feat: add Azure AD token-based authentication support

[devin-ai-integration]

feat: add Azure AD token-based authentication support

Summary

This PR adds support for Azure AD token-based authentication in the Azure AI Inference provider, addressing issue #4018. Users can now authenticate using Azure AD tokens instead of API keys, which is required by organizations that have deprecated API key usage.

The implementation adds two new parameters to AzureCompletion:

• azure_ad_token_provider: A callable (typically from azure.identity.get_bearer_token_provider()) that returns tokens
• credential: A TokenCredential instance (e.g., DefaultAzureCredential, ManagedIdentityCredential)

Authentication priority: credential > azure_ad_token_provider > api_key

Example usage:

from azure.identity import DefaultAzureCredential, get_bearer_token_provider
from crewai import LLM

# Option 1: Using token provider
token_provider = get_bearer_token_provider(
    DefaultAzureCredential(),
    "https://cognitiveservices.azure.com/.default"
)
llm = LLM(
    model="azure/gpt-4",
    base_url="https://your-resource.openai.azure.com",
    azure_ad_token_provider=token_provider
)

# Option 2: Using credential directly
llm = LLM(
    model="azure/gpt-4",
    base_url="https://your-resource.openai.azure.com",
    credential=DefaultAzureCredential()
)

Review & Testing Checklist for Human

• Verify _TokenProviderCredential wrapper behavior: The wrapper assumes token providers are zero-arg callables and assigns a 1-hour default expiry for string tokens. Confirm this aligns with azure.identity.get_bearer_token_provider() behavior.
• Test with real Azure AD credentials: Unit tests use mocks only. Recommend testing with actual DefaultAzureCredential or ManagedIdentityCredential in an Azure environment.
• Verify async client compatibility: Both sync and async clients share the same credential instance. Confirm this works correctly for async operations.

Recommended test plan:

1. Set up an Azure OpenAI resource with Azure AD authentication enabled
2. Test with DefaultAzureCredential using the credential parameter
3. Test with get_bearer_token_provider using the azure_ad_token_provider parameter
4. Verify a simple crew execution completes successfully

Notes

Fixes #4018

Link to Devin run: https://app.devin.ai/sessions/760e5d73df0c449db4afd2506026d78e
Requested by: João ([email protected])

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[cursor]

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on December 28.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.