Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Bicep resource definition
The accounts/connections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.CognitiveServices/accounts/connections resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.CognitiveServices/accounts/connections@2026-01-15-preview' = {
parent: resourceSymbolicName
name: 'string'
properties: {
category: 'string'
error: 'string'
expiryTime: 'string'
isSharedToAll: bool
metadata: {
{customized property}: 'string'
}
peRequirement: 'string'
peStatus: 'string'
sharedUserList: [
'string'
]
target: 'string'
useWorkspaceManagedIdentity: bool
authType: 'string'
// For remaining properties, see ConnectionPropertiesV2 objects
}
}
ConnectionPropertiesV2 objects
Set the authType property to specify the type of object.
For AAD, use:
{
authType: 'AAD'
}
For AccessKey, use:
{
authType: 'AccessKey'
credentials: {
accessKeyId: 'string'
secretAccessKey: 'string'
}
}
For AccountKey, use:
{
authType: 'AccountKey'
credentials: {
key: 'string'
}
}
For ApiKey, use:
{
authType: 'ApiKey'
credentials: {
key: 'string'
}
}
For CustomKeys, use:
{
authType: 'CustomKeys'
credentials: {
keys: {
{customized property}: 'string'
}
}
}
For ManagedIdentity, use:
{
authType: 'ManagedIdentity'
credentials: {
clientId: 'string'
resourceId: 'string'
}
}
For None, use:
{
authType: 'None'
}
For OAuth2, use:
{
authType: 'OAuth2'
credentials: {
authUrl: 'string'
clientId: 'string'
clientSecret: 'string'
developerToken: 'string'
password: 'string'
refreshToken: 'string'
tenantId: 'string'
username: 'string'
}
}
For PAT, use:
{
authType: 'PAT'
credentials: {
pat: 'string'
}
}
For SAS, use:
{
authType: 'SAS'
credentials: {
sas: 'string'
}
}
For ServicePrincipal, use:
{
authType: 'ServicePrincipal'
credentials: {
clientId: 'string'
clientSecret: 'string'
tenantId: 'string'
}
}
For UsernamePassword, use:
{
authType: 'UsernamePassword'
credentials: {
password: 'string'
securityToken: 'string'
username: 'string'
}
}
Property Values
Microsoft.CognitiveServices/accounts/connections
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: accounts |
| properties | Connection property base schema. | ConnectionPropertiesV2 (required) |
AADAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AAD' (required) |
AccessKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccessKey' (required) |
| credentials | ConnectionAccessKey |
AccountKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccountKey' (required) |
| credentials | Account key object for connection credential. | ConnectionAccountKey |
ApiKeyAuthConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ApiKey' (required) |
| credentials | Api key object for connection credential. | ConnectionApiKey |
ConnectionAccessKey
| Name | Description | Value |
|---|---|---|
| accessKeyId | string | |
| secretAccessKey | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionAccountKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionApiKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionManagedIdentity
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| resourceId | string |
ConnectionOAuth2
| Name | Description | Value |
|---|---|---|
| authUrl | Required by Concur connection category | string |
| clientId | Client id in the format of UUID | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| developerToken | Required by GoogleAdWords connection category | string Constraints: Sensitive value. Pass in as a secure parameter. |
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| refreshToken | Required by GoogleBigQuery, GoogleAdWords, Hubspot, QuickBooks, Square, Xero, Zoho where user needs to get RefreshToken offline |
string Constraints: Sensitive value. Pass in as a secure parameter. |
| tenantId | Required by QuickBooks and Xero connection categories | string |
| username | Concur, ServiceNow auth server AccessToken grant type is 'Password' which requires UsernamePassword |
string |
ConnectionPersonalAccessToken
