# Configure delegated access for Azure OpenAI

## Overview

For Azure OpenAI, delegated access can use Microsoft Entra ID identities (managed identity or service principal) with RBAC, or Azure OpenAI keys where required.

The delegated approach focuses on identity-based authorization and short-lived tokens instead of broad static secrets.

## When to use this

* Production workloads under centralized identity governance.
* Organizations already using Entra ID, managed identities, and RBAC.
* Teams that need auditable, revocable, least-privilege AI access.

## Prerequisites

* Azure subscription with an Azure OpenAI resource.
* Permission to manage role assignments and application identities.
* Service principal or managed identity designated for AI access.
* Flashback AI LLM setup path: [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md).

## Step-by-step (provider side)

{% stepper %}
{% step %}

#### Prepare identity and RBAC access

Create/select a managed identity or service principal and grant only required access on the Azure OpenAI resource scope.

Use least privilege and limit scope to the required resource(s).
{% endstep %}

{% step %}

#### Choose token-based or key-based provider auth

Preferred pattern:

* Use Entra ID token flow for short-lived access tokens.

Fallback pattern (if required by your integration constraints):

* Use Azure OpenAI key-based authentication with strict secret management.
{% endstep %}

{% step %}

#### Implement token/key delivery pattern

If using Entra ID tokens, ensure your backend refreshes tokens before expiration.

If needed, place a controlled proxy between Flashback and Azure OpenAI so the proxy handles token management while Flashback uses stable endpoint + secret/token inputs.
{% endstep %}
{% endstepper %}
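
The refresh-before-expiration step above, sketched as an added example (not Flashback or Microsoft code). It assumes the backend or proxy runs on an Azure VM with a managed identity and obtains tokens from the Instance Metadata Service; `TokenCache`, `fetch_from_imds` and the 300-second margin are hypothetical names and values chosen for illustration.

```python
import json
import threading
import time
import urllib.parse
import urllib.request

# Entra ID resource (audience) for Azure OpenAI tokens.
RESOURCE = "https://cognitiveservices.azure.com/"
# Instance Metadata Service token endpoint for a VM managed identity.
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token?" + urllib.parse.urlencode(
    {"api-version": "2018-02-01", "resource": RESOURCE})


def fetch_from_imds():
    """Ask IMDS for a token; returns (access_token, expiry as epoch seconds)."""
    req = urllib.request.Request(IMDS_URL, headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = json.load(resp)
    return body["access_token"], float(body["expires_on"])


class TokenCache:
    """Caches one bearer token and renews it `margin` seconds before expiry."""

    def __init__(self, fetch=fetch_from_imds, margin=300, clock=time.time):
        self._fetch, self._margin, self._clock = fetch, margin, clock
        self._lock = threading.Lock()
        self._token, self._expires_on = None, 0.0

    def get(self):
        with self._lock:
            now = self._clock()
            if self._token is not None and now < self._expires_on - self._margin:
                return self._token
            try:
                token, expires_on = self._fetch()
            except Exception:
                # Inside the margin the cached token is still valid, so reuse
                # it; once it has expired, fail closed and surface the error.
                if self._token is not None and now < self._expires_on:
                    return self._token
                raise
            if expires_on <= now:
                raise ValueError("identity endpoint returned an expired token")
            self._token, self._expires_on = token, expires_on
            return token

    def auth_header(self):
        # Header a proxy would attach to the upstream Azure OpenAI request.
        return {"Authorization": "Bearer " + self.get()}
```

The `fetch` and `clock` parameters are injectable so the refresh logic can be tested without network access or waiting for a real token to age.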

## Configure in Flashback

Use [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md) and map provider outputs to existing fields:

* Select the correct **AI LLM Type** for your Azure/OpenAI-compatible flow.
* Set **API Endpoint** to the Azure OpenAI endpoint (or your proxy endpoint).
* Set **API Secret** to the token/secret expected by that endpoint.
* Set **API Key** only when your endpoint requires it.

Do not assume additional product toggles or delegated-mode fields beyond documented UI fields.

