Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1. Project Endpoint, Authentication, and the SDK Client

💡 First Principle: Authentication is a choice between a long-lived shared secret (key) and a short-lived, identity-bound token (Entra ID via DefaultAzureCredential). The exam's default-correct answer is almost always the identity-based one, because keys are the thing that leaks.

In Python, the modern pattern initializes a project client with the project endpoint and a credential, then derives the model/agent clients from it:

from azure.ai.projects import AIProjectClient
from azure.identity import DefaultAzureCredential

project = AIProjectClient(
    endpoint="https://<your-project>.services.ai.azure.com/api/projects/<project>",
    credential=DefaultAzureCredential(),
)
# Obtain an authenticated OpenAI-style client for completions
client = project.get_openai_client()

DefaultAzureCredential is the key idea: it tries a chain of credential sources (managed identity in Azure, your CLI login locally) so the same code runs securely in production without embedding a secret. When a scenario says "the app runs on an Azure VM / container and must authenticate without storing credentials," the answer is managed identity through this credential chain.

⚠️ Exam Trap: API keys are what quickstarts show first, so they feel like the "normal" answer — but on a security or production-readiness question, key-based auth is the distractor. Recommended practice is Microsoft Entra ID with managed identity; keys, if used at all, belong in Key Vault, never in code or config.

Reflection Question: Why does DefaultAzureCredential let the same code authenticate both on your laptop and on a production container without changes — and why is that a security win, not just a convenience?

Alvin Varughese
Written byAlvin Varughese
Founder18 professional certifications