Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Disable Local Authentication in Azure AI Foundry

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that local, key-based authentication is disabled for your Azure AI Foundry instances. This security best practice enforces the use of Microsoft Entra ID authentication, enhancing access security.

Security

Using access keys for authentication can create significant security vulnerabilities because of the potential leakage of secrets to source control systems and their exposure to the public. To achieve optimal security, it is recommended to disable key-based authentication for your Azure AI Foundry instances, enforcing your applications to use Microsoft Entra ID authentication instead. This method provides superior security and ease of use compared to shared access key authentication and allows secure connections via a user, service principal, or managed identity.

Audit

To determine if your Azure AI Foundry instances are using local authentication methods such as access keys, perform the following operations:

Getting the authentication configuration for AI Foundry instances using Microsoft Azure Portal is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the name and the associated resource group for each Azure AI Services (AI Foundry) instance available within the current subscription: 

az cognitiveservices account list
	--output table
	--query '[?(kind==`AIServices`)].{name:name, resourceGroup:resourceGroup}'

05 The command output should return the requested AI Foundry instance identifiers: 

Name                               ResourceGroup
-------------------------------    ------------------------------
tm-project5-ai-service-instance    cloud-shell-storage-westeurope
tm-project5-ai-foundry-instance    cloud-shell-storage-westeurope

06 Run cognitiveservices account show command (Windows/macOS/Linux) with the name of the Azure AI Foundry instance that you want to examine as the identifier parameter and custom output filters to determine if local (key-based) authentication is disabled for the selected instance: 

az cognitiveservices account show
	--name tm-project5-ai-service-instance
	--resource-group cloud-shell-storage-westeurope
	--query '{"disableLocalAuth":properties.disableLocalAuth}'

07 The command output should return the requested configuration settings status: 

{
	"disableLocalAuth": false
}

If the cognitiveservices account show command output returns null or false for the "disableLocalAuth" configuration setting, as shown in the example above, local (key-based) authentication is not disabled for the selected Azure AI Foundry instance.

Remediation / Resolution

To disable local authentication for your Azure AI Foundry instances so that clients or applications are required to use Microsoft Entra ID for authentication, perform the following operations:

Disabling local authentication methods for AI Foundry instances using Microsoft Azure Portal is not currently supported.

Using Azure CLI

01 Run account list command (Windows/macOS/Linux) with custom output filters to list the IDs of the cloud subscriptions available in your Azure cloud account: 

az account list
	--query '[*].id'

02 The command output should return the requested subscription identifiers (IDs): 

[
	"abcdabcd-1234-abcd-1234-abcdabcdabcd",
	"abcd1234-abcd-1234-abcd-abcd1234abcd"
]

03 Run account set command (Windows/macOS/Linux) with the ID of the Azure cloud subscription that you want to examine as the identifier parameter to set the selected subscription to be the current active subscription (the command does not produce an output): 

az account set
	--subscription abcdabcd-1234-abcd-1234-abcdabcdabcd

04 Run cognitiveservices account list command (Windows/macOS/Linux) with custom output filters to list the resource identifier (ID) of each Azure AI Services (AI Foundry) instance available within the current subscription: 

az cognitiveservices account list
	--query '[?(kind==`AIServices`)].id'

05 The command output should return the requested AI Foundry instance identifiers: 

[
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-project5-ai-service-instance",
	"/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-project5-ai-foundry-instance"
]

06 Run az rest command (Windows/macOS/Linux) with the ID of the Azure AI Foundry instance that you want to configure as the identifier parameter, to disable local (key-based) authentication for the selected instance. This operation doesn't take effect immediately. Allow a few minutes for the Azure service to block future authentication requests: 

az rest
	--method patch
	--url "https://management.azure.com/subscriptions/abcdabcd-1234-abcd-1234-abcdabcdabcd/resourceGroups/cloud-shell-storage-westeurope/providers/Microsoft.CognitiveServices/accounts/tm-project5-ai-service-instance?api-version=2023-05-01"
	--body "{\"properties\": {\"disableLocalAuth\": true}}"
	--query '{"disableLocalAuth":properties.disableLocalAuth}'

07 The command output should return the information available for the configured AI Foundry instance: 

{
	"disableLocalAuth": true
}

References

Publication date Sep 10, 2025

Related AIFoundry rules