| Name | Description | Value |
|---|---|---|
| pat | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionPropertiesV2
| Name | Description | Value |
|---|---|---|
| authType | Set to 'AAD' for type AADAuthTypeConnectionProperties. Set to 'AccessKey' for type AccessKeyAuthTypeConnectionProperties. Set to 'AccountKey' for type AccountKeyAuthTypeConnectionProperties. Set to 'ApiKey' for type ApiKeyAuthConnectionProperties. Set to 'CustomKeys' for type CustomKeysConnectionProperties. Set to 'ManagedIdentity' for type ManagedIdentityAuthTypeConnectionProperties. Set to 'None' for type NoneAuthTypeConnectionProperties. Set to 'OAuth2' for type OAuth2AuthTypeConnectionProperties. Set to 'PAT' for type PATAuthTypeConnectionProperties. Set to 'SAS' for type SASAuthTypeConnectionProperties. Set to 'ServicePrincipal' for type ServicePrincipalAuthTypeConnectionProperties. Set to 'UsernamePassword' for type UsernamePasswordAuthTypeConnectionProperties. | 'AAD' 'AccessKey' 'AccountKey' 'ApiKey' 'CustomKeys' 'ManagedIdentity' 'None' 'OAuth2' 'PAT' 'SAS' 'ServicePrincipal' 'UsernamePassword' (required) |
| category | Category of the connection | 'ADLSGen2' 'AIServices' 'AmazonMws' 'AmazonRdsForOracle' 'AmazonRdsForSqlServer' 'AmazonRedshift' 'AmazonS3Compatible' 'ApiKey' 'ApiManagement' 'AppConfig' 'AppInsights' 'AzureBlob' 'AzureContainerAppEnvironment' 'AzureDatabricksDeltaLake' 'AzureDataExplorer' 'AzureKeyVault' 'AzureMariaDb' 'AzureMySqlDb' 'AzureOneLake' 'AzureOpenAI' 'AzurePostgresDb' 'AzureSqlDb' 'AzureSqlMi' 'AzureStorageAccount' 'AzureSynapseAnalytics' 'AzureTableStorage' 'BingLLMSearch' 'Cassandra' 'CognitiveSearch' 'CognitiveService' 'Concur' 'ContainerRegistry' 'CosmosDb' 'CosmosDbMongoDbApi' 'Couchbase' 'CustomKeys' 'Databricks' 'Db2' 'Drill' 'Dynamics' 'DynamicsAx' 'DynamicsCrm' 'Elasticsearch' 'Eloqua' 'FileServer' 'FtpServer' 'GenericContainerRegistry' 'GenericHttp' 'GenericRest' 'Git' 'GoogleAdWords' 'GoogleBigQuery' 'GoogleCloudStorage' 'Greenplum' 'GroundingWithBingSearch' 'GroundingWithCustomSearch' 'Hbase' 'Hdfs' 'Hive' 'Hubspot' 'Impala' 'Informix' 'Jira' 'Magento' 'ManagedOnlineEndpoint' 'MariaDb' 'Marketo' 'MicrosoftAccess' 'MicrosoftFabric' 'ModelGateway' 'MongoDbAtlas' 'MongoDbV2' 'MySql' 'Netezza' 'ODataRest' 'Odbc' 'Office365' 'OpenAI' 'Oracle' 'OracleCloudStorage' 'OracleServiceCloud' 'PayPal' 'Phoenix' 'Pinecone' 'PostgreSql' 'PowerPlatformEnvironment' 'Presto' 'PythonFeed' 'QuickBooks' 'Redis' 'RemoteA2A' 'RemoteTool' 'Responsys' 'S3' 'Salesforce' 'SalesforceMarketingCloud' 'SalesforceServiceCloud' 'SapBw' 'SapCloudForCustomer' 'SapEcc' 'SapHana' 'SapOpenHub' 'SapTable' 'Serp' 'Serverless' 'ServiceNow' 'Sftp' 'Sharepoint' 'SharePointOnlineList' 'Shopify' 'Snowflake' 'Spark' 'SqlServer' 'Square' 'Sybase' 'Teradata' 'Vertica' 'WebTable' 'Xero' 'Zoho' |
| error | Provides the error message if the connection fails | string |
| expiryTime | string | |
| isSharedToAll | bool | |
| metadata | Store user metadata for this connection | ConnectionPropertiesV2Metadata |
| peRequirement | Specifies how private endpoints are used with this connection: 'Required', 'NotRequired', or 'NotApplicable'. | 'NotApplicable' 'NotRequired' 'Required' |
| peStatus | Specifies the status of private endpoints for this connection: 'Inactive', 'Active', or 'NotApplicable'. | 'Active' 'Inactive' 'NotApplicable' |
| sharedUserList | string[] | |
| target | The connection URL to be used. | string |
| useWorkspaceManagedIdentity | bool |
ConnectionPropertiesV2Metadata
| Name | Description | Value |
|---|
ConnectionServicePrincipal
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| tenantId | string |
ConnectionSharedAccessSignature
| Name | Description | Value |
|---|---|---|
| sas | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionUsernamePassword
| Name | Description | Value |
|---|---|---|
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| securityToken | Optional, required by connections like SalesForce for extra security in addition to UsernamePassword | string Constraints: Sensitive value. Pass in as a secure parameter. |
| username | string |
CustomKeys
| Name | Description | Value |
|---|---|---|
| keys | Dictionary of <string> | CustomKeys |
CustomKeys
| Name | Description | Value |
|---|
CustomKeysConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'CustomKeys' (required) |
| credentials | Custom Keys credential object | CustomKeys |
ManagedIdentityAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ManagedIdentity' (required) |
| credentials | ConnectionManagedIdentity |
NoneAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'None' (required) |
OAuth2AuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'OAuth2' (required) |
| credentials | ClientId and ClientSecret are required. Other properties are optional depending on each OAuth2 provider's implementation. |
ConnectionOAuth2 |
PATAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'PAT' (required) |
| credentials | ConnectionPersonalAccessToken |
SASAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'SAS' (required) |
| credentials | ConnectionSharedAccessSignature |
ServicePrincipalAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ServicePrincipal' (required) |
| credentials | ConnectionServicePrincipal |
UsernamePasswordAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'UsernamePassword' (required) |
| credentials | ConnectionUsernamePassword |
ARM template resource definition
The accounts/connections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.CognitiveServices/accounts/connections resource, add the following JSON to your template.
{
"type": "Microsoft.CognitiveServices/accounts/connections",
"apiVersion": "2026-01-15-preview",
"name": "string",
"properties": {
"category": "string",
"error": "string",
"expiryTime": "string",
"isSharedToAll": "bool",
"metadata": {
"{customized property}": "string"
},
"peRequirement": "string",
"peStatus": "string",
"sharedUserList": [ "string" ],
"target": "string",
"useWorkspaceManagedIdentity": "bool",
"authType": "string"
// For remaining properties, see ConnectionPropertiesV2 objects
}
}
ConnectionPropertiesV2 objects
Set the authType property to specify the type of object.
For AAD, use:
{
"authType": "AAD"
}
For AccessKey, use:
{
"authType": "AccessKey",
"credentials": {
"accessKeyId": "string",
"secretAccessKey": "string"
}
}
For AccountKey, use:
{
"authType": "AccountKey",
"credentials": {
"key": "string"
}
}
For ApiKey, use:
{
"authType": "ApiKey",
"credentials": {
"key": "string"
}
}
For CustomKeys, use:
{
"authType": "CustomKeys",
"credentials": {
"keys": {
"{customized property}": "string"
}
}
}
For ManagedIdentity, use:
{
"authType": "ManagedIdentity",
"credentials": {
"clientId": "string",
"resourceId": "string"
}
}
For None, use:
{
"authType": "None"
}
For OAuth2, use:
{
"authType": "OAuth2",
"credentials": {
"authUrl": "string",
"clientId": "string",
"clientSecret": "string",
"developerToken": "string",
"password": "string",
"refreshToken": "string",
"tenantId": "string",
"username": "string"
}
}
For PAT, use:
{
"authType": "PAT",
"credentials": {
"pat": "string"
}
}
For SAS, use:
{
"authType": "SAS",
"credentials": {
"sas": "string"
}
}
For ServicePrincipal, use:
{
"authType": "ServicePrincipal",
"credentials": {
"clientId": "string",
"clientSecret": "string",
"tenantId": "string"
}
}
For UsernamePassword, use:
{
"authType": "UsernamePassword",
"credentials": {
"password": "string",
"securityToken": "string",
"username": "string"
}
}
Property Values
Microsoft.CognitiveServices/accounts/connections
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-01-15-preview' |
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| properties | Connection property base schema. | ConnectionPropertiesV2 (required) |
| type | The resource type | 'Microsoft.CognitiveServices/accounts/connections' |
AADAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AAD' (required) |
AccessKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccessKey' (required) |
| credentials | ConnectionAccessKey |
AccountKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccountKey' (required) |
| credentials | Account key object for connection credential. | ConnectionAccountKey |
ApiKeyAuthConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ApiKey' (required) |
| credentials | Api key object for connection credential. | ConnectionApiKey |
ConnectionAccessKey
| Name | Description | Value |
|---|---|---|
| accessKeyId | string | |
| secretAccessKey | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionAccountKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionApiKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionManagedIdentity
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| resourceId | string |
ConnectionOAuth2
| Name | Description | Value |
|---|---|---|
| authUrl | Required by Concur connection category | string |
| clientId | Client id in the format of UUID | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| developerToken | Required by GoogleAdWords connection category | string Constraints: Sensitive value. Pass in as a secure parameter. |
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| refreshToken | Required by GoogleBigQuery, GoogleAdWords, Hubspot, QuickBooks, Square, Xero, Zoho where user needs to get RefreshToken offline |
string Constraints: Sensitive value. Pass in as a secure parameter. |
| tenantId | Required by QuickBooks and Xero connection categories | string |
| username | Concur, ServiceNow auth server AccessToken grant type is 'Password' which requires UsernamePassword |
string |
ConnectionPersonalAccessToken
| Name | Description | Value |
|---|---|---|
| pat | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionPropertiesV2
| Name | Description | Value |
|---|---|---|
| authType | Set to 'AAD' for type AADAuthTypeConnectionProperties. Set to 'AccessKey' for type AccessKeyAuthTypeConnectionProperties. Set to 'AccountKey' for type AccountKeyAuthTypeConnectionProperties. Set to 'ApiKey' for type ApiKeyAuthConnectionProperties. Set to 'CustomKeys' for type CustomKeysConnectionProperties. Set to 'ManagedIdentity' for type ManagedIdentityAuthTypeConnectionProperties. Set to 'None' for type NoneAuthTypeConnectionProperties. Set to 'OAuth2' for type OAuth2AuthTypeConnectionProperties. Set to 'PAT' for type PATAuthTypeConnectionProperties. Set to 'SAS' for type SASAuthTypeConnectionProperties. Set to 'ServicePrincipal' for type ServicePrincipalAuthTypeConnectionProperties. Set to 'UsernamePassword' for type UsernamePasswordAuthTypeConnectionProperties. | 'AAD' 'AccessKey' 'AccountKey' 'ApiKey' 'CustomKeys' 'ManagedIdentity' 'None' 'OAuth2' 'PAT' 'SAS' 'ServicePrincipal' 'UsernamePassword' (required) |
| category | Category of the connection | 'ADLSGen2' 'AIServices' 'AmazonMws' 'AmazonRdsForOracle' 'AmazonRdsForSqlServer' 'AmazonRedshift' 'AmazonS3Compatible' 'ApiKey' 'ApiManagement' 'AppConfig' 'AppInsights' 'AzureBlob' 'AzureContainerAppEnvironment' 'AzureDatabricksDeltaLake' 'AzureDataExplorer' 'AzureKeyVault' 'AzureMariaDb' 'AzureMySqlDb' 'AzureOneLake' 'AzureOpenAI' 'AzurePostgresDb' 'AzureSqlDb' 'AzureSqlMi' 'AzureStorageAccount' 'AzureSynapseAnalytics' 'AzureTableStorage' 'BingLLMSearch' 'Cassandra' 'CognitiveSearch' 'CognitiveService' 'Concur' 'ContainerRegistry' 'CosmosDb' 'CosmosDbMongoDbApi' 'Couchbase' 'CustomKeys' 'Databricks' 'Db2' 'Drill' 'Dynamics' 'DynamicsAx' 'DynamicsCrm' 'Elasticsearch' 'Eloqua' 'FileServer' 'FtpServer' 'GenericContainerRegistry' 'GenericHttp' 'GenericRest' 'Git' 'GoogleAdWords' 'GoogleBigQuery' 'GoogleCloudStorage' 'Greenplum' 'GroundingWithBingSearch' 'GroundingWithCustomSearch' 'Hbase' 'Hdfs' 'Hive' 'Hubspot' 'Impala' 'Informix' 'Jira' 'Magento' 'ManagedOnlineEndpoint' 'MariaDb' 'Marketo' 'MicrosoftAccess' 'MicrosoftFabric' 'ModelGateway' 'MongoDbAtlas' 'MongoDbV2' 'MySql' 'Netezza' 'ODataRest' 'Odbc' 'Office365' 'OpenAI' 'Oracle' 'OracleCloudStorage' 'OracleServiceCloud' 'PayPal' 'Phoenix' 'Pinecone' 'PostgreSql' 'PowerPlatformEnvironment' 'Presto' 'PythonFeed' 'QuickBooks' 'Redis' 'RemoteA2A' 'RemoteTool' 'Responsys' 'S3' 'Salesforce' 'SalesforceMarketingCloud' 'SalesforceServiceCloud' 'SapBw' 'SapCloudForCustomer' 'SapEcc' 'SapHana' 'SapOpenHub' 'SapTable' 'Serp' 'Serverless' 'ServiceNow' 'Sftp' 'Sharepoint' 'SharePointOnlineList' 'Shopify' 'Snowflake' 'Spark' 'SqlServer' 'Square' 'Sybase' 'Teradata' 'Vertica' 'WebTable' 'Xero' 'Zoho' |
