Azure AI Foundry
Connect Azure-hosted OpenAI-compatible endpoints to Fabric Agents using Microsoft Entra ID (Azure AD) Bearer-token auth. Resource discovery, deployment selection, and token refresh are handled automatically.
Azure AI Foundry exposes Azure-hosted OpenAI-compatible endpoints. Fabric Agents talks to Foundry via the Pi SDK and authenticates with Microsoft Entra ID (Azure AD) Bearer tokens — not the older api-key header — so deployments behind tenant-scoped IAM work without manual key rotation.
When to use this provider
- Your organisation requires Azure AD authentication for AI workloads.
- You have a Foundry resource with one or more model deployments under it (e.g., gpt-5.2-codex, gpt-5.1-codex-mini, deployed Llamas, custom finetunes).
- You want token refresh + deployment discovery handled by the app instead of curating a static api-key.
If you only have an api-key for the older Azure OpenAI Service (not Foundry), pick Azure OpenAI in the provider list instead — same Pi-SDK plumbing, simpler auth.
Prerequisites
- A registered Azure AD app with User.Read and a Cognitive Services scope (https://cognitiveservices.azure.com/.default).
- The app's tenant ID and client ID.
- Permission on the target Foundry resource (Reader or higher).
If your org uses device-code OAuth, no client secret is needed; the desktop app handles the flow inline.
Connect in Fabric Agents
- Open Settings → AI → Connections → Add.
- Choose Azure AI Foundry from the provider picker.
- Paste your Tenant ID and Client ID. (App registration must be configured for public-client / device-code flow.)
- Click Sign in with Microsoft — Fabric Agents opens the device-code dialog. Complete the OAuth dance in your browser.
- After token exchange, Fabric Agents lists your Foundry resources. Pick the one you want.
- The app discovers deployments under the resource and populates the model picker. Save.
Subsequent launches refresh the access token in the background — no re-sign-in unless your refresh token is revoked or the app is uninstalled.
What gets stored
Per the credentials flow, the connection holds:
- tenantId, clientId, resourceId, resourceName
- accessToken, refreshToken, expiresAt (encrypted via the OS keychain where available)
- The discovered model deployment list
Tokens are refreshed on the silent path before each request — if a 401 surfaces despite a fresh token, Fabric Agents marks the connection as needing reauth and prompts inline.
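The refresh-then-send behaviour described above, as an added Python example (not Fabric Agents' own code). The `Connection` fields mirror the stored values listed above; `SKEW`, `needsReauth`, `refresh`, `send`, `demo` and the injected `post`/`call` transports are hypothetical names, and all sample values are constructed.

```python
import time
from dataclasses import dataclass

SCOPE = "https://cognitiveservices.azure.com/.default"  # scope from Prerequisites
SKEW = 300  # assumption: refresh when fewer than 5 minutes remain

@dataclass
class Connection:
    tenantId: str
    clientId: str
    accessToken: str
    refreshToken: str
    expiresAt: float           # epoch seconds
    needsReauth: bool = False  # hypothetical flag behind the inline reauth prompt

def refresh(conn, post, now):
    """Redeem the refresh token at the Entra ID v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{conn.tenantId}/oauth2/v2.0/token"
    body = post(url, {"grant_type": "refresh_token", "client_id": conn.clientId,
                      "refresh_token": conn.refreshToken, "scope": SCOPE})
    if "error" in body:        # e.g. invalid_grant: token expired or revoked
        conn.needsReauth = True
        return False
    conn.accessToken = body["access_token"]
    # A token response may carry a replacement refresh token; keep the newest.
    conn.refreshToken = body.get("refresh_token", conn.refreshToken)
    conn.expiresAt = now + body["expires_in"]
    return True

def send(conn, call, post, now=None):
    """Silent-path refresh, then one request. Returns HTTP status or None."""
    now = time.time() if now is None else now
    if conn.needsReauth:
        return None            # never retry with credentials known to be bad
    if conn.expiresAt - now < SKEW and not refresh(conn, post, now):
        return None
    status = call(conn.accessToken)  # caller sets "Authorization: Bearer <token>"
    if status == 401:          # a fresh token was still rejected
        conn.needsReauth = True
    return status

def demo():
    # Constructed values and fake transports; no network is touched.
    conn = Connection("tenant-placeholder", "client-placeholder", "old", "rt1", 1000.0)
    ok = lambda url, form: {"access_token": "new", "refresh_token": "rt2", "expires_in": 3600}
    status = send(conn, lambda tok: 200 if tok == "new" else 401, ok, now=990.0)
    return status, conn.accessToken, conn.refreshToken, conn.expiresAt, conn.needsReauth
```

Injecting `post` and `call` keeps token values out of the logic under test, which also makes it easy to confirm that neither path writes tokens to logs.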
Selecting a deployment
Foundry deployments are named instances of a base model. The picker shows the deployment id (what you set when you created it in the Foundry portal) and the underlying base model. A session locks to the connection on first message but can switch deployments freely within the connection.
Connection failures
| Error | Likely cause |
|---|---|
| AADSTS65001: ... has not consented to ... | The user/admin hasn't consented to the Cognitive Services scope. Ask your AD admin to grant tenant-wide consent for the app. |
| 403 Forbidden discovering resources | The signed-in user doesn't have Reader on any Foundry resource in the tenant. |
| 404 deployment not found on send | Deployment was deleted in Azure Portal but cached locally — reopen the connection, click Refresh deployments. |
| invalid_grant on token refresh | Refresh token expired or revoked. Click Reconnect to re-run the OAuth flow. |
Related
- Providers overview — the full provider matrix
- LLM connection schema — azure_ai_foundry field reference
- Custom OpenAI-compatible endpoints — alternative if you front Foundry with a gateway