BerriAI · you-n-g · Feb 6, 2025 · Feb 6, 2025 · krrishdholakia · Feb 7, 2025
diff --git a/litellm/router_utils/client_initalization_utils.py b/litellm/router_utils/client_initalization_utils.py
@@ -195,7 +195,8 @@ def set_client(  # noqa: PLR0915
                 organization = get_secret_str(organization_env_name)
                 litellm_params["organization"] = organization
             azure_ad_token_provider: Optional[Callable[[], str]] = None
-            if litellm_params.get("tenant_id"):
+            # If we have api_key, then we have higher priority
+            if not api_key and litellm_params.get("tenant_id"):
                 verbose_router_logger.debug(
                     "Using Azure AD Token Provider for Azure Auth"
                 )
@@ -232,7 +233,7 @@ def set_client(  # noqa: PLR0915
                     if azure_ad_token.startswith("oidc/"):
                         azure_ad_token = get_azure_ad_token_from_oidc(azure_ad_token)
                 elif (
-                    azure_ad_token_provider is None
+                     not api_key and azure_ad_token_provider is None
                     and litellm.enable_azure_ad_token_refresh is True
                 ):
                     try:

diff --git a/litellm/secret_managers/get_azure_ad_token_provider.py b/litellm/secret_managers/get_azure_ad_token_provider.py
@@ -1,6 +1,5 @@
 import os
-from typing import Callable, Union
-
+from typing import Callable
 from litellm._logging import verbose_logger
 
 
@@ -16,31 +15,20 @@ def get_azure_ad_token_provider() -> Callable[[], str]:
     Returns:
         Callable that returns a temporary authentication token.
     """
-    from azure.identity import (
-        ClientSecretCredential,
-        DefaultAzureCredential,
-        get_bearer_token_provider,
-    )
+    from azure.identity import get_bearer_token_provider
+    import azure.identity as identity
+    azure_scope = os.environ.get("AZURE_SCOPE", "https://cognitiveservices.azure.com/.default")
+    cred = os.environ.get("AZURE_CREDENTIAL", "ClientSecretCredential")
 
-    try:
-        credential: Union[ClientSecretCredential, DefaultAzureCredential] = (
-            ClientSecretCredential(
-                client_id=os.environ["AZURE_CLIENT_ID"],
-                client_secret=os.environ["AZURE_CLIENT_SECRET"],
-                tenant_id=os.environ["AZURE_TENANT_ID"],
-            )
-        )
-    except KeyError as e:
-        verbose_logger.exception(
-            "Missing environment variable required by Azure AD workflow. "
-            "DefaultAzureCredential will be used"
-            " {}".format(str(e))
+    cred_cls = getattr(identity, cred)
+    # ClientSecretCredential, DefaultAzureCredential, AzureCliCredential
+    if cred == "ClientSecretCredential":
+        credential = cred_cls(
+            client_id=os.environ["AZURE_CLIENT_ID"],
+            client_secret=os.environ["AZURE_CLIENT_SECRET"],
+            tenant_id=os.environ["AZURE_TENANT_ID"],
         )
-        credential = DefaultAzureCredential()
-    except Exception:
-        raise
+    else:
+        credential = cred_cls()
 
-    return get_bearer_token_provider(
-        credential,
-        "https://cognitiveservices.azure.com/.default",
-    )
+    return get_bearer_token_provider(credential, azure_scope)