Azure OpenAI enterprise SSO
Quick answer
To enable enterprise Single Sign-On (SSO) with Azure OpenAI, configure Azure Active Directory (Azure AD) authentication and assign appropriate roles to your users or managed identities. Use the AzureOpenAI client with Azure AD tokens or managed identity authentication to securely access the service without API keys.
Prerequisites
- Python 3.8+
- Azure subscription with Azure OpenAI resource
- Azure Active Directory tenant with user or managed identity
- pip install azure-identity openai
Setup Azure AD authentication
First, create an Azure OpenAI resource in your Azure portal and enable Azure Active Directory authentication. Assign users or managed identities the Azure OpenAI User role to grant access. Then, install the required Python packages for Azure identity and OpenAI SDK.
pip install azure-identity openai
output
Collecting azure-identity
Collecting openai
Successfully installed azure-identity-1.15.0 openai-1.8.0
Step by step usage with managed identity
Use the DefaultAzureCredential from azure-identity to authenticate via enterprise SSO or managed identity. Then create an AzureOpenAI client with this credential to call the API securely without an API key.
import os
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from openai import AzureOpenAI

# Set environment variables for your Azure OpenAI endpoint and deployment
os.environ["AZURE_OPENAI_ENDPOINT"] = "https://your-resource-name.openai.azure.com/"
os.environ["AZURE_OPENAI_DEPLOYMENT"] = "your-deployment-name"

# Authenticate using DefaultAzureCredential (supports enterprise SSO and managed identity)
credential = DefaultAzureCredential()
# azure_ad_token_provider must be a callable that returns a bearer token,
# so wrap the credential together with the Cognitive Services scope
token_provider = get_bearer_token_provider(
    credential, "https://cognitiveservices.azure.com/.default"
)

client = AzureOpenAI(
    azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"],
    azure_ad_token_provider=token_provider,
    api_version="2024-02-01",  # required by the client; use a version your resource supports
)
response = client.chat.completions.create(
    model=os.environ["AZURE_OPENAI_DEPLOYMENT"],
    messages=[{"role": "user", "content": "Hello from enterprise SSO!"}]
)
print(response.choices[0].message.content)
output
Hello from enterprise SSO! How can I assist you today?
Common variations
- Use user authentication with InteractiveBrowserCredential for local development.
- Switch models by changing the deployment name in AZURE_OPENAI_DEPLOYMENT.
- Use async calls with asyncio and await for scalable applications.
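import asyncio
import os
# Interactive credentials are only available in the synchronous azure.identity package
from azure.identity import InteractiveBrowserCredential, get_bearer_token_provider
from openai import AsyncAzureOpenAI

async def main():
    credential = InteractiveBrowserCredential()
    token_provider = get_bearer_token_provider(
        credential, "https://cognitiveservices.azure.com/.default"
    )
    # Awaitable calls need the async client; it accepts a synchronous token provider
    client = AsyncAzureOpenAI(
        azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"],
        azure_ad_token_provider=token_provider,
        api_version="2024-02-01",  # required by the client; use a version your resource supports
    )
    response = await client.chat.completions.create(
        model=os.environ["AZURE_OPENAI_DEPLOYMENT"],
        messages=[{"role": "user", "content": "Async hello from SSO!"}]
    )
    print(response.choices[0].message.content)

asyncio.run(main())
output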
Async hello from SSO! How can I help you today?
Troubleshooting
- If authentication fails, verify your Azure AD role assignments and that your identity has access to the Azure OpenAI resource.
- Ensure environment variables AZURE_OPENAI_ENDPOINT and AZURE_OPENAI_DEPLOYMENT are correctly set.
- For local development, confirm you are logged in with az login or have valid credentials.
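When authentication fails, it helps to separate token problems from role-assignment problems. The following is an added example, not code from the original page: it decodes an access token's claims without verifying the signature (diagnostics only) and checks audience, expiry, tenant and object ID. The function names, the expected audience value and the sample tokens are assumptions constructed for illustration. Azure RBAC role assignments are checked by the service and are not claims in the token, so an empty result points to the role assignment rather than the token.

```python
import base64
import json
import time

# Assumption: audience of tokens requested with the cognitiveservices .default scope.
EXPECTED_AUDIENCE = "https://cognitiveservices.azure.com"

def decode_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(token, expected_tenant, now=None):
    """Return token-level problems; an empty list means check role assignments next."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if str(claims.get("aud", "")).rstrip("/") != EXPECTED_AUDIENCE:
        problems.append("wrong audience: %r" % claims.get("aud"))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("tid") != expected_tenant:
        problems.append("wrong tenant: %r" % claims.get("tid"))
    if not claims.get("oid"):
        problems.append("no oid claim: nothing to match a role assignment against")
    return problems

def constructed_token(claims):
    """Build an unsigned sample JWT (constructed for this demo, not a real token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

SAMPLE_TENANT = "00000000-0000-0000-0000-000000000001"  # constructed value
GOOD = constructed_token({"aud": EXPECTED_AUDIENCE, "exp": 2_000_000_000,
                          "tid": SAMPLE_TENANT, "oid": "00000000-0000-0000-0000-0000000000aa"})
BAD = constructed_token({"aud": "https://management.azure.com/", "exp": 1_000,
                         "tid": "other-tenant", "oid": ""})

if __name__ == "__main__":
    print(diagnose(GOOD, SAMPLE_TENANT, now=1_700_000_000))
    print(diagnose(BAD, SAMPLE_TENANT, now=1_700_000_000))
```

To check a real token, pass credential.get_token("https://cognitiveservices.azure.com/.default").token to diagnose and log only the findings, never the token itself.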
Key Takeaways
- Use Azure AD authentication with DefaultAzureCredential for secure enterprise SSO access to Azure OpenAI.
- Assign the Azure OpenAI User role to identities to enable permissioned API calls without API keys.
- Set environment variables for endpoint and deployment to configure the AzureOpenAI client.
- Use InteractiveBrowserCredential for local development with user login.
- Verify role assignments and environment variables if authentication errors occur.