
mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases — no way to acquire SAMI token for Azure OpenAI or Azure AI Foundry from Spark notebook.

Lilu Wan 0 Reputation points Microsoft Employee
2026-05-23T23:04:22.71+00:00

We are migrating Synapse Spark pipeline authentication from certificate-based Service Principal to workspace System-Assigned Managed Identity (SAMI) to comply with SFI. The SAMI has been granted the required RBAC roles (Cognitive Services OpenAI Contributor, Azure AI User) and the configuration is verified. However, mssparkutils.credentials.getToken() does not support Azure Cognitive Services or Azure AI Foundry as audiences. Per the official documentation (Introduction to Microsoft Spark utilities - Azure Synapse Analytics | Microsoft Learn), the supported audiences are limited to: AzureManagement, Storage, AzureDataExplorer, Synapse, DW, etc. Neither Cognitive Services nor AI Foundry is listed.

This blocks our SFI migration — we cannot eliminate certificate-based auth because there is no way to acquire tokens for these audiences via managed identity from within a Synapse Spark notebook.

What we tested (2026-05-20)

Cognitive Services (https://cognitiveservices.azure.com):

  1. mssparkutils.credentials.getToken("https://cognitiveservices.azure.com") → 400: "Audience has invalid characters"
  2. mssparkutils.credentials.getToken("CognitiveServices") → Not a recognized alias
  3. mssparkutils.credentials.getToken("AzureOpenAI") → Not a recognized alias
  4. mssparkutils.credentials.getToken("AzureCognitiveServices") → Not a recognized alias

AI Foundry (https://ai.azure.com):

  5. mssparkutils.credentials.getToken("https://ai.azure.com") → 400: "Audience has invalid characters"
  6. mssparkutils.credentials.getToken("AIServices") → Not a recognized alias
  7. mssparkutils.credentials.getToken("AzureAIServices") → Not a recognized alias

All other scopes work correctly via named aliases (AzureManagement, Storage, AzureDataExplorer).

Ask

Could we have the following audience aliases added to the Synapse Token Service?  

This would allow mssparkutils.credentials.getToken("CognitiveServices") and mssparkutils.credentials.getToken("AIServices") to return tokens using the workspace managed identity, enabling SFI-compliant authentication for AI workloads in Synapse Spark.

Thank you

Azure Synapse Analytics


2 answers

  1. Smaran Thoomu 35,375 Reputation points Microsoft External Staff Moderator
    2026-05-26T07:36:33.0233333+00:00

    Hi @Lilu Wan

    Thank you for the detailed investigation and testing results.

    Based on the current Microsoft Spark utilities implementation, mssparkutils.credentials.getToken() supports only a predefined set of audience aliases, and currently Azure Cognitive Services / Azure AI Foundry audiences are not included. This explains why requests such as:

    mssparkutils.credentials.getToken("https://cognitiveservices.azure.com")

    or aliases like:

    mssparkutils.credentials.getToken("CognitiveServices")

    are failing.

    At present, the recommended workaround is to use the Azure Identity SDK directly inside the Synapse Spark notebook with the workspace Managed Identity, for example:

    from azure.identity import DefaultAzureCredential

    # On the Synapse Spark pool this resolves to the workspace managed identity
    credential = DefaultAzureCredential()

    # Request a scope (resource URI + "/.default"), not the bare alias that
    # mssparkutils rejected
    token = credential.get_token(
        "https://cognitiveservices.azure.com/.default"
    )

    # Quick check only; avoid leaving a bearer token in saved notebook output
    print(token.token)

    This approach allows token acquisition using the workspace System Assigned Managed Identity without relying on certificate-based authentication.

    Similarly, for Azure AI Foundry scenarios, the corresponding scope can be requested using:

    "https://ai.azure.com/.default"

    Your feedback regarding additional aliases such as:

    CognitiveServices

    AIServices

    is valid and would improve managed identity integration experience within Synapse Spark. We recommend submitting this through official feedback/support channels so the Product Group can evaluate adding support in the Synapse Token Service.

    Thank you for highlighting this scenario and sharing the detailed validation results.

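As an added example (not code from this thread or from the Synapse product), the helper below builds on the azure-identity workaround in the answer above: it maps the alias names the question asked for (CognitiveServices, AIServices) to the "/.default" scopes azure-identity expects, caches each token until shortly before its expires_on, and produces the bearer header used in place of an api-key header. It assumes the credential object passed in exposes get_token(scope) returning an object with token and expires_on attributes, as azure.identity.DefaultAzureCredential does; the names scope_for, AiTokenProvider and CachedToken are mine, and a stub credential stands in for the real one so it runs offline.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Resource URIs for the two audiences in the thread. azure-identity takes
# scopes, so "/.default" is appended in scope_for(); mssparkutils rejected
# these raw URIs with "Audience has invalid characters".
AUDIENCE_RESOURCES: Dict[str, str] = {
    "CognitiveServices": "https://cognitiveservices.azure.com",  # Azure OpenAI
    "AIServices": "https://ai.azure.com",                        # AI Foundry
}
REFRESH_MARGIN_SECONDS = 300  # re-acquire when under 5 minutes remain


def scope_for(alias: str) -> str:
    """Map an alias (the names the question asked for) to an Entra scope."""
    if alias not in AUDIENCE_RESOURCES:
        raise ValueError(f"unknown audience alias {alias!r}; "
                         f"known: {sorted(AUDIENCE_RESOURCES)}")
    return AUDIENCE_RESOURCES[alias] + "/.default"


@dataclass
class CachedToken:
    token: str
    expires_on: int  # POSIX seconds, as azure.core AccessToken reports it


@dataclass
class AiTokenProvider:
    """Hypothetical helper wrapping any credential whose get_token(scope)
    returns an object with .token and .expires_on, e.g.
    azure.identity.DefaultAzureCredential inside the notebook."""
    credential: object
    clock: Callable[[], float] = time.time
    _cache: Dict[str, CachedToken] = field(default_factory=dict)

    def get_token(self, alias: str) -> str:
        scope = scope_for(alias)
        hit = self._cache.get(scope)
        if hit is not None and hit.expires_on - self.clock() > REFRESH_MARGIN_SECONDS:
            return hit.token  # still valid, no round trip to the identity endpoint
        fresh = self.credential.get_token(scope)
        self._cache[scope] = CachedToken(fresh.token, int(fresh.expires_on))
        return fresh.token

    def bearer_header(self, alias: str) -> Dict[str, str]:
        """Authorization header for the AI endpoint, replacing the api-key header."""
        return {"Authorization": f"Bearer {self.get_token(alias)}"}
```

In the notebook, construct it as AiTokenProvider(DefaultAzureCredential()) and pass bearer_header("CognitiveServices") to the HTTP client that calls the Azure OpenAI endpoint.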

  2. Sina Salam 29,846 Reputation points Volunteer Moderator
    2026-05-24T17:16:28.4266667+00:00

    Hello Lilu Wan,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that your mssparkutils.credentials.getToken() does not support CognitiveServices or AIServices audience aliases and you need a way to acquire a SAMI token for Azure OpenAI or Azure AI Foundry from a Spark notebook.

    I reviewed this against the current Microsoft documentation, and the issue is a product limitation, not a misconfiguration. In Azure Synapse Spark, mssparkutils.credentials.getToken() only supports a fixed, documented set of audiences, and Azure OpenAI / Azure AI Foundry audiences are not in that supported list today. That is why values such as CognitiveServices, AIServices, AzureOpenAI, AzureAIServices, https://cognitiveservices.azure.com, and https://ai.azure.com do not work from the notebook. - https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary, https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/microsoft-spark-utilities

    There is also a second documented limitation: in Synapse notebooks and Spark job definitions, the workspace system-assigned managed identity is only supported through linked services and mssparkutils APIs, and MSAL / other authentication libraries cannot use that SAMI path inside the Spark notebook runtime. Because of that, switching to ManagedIdentityCredential, DefaultAzureCredential, or MSAL inside the Synapse notebook is not a supported fix for this exact scenario. - https://learn.microsoft.com/en-us/azure/synapse-analytics/synapse-service-identity, https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.managedidentitycredential?view=azure-python, https://learn.microsoft.com/en-us/python/api/overview/azure/identity-readme?view=azure-python

    So, here is my best advice, since there is no supported way today to obtain an Azure OpenAI / Azure AI Foundry token directly from a Synapse Spark notebook by using the workspace system-assigned managed identity. Adding RBAC such as Cognitive Services OpenAI User / Contributor or Foundry roles is necessary for authorization, but it does not solve this case because the failure happens earlier, at token acquisition. - https://learn.microsoft.com/en-us/dotnet/ai/how-to/app-service-aoai-auth, https://learn.microsoft.com/en-us/azure/foundry/concepts/authentication-authorization-foundry, https://learn.microsoft.com/en-us/azure/synapse-analytics/spark/apache-spark-secure-credentials-with-tokenlibrary

    If the requirement is to remain secretless and managed-identity-based, the only reliable and supportable design is to move the Azure OpenAI / Azure AI Foundry call to an Azure host that supports managed identity directly, such as Azure Functions, App Service, Container Apps, AKS, or VM, assign the required AI roles there, and call that service from Synapse. Microsoft documents that model for Azure-hosted applications using managed identity with Azure OpenAI, and Foundry documentation recommends Microsoft Entra ID for production workloads. - https://learn.microsoft.com/en-us/dotnet/ai/how-to/app-service-aoai-auth, https://learn.microsoft.com/en

    If the requirement is specifically “keep the call inside Synapse Spark and use workspace SAMI directly”, then this remains an unsupported scenario and should be treated as a feature gap in Synapse TokenLibrary / Token Service, not as a notebook-level fix. There is a supported Foundry Tools linked service path in Synapse, but the documented setup uses Key Vault-stored keys, so it changes the authentication model and does not meet your original “SAMI-only / no-secrets” requirement. - https://learn.microsoft.com/en-us/azure/synapse-analytics/synapse-service-identity, https://learn.microsoft.com/en-us/azure/synapse-analytics/machine-learning/tutorial-configure-cognitive-services-synapse

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
