Fix Azure AI Search Test Connection with Managed Identity #641
+264
−34
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 4 commits
January 2, 2026 10:42
- Added custom_subdomain_name to OpenAI resource for managed identity authentication - Created Speech Service resource with custom subdomain configuration - Added RBAC role assignments for Speech Service (Managed Identity and App Service MI) - Includes Cognitive Services Speech User and Speech Contributor roles - Documentation: Azure Speech managed identity setup guide
Replaced REST API approach with SearchIndexClient SDK to properly handle managed identity authentication in Azure public cloud. The SDK automatically handles token acquisition and endpoint construction, eliminating the 'search_resource_manager is not defined' error that occurred with the REST API approach.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR primarily fixes the Azure AI Search “Test Connection” path when using managed identity, and also adds related infrastructure and documentation for managed-identity-based Cognitive Services (including Speech).
Changes:
- Reworked
_test_azure_ai_search_connectionto use the Azure Search SDK (SearchIndexClient) for both key-based and managed-identity auth, aligning behavior with how production search operations authenticate. - Added Terraform resources and RBAC assignments for a Speech Cognitive Services account with custom subdomain and managed-identity-friendly configuration, plus a how-to guide for Speech with managed identity.
- Bumped the application version in
config.pyand added detailed fix documentation underdocs/explanation/fixes.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
application/single_app/route_backend_settings.py |
Replaces the previous REST + manual token logic in _test_azure_ai_search_connection with SearchIndexClient using DefaultAzureCredential for managed identity and AzureKeyCredential for key/APIM scenarios, directly addressing the managed-identity failure. |
application/single_app/config.py |
Increments VERSION to 0.236.013 to version the Azure AI Search test-connection fix. |
deployers/terraform/main.tf |
Adds a Speech Cognitive Services account with custom_subdomain_name and assigns appropriate Speech RBAC roles to the user-assigned and system-assigned identities, supporting managed-identity-based Speech usage consistent with the new docs. |
docs/explanation/fixes/v.0.236.013/AZURE_AI_SEARCH_TEST_CONNECTION_FIX.md |
Documents the root cause and resolution for the Azure AI Search test-connection bug, including environment-specific details and configuration requirements, but currently misstates that there were no config.py changes. |
docs/how-to/azure_speech_managed_identity_manul_setup.md |
Provides a detailed how-to guide for configuring Azure Speech with managed identity and custom subdomains so that deployments match the updated Terraform resources, though the filename contains a typo. |
docs/explanation/fixes/v.0.236.013/AZURE_AI_SEARCH_TEST_CONNECTION_FIX.md
Show resolved
Hide resolved
docs/explanation/fixes/v.0.236.013/AZURE_AI_SEARCH_TEST_CONNECTION_FIX.md
Show resolved
Hide resolved
Replaced REST API approach with SearchIndexClient SDK to properly handle managed identity authentication in Azure public cloud. The SDK automatically handles token acquisition and endpoint construction, eliminating the 'search_resource_manager is not defined' error that occurred with the REST API approach.
vivche
force-pushed
the
ai-search-test-connection-fix
branch
from
7e0c688 to
6b0164a
Compare
added 2 commits
January 24, 2026 10:10
…vche/simplechat-development into ai-search-test-connection-fix
Collaborator
|
@vivche Please resolve the merge conflict then @ me here so I can merge please. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This PR fixes the "Test Azure AI Search Connection" functionality when using managed identity authentication in Azure public cloud environments. The fix replaces the REST API approach with the Azure Search SDK, which properly handles managed identity authentication.
📖 For detailed technical analysis and implementation details, see:
docs/explanation/fixes/v.0.236.013/AZURE_AI_SEARCH_TEST_CONNECTION_FIX.md
🐛 Bug Fix
Azure AI Search Test Connection with Managed Identity
Issue Behavior:
When clicking "Test Azure AI Search Connection" button on the App Settings "Search & Extract" page with managed identity authentication enabled, the test failed with:
Even when attempting to define the variable, bearer token authentication didn't work with Azure AI Search's data plane operations.
Fix Azure AI Search Test Connection with Managed Identity
Root Cause:
The old implementation used a REST API approach with manually acquired bearer tokens via
DefaultAzureCredential.get_token(). This approach is fundamentally incompatible with how Azure AI Search handles managed identity authentication on the data plane:Solution:
Replaced the REST API implementation with
SearchIndexClientfrom theazure.search.documentsSDK:📝 Files Changed
Code Modified:
application/single_app/route_backend_settings.py- Replaced REST API with SearchIndexClient SDKapplication/single_app/config.py- Version update to 0.236.013Documentation Added:
docs/explanation/fixes/v.0.236.013/AZURE_AI_SEARCH_TEST_CONNECTION_FIX.md- Comprehensive fix documentation🔄 Version Update
Updated version from
0.236.011to0.236.012🧪 Testing
Tested with:
Test Environment:
AZURE_ENVIRONMENT=publicin .env🎯 Related Issues
Fixes #611 - Azure AI Search Test Connection failed for public env
This fix is critical for: