Incorrect token scope when using project.get_openai_client leads to 401
- Package: azure-ai-projects
- Version: 2.0.0b2
- OS: Windows
- Python: 3.12
Describe the bug
```python
from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential

# Project client as in the Foundry SDK docs; endpoint placeholder stands in for the real project endpoint.
project = AIProjectClient(
    endpoint="https://<your-ai-services-account-name>.services.ai.azure.com/api/projects/<your-project-name>",
    credential=DefaultAzureCredential(),
)

openai_client = project.get_openai_client()
response = openai_client.responses.create(
    model="gpt-4.1",
    input="What is the size of France in square miles?",
)
```
...fails with AuthenticationError: Error code: 401 - {'statusCode': 401, 'message': 'Unauthorized. Access token is missing, invalid, audience is incorrect (https://ai.azure.com/), or have expired.'}
(I have 'Azure AI Developer' role and 'Cognitive Services OpenAI User' set on the Foundry project.)
My impression is that get_openai_client() is supposed to switch contexts to the Data Plane Scope (https://cognitiveservices.azure.com), but it is failing to do so.
To Reproduce
Steps to reproduce the behavior:
Try the samples of the official Foundry (new) docs: https://learn.microsoft.com/en-us/azure/ai-foundry/how-to/develop/sdk-overview?view=foundry&pivots=programming-language-python#foundry-sdk
Expected behavior
It should reach and use the endpoint without error.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @dargilco @glharper @howieleung @kingernupur @nick863 @trangevi @trrwilson.
@robert4os Thank you for opening this GitHub issue. The scope is correctly set to https://ai.azure.com/.default as shown here: https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/ai/azure-ai-projects/azure/ai/projects/_patch.py#L244 . That scope applies to all data-plane REST API routes on the Foundry endpoint (everything under https://<your-ai-services-account-name>.services.ai.azure.com/api/projects/<your-project-name>). You are getting this error due to some other permissions issue. This is the page that discussed Entra ID roles: https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/rbac-azure-ai-foundry?view=foundry
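The error message above lists four possible causes (token missing, invalid, wrong audience, expired), and only one of them is the scope question raised in this issue. The following is an added diagnostic, not code from the azure-ai-projects SDK or from either participant: it decodes the JWT payload of an access token offline (no signature verification, which is fine for local diagnosis since the service is the real verifier) and reports whether the `aud` claim matches the audience implied by the `https://ai.azure.com/.default` scope named in the reply, and whether the token is still within its lifetime. An empty result means the scope is right and the 401 is almost certainly a role-assignment problem. The sample tokens are constructed, unsigned test values; obtaining a real one via `DefaultAzureCredential().get_token(...)` is shown only as a commented assumption because it needs azure-identity and a signed-in principal.

```python
"""Offline audience/lifetime check for an Entra ID access token (added example)."""
import base64
import json
import time
from typing import List, Optional

# Scope the SDK requests for Foundry data-plane routes, per the maintainer's reply.
FOUNDRY_SCOPE = "https://ai.azure.com/.default"


def scope_to_audience(scope: str) -> str:
    """'https://ai.azure.com/.default' -> 'https://ai.azure.com'."""
    if scope.endswith("/.default"):
        scope = scope[: -len("/.default")]
    return scope


def _normalize(aud: str) -> str:
    # Tokens sometimes carry the resource URI with a trailing slash; compare loosely.
    return aud.rstrip("/").lower()


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, scope: str = FOUNDRY_SCOPE, now: Optional[float] = None) -> List[str]:
    """List reasons the Foundry endpoint might reject this token.

    Empty list: audience and lifetime look right, so a 401 most likely comes
    from RBAC (missing role assignment) rather than from the requested scope.
    """
    now = time.time() if now is None else now
    problems: List[str] = []
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers binascii.Error and json.JSONDecodeError too
        return [f"token is not a decodable JWT: {exc}"]

    expected = _normalize(scope_to_audience(scope))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(isinstance(a, str) and _normalize(a) == expected for a in auds):
        problems.append(
            f"audience {aud!r} does not match {expected!r}; the token was requested for the wrong scope"
        )

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("token has no numeric 'exp' claim")
    elif exp <= now:
        problems.append("token has expired")

    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf > now:
        problems.append("token is not yet valid (nbf in the future)")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) for local tests; never send one of these anywhere."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    # Constructed samples: the audience the SDK asks for, and the one the issue author expected.
    samples = {
        "ai.azure.com token": make_unsigned_token({"aud": "https://ai.azure.com", "exp": now + 3600}),
        "cognitiveservices token": make_unsigned_token(
            {"aud": "https://cognitiveservices.azure.com", "exp": now + 3600}
        ),
        "expired token": make_unsigned_token({"aud": "https://ai.azure.com/", "exp": now - 60}),
    }
    for name, tok in samples.items():
        print(name, "->", diagnose_token(tok) or "looks fine; check role assignments")
    # With azure-identity installed (assumption, not run here), a real token would come from:
    #   from azure.identity import DefaultAzureCredential
    #   real = DefaultAzureCredential().get_token(FOUNDRY_SCOPE).token
    #   print(diagnose_token(real))
```

If the real token decodes cleanly with `aud` = `https://ai.azure.com` and is unexpired, the remaining suspects are the RBAC data actions discussed in the rest of this thread, not the scope.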
@dargilco Thank you, according to the Entra ID roles you have cited, 'Azure AI User' on the foundry-project should be fine to 'Build and develop in a project (data actions)'...
But I had this role already assigned when I opened this issue. And the above error persists.
@robert4os we are working to update the document https://learn.microsoft.com/en-us/azure/ai-foundry/concepts/rbac-azure-ai-foundry?view=foundry . Can you try the following:
- Sign in to the Azure portal.
- On the Azure Resource of type 'Foundry project':
  - From the left pane, select Resource Management > Identity.
  - Use the toggle to enable a system-assigned managed identity. By default, this is enabled for all projects, unless a user-assigned managed identity is selected at creation of the Foundry project.
- On the Azure Resource of type 'Foundry' that contains your project:
  - From the left pane, select Access control (IAM).
  - Select Add > Add role assignment.
  - Under Role, select Azure AI User as the built-in role to assign.
  - Under Members, select Assign access to Managed Identity. Select the managed identity of your Foundry project within your subscription.
  - Finally, Review + assign the role.