Skip to content

VSCode, Github Copilot, OpenCode Bring your own model & keys - dual authentication mode Keys & Entra + PRM#362

Merged
nourshaker-msft merged 6 commits into
Azure-Samples:mainfrom
nourshaker-msft:main
Jul 6, 2026
Merged

VSCode, Github Copilot, OpenCode Bring your own model & keys - dual authentication mode Keys & Entra + PRM#362
nourshaker-msft merged 6 commits into
Azure-Samples:mainfrom
nourshaker-msft:main

Conversation

@nourshaker-msft

Copy link
Copy Markdown
Collaborator

Purpose

This pull request introduces a new lab, "GitHub Copilot BYOK → Foundry (MI swap)", which demonstrates how to govern GitHub Copilot's BYOK access to a private Azure AI Foundry model via Azure API Management (APIM) using an identity swap pattern. The lab provides both Entra ID (keyless) and API key authentication flows, implements per-user/subscription governance and metering, and includes resource clean-up steps. The main changes are grouped below.

Lab Documentation and Notebooks

  • Added a comprehensive README.md for the new lab, detailing architecture, authentication modes, FinOps reporting, and setup/cleanup instructions.
  • Introduced a clean-up-resources.ipynb notebook to automate the removal of Azure resources and the Entra security group created during the lab.

APIM Policy Implementations

  • Added entra-policy.xml for the Entra ID (keyless) flow, implementing developer authentication, group-based authorization via Microsoft Graph, per-user rate limiting and metering, managed-identity token swap, and RFC 9728 OAuth discovery support.
  • Added apikey-policy.xml for the API key flow, mapping subscription identity to FinOps dimensions, enforcing per-subscription rate limiting and metering, and performing the managed-identity swap.

Does this introduce a breaking change?

[ ] Yes
[x] No

Pull Request Type

What kind of change does this Pull Request introduce?

[ ] Bugfix
[x] Feature
[ ] Code style update (formatting, local variables)
[ ] Refactoring (no functional changes, no api changes)
[x] Documentation content changes
[ ] Other... Please describe:

How to Test

  • Get the code

  • Follow the instructions in the Notebook for deployment and testing

Other Information

Initial release, includes dual authentication mode (GitHub Copilot BYOK + Azure AD) and PRM discovery (RFC 9728) for interactive OAuth + ApiKey based authentication.
Tested on OpenCode and GitHub Copilot, with a Foundry model deployed in Azure OpenAI Service.
Tested using GPT5.4 and Kimi-K2.6
@nourshaker-msft nourshaker-msft requested a review from vieiraae July 5, 2026 07:07
@nourshaker-msft nourshaker-msft merged commit ced9394 into Azure-Samples:main Jul 6, 2026
4 of 7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant