Skip to content

[BUG] Question: How to use Azure AD token based auth to run crews! #4018

New issue
New issue
Open
Open
[BUG] Question: How to use Azure AD token based auth to run crews!#4018
Labels
bugSomething isn't working
@aceandro2812

Description

@aceandro2812
aceandro2812
opened on Dec 2, 2025

Description

I am using an ENTRA ID Azure ad token based auth to access Azure openAI LLM's , as my company has deprecated the use of API Keys.
The latest version of Crewai , for that matter all versions post 0.203.xx through me an error when trying to use the Ad token based auth , which used to work perfectly in versions prior to 1.x.x
It throws me this error :-
Error importing native provider: Azure API key is required. Set AZURE_API_KEY environment variable or pass api_key parameter.

Here is my code for reference :-
`
from openai import AsyncAzureOpenAI, AsyncOpenAI
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from langchain_openai import AzureChatOpenAI

def get_azure_openai_crewai_llm(model: str = "gpt-4.1-mini"):
"""
Retrieves a CrewAI LLM instance using cached Azure Active Directory authentication.

This function follows the same pattern as get_azure_openai_lanchain_client(),
using the cached token provider from get_token_provider() to avoid multiple
authentication calls across all CrewAI controllers.

Args:
    model (str): Azure deployment name (without 'azure/' prefix). 
                Examples: "gpt-4.1-mini", "gpt-4.1-nano", "o3-mini"

Returns:
    LLM: A configured CrewAI LLM instance ready for use in agents and crews

Example:
    # In your crew controller:
    from functions.azure_ai.azure_openai import get_azure_openai_crewai_llm

    self.llm = get_azure_openai_crewai_llm("gpt-4.1-mini")
    self.planning_llm = get_azure_openai_crewai_llm("o3-mini")
"""
if not CREWAI_AVAILABLE:
    raise ImportError(
        "CrewAI is not available. Please install it with: pip install crewai")


    llm = LLM(
        model=f"azure/{model}",
        base_url=AZURE_OPENAI_API_BASE,
        azure_ad_token_provider=get_token_provider(),
        api_version=AZURE_OPENAI_API_VERSION
    )
  return llm

def get_azure_ai_token():
"""Retrieves an Azure Cognitive Services token.
If a token has already been retrieved, it returns the existing token. Otherwise, it retrieves a new token using the DefaultAzureCredential.
Args:
interactive (bool, optional): Whether to allow interactive login. Defaults to False.
Returns:
AccessToken: The Azure Cognitive Services token.
"""
token_provider = get_token_provider()

return token_provider()

def get_token_provider():
"""
Retrieves a token provider for Azure Cognitive Services.

    The function uses a global credential and token_provider to ensure that the credential is only created once.
    If a managed identity client ID is provided, it uses that to create the credential.
    Otherwise, it uses the default Azure credential, excluding the interactive browser credential if the environment variable SYSTEM_ID is not set to "LOCAL".
    Finally, it creates a token provider using the credential and the Azure Cognitive Services scope.

    Returns:
        The token provider for Azure Cognitive Services.
    """
global credential, token_provider
if not credential:
    if MANAGED_IDENTITY_CLIENT_ID:
        credential = DefaultAzureCredential(
            managed_identity_client_id=MANAGED_IDENTITY_CLIENT_ID)
    else:
        credential = DefaultAzureCredential(
            exclude_interactive_browser_credential=os.environ.get("SYSTEM_ID") != "LOCAL")
    token_provider = get_bearer_token_provider(
        credential, "https://cognitiveservices.azure.com/.default")

return token_provider

`
Please help me with this ! , i am not getting any documentation for this issue

Steps to Reproduce

1.install crewai (the latest version)
2. as shown in the attached code snippet , just initialize the llm
3. sign in using azure credentials
4. run the code

Expected behavior

The crew has to run and give proper output!

Screenshots/Code snippets

`
from openai import AsyncAzureOpenAI, AsyncOpenAI
from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from langchain_openai import AzureChatOpenAI

def get_azure_openai_crewai_llm(model: str = "gpt-4.1-mini"):
"""
Retrieves a CrewAI LLM instance using cached Azure Active Directory authentication.

This function follows the same pattern as get_azure_openai_lanchain_client(),
using the cached token provider from get_token_provider() to avoid multiple
authentication calls across all CrewAI controllers.

Args:
    model (str): Azure deployment name (without 'azure/' prefix). 
                Examples: "gpt-4.1-mini", "gpt-4.1-nano", "o3-mini"

Returns:
    LLM: A configured CrewAI LLM instance ready for use in agents and crews

Example:
    # In your crew controller:
    from functions.azure_ai.azure_openai import get_azure_openai_crewai_llm

    self.llm = get_azure_openai_crewai_llm("gpt-4.1-mini")
    self.planning_llm = get_azure_openai_crewai_llm("o3-mini")
"""
if not CREWAI_AVAILABLE:
    raise ImportError(
        "CrewAI is not available. Please install it with: pip install crewai")


    llm = LLM(
        model=f"azure/{model}",
        base_url=AZURE_OPENAI_API_BASE,
        azure_ad_token_provider=get_token_provider(),
        api_version=AZURE_OPENAI_API_VERSION
    )
  return llm

def get_azure_ai_token():
"""Retrieves an Azure Cognitive Services token.
If a token has already been retrieved, it returns the existing token. Otherwise, it retrieves a new token using the DefaultAzureCredential.
Args:
interactive (bool, optional): Whether to allow interactive login. Defaults to False.
Returns:
AccessToken: The Azure Cognitive Services token.
"""
token_provider = get_token_provider()

return token_provider()

def get_token_provider():
"""
Retrieves a token provider for Azure Cognitive Services.

    The function uses a global credential and token_provider to ensure that the credential is only created once.
    If a managed identity client ID is provided, it uses that to create the credential.
    Otherwise, it uses the default Azure credential, excluding the interactive browser credential if the environment variable SYSTEM_ID is not set to "LOCAL".
    Finally, it creates a token provider using the credential and the Azure Cognitive Services scope.

    Returns:
        The token provider for Azure Cognitive Services.
    """
global credential, token_provider
if not credential:
    if MANAGED_IDENTITY_CLIENT_ID:
        credential = DefaultAzureCredential(
            managed_identity_client_id=MANAGED_IDENTITY_CLIENT_ID)
    else:
        credential = DefaultAzureCredential(
            exclude_interactive_browser_credential=os.environ.get("SYSTEM_ID") != "LOCAL")
    token_provider = get_bearer_token_provider(
        credential, "https://cognitiveservices.azure.com/.default")

return token_provider

`

Operating System

Windows 11

Python Version

3.11

crewAI Version

1.6.x

crewAI Tools Version

x.x.x

Virtual Environment

Venv

Evidence

Image

Possible Solution

None

Additional context

none

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions