Application requests to most Azure services must be authenticated with keys or passwordless connections. Developers must be diligent to never expose the keys in an insecure location: anyone who gains access to the key can authenticate to the service. Keyless authentication offers improved management and security benefits over the account key because there's no key (or connection string) to store.
Keyless connections are enabled with the following steps:
1. Configure your authentication.
2. Set environment variables, as needed.
3. Use an Azure Identity library credential type to create an Azure OpenAI client object.
Authentication
Authentication to Microsoft Entra ID is required to use the Azure client libraries.
Authentication differs based on the environment in which the app is running:
Learn about how to manage the DefaultAzureCredential for applications deployed to Azure.
Configure roles for authorization
Find the role for your usage of Azure OpenAI. Depending on how you intend to set that role, you'll need either the name or ID.
Role name: For Azure CLI or Azure PowerShell, you can use the role name.
Role ID: For Bicep, you need the role ID.
Use the following table to select a role and ID.
Use case         | Role name                              | Role ID
Assistants       | Cognitive Services OpenAI Contributor  | a001fd3d-188f-4b5d-821b-7da978bf7442
Chat completions | Cognitive Services OpenAI User         | 5e0bd9bd-7b93-4f28-af87-19fc36ad61bd
Select an identity type to use.
Personal identity: This is your personal identity tied to your sign-in to Azure.
Managed identity: This is an identity managed by and created for use on Azure. For managed identity, create a user-assigned managed identity. When you create the managed identity, you need the Client ID, also known as the app ID.
To find your personal identity, use one of the following commands. Use the ID as the <identity-id> in the next step.
For use in Azure, specify a user-assigned managed identity as part of the Bicep deployment process. Create a user-assigned managed identity separate from the identity running the process.
To grant your identity permissions to your resource through RBAC, assign a role using the Azure CLI command az role assignment create.
az role assignment create \
--role "Cognitive Services OpenAI User" \
--assignee "<identity-id>" \
--scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
To grant your application permissions to your Azure OpenAI resource through RBAC, assign a role using the Azure PowerShell cmdlet New-AzRoleAssignment.
Use the following Azure OpenAI Bicep template to create the resource and set the authentication for the identityId. Bicep requires the role ID. The name shown in this Bicep snippet isn't the Azure role; it's specific to the Bicep deployment.
The Azure Identity library's DefaultAzureCredential allows the customer to run the same code in the local development environment and in the Azure Cloud.
using Azure;
using Azure.AI.OpenAI;
using Azure.Identity;
using System;
using static System.Environment;
// Endpoint comes from the environment; no API key is read or stored anywhere.
string endpoint = GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT");
// DefaultAzureCredential picks the developer's local sign-in or the managed identity on Azure.
OpenAIClient client = new(new Uri(endpoint), new DefaultAzureCredential());
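The snippet above works unchanged for a system-assigned identity, but a user-assigned managed identity (the kind this page tells you to create) must be named by its client ID, and a missing role assignment only surfaces as a 401/403 on the first request. The following added example, not code from the original page, does both: it passes the client ID through DefaultAzureCredentialOptions and acquires a token for the Azure OpenAI scope up front so misconfiguration fails at startup. The variable name AZURE_OPENAI_MANAGED_IDENTITY_CLIENT_ID is an assumption for illustration.

```csharp
using System;
using Azure.AI.OpenAI;
using Azure.Core;
using Azure.Identity;

// Added example (not from the original page or the Azure SDK samples).
static class KeylessOpenAIClientFactory
{
    // Token scope for Azure OpenAI (a Cognitive Services resource).
    const string OpenAIScope = "https://cognitiveservices.azure.com/.default";

    public static OpenAIClient Create()
    {
        string endpoint = Environment.GetEnvironmentVariable("AZURE_OPENAI_ENDPOINT")
            ?? throw new InvalidOperationException("AZURE_OPENAI_ENDPOINT is not set.");

        // Client ID ("app ID") of the user-assigned managed identity. Hypothetical
        // variable name; leave it unset for local development or a system-assigned identity.
        string? userAssignedClientId =
            Environment.GetEnvironmentVariable("AZURE_OPENAI_MANAGED_IDENTITY_CLIENT_ID");

        var options = new DefaultAzureCredentialOptions();
        if (!string.IsNullOrEmpty(userAssignedClientId))
        {
            // Without this, DefaultAzureCredential looks for a system-assigned identity
            // on Azure and never uses the user-assigned one that holds the RBAC role.
            options.ManagedIdentityClientId = userAssignedClientId;
        }
        var credential = new DefaultAzureCredential(options);

        // Fail fast: prove the identity can obtain a token for the OpenAI scope before the
        // first real request, so credential problems are caught at startup, not mid-traffic.
        AccessToken token = credential.GetToken(
            new TokenRequestContext(new[] { OpenAIScope }), default);
        Console.WriteLine($"Token acquired; expires {token.ExpiresOn:u}");

        return new OpenAIClient(new Uri(endpoint), credential);
    }
}
```

A successful token here confirms authentication only; authorization (the role from the table above, assigned at the right scope) is still checked by the service on each call.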
Use the following link to explore an end-to-end sample. This sample provisions an Azure OpenAI account with your user account RBAC role permission for keyless (Microsoft Entra) authentication to access the OpenAI API SDKs.