Engine",
     "description": "This module contains the resources required to deploy the [Multi-Agent Custom Automation Engine solution accelerator](https://github.com/microsoft/Multi-Agent-Custom-Automation-Engine-Solution-Accelerator) for both Sandbox environments and WAF aligned environments.\n\n> **Note:** This module is not intended for broad, generic use, as it was designed by the Commercial Solution Areas CTO team, as a Microsoft Solution Accelerator. Feature requests and bug fix requests are welcome if they support the needs of this organization but may not be incorporated if they aim to make this module more generic than what it needs to be for its primary use case. This module will likely be updated to leverage AVM resource modules in the future. This may result in breaking changes in upcoming versions when these features are implemented.\n"
@@ -25441,8 +25441,8 @@
       },
       "dependsOn": [
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').openAI)]",
-        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').aiServices)]",
+        "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').cognitiveServices)]",
         "logAnalyticsWorkspace",
         "userAssignedIdentity",
         "virtualNetwork"
@@ -30521,10 +30521,6 @@
                     "name": "SUPPORTED_MODELS",
                     "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]"
                   },
-                  {
-                    "name": "AZURE_AI_SEARCH_API_KEY",
-                    "secretRef": "azure-ai-search-api-key"
-                  },
                   {
                     "name": "AZURE_STORAGE_BLOB_URL",
                     "value": "[reference('avmStorageAccount').outputs.serviceEndpoints.value.blob]"
@@ -30562,13 +30558,7 @@
             ]
           },
           "secrets": {
-            "value": [
-              {
-                "name": "azure-ai-search-api-key",
-                "keyVaultUrl": "[reference('keyvault').outputs.secrets.value[0].uriWithVersion]",
-                "identity": "[reference('userAssignedIdentity').outputs.resourceId.value]"
-              }
-            ]
+            "value": []
           }
         },
         "template": {
@@ -32140,7 +32130,6 @@
         "containerAppEnvironment",
         "containerAppMcp",
         "existingAiFoundryAiServicesProject",
-        "keyvault",
         "searchServiceUpdate",
         "userAssignedIdentity"
       ]
@@ -42268,15 +42257,8 @@
           "name": {
             "value": "[variables('searchServiceName')]"
           },
-          "authOptions": {
-            "value": {
-              "aadOrApiKey": {
-                "aadAuthFailureMode": "http401WithBearerChallenge"
-              }
-            }
-          },
           "disableLocalAuth": {
-            "value": false
+            "value": true
           },
           "hostingMode": {
             "value": "default"
@@ -44654,9 +44636,6 @@
           },
           "searchServiceName": {
             "value": "[variables('searchServiceName')]"
-          },
-          "searchApiKey": {
-            "value": "[listAdminKeys('searchService', '2024-06-01-preview').primaryKey]"
           }
         },
         "template": {
@@ -44666,30 +44645,45 @@
             "_generator": {
               "name": "bicep",
               "version": "0.40.2.10011",
-              "templateHash": "14874963049736669838"
+              "templateHash": "15348022841521786626"
             }
           },
           "parameters": {
             "aifSearchConnectionName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry search connection"
+              }
             },
             "searchServiceName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the Azure AI Search service"
+              }
             },
             "searchServiceResourceId": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Resource ID of the Azure AI Search service"
+              }
             },
             "searchServiceLocation": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Location/region of the Azure AI Search service"
+              }
             },
             "aiFoundryName": {
-              "type": "string"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry account"
+              }
             },
             "aiFoundryProjectName": {
-              "type": "string"
-            },
-            "searchApiKey": {
-              "type": "securestring"
+              "type": "string",
+              "metadata": {
+                "description": "Name of the AI Foundry project"
+              }
             }
           },
           "resources": [
@@ -44700,10 +44694,7 @@
               "properties": {
                 "category": "CognitiveSearch",
                 "target": "[format('https://{0}.search.windows.net', parameters('searchServiceName'))]",
-                "authType": "ApiKey",
-                "credentials": {
-                  "key": "[parameters('searchApiKey')]"
-                },
+                "authType": "AAD",
                 "isSharedToAll": true,
                 "metadata": {
                   "ApiType": "Azure",
@@ -44777,12 +44768,7 @@
             ]
           },
           "secrets": {
-            "value": [
-              {
-                "name": "AzureAISearchAPIKey",
-                "value": "[listAdminKeys('searchService', '2024-06-01-preview').primaryKey]"
-              }
-            ]
+            "value": []
           },
           "enableTelemetry": {
             "value": "[parameters('enableTelemetry')]"
@@ -47908,7 +47894,6 @@
       "dependsOn": [
         "[format('avmPrivateDnsZones[{0}]', variables('dnsZoneIndex').keyVault)]",
         "logAnalyticsWorkspace",
-        "searchService",
         "userAssignedIdentity",
         "virtualNetwork"
       ]
@@ -48041,10 +48026,6 @@
       "type": "string",
       "value": "[[\"o3\",\"o4-mini\",\"gpt-4.1\",\"gpt-4.1-mini\"]"
     },
-    "AZURE_AI_SEARCH_API_KEY": {
-      "type": "string",
-      "value": "<Deployed-Search-ApiKey>"
-    },
     "BACKEND_URL": {
       "type": "string",
       "value": "[format('https://{0}', reference('containerApp').outputs.fqdn.value)]"

infra/main_custom.bicep

@@ -1365,10 +1365,6 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
             name: 'SUPPORTED_MODELS'
             value: '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
           }
-          {
-            name: 'AZURE_AI_SEARCH_API_KEY'
-            secretRef: 'azure-ai-search-api-key'
-          }
           {
             name: 'AZURE_STORAGE_BLOB_URL'
             value: avmStorageAccount.outputs.serviceEndpoints.blob
@@ -1412,13 +1408,7 @@ module containerApp 'br/public:avm/res/app/container-app:0.18.1' = {
         ]
       }
     ]
-    secrets: [
-      {
-        name: 'azure-ai-search-api-key'
-        keyVaultUrl: keyvault.outputs.secrets[0].uriWithVersion
-        identity: userAssignedIdentity.outputs.resourceId
-      }
-    ]
+    secrets: []
   }
 }
 
@@ -1720,12 +1710,7 @@ module searchService 'br/public:avm/res/search/search-service:0.11.1' = {
   name: take('avm.res.search.search-service.${solutionSuffix}', 64)
   params: {
     name: searchServiceName
-    authOptions: {
-      aadOrApiKey: {
-        aadAuthFailureMode: 'http401WithBearerChallenge'
-      }
-    }
-    disableLocalAuth: false
+    disableLocalAuth: true
     hostingMode: 'default'
     managedIdentities: {
       systemAssigned: true
@@ -1801,7 +1786,6 @@ module aiSearchFoundryConnection 'modules/aifp-connections.bicep' = {
     searchServiceResourceId: searchService.outputs.resourceId
     searchServiceLocation: searchService.outputs.location
     searchServiceName: searchService.outputs.name
-    searchApiKey: searchService.outputs.primaryKey
   }
   dependsOn: [
     aiFoundryAiServices
@@ -1852,12 +1836,7 @@ module keyvault 'br/public:avm/res/key-vault/vault:0.12.1' = {
         roleDefinitionIdOrName: 'Key Vault Administrator'
       }
     ]
-    secrets: [
-      {
-        name: 'AzureAISearchAPIKey'
-        value: searchService.outputs.primaryKey
-      }
-    ]
+    secrets: []
     enableTelemetry: enableTelemetry
   }
 }
@@ -1908,7 +1887,6 @@ output REASONING_MODEL_NAME string = aiFoundryAiServicesReasoningModelDeployment
 output MCP_SERVER_NAME string = 'MacaeMcpServer'
 output MCP_SERVER_DESCRIPTION string = 'MCP server with greeting, HR, and planning tools'
 output SUPPORTED_MODELS string = '["o3","o4-mini","gpt-4.1","gpt-4.1-mini"]'
-output AZURE_AI_SEARCH_API_KEY string = '<Deployed-Search-ApiKey>'
 output BACKEND_URL string = 'https://${containerApp.outputs.fqdn}'
 output AZURE_AI_PROJECT_ENDPOINT string = aiFoundryAiProjectEndpoint
 output AZURE_AI_AGENT_ENDPOINT string = aiFoundryAiProjectEndpoint

infra/modules/aifp-connections.bicep

@@ -1,21 +1,27 @@
+@description('Name of the AI Foundry search connection')
 param aifSearchConnectionName string
+
+@description('Name of the Azure AI Search service')
 param searchServiceName string
+
+@description('Resource ID of the Azure AI Search service')
 param searchServiceResourceId string
+
+@description('Location/region of the Azure AI Search service')
 param searchServiceLocation string
+
+@description('Name of the AI Foundry account')
 param aiFoundryName string
+
+@description('Name of the AI Foundry project')
 param aiFoundryProjectName string
-@secure()
-param searchApiKey string
 
 resource aiSearchFoundryConnection 'Microsoft.CognitiveServices/accounts/projects/connections@2025-04-01-preview' = {
   name: '${aiFoundryName}/${aiFoundryProjectName}/${aifSearchConnectionName}'
   properties: {
     category: 'CognitiveSearch'
     target: 'https://${searchServiceName}.search.windows.net'
-    authType: 'ApiKey'
-    credentials: {
-      key: searchApiKey
-    }
+    authType: 'AAD'
     isSharedToAll: true
     metadata: {
       ApiType: 'Azure'