Support MSI access to cognitive services QnAMaker and LUIS

[scheyal]

BF CLI will have to light up access of QnAMaker and LUIS services using Managed Service Identity.
We know the services support MSI.

We need to put the ground work to investigate

• Do they support access via the interfaces we use (REST API)?
• Do we have sufficient info to access the right resources via the CLI
• Can we allow side by side migration and slowly deprecate use of keys.

References:

The BF CLI (as a client) needs to support AAD Auth. Refer to Sign in with the Azure CLI | Microsoft Docs for how Azure CLI has done that. In that case, the AAD security principal is the one created for the CLI user. That user needs to be in Cognitive Services role(s) for RBAC (ex. “Cognitive Services User”) to work.

https://docs.microsoft.com/en-us/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-azure-active-directory has a sample for registered AAD app (i.e. service principal). User principal (of the CLI user) works the same way.

The Microsoft Authentication Library (MSAL) Supports Node.JS. Refer to https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-v2-libraries.

QnA maker supports MSI already as documented here: Authentication - Azure Cognitive Services | Microsoft Docs