Issues connecting to Azure AI Foundry models using MS Entra ID from Python

Question

Issues connecting to Azure AI Foundry models using MS Entra ID from Python

Terrence Rideau 11

I am trying to connect a non-Azure OpenAI embedding model in AI Foundry using Microsoft Entra ID.

I don't have an issue connecting to Azure OpenAI embedding models using Microsoft Entra ID.

After creating a client and executing the following simple code:

model = EmbeddingsClient(
    endpoint=endpoint,
    credential=DefaultAzureCredential(),
    model=model_name
)

response = model.embed(
    input=["first phrase","second phrase","third phrase"],
)

I get the following error when "response" is created:

Unauthorized. Access token is missing, invalid, audience is incorrect (https://cognitiveservices.azure.com or https://ai.azure.com), or have expired.

I have tried using the following in the code but I still have the issue

token_provider = get_bearer_token_provider(
    DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default"
)

Sina Salam 20,591 Reputation points Moderator

2025-05-05T10:49:18.5366667+00:00
Hello Terrence Rideau,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you're having issues connecting to Azure AI Foundry models using MS Entra ID from Python.

Review the code below:

from azure.identity import DefaultAzureCredential from azure.ai.embeddings import EmbeddingsClient # Ensure the correct endpoint and model name endpoint = "your_endpoint" model_name = "your_model_name" # Initialize the credential and client credential = DefaultAzureCredential() model = EmbeddingsClient( endpoint=endpoint, credential=credential, model=model_name ) # Function to get the bearer token def get_bearer_token(): token = credential.get_token("https://your-non-azure-service/.default") print(f"Token: {token.token}") return token.token # Embed phrases response = model.embed( input=["first phrase", "second phrase", "third phrase"], token_provider=get_bearer_token ) print(response)

Right from the top of the code, check and be sure you have proper credential setup that your DefaultAzureCredential is correctly configured and has the necessary permissions to access the resource.

Check that the audience (aud) claim in your access token matches the expected audience for the non-Azure service. This might be different from the default Azure Cognitive Services audience.

Make sure the access token you're using hasn't expired. Tokens typically have a limited lifespan and need to be refreshed periodically.

Also, check that the scope you're requesting in your token is correct. For non-Azure services, you might need to specify a different scope.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Manas Mohanty 3,955 Reputation points Microsoft External Staff Moderator

2025-05-07T09:04:06.4566667+00:00

Hello Terrence Rideau,

Please let us know if the below shared code helped address your issue.

Thank you.
Terrence Rideau 11 Reputation points

2025-05-07T20:03:39.16+00:00

I will try and let you know.
Manas Mohanty 3,955 Reputation points Microsoft External Staff Moderator

2025-05-09T11:09:18.62+00:00

Hi Terrence Rideau •

I have updated my answer with a similar approach provided earlier.

Basically, to Use below code, we are changing authentication to Entra id authentication in connected resource in which embedding model is created.

and using Default credential to get token.

Note: I was able to replicate the issue mentioned by you. Below code will only work if you are changing authentication to MS Entra from connected resources.

Thank you

1 answer

Your answer

Sina Salam 20,591 Reputation points Moderator

2025-05-05T10:49:18.5366667+00:00

Hello Terrence Rideau,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you're having issues connecting to Azure AI Foundry models using MS Entra ID from Python.

Review the code below:

from azure.identity import DefaultAzureCredential from azure.ai.embeddings import EmbeddingsClient # Ensure the correct endpoint and model name endpoint = "your_endpoint" model_name = "your_model_name" # Initialize the credential and client credential = DefaultAzureCredential() model = EmbeddingsClient( endpoint=endpoint, credential=credential, model=model_name ) # Function to get the bearer token def get_bearer_token(): token = credential.get_token("https://your-non-azure-service/.default") print(f"Token: {token.token}") return token.token # Embed phrases response = model.embed( input=["first phrase", "second phrase", "third phrase"], token_provider=get_bearer_token ) print(response)

Right from the top of the code, check and be sure you have proper credential setup that your DefaultAzureCredential is correctly configured and has the necessary permissions to access the resource.