| error | Provides the error message if the connection fails | string |
| expiryTime | string | |
| isSharedToAll | bool | |
| metadata | Store user metadata for this connection | ConnectionPropertiesV2Metadata |
| peRequirement | Specifies how private endpoints are used with this connection: 'Required', 'NotRequired', or 'NotApplicable'. | 'NotApplicable' 'NotRequired' 'Required' |
| peStatus | Specifies the status of private endpoints for this connection: 'Inactive', 'Active', or 'NotApplicable'. | 'Active' 'Inactive' 'NotApplicable' |
| sharedUserList | string[] | |
| target | The connection URL to be used. | string |
| useWorkspaceManagedIdentity | bool |
ConnectionPropertiesV2Metadata
| Name | Description | Value |
|---|
ConnectionServicePrincipal
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| tenantId | string |
ConnectionSharedAccessSignature
| Name | Description | Value |
|---|---|---|
| sas | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionUsernamePassword
| Name | Description | Value |
|---|---|---|
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| securityToken | Optional, required by connections like SalesForce for extra security in addition to UsernamePassword | string Constraints: Sensitive value. Pass in as a secure parameter. |
| username | string |
CustomKeys
| Name | Description | Value |
|---|---|---|
| keys | Dictionary of <string> | CustomKeys |
CustomKeys
| Name | Description | Value |
|---|
CustomKeysConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'CustomKeys' (required) |
| credentials | Custom Keys credential object | CustomKeys |
ManagedIdentityAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ManagedIdentity' (required) |
| credentials | ConnectionManagedIdentity |
NoneAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'None' (required) |
OAuth2AuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'OAuth2' (required) |
| credentials | ClientId and ClientSecret are required. Other properties are optional depending on each OAuth2 provider's implementation. |
ConnectionOAuth2 |
PATAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'PAT' (required) |
| credentials | ConnectionPersonalAccessToken |
SASAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'SAS' (required) |
| credentials | ConnectionSharedAccessSignature |
ServicePrincipalAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ServicePrincipal' (required) |
| credentials | ConnectionServicePrincipal |
UsernamePasswordAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'UsernamePassword' (required) |
| credentials | ConnectionUsernamePassword |
Usage Examples
Terraform (AzAPI provider) resource definition
The accounts/connections resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.CognitiveServices/accounts/connections resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.CognitiveServices/accounts/connections@2026-01-15-preview"
name = "string"
parent_id = "string"
body = {
properties = {
category = "string"
error = "string"
expiryTime = "string"
isSharedToAll = bool
metadata = {
{customized property} = "string"
}
peRequirement = "string"
peStatus = "string"
sharedUserList = [
"string"
]
target = "string"
useWorkspaceManagedIdentity = bool
authType = "string"
// For remaining properties, see ConnectionPropertiesV2 objects
}
}
}
ConnectionPropertiesV2 objects
Set the authType property to specify the type of object.
