Skip to main content
This guide explains how to configure certificate-based authentication using Microsoft Entra ID for Azure OpenAI and Azure AI Foundry models in TrueFoundry’s AI Gateway. Certificate authentication is also supported for Azure AI Foundry-based guardrails — Azure PII, Azure Content Safety, and Azure Prompt Shield.

Prerequisites

  • A Microsoft Entra ID application registered in your Azure tenant
  • Azure OpenAI or Azure AI Foundry resource deployed
  • An X.509 certificate (or OpenSSL to generate one)

Azure Configuration

1

Get Application Details from Entra ID

Navigate to Azure Portal > Microsoft Entra ID > App registrations and select your application.From the Overview page, note the following values:
  • Application (client) ID
  • Directory (tenant) ID
2

Prepare a Certificate

You can use an existing certificate or generate a new self-signed certificate.
# Generate private key and certificate
openssl req -x509 -newkey rsa:2048 \
  -keyout private-key.pem -out certificate.crt \
  -days 365 -nodes \
  -subj "/CN=TrueFoundry-Azure-Integration"
This creates:
  • private-key.pem - Keep this secure, you’ll provide it to TrueFoundry
  • certificate.crt - Upload this to Azure
If using an existing certificate, ensure you have:
  • The private key in PEM format
  • The public certificate to upload to Azure
3

Upload Certificate to App Registration

In your app registration, navigate to Certificates & secrets > Certificates > Upload certificate.Upload certificate.crt and note the Thumbprint value displayed after upload.
Certificates and secrets page showing uploaded certificate with thumbprint
4

Assign RBAC Role to App Registration

Navigate to your Azure resource > Access control (IAM) > Add role assignment.
Assign Cognitive Services OpenAI User role to your app registration.Learn more about Azure OpenAI RBAC
Access control IAM page showing role assignment
Role assignments may take a few minutes to propagate.

TrueFoundry Configuration

1

Add Provider Account with Certificate Authentication

Navigate to AI Gateway > Models and select your provider (Azure OpenAI or Azure AI Foundry).Click Add Account and select Certificate Authentication. Fill in the following:
FieldDescription
Tenant IDDirectory (tenant) ID from app registration overview
Client IDApplication (client) ID from app registration overview
CertificateContents of the private key in PEM format. You can also use a TrueFoundry Secret here.
Certificate ThumbprintThumbprint shown after uploading certificate to Azure
For Azure AI Foundry, certificate authentication is configured at the model level, not the account level.
Azure AI Foundry model form with certificate authentication fields
2

Add Models and Test

Add your models as described in the Azure OpenAI or Azure AI Foundry documentation.Test the connection using the Playground to verify authentication works.