How to configure Azure OpenAI Service with managed identities

More complex security scenarios require Azure role-based access control (Azure RBAC). This document covers how to authenticate to your OpenAI resource using Microsoft Entra ID.

In the following sections, you'll use the Azure CLI to assign roles, and obtain a bearer token to call the OpenAI resource. If you get stuck, links are provided in each section with all available options for each command in Azure Cloud Shell/Azure CLI.


Sign into the Azure CLI

To sign-in to the Azure CLI, run the following command and complete the sign-in. You may need to do it again if your session has been idle for too long.

az login

Assign yourself to the Cognitive Services User role

Assigning yourself to the "Cognitive Services User" role will allow you to use your account for access to the specific Azure AI services resource.

  1. Get your user information

    export user=$(az account show --query "" -o tsv)
  2. Assign yourself to “Cognitive Services User” role.

    export resourceId=$(az group show -g $RG --query "id" -o tsv)
    az role assignment create --role "Cognitive Services User" --assignee $user --scope $resourceId


    Role assignment change will take ~5 mins to become effective.

  3. Acquire a Microsoft Entra access token. Access tokens expire in one hour. you'll then need to acquire another one.

    export accessToken=$(az account get-access-token --resource --query "accessToken" -o tsv)
  4. Make an API call

Use the access token to authorize your API call by setting the Authorization header value.

curl ${endpoint%/}/openai/deployments/YOUR_DEPLOYMENT_NAME/completions?api-version=2023-05-15 \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $accessToken" \
-d '{ "prompt": "Once upon a time" }'

Authorize access to managed identities

OpenAI supports Microsoft Entra authentication with managed identities for Azure resources. Managed identities for Azure resources can authorize access to Azure AI services resources using Microsoft Entra credentials from applications running in Azure virtual machines (VMs), function apps, virtual machine scale sets, and other services. By using managed identities for Azure resources together with Microsoft Entra authentication, you can avoid storing credentials with your applications that run in the cloud.

Enable managed identities on a VM

Before you can use managed identities for Azure resources to authorize access to Azure AI services resources from your VM, you must enable managed identities for Azure resources on the VM. To learn how to enable managed identities for Azure Resources, see:

For more information about managed identities, see Managed identities for Azure resources.