[Enhancement]: Support EntraID authorization for Azure OpenAI #9638

@victorbjor

What features would you like to see added?

Summary

LibreChat currently authenticates to Azure OpenAI using API keys. This feature request proposes adding support for Entra ID authentication via an app principal. This approach aligns with corporate Azure deployment practices and simplifies integration in enterprise environments.


Motivation

  • Reduced Key Management – Eliminates the need to distribute, rotate, or secure API keys.
  • Corporate Identity Integration – Leverages existing Entra ID infrastructure for authentication.
  • Improved Compliance – Provides clearer audit trails and better access control.
  • Future-Proofing – Follows Azure’s recommended practices for authentication.
  • Mandatory in Some Environments – Certain corporate Azure environments (including the one I work in) only allow Entra ID–based authentication. API key–based access is explicitly disallowed, making this feature a blocker for adoption.

Proposed Technical Approach

  • Add an environment variable (e.g., AZURE_OPENAI_USE_ENTRA_ID=true) to enable Entra ID mode.
  • Use the @azure/identity package.
  • Authenticate with DefaultAzureCredential, supporting both managed identity and service principal flows.
  • Attach the acquired bearer token as an Authorization header instead of the API key.
  • Maintain full backward compatibility with the existing API key authentication.

Scope of Change

  • Azure OpenAI client initialization logic
  • Authentication logic in the OpenAI service layer
  • Environment configuration options

Open Questions

  • Would this feature be useful in your deployments?
  • Do you have preferred Entra ID authentication patterns (service principal vs. managed identity)?
  • Any concerns about the proposed approach or potential side effects?

Status

A working prototype has been prepared:

  • If AZURE_OPENAI_USE_ENTRA_ID is set to true, LibreChat requests an access token from Entra ID and attaches it as an Authorization header.
  • I’m ready to open a PR to contribute this feature upstream.

As per discussion in #1207

More details

Which components are impacted by your request?

General

Code of Conduct

  • I agree to follow this project's Code of Conduct
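
The proposed approach, sketched as an added example (this is not LibreChat code and not the prototype mentioned in the issue): the provider chooses between the API key header and an Entra ID bearer token, caches the token until shortly before expiry, and fails closed instead of falling back to a key when Entra ID mode is on. Assumptions: the function names, the `AZURE_API_KEY` variable name and the stub credential are illustrative; only `AZURE_OPENAI_USE_ENTRA_ID` comes from the issue.

```javascript
// Added example, not LibreChat code. Names are illustrative unless noted.
// Token scope for Azure OpenAI (Azure Cognitive Services resource).
const AZURE_OPENAI_SCOPE = 'https://cognitiveservices.azure.com/.default';
const REFRESH_SKEW_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry

// The flag name is the one proposed in the issue.
function selectAuthMode(env) {
  return String(env.AZURE_OPENAI_USE_ENTRA_ID).toLowerCase() === 'true' ? 'entra' : 'api-key';
}

// `credential` is any object with the @azure/identity TokenCredential shape,
// e.g. `new DefaultAzureCredential()`; it is injected so this runs offline.
function createAuthHeaderProvider(env, credential, now = Date.now) {
  let cached = null; // { token, expiresOnTimestamp }
  return async function getAuthHeaders() {
    if (selectAuthMode(env) === 'api-key') {
      // AZURE_API_KEY is an assumed variable name for the existing key path.
      if (!env.AZURE_API_KEY) throw new Error('API key mode selected but no key configured');
      return { 'api-key': env.AZURE_API_KEY };
    }
    if (!cached || cached.expiresOnTimestamp - now() < REFRESH_SKEW_MS) {
      const fresh = await credential.getToken(AZURE_OPENAI_SCOPE);
      // Fail closed: never fall back to an API key when Entra ID mode is on.
      if (!fresh || !fresh.token) throw new Error('Entra ID token acquisition failed');
      cached = fresh;
    }
    return { Authorization: `Bearer ${cached.token}` };
  };
}

// Constructed stand-in for DefaultAzureCredential: counts calls, 1-hour tokens.
function createStubCredential(clock) {
  const stub = {
    calls: 0,
    async getToken(scope) {
      stub.calls += 1;
      return { token: `stub-token-${stub.calls}-for-${scope}`, expiresOnTimestamp: clock() + 3600 * 1000 };
    },
  };
  return stub;
}
```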
