How to authenticate to Azure AI Foundry (ai.azure.com) using Service Principal instead of az login?

Hanif Farahnak 20 Reputation points
2025-06-06T16:14:14.3633333+00:00

I’ve created an Azure AI Foundry (AI Studio) project at https://ai.azure.com and deployed a model there.


All official samples and videos seem to rely on az login for authentication when using the azure-ai-agents SDK or CLI tools.

However, my production server is outside of Azure, and I don't want to use az login. Instead, I created a Service Principal and assigned it several roles (Cognitive Services Contributor, Contributor, etc.) on the Foundry resource.

But authentication using DefaultAzureCredential + Service Principal does not work — I get errors like:

**ResourceNotFound: Subdomain does not map to a resource.**

❓ My Questions:

  1. What exact environment variables should I define in .env (e.g., AZURE_CLIENT_ID, AZURE_TENANT_ID, etc.)?
  2. Where do I get a correct endpoint for AI Studio Foundry projects to use with Python SDKs?
  3. Does the azure-ai-agents SDK support AI Studio projects (services.ai.azure.com), or is it limited to openai.azure.com resources only?
  4. Is there any supported way to authenticate and access agents in Azure AI Studio projects from a production server without using CLI-based login?

🔧 My Current Setup:
PROJECT_ENDPOINT=https://xxxxxx.services.ai.azure.com/api/projects/yyyyy

MODEL_DEPLOYMENT_NAME=gpt-4.1

AZURE_CLIENT_ID=...

AZURE_TENANT_ID=...

AZURE_CLIENT_SECRET=...


Accepted answer
  1. Suwarna S Kale 3,391 Reputation points
    2025-06-06T23:45:48.0433333+00:00

    Hello Hanif Farahnak,

    Thank you for posting your question in the Microsoft Q&A forum. 

    To authenticate with Azure AI Foundry (AI Studio) from a production server outside Azure without using az login, you must properly configure your Service Principal (SP) and SDK initialization. First, ensure your SP has the necessary permissions by assigning it the Cognitive Services User and AI Developer roles at the project or resource group level, rather than relying on broad roles like Contributor. Configure your environment with the required variables: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_CLIENT_SECRET, and AZURE_SUBSCRIPTION_ID, which the DefaultAzureCredential() will automatically use for authentication. 

    The endpoint must be project-specific, obtained from AI Studio --> Project Settings --> API Access, following the format https://<project-name>.api.<region>.cognitive.microsoft.com. Avoid using generic OpenAI endpoints, as they won’t work with AI Foundry resources. Initialize the AIClient in Python with this endpoint and DefaultAzureCredential(), ensuring the SDK can authenticate without CLI dependencies. 

    If issues persist, verify the SP’s validity and permissions using az ad sp show, and enable debug logging to capture authentication errors. 

     

    If the above answer helped, please do not forget to "Accept Answer", as this may help other community members refer to the info if they face a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated. 
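
Added example, not part of the original question or answer and not code from any Azure SDK: a standard-library pre-flight check for the setup discussed in this thread. It confirms that the three variables azure-identity's EnvironmentCredential reads for a client-secret service principal are set, labels the endpoint by host suffix, and never echoes a value. The function names, the use of PROJECT_ENDPOINT and the host-suffix labels are assumptions built from the hostnames that appear on this page.

```python
import os
import re
from urllib.parse import urlsplit

# Variables azure-identity's EnvironmentCredential reads for a service
# principal that authenticates with a client secret.
SP_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Assumption: labels for the host suffixes that appear in this thread.
HOST_KINDS = {
    ".services.ai.azure.com": "foundry-project",
    ".openai.azure.com": "azure-openai",
    ".cognitive.microsoft.com": "cognitive-services",
}

def classify_endpoint(url):
    """Label an endpoint by scheme and host suffix; no network access."""
    parts = urlsplit(url or "")
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host:
        return "invalid"
    return next((k for s, k in HOST_KINDS.items() if host.endswith(s)), "unknown")

def preflight(env):
    """Return (endpoint_kind, problems); problems never contain a value."""
    problems = []
    for name in SP_VARS:
        value = (env.get(name) or "").strip()
        # Empty values and runs of '.', 'x', '<', '>' are treated as unset.
        if not value or set(value) <= set(".xX<>"):
            problems.append(f"{name}: missing or placeholder")
        elif name == "AZURE_CLIENT_ID" and not GUID.match(value):
            problems.append(f"{name}: not a GUID")
    endpoint = env.get("PROJECT_ENDPOINT") or ""
    kind = classify_endpoint(endpoint)
    if kind in ("invalid", "unknown"):
        problems.append("PROJECT_ENDPOINT: not an https URL on a known host")
    elif kind == "foundry-project" and "/api/projects/" not in urlsplit(endpoint).path:
        problems.append("PROJECT_ENDPOINT: no /api/projects/<name> path")
    return kind, problems

if __name__ == "__main__":
    kind, problems = preflight(os.environ)
    print("endpoint kind:", kind)
    for p in problems:
        print("problem:", p)
    raise SystemExit(1 if problems else 0)
```

Run it in the same environment the application starts in (after the .env file is loaded); a non-zero exit means at least one setting would stop a client-secret login before any request reaches the service.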