Check that the audience (aud) claim in your access token matches the expected audience for the non-Azure service. This might be different from the default Azure Cognitive Services audience.

Make sure the access token you're using hasn't expired. Tokens typically have a limited lifespan and need to be refreshed periodically.

Also, check that the scope you're requesting in your token is correct. For non-Azure services, you might need to specify a different scope.

I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
Manas Mohanty 3,955 Reputation points Microsoft External Staff Moderator

2025-05-07T09:04:06.4566667+00:00

Hello Terrence Rideau,

Please let us know if the below shared code helped address your issue.

Thank you.
Terrence Rideau 11 Reputation points

2025-05-07T20:03:39.16+00:00

I will try and let you know.
Manas Mohanty 3,955 Reputation points Microsoft External Staff Moderator

2025-05-09T11:09:18.62+00:00

Hi Terrence Rideau •

I have updated my answer with a similar approach provided earlier.

Basically, to Use below code, we are changing authentication to Entra id authentication in connected resource in which embedding model is created.

and using Default credential to get token.

Note: I was able to replicate the issue mentioned by you. Below code will only work if you are changing authentication to MS Entra from connected resources.

Thank you

Answer 1

Hello Terrence Rideau,

Step 1

Go to your model endpoint, locate the OpenAI resource containing the embedding model

locateazureopenai

Step 2

Go to connected resource of your Azure AI project

Click on the resource (Azure OpenAI one) and switch to MS Entra id authentication as show in screenshot

Step 3

Click on the Azure OpenAI resource from connected resource

Please add your email address or ML studio as Cognitive Services User from "Add role assignment section of connected resource's IAM section.

Step 4

Do "az login" if you are testing from local terminal and authenticate your tenant prior

Reference - https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/rbac-azure-ai-foundry

Then install OpenAI with below command

%pip install openai

Using default credentials, Please run below code (which can be procured from sample code section of your endpoint when switched to MS entra authentication on your endpoint)


import os
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from openai import AzureOpenAI

endpoint = "https://<yourazureopenAiurl>.openai.azure.com/openai/deployments/text-embedding-3-small/embeddings?api-version=2023-05-15" #endpoint copied from models+endpoints
model_name = "text-embedding-3-small"
deployment = "text-embedding-3-small"

token_provider = get_bearer_token_provider(DefaultAzureCredential(), "https://cognitiveservices.azure.com/.default")
api_version = "2024-02-01"


client = AzureOpenAI(
    api_version=api_version,
    azure_endpoint=endpoint,
    azure_ad_token_provider=token_provider,
)

response = client.embeddings.create(
    input=["first phrase","second phrase","third phrase"],
    model=deployment
)

for item in response.data:
    length = len(item.embedding)
    print(
        f"data[{item.index}]: length={length}, "
        f"[{item.embedding[0]}, {item.embedding[1]}, "
        f"..., {item.embedding[length-2]}, {item.embedding[length-1]}]"
    )
print(response.usage)

Output


data[0]: length=1536, [-0.00721184303984046, 0.007491494063287973, ..., 0.01611734740436077, -0.004887983202934265]
data[1]: length=1536, [-0.003025691257789731, 0.009231699630618095, ..., 0.029947662726044655, 0.020937401801347733]
data[2]: length=1536, [-0.013795719482004642, 0.031857650727033615, ..., 0.017506178468465805, 0.0226223636418581]
Usage(prompt_tokens=6, total_tokens=6)

Reference used -https://learn.microsoft.com/en-us/azure/ai-foundry/model-inference/how-to/configure-entra-id?tabs=python&pivots=ai-foundry-portal#understand-roles-in-the-context-of-resource-in-azure

Thank you.

Share via

Issues connecting to Azure AI Foundry models using MS Entra ID from Python

1 answer

Your answer