Why does `az account get-access-token --resource=https://cognitiveservices.azure.com/` succeed but `--resource=https://<subdomain>.cognitiveservices.azure.com/` fail with AADSTS500011?
I'm trying to authenticate to Azure OpenAI using an Entra ID bearer token instead of an API key, following the workaround described in https://github.com/openai/codex/issues/1056.
When I run:
```bash
az account get-access-token \
  --resource=https://cognitiveservices.azure.com/ \
  --query accessToken --output tsv
```
...it succeeds and returns a token.
But when I try to use my specific resource endpoint as the resource URI:
```bash
az account get-access-token \
  --resource=https://<my-resource>.cognitiveservices.azure.com/ \
  --query accessToken --output tsv
```
...it fails with:
```text
AADSTS500011: The resource principal named
https://<my-resource>.cognitiveservices.azure.com/
was not found in the tenant named <tenant-name>.
```
I confirmed that the token obtained using the root `cognitiveservices.azure.com` resource URI does work when sent as a Bearer token to my specific subdomain endpoint.
**Environment:**
- Azure CLI 2.x
- Azure OpenAI resource in Japan East
- Tenant: corporate Entra ID tenant
Answer accepted by question author
AI answer
az account get-access-token must be called with the Azure AD application ID URI (resource identifier) that exists in the tenant, not with the per‑resource endpoint URL.
For Azure OpenAI and other Cognitive Services resources, the resource identifier registered in Entra ID is the shared, global value:
https://cognitiveservices.azure.com
This is why:
- `az account get-access-token --resource=https://cognitiveservices.azure.com` works: that resource principal exists in the tenant and Entra ID can issue a token for it.
- `az account get-access-token --resource=https://<my-resource>.cognitiveservices.azure.com` fails with `AADSTS500011`: there is no resource principal with that exact identifier in Entra ID, so the STS reports that the resource was not found.
The correct pattern is:
- Request a token for the global Cognitive Services resource:
```bash
az account get-access-token \
  --resource https://cognitiveservices.azure.com \
  --query accessToken -o tsv
```
- Use that token as a Bearer token when calling the specific Azure OpenAI endpoint, for example:
```http
POST https://<my-resource>.openai.azure.com/openai/deployments/<deployment-id>/chat/completions?api-version=2025-04-01-preview
Authorization: Bearer <token-from-az-cli>
```
This matches the documented guidance for Azure OpenAI / Azure AI Foundry, where tokens are obtained with the Cognitive Services resource scope and then used against the per‑resource endpoint.
References:
- Configure keyless authentication with Microsoft Entra ID (programming-language-cli)
- Azure OpenAI in Azure AI Foundry Models REST API preview reference
- Azure OpenAI reasoning models
- Azure OpenAI in Microsoft Foundry Models REST API v1 preview reference
- Azure OpenAI in Azure AI Foundry Models REST API v1 preview reference
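The answer above says which resource URI to request; as an added example (not from the question, the answer, or the Azure CLI itself), here is a POSIX shell helper that decodes an access token's payload and confirms its `aud` claim is the global Cognitive Services identifier before the token is put in a Bearer header. It assumes a standard three-part JWT and accepts the audience with or without the trailing slash, since either form can appear depending on how the resource was requested.

```shell
#!/bin/sh
# Added example: verify a token's audience before sending it to an Azure OpenAI endpoint.
# Expected audience: the global Cognitive Services resource identifier from the answer.
EXPECTED_AUD="https://cognitiveservices.azure.com"

# Decode one base64url segment of a JWT (header or payload) to raw text.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    # base64url drops '=' padding; restore it so base64 -d accepts the input.
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print the "aud" claim of a compact JWS (header.payload.signature).
# Assumption: the claim is a plain JSON string, as in Entra ID access tokens.
jwt_aud() {
    payload=$(printf '%s' "$1" | cut -d. -f2)
    b64url_decode "$payload" \
        | grep -o '"aud"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | cut -d'"' -f4
}

# Return 0 when the token was issued for the global Cognitive Services
# resource (with or without trailing slash), 1 for any other audience.
check_token_audience() {
    aud=$(jwt_aud "$1")
    case "$aud" in
        "$EXPECTED_AUD"|"$EXPECTED_AUD/") return 0 ;;
        *) echo "unexpected audience: '$aud'" >&2; return 1 ;;
    esac
}

# Typical use (not run here): fetch the token with az, check it, then call the endpoint.
#   TOKEN=$(az account get-access-token --resource https://cognitiveservices.azure.com \
#           --query accessToken -o tsv)
#   check_token_audience "$TOKEN" && curl -H "Authorization: Bearer $TOKEN" ...
```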