Disable local authentication in Azure AI Services
Azure AI Services provides Microsoft Entra authentication support for all resources. This feature provides you with seamless integration when you require centralized control and management of identities and resource credentials. Organizations can disable local authentication methods and enforce Microsoft Entra authentication instead.
How to disable local authentication
You can disable local authentication using the Azure policy Azure AI Services resources should have key access disabled (disable local authentication). Set it at the subscription level or resource group level to enforce the policy for a group of services.
If you're creating an account using Bicep / ARM template, you can set the property disableLocalAuth
to true
to disable local authentication. For more information, see
Microsoft.CognitiveServices accounts - Bicep, ARM template, & Terraform
You can also use PowerShell with the Azure CLI to disable local authentication for an individual resource. First sign in with the Connect-AzAccount
command. Then use the Set-AzCognitiveServicesAccount
cmdlet with the parameter -DisableLocalAuth $true
, like the following example:
Set-AzCognitiveServicesAccount -ResourceGroupName "my-resource-group" -Name "my-resource-name" -DisableLocalAuth $true
Verify local authentication status
Disabling local authentication doesn't take effect immediately. Allow a few minutes for the service to block future authentication requests.
You can use PowerShell to determine whether the local authentication policy is currently enabled. First sign in with the Connect-AzAccount
command. Then use the cmdlet Get-AzCognitiveServicesAccount to retrieve your resource, and check the property DisableLocalAuth
. A value of true
means local authentication is disabled.
Re-enable local authentication
To enable local authentication, execute the PowerShell cmdlet Set-AzCognitiveServicesAccount with the parameter -DisableLocalAuth $false
.  Allow a few minutes for the service to accept the change to allow local authentication requests.