fix(secret_managers/get_azure_Ad_token_providers.py): infer credential type from env var

don't default to ClientSecretCredential unless present in env var

Author: krrishdholakia

litellm/llms/azure/common_utils.py

@@ -561,7 +561,9 @@ def initialize_azure_sdk_client(
                 "Using Azure AD token provider based on Service Principal with Secret workflow for Azure Auth"
             )
             try:
-                azure_ad_token_provider = get_azure_ad_token_provider(azure_scope=scope)
+                azure_ad_token_provider = get_azure_ad_token_provider(
+                    azure_scope=scope,
+                )
             except ValueError:
                 verbose_logger.debug("Azure AD Token Provider could not be used.")
         if api_version is None:

litellm/proxy/_new_secret_config.yaml

@@ -7,3 +7,11 @@ model_list:
   - model_name: wildcard_models/*
     litellm_params:
       model: openai/*
+  - model_name: gpt-4o
+    litellm_params:
+      model: azure/gpt-4o
+      api_base: https://cog-cuda-atg-sage-eastus2.openai.azure.com
+      api_version: 2025-04-01-preview
+
+litellm_settings:
+  enable_azure_ad_token_refresh: true

litellm/secret_managers/get_azure_ad_token_provider.py

@@ -1,11 +1,36 @@
 import os
 from typing import Any, Callable, Optional, Union
 
+from litellm._logging import verbose_logger
 from litellm.types.secret_managers.get_azure_ad_token_provider import (
     AzureCredentialType,
 )
 
 
+def infer_credential_type_from_environment() -> AzureCredentialType:
+    if (
+        os.environ.get("AZURE_CLIENT_ID")
+        and os.environ.get("AZURE_CLIENT_SECRET")
+        and os.environ.get("AZURE_TENANT_ID")
+    ):
+        return AzureCredentialType.ClientSecretCredential
+    elif os.environ.get("AZURE_CLIENT_ID"):
+        return AzureCredentialType.ManagedIdentityCredential
+    elif (
+        os.environ.get("AZURE_CLIENT_ID")
+        and os.environ.get("AZURE_TENANT_ID")
+        and os.environ.get("AZURE_CERTIFICATE_PATH")
+        and os.environ.get("AZURE_CERTIFICATE_PASSWORD")
+    ):
+        return AzureCredentialType.CertificateCredential
+    elif os.environ.get("AZURE_CERTIFICATE_PASSWORD"):
+        return AzureCredentialType.CertificateCredential
+    elif os.environ.get("AZURE_CERTIFICATE_PATH"):
+        return AzureCredentialType.CertificateCredential
+    else:
+        return AzureCredentialType.DefaultAzureCredential
+
+
 def get_azure_ad_token_provider(
     azure_scope: Optional[str] = None,
     azure_credential: Optional[AzureCredentialType] = None,
@@ -42,9 +67,14 @@ def get_azure_ad_token_provider(
         )
 
     cred: str = (
-        azure_credential.value if azure_credential else None
-        or os.environ.get("AZURE_CREDENTIAL", AzureCredentialType.ClientSecretCredential)
-        or AzureCredentialType.ClientSecretCredential
+        azure_credential.value
+        if azure_credential
+        else None
+        or os.environ.get("AZURE_CREDENTIAL")
+        or infer_credential_type_from_environment()
+    )
+    verbose_logger.info(
+        f"For Azure AD Token Provider, choosing credential type: {cred}"
     )
     credential: Optional[
         Union[