An Azure service that integrates speech processing into apps and services.
Hello @Priya Maurya (LTIMindtree Limited)
Thank you for reaching out to Microsoft Q&A.
Yes, Azure AI Language, Azure AI Translator, and Azure AI Speech services support Microsoft Entra ID (Azure AD) authentication, and it is possible to use these services without API keys when key-based authentication has been disabled on your Azure AI resources.
The sample code available in many tutorials and quickstarts often uses API keys for simplicity; however, for enterprise environments where local authentication is disabled, the recommended approach is to use Microsoft Entra ID authentication with Managed Identities, Service Principals, or Azure Identity credentials.
Recommended Architecture
Since your environment is configured for Entra ID only, the recommended pattern is:
- Azure AI Foundry Project
Managed Identity (preferred) or Service Principal
Azure Identity SDK (DefaultAzureCredential, ManagedIdentityCredential, etc.)
Azure RBAC permissions on the target AI resources
This allows all service calls to be authenticated through Microsoft Entra ID without requiring subscription keys.
1. Azure AI Language Service (Language Detection)
Azure AI Language services support Microsoft Entra ID authentication.
For Language Detection and other Language APIs:
Required configuration
Enable Microsoft Entra authentication on the resource.
Assign the appropriate RBAC role to the calling identity.
Typical roles include:
- Cognitive Services User
- Cognitive Services Contributor (if management operations are required)
Authentication approach
Instead of passing:
Ocp-Apim-Subscription-Key
your application should:
Obtain an Entra ID access token using Azure Identity.
Authenticate requests using the token.
If Azure AI Foundry is making the calls, we recommend granting permissions directly to the Foundry Project Managed Identity.
2. Azure AI Translator (Text Translation)
Azure AI Translator fully supports Microsoft Entra ID authentication.
When using Entra ID, requests are authenticated using a bearer token rather than a subscription key.
Authentication flow
Obtain an access token through:
Managed Identity
Service Principal
DefaultAzureCredential
Include the token in the request:
Authorization: Bearer <access-token>
instead of:
Ocp-Apim-Subscription-Key: <key>
RBAC requirements
Assign the appropriate Cognitive Services permissions to the identity calling the Translator service.
If Translator is being consumed through Azure AI Foundry, the Foundry Managed Identity should be granted access to the Translator resource.
3. Azure AI Speech Services
Azure AI Speech services also support Microsoft Entra ID authentication.
For Speech-to-Text and Speech Translation workloads:
Required configuration
- Configure Microsoft Entra authentication for the Speech resource.
- Assign the required RBAC permissions to the Managed Identity or Service Principal.
- Use Azure Identity to acquire access tokens.
Recommended authentication
Use Managed Identity, DefaultAzureCredential, ManagedIdentityCredential
instead of Speech Keys.
The Speech SDK can be configured to authenticate using Entra ID tokens rather than subscription keys.
If you're integrating Speech into a platform that does not yet support direct Entra ID authentication, a common workaround is:
Create an Azure Function with Managed Identity enabled.
Authenticate to Speech using Entra ID from the Function.
Expose the Function as an intermediary endpoint.
Call the Function from Azure AI Foundry, pipelines, or other applications.
This pattern is commonly used when integrating with services that expect token-based authentication but do not directly support Managed Identity configuration.
4. Azure AI Foundry Integration
For Azure AI Foundry projects, Microsoft recommends using the Project Managed Identity whenever possible.
The Managed Identity is granted the required RBAC permissions on:
Azure AI Language
Azure AI Translator
Azure AI Speech
This eliminates the need for API keys entirely and aligns with enterprise security requirements.
If you encounter authentication failures after switching to Entra ID, the most common causes are:
401 Unauthorized
Typically caused by:
- Missing access token
- Expired access token
- Incorrect token audience/scope
- Identity lacks RBAC permissions
403 Forbidden
Typically caused by:
- Identity authenticated successfully
- Identity lacks authorization on the target resource
Managed Identity Issues
Please verify:
- Managed Identity is enabled.
- RBAC assignments have propagated.
- The correct identity is being used.
- The target resource allows Microsoft Entra authentication.
Please refer this
Speech (Entra configuration): https://learn.microsoft.com/azure/ai-services/speech-service/how-to-configure-azure-ad-auth?tabs=portal&pivots=programming-language-csharp
Translator Entra auth (obtain access token): https://learn.microsoft.com/azure/ai-services/translator/how-to/microsoft-entra-id-auth
Translator Entra auth (REST bearer token usage): https://learn.microsoft.com/azure/ai-services/translator/how-to/microsoft-entra-id-auth?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#use-access-token-authentication-for-a-rest-api-request
Translator authentication reference (Entra/managed identity): https://learn.microsoft.com/azure/ai-services/translator/text-translation/reference/authentication?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#authentication-with-microsoft-entra-id
Speech SDK (Entra) – resource ID guidance: https://learn.microsoft.com/azure/ai-services/speech-service/how-to-configure-azure-ad-auth?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#get-the-speech-resource-id
I Hope this helps. Do let me know if you have any further queries.
If this answers your query, please do click Accept Answer and Yes for was this answer helpful.
Thank you!