Skip to content

docs: expand Azure Managed Identity BYOK guidance#1995

Draft
scottaddie wants to merge 5 commits into
mainfrom
scottaddie-add-ami-doc-samples
Draft

docs: expand Azure Managed Identity BYOK guidance#1995
scottaddie wants to merge 5 commits into
mainfrom
scottaddie-add-ami-doc-samples

Conversation

@scottaddie

@scottaddie scottaddie commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Directly addresses Patrick's comment: https://github.com/github/copilot-sdk-internal/issues/45#issuecomment-4971913761

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: c19bbd67-bd50-4f54-93e1-8c6961012916
@scottaddie scottaddie marked this pull request as ready for review July 15, 2026 19:56
@scottaddie scottaddie requested a review from a team as a code owner July 15, 2026 19:56
Copilot AI review requested due to automatic review settings July 15, 2026 19:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Expands Azure Managed Identity BYOK guidance across all SDK languages and documents on-demand bearer token providers.

Changes:

  • Adds static-token and callback examples for six SDKs.
  • Documents bearer token provider behavior in the BYOK reference.
Show a summary per file
File Description
docs/setup/azure-managed-identity.md Expands setup guidance and multi-language examples.
docs/auth/byok.md Adds bearer token provider documentation.

Review details

  • Files reviewed: 2/2 changed files
  • Comments generated: 20
  • Review effort level: Medium

Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/setup/azure-managed-identity.md Outdated
Comment thread docs/setup/azure-managed-identity.md Outdated
Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/auth/byok.md
Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/setup/azure-managed-identity.md
Comment thread docs/setup/azure-managed-identity.md
Co-authored-by: scottaddie <10702007+scottaddie@users.noreply.github.com>
Comment thread .github/instructions/docs-style.instructions.md Outdated
Co-authored-by: scottaddie <10702007+scottaddie@users.noreply.github.com>
scottaddie and others added 2 commits July 15, 2026 15:31
@scottaddie scottaddie requested a review from sunbrye July 15, 2026 20:42

@sunbrye sunbrye left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mainly reviewed the structure of the content and it looks good to me ✅

# Azure Managed Identity with BYOK

The Copilot SDK's [BYOK mode](../auth/byok.md) accepts static API keys, but Azure deployments often use **Managed Identity** (Microsoft Entra ID) instead of long-lived keys. Since the SDK doesn't natively support Microsoft Entra authentication, you can use a short-lived bearer token via the `bearer_token` provider config field.
The GitHub Copilot SDK's [BYOK mode](../auth/byok.md) supports static API keys, but Azure deployments often use **Managed Identity** (Microsoft Entra ID) instead of long-lived keys. Since the SDK doesn't natively support Microsoft Entra authentication, supply either a bearer token you already acquired or a bearer token provider that can fetch fresh tokens on demand.

@SteveSandersonMS SteveSandersonMS Jul 16, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Saying "SDK doesn't native support Entra" might sound like the product is deficient, but the layering we've chosen is deliberate - we've designed this to compose with Azure Identity SDK for maximum flexibility.

1. Pass the token as the `bearer_token` in the BYOK provider config
1. Refresh the token before it expires (tokens are typically valid for ~1 hour)
* [Provide an access token that your application refreshes.](#provide-an-access-token-you-manage)
* [Specify a token provider callback so the runtime can acquire tokens on demand.](#specify-a-token-provider-for-automatic-token-acquisition)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we give some advice for how developers should choose between these two options?

My guess is they should always use the token provider callback since manual token refreshing is complex. But is there some edge-case reason why people would want to do their own token refresh?

### Basic usage
### Provide an access token you manage

Get a token using your language's Azure Identity SDK credential and pass it as the bearer token in your provider configuration. Track the token's expiration or refresh metadata so you know when to acquire a fresh token. Because a static bearer token is captured when the session is created, create a new session when you need to use the refreshed token. See the language-specific guidance in each code sample's comments below.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because a static bearer token is captured when the session is created, create a new session when you need to use the refreshed token.

This doesn't seem like a viable approach. Doesn't that mean you lose your sessions when tokens expire?

Do you think we should swap the doc around and describe the "automatic token acquisition" method as the only real method? Then we could also comment that if somehow you know you don't need to refresh tokens (e.g., because your sessions are always just one-shot operations not ongoing conversations) then you can pass a static token, but we don't have to document how to do any of the token refresh stuff because that's orthogonal to Copilot SDK.

@scottaddie scottaddie marked this pull request as draft July 16, 2026 20:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants