Share via

Getting Unauthorized exception when using DefaultAzureCredentials in Azure.AI.Inference.dll's ChatCompeletionsClient

Swamy Nallamalli 20 Reputation points Microsoft Employee
2025-03-14T00:48:31.66+00:00

I am trying to run AI inference using ChatCompeletionsClient class from Azure.AI.Inference and am hitting UnAuthorized issue when trying with DefaultAzureCredentials and trying as myself. I added myself as Cognitive Service User and even Cognitive Service contributor at resource group level. The code is working fine when I use key based authentication.

Code:


var endpoint = Environment.GetEnvironmentVariable("AZURE_INFERENCE_SDK_ENDPOINT") ?? "https://swamyntestaihu6969448557.services.ai.azure.com/models";
var uri = new Uri(endpoint);
var deploymentName = Environment.GetEnvironmentVariable("DEPLOYMENT_NAME") ?? "Phi-3-mini-4k-instruct";

/*
Working well with this uncommented and adding the key

var key = Environment.GetEnvironmentVariable("AZURE_INFERENCE_SDK_KEY") ?? "AZURE_INFERENCE_SDK_KEY";
AzureKeyCredential credential = new AzureKeyCredential(key);
*/

var credential = new DefaultAzureCredential();

var client = new ChatCompletionsClient(uri, credential, new AzureAIInferenceClientOptions());

var requestOptions = new ChatCompletionsOptions()
{
    Messages = {
        new ChatRequestSystemMessage("You are a helpful AI assistant helping me in testing some forms."),
        new ChatRequestUserMessage("Given the following metadata for a user input field, generate a random user input text suitable for the field. Do not include any explanation or metadata. Only output the random text."),
        new ChatRequestUserMessage(domElementConcept.ElementString)
    },
    MaxTokens = 1000,
    Model = deploymentName
};

Response<ChatCompletions> response = client.Complete(requestOptions);
string chatResponse = response.Value.Content ?? string.Empty;
chatResponse = chatResponse.Replace("\"", string.Empty).Trim();
return chatResponse;

Exception with stack:

Azure.RequestFailedException: Unauthorized. Access token is missing, invalid, audience is incorrect (https://cognitiveservices.azure.com), or have expired.
Status: 401 (Unauthorized)

Content:
{ "statusCode": 401, "message": "Unauthorized. Access token is missing, invalid, audience is incorrect (https://cognitiveservices.azure.com), or have expired." }

Headers:
x-ms-client-request-id: 7491a3a6-ad90-4110-817f-261a5d05ae8e
apim-request-id: REDACTED
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
Date: Wed, 12 Mar 2025 22:09:19 GMT
Content-Length: 161
Content-Type: application/json

   at Azure.Core.HttpPipelineExtensions.ProcessMessage(HttpPipeline pipeline, HttpMessage message, RequestContext requestContext, CancellationToken cancellationToken)
   at Azure.AI.Inference.ChatCompletionsClient.Complete(RequestContent content, String extraParams, RequestContext context)
   at Azure.AI.Inference.ChatCompletionsClient.Complete(ChatCompletionsOptions chatCompletionsOptions, CancellationToken cancellationToken)
Azure AI services
Azure AI services
A group of Azure services, SDKs, and APIs designed to make apps more intelligent, engaging, and discoverable.
3,603 questions
Accepted answer
  1. JAYA SHANKAR G S 4,035 Reputation points Microsoft External Staff Moderator
    2025-03-14T06:23:31.5133333+00:00

    Hi @Swamy Nallamalli ,

    When you trying default credential you need to add built-in policy to apply correct token scope.

    It's mentioned in this github repository kindly check it.

    Here, is the code.

    
var endpoint = new Uri(System.Environment.GetEnvironmentVariable("AZURE_OPENAI_CHAT_ENDPOINT"));

var credential = new DefaultAzureCredential(includeInteractiveCredentials: true);

AzureAIInferenceClientOptions clientOptions = new AzureAIInferenceClientOptions();

BearerTokenAuthenticationPolicy tokenPolicy = new BearerTokenAuthenticationPolicy(credential, new string[] { "https://cognitiveservices.azure.com/.default" });

clientOptions.AddPolicy(tokenPolicy, HttpPipelinePosition.PerRetry);

var client = new ChatCompletionsClient(endpoint, credential, clientOptions);

    Here, var credential = new DefaultAzureCredential(includeInteractiveCredentials: true); you make it true for entra id authentication, false for service principal, environment credential etc.. as per below flow.

    Also, if you are using service principal make sure you assign Cognitive Service User and Cognitive Service contributor roles to that service principal in Access Controle(IAM)

    enter image description here

    Let me know if you have any further queries.

    Thank you

    1 person found this answer helpful.
    0 comments

0 additional answers

Sort by: Most helpful
Most helpful Newest Oldest

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.