App Registration for Azure AI Foundry
Here is the guide for setting up an App Registration in Microsoft Entra ID specifically for Azure AI Foundry (the platform formerly called Azure AI Studio; the hosted model endpoints it exposes were previously branded "Azure AI Model Inference" and are now "Foundry Models").
This is significantly simpler than Microsoft Graph or most other APIs because Azure AI Foundry does NOT require adding any API permissions in the Entra App Registration.
Instead, you do two things only:
1. No API Permissions Are Required in the App Registration
This is crucial: Azure AI Foundry does NOT use Entra API permissions (OAuth2 scopes or application permissions).
You do NOT add:
- ✗ Microsoft Graph permissions
- ✗ API permissions for Azure Cognitive Services
- ✗ Scopes for your Foundry model
- ✗ Anything under "API permissions" at all
Why? Because access to a Foundry resource is governed by Azure RBAC (role assignments on the Azure resource), not by Entra delegated or application permissions. Entra will issue a Cognitive Services token to any app in the tenant that asks for it; it is the resource that then checks whether the calling service principal holds a suitable role.
2. Assign the App Registration a Role on the Azure AI Resource
Your App Registration's service principal must be granted a role directly on the Azure AI Services (or Azure OpenAI) resource that hosts your Foundry models. Role assignments are inherited downward, so an assignment on the resource group or subscription also works, but scope it to the single resource unless you have a reason not to.
You assign the role here:
Azure Portal → Resource → Access control (IAM) → Add role assignment (or from the Azure CLI with az role assignment create, using the app's client ID as the assignee)
You must assign one of:
Recommended roles for server-to-server use:
- Azure AI Developer (preferred)
or
- Cognitive Services User
or
- Cognitive Services Contributor (broadest access)
Caveat before choosing: Cognitive Services User is not a minimal role. Besides the data-plane actions it also carries Microsoft.CognitiveServices/accounts/listKeys/action, so a principal holding it can read the resource's API keys and bypass Entra authentication entirely. If the app only calls Azure OpenAI deployments, the narrower built-in role Cognitive Services OpenAI User (inference only, no key access) is the least-privilege choice. Cognitive Services Contributor is a management role (create, delete, regenerate keys) and grants far more than an inference client needs.
These roles allow:
- Running inference on Foundry models
- Querying deployments
- Using the REST API
- Generating embeddings
- Running chat/completions
- Managing the resource and its deployments (Contributor only)
3. Correct OAuth2 resource ("scope") for Foundry
Azure AI Foundry endpoints served by an Azure AI Services or Azure OpenAI resource use the Cognitive Services scope, whichever model is deployed behind them.
Use this in your client-credential token request:
scope = https://cognitiveservices.azure.com/.default
One caveat: serverless endpoints on a *.models.ai.azure.com hostname are fronted by Azure Machine Learning and expect a token for https://ml.azure.com/.default instead; a token carrying the wrong audience is rejected. Check the deployment's endpoint hostname before picking the scope.
Chilkat parameters:
client_id=...
client_secret=...
tenant_id=...
grant_type=client_credentials
scope=https://cognitiveservices.azure.com/.default
This tells Entra:
"Give me a token whose audience (the aud claim) is the Cognitive Services service."
The token carries no permissions of its own; the endpoint accepts or rejects the call based on the role assignment from step 2.
4. Final Token Endpoint (v2)
POST https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token
Your Chilkat app will receive a valid Bearer token usable for Foundry inference endpoints.
5. Example call to a Foundry endpoint
(Copy the exact endpoint from the deployment's page in the portal; it differs per resource and hosting type. For a Foundry model deployed on an Azure AI Services resource, the chat completions URL has this shape:)
POST https://{your-resource}.services.ai.azure.com/models/chat/completions?api-version=2024-05-01-preview
Authorization: Bearer {access_token}
Content-Type: application/json
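Putting steps 3 to 5 together, here is an added example (written for this guide; it is not code from the page or from Chilkat) of the client-credentials exchange in Python using only the standard library. It also does the check a practitioner wants before sending the token anywhere: decode the access token's claims and confirm that the audience is the Cognitive Services service, that tid matches your tenant and that appid/azp matches your app, which catches a wrong scope or a wrong tenant before the endpoint returns 401. The environment variable names, the FOUNDRY_CHAT_URL placeholder and the make_unsigned_test_token helper (which builds an unsigned, JWT-shaped string from constructed claims so the check can be exercised offline) are assumptions of this example; the token endpoint, grant fields and scope are exactly those in the steps above.

```python
"""Client-credentials token for Azure AI Foundry, audience check, and an inference call.

Added example for this guide (not code from the page or from Chilkat).
Assumed placeholder inputs:
  AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET  (environment variables)
  FOUNDRY_CHAT_URL  the deployment's chat/completions URL copied from the portal
"""
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_SCOPE = "https://cognitiveservices.azure.com/.default"
# Audience Entra puts in the token; the trailing slash may or may not be present.
EXPECTED_AUDIENCE = "https://cognitiveservices.azure.com"


def token_endpoint(tenant_id: str) -> str:
    """v2.0 token endpoint of the tenant that owns the App Registration."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def build_token_request(tenant_id: str, client_id: str, client_secret: str) -> tuple[str, dict]:
    """Return (url, form fields) for the client-credentials grant.
    No API permissions are involved: the scope alone selects the target service."""
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": TOKEN_SCOPE,
    }
    return token_endpoint(tenant_id), form


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature. Fine for inspecting
    a token we just received from Entra over TLS; never use this to authenticate
    a token presented by someone else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, tenant_id: str, client_id: str) -> list[str]:
    """Sanity-check the token before sending it anywhere.
    Returns a list of problems; an empty list means it is the token Foundry expects."""
    claims = jwt_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != EXPECTED_AUDIENCE:
        problems.append(f"audience is {aud!r}, expected {EXPECTED_AUDIENCE!r}; was the scope {TOKEN_SCOPE}?")
    if claims.get("tid") != tenant_id:
        problems.append(f"token issued by tenant {claims.get('tid')!r}, not {tenant_id!r}")
    # v1-format tokens carry the calling app id in 'appid', v2-format tokens in 'azp'.
    issued_to = claims.get("appid") or claims.get("azp")
    if issued_to != client_id:
        problems.append(f"token issued to app {issued_to!r}, not {client_id!r}")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """Assumed helper: build a JWT-shaped string with an empty signature from
    constructed claims so check_token can be exercised offline. Not a real token."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def request_token(tenant_id: str, client_id: str, client_secret: str) -> str:
    """Perform the client-credentials POST and return a checked access token."""
    url, form = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        token = json.load(resp)["access_token"]
    problems = check_token(token, tenant_id, client_id)
    if problems:
        raise RuntimeError("unexpected token: " + "; ".join(problems))
    return token


def build_chat_request(token: str, user_message: str) -> tuple[dict, dict]:
    """Headers and JSON body for a chat/completions call to the deployment."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"messages": [{"role": "user", "content": user_message}]}
    return headers, body


def chat(chat_url: str, token: str, user_message: str) -> dict:
    """Send one user message to the Foundry chat/completions endpoint."""
    headers, body = build_chat_request(token, user_message)
    req = urllib.request.Request(chat_url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    tok = request_token(os.environ["AZURE_TENANT_ID"], os.environ["AZURE_CLIENT_ID"],
                        os.environ["AZURE_CLIENT_SECRET"])
    reply = chat(os.environ["FOUNDRY_CHAT_URL"], tok, "Say hello in one sentence.")
    print(reply["choices"][0]["message"]["content"])
```

If check_token reports a wrong audience, the usual cause is a scope such as https://graph.microsoft.com/.default or https://ml.azure.com/.default being requested instead of the Cognitive Services one; a wrong tid means the secret and tenant ID belong to different App Registrations.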
Summary — What You MUST configure in Azure Entra ID for Foundry
| Requirement | Needed? | Where to configure? |
|---|---|---|
| API permissions (Graph, etc.) | ✗ No | Do NOT add anything |
| Add scopes / delegated perms | ✗ No | Do NOT add anything |
| Create client secret (or upload a certificate, which is preferable to a shared secret) | ✓ Yes | App Registration → Certificates & secrets |
| Add Reply URLs | ✗ No | Not used for client credentials |
| Assign IAM Role | ✓ Yes | Azure AI resource → Access control (IAM) |
| Scope for token | ✓ Yes | https://cognitiveservices.azure.com/.default |
Therefore: you only set up two things
- A credential (client secret or certificate) in the App Registration
- An IAM role assignment on the Azure AI resource, one of:
  - Azure AI Developer (best)
  - Cognitive Services User (inference, but it also lets the principal list the resource's keys)
  - Cognitive Services Contributor (admin-ish)