Share via

Authentication in Azure Vision APIs

Mayank Goyal 16 Reputation points
2020-12-22T16:46:07.887+00:00

Hi,

I have few questions regarding authentication process of Azure Vision API with API Key vs AAD.

1) I believe Azure Vision read analyse API has both options for auth - via API key and with AAD?
2) I want to understand for API key vs AAD, which one is recommended mechanism for authentication and why?
3) For AAD, I believe we have to first register custom subdomain on Azure portal which will generate a custom end point for vision API. Along with that, I believe application ID and password will also be required. In our case we are using Rest API to call Azure vision from external program. The link for documentation - https://learn.microsoft.com/en-us/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-azure-active-directory doesn't suggest how will I get the token first with AAD using application ID and password.

I believe it will be 2 API calls, first one to get the token and 2nd one to call API along with token.
Also I believe each time I call the vision API, will have to request token first. Looking for details on steps to be done

4) Any other recommended way to authenticate except these API Key and AAD?

Azure Computer Vision
Azure Computer Vision
An Azure artificial intelligence service that analyzes content in images and video.
339 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,426 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. romungi-MSFT 43,676 Reputation points Microsoft Employee
    2020-12-23T10:50:47.967+00:00

    @Mayank Goyal

    1) I believe Azure Vision read analyse API has both options for auth - via API key and with AAD?

    Yes, there are both options for computer vision service.

    2) I want to understand for API key vs AAD, which one is recommended mechanism for authentication and why?

    The most commonly used way is to use the API key, AAD provides the option to use SP and is more secure because a token is used which expires after a while rather than a key. Depending on the scenario you can choose any of the above. An API key can also be rotated regularly with Azure keyvault to provide a more secure mechanism to handle keys.

    3) For AAD, I believe we have to first register custom subdomain on Azure portal which will generate a custom end point for vision API. Along with that, I believe application ID and password will also be required. In our case we are using Rest API to call Azure vision from external program. The link for documentation - https://learn.microsoft.com/en-us/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-azure-active-directory doesn't suggest how will I get the token first with AAD using application ID and password.

    You can set a password for the AD application and get the token when you run the following:

    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList "https://login.windows.net/<TENANT_ID>"  
$secureSecretObject = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.SecureClientSecret" -ArgumentList $SecureStringPassword     
$clientCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $app.ApplicationId, $secureSecretObject  
$token=$authContext.AcquireTokenAsync("https://cognitiveservices.azure.com/", $clientCredential).Result  
$token

    The token will have the expiration limit where you can use it until expiry for other API calls to computer vision

    A new token will only be required after it expires.

    4) Any other recommended way to authenticate except these API Key and AAD?

    Currently these are the supported ways to use the API.