mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases — no way to acquire SAMI token for Azure OpenAI or Azure AI Foundry from Spark notebook.

Question

mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases — no way to acquire SAMI token for Azure OpenAI or Azure AI Foundry from Spark notebook.

Lilu Wan 0 Microsoft Employee

We are migrating Synapse Spark pipeline authentication from certificate-based Service Principal to workspace System-Assigned Managed Identity (SAMI) to comply with SFI. The SAMI has been granted the required RBAC roles (Cognitive Services OpenAI Contributor, Azure AI User) and the configuration is verified. However, mssparkutils.credentials.getToken() does not support Azure Cognitive Services or Azure AI Foundry as audiences. Per the official documentation (Introduction to Microsoft Spark utilities - Azure Synapse Analytics | Microsoft Learn), the supported audiences are limited to: AzureManagement, Storage, AzureDataExplorer, Synapse, DW, etc. Neither Cognitive Services nor AI Foundry is listed.

This blocks our SFI migration — we cannot eliminate certificate-based auth because there is no way to acquire tokens for these audiences via managed identity from within a Synapse Spark notebook.

What we tested (2026-05-20) Cognitive Services (https://cognitiveservices.azure.com):

mssparkutils.credentials.getToken("https://cognitiveservices.azure.com") → 400: "Audience has invalid characters"
mssparkutils.credentials.getToken("CognitiveServices") → Not a recognized alias
mssparkutils.credentials.getToken("AzureOpenAI") → Not a recognized alias
mssparkutils.credentials.getToken("AzureCognitiveServices") → Not a recognized alias

AI Foundry (https://ai.azure.com):

mssparkutils.credentials.getToken("https://ai.azure.com") → 400: "Audience has invalid characters"
mssparkutils.credentials.getToken("AIServices") → Not a recognized alias

7. mssparkutils.credentials.getToken("AzureAIServices") → Not a recognized alias All other scopes work correctly via named aliases (AzureManagement, Storage, AzureDataExplorer).

Ask

Could we have the following audience aliases added to the Synapse Token Service?

CognitiveServices → https://cognitiveservices.azure.com (for Azure OpenAI API calls)
AIServices → https://ai.azure.com (for Azure AI Foundry project access)

This would allow mssparkutils.credentials.getToken("CognitiveServices") and mssparkutils.credentials.getToken("AIServices") to return tokens using the workspace managed identity, enabling SFI-compliant authentication for AI workloads in Synapse Spark.

Thank you

Gautami Bhoopati 90 Reputation points Microsoft External Staff Moderator

2026-05-24T07:04:37.0466667+00:00
Hey @Lilu Wan ,
Thanks for the detailed write-up. You’re right—today’s mssparkutils.credentials.getToken API only knows about a fixed set of audience aliases (Storage, Vault, AzureManagement, DW, Synapse, ADF, AzureDataExplorer, AzureOSSDB, etc.), and it doesn’t expose CognitiveServices or AIServices. That’s why all your attempts to call getToken("https://cognitiveservices.azure.com") or getToken("CognitiveServices") are being rejected as unrecognized.

Here’s what you can do today to move off certificate-based auth in your Spark notebook:

Use the Azure Identity library directly instead of mssparkutils for those two endpoints. • In your notebook, pip-install azure-identity:
%pip install azure-identity
• Acquire a token with DefaultAzureCredential (which will pick up your workspace system-assigned identity):
from azure.identity import DefaultAzureCredential credential = DefaultAzureCredential() token = credential.get_token("https://cognitiveservices.azure.com/.default") spark.conf.set("fs.azure.token.provider.type", "Custom") # or however you pass the bearer token into your REST calls print(token.token)
• Do the same for https://ai.azure.com/.default when calling Azure AI Foundry APIs.

File a feature request so the Synapse Token Service adds the two aliases you asked for: • CognitiveServices → https://cognitiveservices.azure.com • AIServices → https://ai.azure.com

That way, once the platform teams add them, you’d be able to do:

mssparkutils.credentials.getToken("CognitiveServices") mssparkutils.credentials.getToken("AIServices")

and get back tokens via your workspace managed identity.

Hope this helps unblock your SFI migration. Let me know if you need any code samples or run into other errors!

Reference docs

Microsoft Spark utilities (credentials) – supported audience aliases https://learn.microsoft.com/azure/synapse-analytics/spark/microsoft-spark-utilities#credentials-utilities

Secure credentials with linked services using mssparkutils https://learn.microsoft.com/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary#tokenlibrary-for-other-linked-services

DefaultAzureCredential (azure-identity) https://learn.microsoft.com/python/api/overview/azure/identity-readme

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Sina Salam 29,111 Reputation points Volunteer Moderator

2026-05-24T17:16:28.4266667+00:00
Hello Lilu Wan,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that your mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases and you need away to acquire SAMI token for Azure OpenAI or Azure AI Foundry from Spark notebook.