For AAD, use:
{
authType = "AAD"
}
For AccessKey, use:
{
authType = "AccessKey"
credentials = {
accessKeyId = "string"
secretAccessKey = "string"
}
}
For AccountKey, use:
{
authType = "AccountKey"
credentials = {
key = "string"
}
}
For ApiKey, use:
{
authType = "ApiKey"
credentials = {
key = "string"
}
}
For CustomKeys, use:
{
authType = "CustomKeys"
credentials = {
keys = {
{customized property} = "string"
}
}
}
For ManagedIdentity, use:
{
authType = "ManagedIdentity"
credentials = {
clientId = "string"
resourceId = "string"
}
}
For None, use:
{
authType = "None"
}
For OAuth2, use:
{
authType = "OAuth2"
credentials = {
authUrl = "string"
clientId = "string"
clientSecret = "string"
developerToken = "string"
password = "string"
refreshToken = "string"
tenantId = "string"
username = "string"
}
}
For PAT, use:
{
authType = "PAT"
credentials = {
pat = "string"
}
}
For SAS, use:
{
authType = "SAS"
credentials = {
sas = "string"
}
}
For ServicePrincipal, use:
{
authType = "ServicePrincipal"
credentials = {
clientId = "string"
clientSecret = "string"
tenantId = "string"
}
}
For UsernamePassword, use:
{
authType = "UsernamePassword"
credentials = {
password = "string"
securityToken = "string"
username = "string"
}
}
Property Values
Microsoft.CognitiveServices/accounts/connections
| Name | Description | Value |
|---|---|---|
| name | The resource name | string Constraints: Pattern = ^[a-zA-Z0-9][a-zA-Z0-9_-]{2,32}$ (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: accounts |
| properties | Connection property base schema. | ConnectionPropertiesV2 (required) |
| type | The resource type | "Microsoft.CognitiveServices/accounts/connections@2026-01-15-preview" |
AADAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AAD' (required) |
AccessKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccessKey' (required) |
| credentials | ConnectionAccessKey |
AccountKeyAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'AccountKey' (required) |
| credentials | Account key object for connection credential. | ConnectionAccountKey |
ApiKeyAuthConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ApiKey' (required) |
| credentials | Api key object for connection credential. | ConnectionApiKey |
ConnectionAccessKey
| Name | Description | Value |
|---|---|---|
| accessKeyId | string | |
| secretAccessKey | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionAccountKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionApiKey
| Name | Description | Value |
|---|---|---|
| key | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionManagedIdentity
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| resourceId | string |
ConnectionOAuth2
| Name | Description | Value |
|---|---|---|
| authUrl | Required by Concur connection category | string |
| clientId | Client id in the format of UUID | string Constraints: Min length = 36 Max length = 36 Pattern = ^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$ |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| developerToken | Required by GoogleAdWords connection category | string Constraints: Sensitive value. Pass in as a secure parameter. |
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| refreshToken | Required by GoogleBigQuery, GoogleAdWords, Hubspot, QuickBooks, Square, Xero, Zoho where user needs to get RefreshToken offline |
string Constraints: Sensitive value. Pass in as a secure parameter. |
| tenantId | Required by QuickBooks and Xero connection categories | string |
| username | Concur, ServiceNow auth server AccessToken grant type is 'Password' which requires UsernamePassword |
