Entra ID Authentication for Azure AI Language, Translator, and Speech Services

Priya Maurya (LTIMindtree Limited) 0 Reputation points Microsoft External Staff
2026-06-22T05:50:00.4033333+00:00

We need help integrating the following Azure AI services into our Azure AI Foundry project:

  • Azure Language Detection
  • Azure Text Translation
  • Azure Speech-to-Text
  • Azure Speech Translation

Issue: Sample code uses API key authentication, but our environment has key-based auth disabled. We use Microsoft Entra ID only.

How do we enable these services and authenticate using Entra ID?

Azure Speech in Foundry Tools

2 answers

  1. SRILAKSHMI C 19,550 Reputation points Microsoft External Staff Moderator
    2026-06-22T07:52:21.93+00:00

    Hello @Priya Maurya (LTIMindtree Limited)

    Thank you for reaching out to Microsoft Q&A.

    Yes, Azure AI Language, Azure AI Translator, and Azure AI Speech services support Microsoft Entra ID (Azure AD) authentication, and it is possible to use these services without API keys when key-based authentication has been disabled on your Azure AI resources.

    The sample code available in many tutorials and quickstarts often uses API keys for simplicity; however, for enterprise environments where local authentication is disabled, the recommended approach is to use Microsoft Entra ID authentication with Managed Identities, Service Principals, or Azure Identity credentials.

    Recommended Architecture

    Since your environment is configured for Entra ID only, the recommended pattern is:

    • Azure AI Foundry Project
    • Managed Identity (preferred) or Service Principal
    • Azure Identity SDK (DefaultAzureCredential, ManagedIdentityCredential, etc.)
    • Azure RBAC permissions on the target AI resources

    This allows all service calls to be authenticated through Microsoft Entra ID without requiring subscription keys.

    1. Azure AI Language Service (Language Detection)

    Azure AI Language services support Microsoft Entra ID authentication.

    For Language Detection and other Language APIs:

    Required configuration

    • Enable Microsoft Entra authentication on the resource.
    • Assign the appropriate RBAC role to the calling identity.

    Typical roles include:

    • Cognitive Services User
    • Cognitive Services Contributor (if management operations are required)

    Authentication approach

    Instead of passing:

    Ocp-Apim-Subscription-Key
    

    your application should:

    • Obtain an Entra ID access token using Azure Identity.
    • Authenticate requests using the token.

    If Azure AI Foundry is making the calls, we recommend granting permissions directly to the Foundry Project Managed Identity.

    2. Azure AI Translator (Text Translation)

    Azure AI Translator fully supports Microsoft Entra ID authentication.

    When using Entra ID, requests are authenticated using a bearer token rather than a subscription key.

    Authentication flow

    Obtain an access token through:

    • Managed Identity
    • Service Principal
    • DefaultAzureCredential

    Include the token in the request:

    Authorization: Bearer <access-token>
    

    instead of:

    Ocp-Apim-Subscription-Key: <key>
    

    RBAC requirements

    Assign the appropriate Cognitive Services permissions to the identity calling the Translator service.

    If Translator is being consumed through Azure AI Foundry, the Foundry Managed Identity should be granted access to the Translator resource.

    3. Azure AI Speech Services

    Azure AI Speech services also support Microsoft Entra ID authentication.

    For Speech-to-Text and Speech Translation workloads:

    Required configuration

    • Configure Microsoft Entra authentication for the Speech resource.
    • Assign the required RBAC permissions to the Managed Identity or Service Principal.
    • Use Azure Identity to acquire access tokens.

    Recommended authentication

    Use Managed Identity, DefaultAzureCredential, ManagedIdentityCredential instead of Speech Keys.

    The Speech SDK can be configured to authenticate using Entra ID tokens rather than subscription keys.

    If you're integrating Speech into a platform that does not yet support direct Entra ID authentication, a common workaround is:

    • Create an Azure Function with Managed Identity enabled.
    • Authenticate to Speech using Entra ID from the Function.
    • Expose the Function as an intermediary endpoint.
    • Call the Function from Azure AI Foundry, pipelines, or other applications.

    This pattern is commonly used when integrating with services that expect token-based authentication but do not directly support Managed Identity configuration.

    4. Azure AI Foundry Integration

    For Azure AI Foundry projects, Microsoft recommends using the Project Managed Identity whenever possible.

    The Managed Identity is granted the required RBAC permissions on:

    • Azure AI Language
    • Azure AI Translator
    • Azure AI Speech

    This eliminates the need for API keys entirely and aligns with enterprise security requirements.

    If you encounter authentication failures after switching to Entra ID, the most common causes are:

    401 Unauthorized

    Typically caused by:

    • Missing access token
    • Expired access token
    • Incorrect token audience/scope
    • Identity lacks RBAC permissions

    403 Forbidden

    Typically caused by:

    • Identity authenticated successfully
    • Identity lacks authorization on the target resource

    Managed Identity Issues

    Please verify:

    • Managed Identity is enabled.
    • RBAC assignments have propagated.
    • The correct identity is being used.
    • The target resource allows Microsoft Entra authentication.

    Please refer to these:

    Speech (Entra configuration): https://learn.microsoft.com/azure/ai-services/speech-service/how-to-configure-azure-ad-auth?tabs=portal&pivots=programming-language-csharp

    Translator Entra auth (obtain access token): https://learn.microsoft.com/azure/ai-services/translator/how-to/microsoft-entra-id-auth

    Translator Entra auth (REST bearer token usage): https://learn.microsoft.com/azure/ai-services/translator/how-to/microsoft-entra-id-auth?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#use-access-token-authentication-for-a-rest-api-request

    Translator authentication reference (Entra/managed identity): https://learn.microsoft.com/azure/ai-services/translator/text-translation/reference/authentication?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#authentication-with-microsoft-entra-id

    Speech SDK (Entra) – resource ID guidance: https://learn.microsoft.com/azure/ai-services/speech-service/how-to-configure-azure-ad-auth?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#get-the-speech-resource-id

    I hope this helps. Do let me know if you have any further queries.


    If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

    Thank you!
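
The token-related 401 causes listed in the answer above (missing, expired, wrong audience) can be checked locally before looking at RBAC. This is an added example, not part of the answer and not Microsoft's code; the expected audience value and the names `decode_claims`, `triage_token` and `constructed_token` are assumptions, and the sample token is constructed.

```python
import base64
import json
import time

# Assumption: audience of tokens issued for https://cognitiveservices.azure.com/.default
EXPECTED_AUD = "https://cognitiveservices.azure.com"


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified:
    this is a local diagnostic, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def triage_token(token, now=None, expected_aud=EXPECTED_AUD):
    """Return the token-related 401 causes; [] means check RBAC next."""
    if not token:
        return ["missing access token"]
    try:
        claims = decode_claims(token)
    except ValueError:  # also raised for bad base64 and bad JSON
        return ["malformed access token"]
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        findings.append("expired access token")
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud != expected_aud:
        findings.append(f"incorrect token audience: {aud or '<none>'}")
    return findings


def constructed_token(claims):
    """Build an unsigned sample token (constructed data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])


if __name__ == "__main__":
    wrong = constructed_token({"aud": "https://management.azure.com/", "exp": 1000})
    print(triage_token(wrong, now=1_900_000_000))
```

An empty result with a 401 or 403 still coming back points at the role assignment or the identity in use rather than the token itself.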


  2. AI answer

    2026-06-22T05:50:40.49+00:00

    To use Microsoft Entra ID (no keys) with Azure AI Language Detection, Text Translation, and Speech services in an Azure AI Foundry scenario, configure Entra-based auth for each resource and then call them with access tokens instead of API keys.

    Below is what is supported in the provided context and how to apply it.

    1. General pattern: Entra ID auth for Azure AI services

    For Azure AI services (Translator, Speech, etc.), the pattern is:

    1. Register an application in Microsoft Entra ID.
    2. Add API permissions for Microsoft Cognitive Services.
    3. Assign an RBAC role on the specific AI resource (for example, Translator) to that app.
    4. Acquire an Entra access token in code using that app registration.
    5. Call the service REST endpoint or SDK using the Bearer token instead of a key.

    The context provides full detail for Translator and general guidance for Speech.


    2. Configure Microsoft Entra ID for Azure Translator (Language Detection & Text Translation)

    Language detection and text translation are part of Azure Translator. To enable Entra ID auth:

    2.1. Add API permissions for Cognitive Services

    In the Entra app registration:

    1. Go to API permissions → Add a permission.
    2. Select APIs my organization uses.
    3. Search for Microsoft Cognitive Services and select it.
    4. Under Permissions, choose Delegated permissions.
    5. Check Access Cognitive Services API as organization users.
    6. Select Add permissions.

    This allows the app to access Cognitive Services (including Translator) as an organization user.

    2.2. Assign RBAC role on the Translator resource

    On the Translator resource in the Azure portal:

    1. Open the Translator resource.
    2. Select Access control (IAM).
    3. Select Add role assignment.
    4. Choose the Cognitive Services User role and select Next.
    5. Under Assign access to, choose User, group, or service principal.
    6. Select Select members, search for the Entra app (for example, text-translation-app), select it, and choose Select.
    7. Select Review + assign to complete.

    This grants the app permission to call the Translator resource using Entra tokens.

    2.3. Call Translator with an Entra access token

    After acquiring an Entra access token for Cognitive Services, call Translator using either the global endpoint plus Ocp-Apim-ResourceId or the custom domain endpoint.

    Option A – Global endpoint with Resource ID header

    1. In the Translator resource:
      • Global endpoint: Resource Management → Keys and Endpoint → Web API → Text translation.
      • Resource ID: Resource Management → Properties (format /subscriptions/<subscriptionId>/resourceGroups/<resourceGroupName>/providers/Microsoft.CognitiveServices/accounts/<resourceName>/).
    2. Use curl with the access token and resource ID:
    curl -X POST "https://api.cognitive.microsofttranslator.com/translate?api-version=3.0&to=en" \
      -H "Authorization: Bearer {access-token}" \
      -H "Ocp-Apim-ResourceId: {your-resource-ID}" \
      -H "Content-Type: application/json" \
      -d "[{'Text':'Hola'}]"
    

    Option B – Custom domain endpoint

    Alternatively, use the custom domain endpoint (based on the resource name) and send the same Authorization: Bearer {access-token} header. The context shows the pattern for a custom domain:

    curl -X POST "https://{your-custom-domain}.cognitiveservices.azure.com/translator/text/v3.0/translate?api-version=3.0&to=en" \
      -H "Authorization: Bearer {access-token}" \
      -H "Content-Type: application/json" \
      -d "[{'Text':'Hola'}]"
    

    Language detection and translation both use this Translator endpoint; only the route and parameters differ in the REST API, but the authentication pattern remains the same.


    3. Configure Microsoft Entra ID for Speech & Speech Translation

    The Speech quickstarts in the context show key-based auth via environment variables, but also explicitly recommend Entra ID with managed identities for production.

    3.1. Security guidance

    For Speech services:

    • Use Microsoft Entra ID authentication with managed identities for Azure resources to avoid storing credentials with applications that run in the cloud.
    • If keys are used, they should be stored in Key Vault, but in this scenario key-based auth is disabled, so Entra ID is the recommended path.

    The quickstarts describe using environment variables such as SPEECH_KEY, SPEECH_REGION, and ENDPOINT for key-based auth. For Entra ID, replace key-based auth in code with token-based auth using Entra ID and/or managed identities. The context does not provide the exact token acquisition code for Speech, but it establishes that Entra ID is the recommended method.

    3.2. Environment setup for Speech SDK (JavaScript/TypeScript/Java)

    For JavaScript and TypeScript quickstarts:

    1. Create a project folder and initialize package.json:
      • mkdir translation-quickstart && cd translation-quickstart
      • npm init -y
    2. Install the Speech SDK:
      • npm install microsoft-cognitiveservices-speech-sdk
    3. For TypeScript, also:
      • npm pkg set type=module
      • npm install --save-dev @types/node

    For Java quickstarts:

    1. Install Apache Maven and verify with mvn -v.
    2. Create pom.xml and run:
      • mvn clean dependency:copy-dependencies

    These steps prepare the environment to integrate Speech and Speech Translation into the Foundry project. Then, instead of using SPEECH_KEY, configure the SDK to use Entra ID / managed identity (per Speech SDK docs) in line with the recommendation in the context.


    4. Summary for Azure AI Foundry integration

    Within an Azure AI Foundry project:

    • For Language Detection and Text Translation:
      • Use Azure Translator with Entra ID as described above: add Cognitive Services API permissions, assign Cognitive Services User role, obtain an access token, and call Translator with Authorization: Bearer.
    • For Speech-to-Text and Speech Translation:
      • Use the Speech SDKs (JavaScript/TypeScript/Java) in the Foundry tools environment.
      • Follow the security guidance to use Microsoft Entra ID authentication with managed identities instead of keys.

    This keeps all four services aligned with Entra-only authentication and avoids key-based auth, consistent with the environment configuration.
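
The two curl calls in the answer above (Option A and Option B), written as a Python request builder with the token taken from `DefaultAzureCredential`. This is an added example, not part of the original answer or of any Microsoft SDK; `build_translate_request`, `entra_token`, the scope value and the sample resource names are assumptions.

```python
import json
import re
import urllib.parse
import urllib.request

SCOPE = "https://cognitiveservices.azure.com/.default"  # assumed token scope
GLOBAL_ENDPOINT = "https://api.cognitive.microsofttranslator.com"
RESOURCE_ID_RE = re.compile(
    r"/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.CognitiveServices/accounts/[^/]+/?", re.IGNORECASE)


def entra_token():
    """Get a token via azure-identity (pip install azure-identity); imported
    lazily so the request builder below works without the package."""
    from azure.identity import DefaultAzureCredential
    return DefaultAzureCredential().get_token(SCOPE).token


def build_translate_request(token, text, to="en", resource_id=None, custom_domain=None):
    """Option A when resource_id is given, Option B when custom_domain is."""
    if bool(resource_id) == bool(custom_domain):
        raise ValueError("pass exactly one of resource_id or custom_domain")
    query = urllib.parse.urlencode({"api-version": "3.0", "to": to})
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if resource_id:
        if not RESOURCE_ID_RE.fullmatch(resource_id):
            raise ValueError("resource_id is not a Cognitive Services account ID")
        url = f"{GLOBAL_ENDPOINT}/translate?{query}"
        headers["Ocp-Apim-ResourceId"] = resource_id
    else:
        # Accept only a bare resource name so the bearer token is never sent
        # to an unintended host through a malformed "domain" value.
        if not re.fullmatch(r"[A-Za-z0-9-]+", custom_domain):
            raise ValueError("custom_domain must be a bare resource name")
        url = (f"https://{custom_domain}.cognitiveservices.azure.com"
               f"/translator/text/v3.0/translate?{query}")
    body = json.dumps([{"Text": text}]).encode("utf-8")  # strict JSON body
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed values; pass entra_token() and a real resource name, then
    # send with urllib.request.urlopen(req, timeout=10).
    req = build_translate_request("<access-token>", "Hola", custom_domain="my-translator")
    print(req.get_method(), req.full_url, sorted(req.headers))
```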

