Hi James Brown
We provide the "Azure AI user role" for users who are just sending inference requests.
Once end users are assigned the above role, they can interact normally with default credentials, as suggested here.
Regarding on-behalf-of credentials, could you check the documentation below?
https://devblogs.microsoft.com/identity/ai-agent-graph-api/?utm_source=chatgpt.com
Summary of steps
- User signs in → Foundry app gets Tc.
- App sends Tc to Agent Identity Blueprint.
- Blueprint obtains T1 using managed identity.
- Agent Identity exchanges Tc + T1 for final resource token.
- Optional: use refresh tokens for async tasks.
- Permissions can inherit from the parent blueprint.
Other relevant threads:
https://learn.microsoft.com/en-us/answers/questions/2247895/on-behalf-of-flow-in-azure-ai-agents
https://github.com/Azure-Samples/ms-identity-python-on-behalf-of
Hope the above documentation helps you address your requirement.
Thank you.
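
The exchange step in the summary above, as an added example that is not part of the original answer or of the linked samples: it checks the user token Tc before building the form fields of a Microsoft identity platform on-behalf-of request. Assumptions: Tc is carried as `assertion` and T1 as `client_assertion`, the expected audience of Tc is whatever app ID your sign-in requested, and all IDs and tokens are constructed sample values.

```python
import base64
import json
import time

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned token used only to run this demo offline."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig"

def read_claims(jwt: str) -> dict:
    """Decode the payload for inspection; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_obo_form(tc, t1, agent_client_id, expected_tc_audience, scope, now=None):
    """Return the form fields for the Tc + T1 exchange, refusing a bad Tc.

    The parameter mapping is an assumption of this example (see lead-in).
    """
    now = time.time() if now is None else now
    claims = read_claims(tc)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # A token minted for another app must never be exchanged here.
    if expected_tc_audience not in audiences:
        raise ValueError(f"Tc audience {aud!r} is not {expected_tc_audience!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("Tc has expired")
    return {
        "grant_type": JWT_BEARER_GRANT,
        "client_id": agent_client_id,
        "client_assertion_type": JWT_CLIENT_ASSERTION,
        "client_assertion": t1,          # T1 from the blueprint step
        "assertion": tc,                 # Tc from the signed-in user
        "requested_token_use": "on_behalf_of",
        "scope": scope,
    }

if __name__ == "__main__":
    tc = make_sample_jwt({"aud": "sample-blueprint-app-id", "exp": time.time() + 300})
    print(build_obo_form(tc, "sample-T1", "sample-agent-id",
                         "sample-blueprint-app-id", "https://graph.microsoft.com/.default"))
```

In production the signature, issuer and tenant of Tc must also be validated with a JWT library before any exchange; the decode here only inspects claims.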