2.1.1. Project Endpoint, Authentication, and the SDK Client
💡 First Principle: Authentication is a choice between a long-lived shared secret (key) and a short-lived, identity-bound token (Entra ID via DefaultAzureCredential). The exam's default-correct answer is almost always the identity-based one, because keys are the thing that leaks.
In Python, the modern pattern initializes a project client with the project endpoint and a credential, then derives the model/agent clients from it:
from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential
project = AIProjectClient(
endpoint="https://<your-project>.services.ai.azure.com/api/projects/<project>",
credential=DefaultAzureCredential(),
)
# Obtain an authenticated OpenAI-style client for completions
client = project.get_openai_client()
DefaultAzureCredential is the key idea: it tries a chain of credential sources (managed identity in Azure, your CLI login locally) so the same code runs securely in production without embedding a secret. When a scenario says "the app runs on an Azure VM / container and must authenticate without storing credentials," the answer is managed identity through this credential chain.
⚠️ Exam Trap: API keys are what quickstarts show first, so they feel like the "normal" answer — but on a security or production-readiness question, key-based auth is the distractor. Recommended practice is Microsoft Entra ID with managed identity; keys, if used at all, belong in Key Vault, never in code or config.
Reflection Question: Why does DefaultAzureCredential let the same code authenticate both on your laptop and on a production container without changes — and why is that a security win, not just a convenience?