If your requirement is strict, my best advice is to use managed identity only, no certificate, no client secret, no API key, and keep the caller as Synapse Spark notebook using workspace SAMI. This is not currently supported in Azure Synapse Spark. Stop trying to force mssparkutils.getToken() or azure-identity inside the notebook.
The only reliable way is to move the Azure OpenAI / Azure AI Foundry call out of Synapse Spark into an Azure host that officially supports managed identity with Azure Identity (for example Azure Functions, Azure App Service, Azure Container Apps, AKS, etc.), then call that internal service from Synapse. Microsoft documents managed identity support for Azure-hosted app scenarios and for Azure AI / OpenAI keyless connections there. https://learn.microsoft.com/en-us/azure/developer/ai/keyless-connections, https://learn.microsoft.com/en-us/azure/service-connector/how-to-integrate-cognitive-services, https://learn.microsoft.com/en-us/azure/ai-services/authentication

But if not then, the only supported Synapse-native workaround today is not only managed-identity. It is:

Use Key Vault + Foundry Tools linked service / API key for SynapseML or linked-service-based access as documented for Synapse AI/Foundry integration; or

Use a service principal secret/certificate stored in Key Vault and retrieved via mssparkutils.credentials.getSecret(...), then acquire the AI token outside of workspace-SAMI. Microsoft’s own Synapse Foundry quickstart documents the Key Vault + key pattern for Foundry Tools in Synapse. - https://learn.microsoft.com/en-us/azure/synapse-analytics/machine-learning/tutorial-configure-cognitive-services-synapse, https://learn.microsoft.com/en-us/azure/synapse-analytics/machine-learning/overview-cognitive-services, https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary, https://learn.microsoft.com/en-us/azure/synapse-analytics/synapse-service-identity

Use the associated links for more reading and steps.

I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Lilu Wan 0 Reputation points Microsoft Employee

2026-05-26T21:47:02.7133333+00:00

Thank you for the response. Could you clarify which specific credential class within DefaultAzureCredential is expected to acquire the workspace SAMI token in a Synapse Spark pool?

I tested both the suggested DefaultAzureCredential approach and an additional federated identity credential workaround. Neither works in Synapse Spark pools.

EnvironmentCredential: No AZURE_CLIENT_ID/AZURE_TENANT_ID env vars

WorkloadIdentityCredential: No AZURE_FEDERATED_TOKEN_FILE env var

ManagedIdentityCredential: No IMDS endpoint (169.254.169.254 unreachable)

AzureCliCredential: Azure CLI not installed

AzurePowerShellCredential: PowerShell not installed

No MSI_ENDPOINT, IDENTITY_ENDPOINT, or AZURE_CLIENT_ID environment variables are set in the Spark pool. Is there a Synapse-specific credential provider or a runtime version where this works?

1 answer

Your answer

Lilu Wan 0 Reputation points Microsoft Employee

2026-05-26T21:47:02.7133333+00:00

Thank you for the response. Could you clarify which specific credential class within DefaultAzureCredential is expected to acquire the workspace SAMI token in a Synapse Spark pool?

I tested both the suggested DefaultAzureCredential approach and an additional federated identity credential workaround. Neither works in Synapse Spark pools.

EnvironmentCredential: No AZURE_CLIENT_ID/AZURE_TENANT_ID env vars

WorkloadIdentityCredential: No AZURE_FEDERATED_TOKEN_FILE env var

ManagedIdentityCredential: No IMDS endpoint (169.254.169.254 unreachable)

AzureCliCredential: Azure CLI not installed

AzurePowerShellCredential: PowerShell not installed

No MSI_ENDPOINT, IDENTITY_ENDPOINT, or AZURE_CLIENT_ID environment variables are set in the Spark pool. Is there a Synapse-specific credential provider or a runtime version where this works?

Answer 1

Hi @Lilu Wan

Thank you for the detailed investigation and testing results.

Based on the current Microsoft Spark utilities implementation, mssparkutils.credentials.getToken() supports only a predefined set of audience aliases, and currently Azure Cognitive Services / Azure AI Foundry audiences are not included. This explains why requests such as:

mssparkutils.credentials.getToken("https://cognitiveservices.azure.com")

or aliases like:

mssparkutils.credentials.getToken("CognitiveServices")

are failing.

At present, the recommended workaround is to use the Azure Identity SDK directly inside the Synapse Spark notebook with the workspace Managed Identity, for example:

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

token = credential.get_token(
    "https://cognitiveservices.azure.com/.default"
)

print(token.token)

This approach allows token acquisition using the workspace System Assigned Managed Identity without relying on certificate-based authentication.

Similarly, for Azure AI Foundry scenarios, the corresponding scope can be requested using:

"https://ai.azure.com/.default"

Your feedback regarding additional aliases such as:

CognitiveServices

AIServices

is valid and would improve managed identity integration experience within Synapse Spark. We recommend submitting this through official feedback/support channels so the Product Group can evaluate adding support in the Synapse Token Service.

Thank you for highlighting this scenario and sharing the detailed validation results.

Share via

mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases — no way to acquire SAMI token for Azure OpenAI or Azure AI Foundry from Spark notebook.

1 answer

Your answer