# Configure delegated access for Azure OpenAI

## Overview

For Azure OpenAI, delegated access can use Microsoft Entra ID identities (managed identity or service principal) with RBAC, or Azure OpenAI keys where required.

The delegated approach focuses on identity-based authorization and short-lived tokens instead of broad static secrets.

## When to use this

* Production workloads under centralized identity governance.
* Organizations already using Entra ID, managed identities, and RBAC.
* Teams that need auditable, revocable, least-privilege AI access.

## Prerequisites

* Azure subscription with an Azure OpenAI resource.
* Permission to manage role assignments and application identities.
* Service principal or managed identity designated for AI access.
* Flashback AI LLM setup path: [Configure an AI LLM](https://docs.flashback.tech/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1).

## Step-by-step (provider side)

{% stepper %}
{% step %}

#### Prepare identity and RBAC access

Create or select a managed identity or service principal and grant it only the required access at the Azure OpenAI resource scope.

Use least privilege and limit scope to the required resource(s).
{% endstep %}

{% step %}

#### Choose token-based or key-based provider auth

Preferred pattern:

* Use Entra ID token flow for short-lived access tokens.

Fallback pattern (if required by your integration constraints):

* Use Azure OpenAI key-based authentication with strict secret management.

{% endstep %}

{% step %}

#### Implement token/key delivery pattern

If using Entra ID tokens, ensure your backend refreshes tokens before expiration.

If needed, place a controlled proxy between Flashback and Azure OpenAI so that the proxy handles token management while Flashback uses a stable endpoint and secret/token inputs.
{% endstep %}
{% endstepper %}
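
The refresh-before-expiration requirement from the last step can be met with a small token cache in the backend or proxy. The following is an added example, not Flashback or Azure code. `RefreshingTokenProvider`, `FakeCredential`, and the 300-second skew are hypothetical names and values chosen for illustration, and the scope string is the Azure AI services scope, which this page does not itself specify.

```python
import threading
import time
from collections import namedtuple

# Scope for Entra ID tokens to Azure AI services (assumption: not stated on this page).
AOAI_SCOPE = "https://cognitiveservices.azure.com/.default"


class RefreshingTokenProvider:
    """Caches a bearer token and renews it `skew` seconds before it expires.

    `credential` is any object exposing get_token(scope) that returns an object
    with `.token` and `.expires_on` (epoch seconds); azure-identity credentials
    such as ManagedIdentityCredential have this shape.
    """

    def __init__(self, credential, scope=AOAI_SCOPE, skew=300, clock=time.time):
        self._credential = credential
        self._scope = scope
        self._skew = skew
        self._clock = clock
        self._lock = threading.Lock()
        self._cached = None

    def get(self):
        with self._lock:  # one refresh at a time, even under concurrent requests
            if self._cached is None or self._clock() >= self._cached.expires_on - self._skew:
                fresh = self._credential.get_token(self._scope)
                if fresh.expires_on <= self._clock():
                    raise RuntimeError("identity provider returned an expired token")
                self._cached = fresh
            return self._cached.token

    def auth_header(self):
        # Never log this value; it is a live credential until it expires.
        return {"Authorization": f"Bearer {self.get()}"}


# Constructed stand-in for a credential so the example runs offline.
FakeToken = namedtuple("FakeToken", "token expires_on")


class FakeCredential:
    def __init__(self, clock, lifetime=3600):
        self.calls, self._clock, self._lifetime = 0, clock, lifetime

    def get_token(self, *scopes):
        self.calls += 1
        return FakeToken(f"tok-{self.calls}", self._clock() + self._lifetime)
```

In a real deployment, pass a managed identity or service principal credential in place of `FakeCredential` and call `auth_header()` for each outbound request from the proxy.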

## Configure in Flashback

Use [Configure an AI LLM](https://docs.flashback.tech/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1) and map provider outputs to existing fields:

* Select the correct **AI LLM Type** for your Azure/OpenAI-compatible flow.
* Set **API Endpoint** to the Azure OpenAI endpoint (or your proxy endpoint).
* Set **API Secret** to the token/secret expected by that endpoint.
* Set **API Key** only when your endpoint requires it.

Do not assume additional product toggles or delegated-mode fields beyond documented UI fields.
