How to Intermediate · 3 min read

Azure OpenAI managed identity authentication

Quick answer
Use the AzureOpenAI client with azure_ad_token_provider set to DefaultAzureCredential() from azure.identity to authenticate via managed identity. This enables secure token-based access without storing API keys in your environment.

PREREQUISITES

  • Python 3.8+
  • pip install openai>=1.0 azure-identity
  • Azure subscription with managed identity enabled
  • Azure OpenAI resource deployed

Setup

Install the required Python packages and set environment variables for your Azure OpenAI endpoint and deployment name. Managed identity authentication requires the azure-identity package.

bash
pip install openai azure-identity
output 
Requirement already satisfied: openai in ...
Requirement already satisfied: azure-identity in ...

Step by step

This example shows how to authenticate to Azure OpenAI using managed identity with DefaultAzureCredential. It calls the chat completion endpoint securely without an API key.

python
import os
from openai import AzureOpenAI
from azure.identity import DefaultAzureCredential

# Set environment variables for your Azure OpenAI resource
os.environ["AZURE_OPENAI_ENDPOINT"] = "https://your-resource-name.openai.azure.com/"
os.environ["AZURE_OPENAI_DEPLOYMENT"] = "your-deployment-name"

# Create client with managed identity token provider
client = AzureOpenAI(
    azure_endpoint=os.environ["AZURE_OPENAI_ENDPOINT"],
    azure_ad_token_provider=DefaultAzureCredential()
)

response = client.chat.completions.create(
    model=os.environ["AZURE_OPENAI_DEPLOYMENT"],
    messages=[{"role": "user", "content": "Hello from managed identity!"}]
)
print(response.choices[0].message.content)
output 
Hello from managed identity! How can I assist you today?

Common variations

  • Use async with asyncio and await client.chat.completions.acreate(...) for asynchronous calls.
  • Switch models by changing the deployment name in model=.
  • Use environment variables or Azure Key Vault for endpoint configuration.
python
import asyncio

async def main():
    response = await client.chat.completions.acreate(
        model=os.environ["AZURE_OPENAI_DEPLOYMENT"],
        messages=[{"role": "user", "content": "Async hello!"}]
    )
    print(response.choices[0].message.content)

asyncio.run(main())
output 
Async hello! How can I assist you today?

Troubleshooting

  • If you get CredentialUnavailableError, ensure your environment supports managed identity (e.g., Azure VM, App Service, or Azure Functions).
  • Verify your Azure OpenAI resource has the correct role assignments for the managed identity.
  • Check that AZURE_OPENAI_ENDPOINT and deployment names are correct and accessible.

Key Takeaways

  • Use DefaultAzureCredential from azure.identity to enable managed identity authentication for Azure OpenAI.
  • No API key is needed; authentication is handled securely by Azure infrastructure.
  • Set azure_ad_token_provider when creating AzureOpenAI client for token-based access.
  • Ensure your Azure environment supports managed identity and has proper permissions.
  • Async calls are supported with acreate methods for scalable applications.
Verified 2026-04 · gpt-4o, AzureOpenAI
Verify ↗

People also ask

🛠 How to use managed identity with Azure OpenAI Azure OpenAI ⚖️ Azure OpenAI API key vs Entra ID authentication Azure OpenAI 🐛 Fix Azure OpenAI authentication error Azure OpenAI ⚖️ Claude API vs Azure OpenAI comparison Claude & Anthropic ⚖️ AWS Bedrock vs Azure OpenAI comparison AWS Bedrock

Up next

🛠 Azure OpenAI multi-region deployment 🛠 Azure OpenAI private endpoints ⚖️ Azure OpenAI PTU vs consumption pricing 🛠 Azure OpenAI quota management enterprise

More in Guides

🛠 Azure OpenAI audit logs 🛠 Azure OpenAI content filtering enterprise 🛠 Azure OpenAI data privacy policy 🛠 Azure OpenAI enterprise compliance