string |
ConnectionPersonalAccessToken
| Name | Description | Value |
|---|---|---|
| pat | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionPropertiesV2
| Name | Description | Value |
|---|---|---|
| authType | Set to 'AAD' for type AADAuthTypeConnectionProperties. Set to 'AccessKey' for type AccessKeyAuthTypeConnectionProperties. Set to 'AccountKey' for type AccountKeyAuthTypeConnectionProperties. Set to 'ApiKey' for type ApiKeyAuthConnectionProperties. Set to 'CustomKeys' for type CustomKeysConnectionProperties. Set to 'ManagedIdentity' for type ManagedIdentityAuthTypeConnectionProperties. Set to 'None' for type NoneAuthTypeConnectionProperties. Set to 'OAuth2' for type OAuth2AuthTypeConnectionProperties. Set to 'PAT' for type PATAuthTypeConnectionProperties. Set to 'SAS' for type SASAuthTypeConnectionProperties. Set to 'ServicePrincipal' for type ServicePrincipalAuthTypeConnectionProperties. Set to 'UsernamePassword' for type UsernamePasswordAuthTypeConnectionProperties. | 'AAD' 'AccessKey' 'AccountKey' 'ApiKey' 'CustomKeys' 'ManagedIdentity' 'None' 'OAuth2' 'PAT' 'SAS' 'ServicePrincipal' 'UsernamePassword' (required) |
| category | Category of the connection | 'ADLSGen2' 'AIServices' 'AmazonMws' 'AmazonRdsForOracle' 'AmazonRdsForSqlServer' 'AmazonRedshift' 'AmazonS3Compatible' 'ApiKey' 'ApiManagement' 'AppConfig' 'AppInsights' 'AzureBlob' 'AzureContainerAppEnvironment' 'AzureDatabricksDeltaLake' 'AzureDataExplorer' 'AzureKeyVault' 'AzureMariaDb' 'AzureMySqlDb' 'AzureOneLake' 'AzureOpenAI' 'AzurePostgresDb' 'AzureSqlDb' 'AzureSqlMi' 'AzureStorageAccount' 'AzureSynapseAnalytics' 'AzureTableStorage' 'BingLLMSearch' 'Cassandra' 'CognitiveSearch' 'CognitiveService' 'Concur' 'ContainerRegistry' 'CosmosDb' 'CosmosDbMongoDbApi' 'Couchbase' 'CustomKeys' 'Databricks' 'Db2' 'Drill' 'Dynamics' 'DynamicsAx' 'DynamicsCrm' 'Elasticsearch' 'Eloqua' 'FileServer' 'FtpServer' 'GenericContainerRegistry' 'GenericHttp' 'GenericRest' 'Git' 'GoogleAdWords' 'GoogleBigQuery' 'GoogleCloudStorage' 'Greenplum' 'GroundingWithBingSearch' 'GroundingWithCustomSearch' 'Hbase' 'Hdfs' 'Hive' 'Hubspot' 'Impala' 'Informix' 'Jira' 'Magento' 'ManagedOnlineEndpoint' 'MariaDb' 'Marketo' 'MicrosoftAccess' 'MicrosoftFabric' 'ModelGateway' 'MongoDbAtlas' 'MongoDbV2' 'MySql' 'Netezza' 'ODataRest' 'Odbc' 'Office365' 'OpenAI' 'Oracle' 'OracleCloudStorage' 'OracleServiceCloud' 'PayPal' 'Phoenix' 'Pinecone' 'PostgreSql' 'PowerPlatformEnvironment' 'Presto' 'PythonFeed' 'QuickBooks' 'Redis' 'RemoteA2A' 'RemoteTool' 'Responsys' 'S3' 'Salesforce' 'SalesforceMarketingCloud' 'SalesforceServiceCloud' 'SapBw' 'SapCloudForCustomer' 'SapEcc' 'SapHana' 'SapOpenHub' 'SapTable' 'Serp' 'Serverless' 'ServiceNow' 'Sftp' 'Sharepoint' 'SharePointOnlineList' 'Shopify' 'Snowflake' 'Spark' 'SqlServer' 'Square' 'Sybase' 'Teradata' 'Vertica' 'WebTable' 'Xero' 'Zoho' |
| error | Provides the error message if the connection fails | string |
| expiryTime | string | |
| isSharedToAll | bool | |
| metadata | Store user metadata for this connection | ConnectionPropertiesV2Metadata |
| peRequirement | Specifies how private endpoints are used with this connection: 'Required', 'NotRequired', or 'NotApplicable'. | 'NotApplicable' 'NotRequired' 'Required' |
| peStatus | Specifies the status of private endpoints for this connection: 'Inactive', 'Active', or 'NotApplicable'. | 'Active' 'Inactive' 'NotApplicable' |
| sharedUserList | string[] | |
| target | The connection URL to be used. | string |
| useWorkspaceManagedIdentity | bool |
ConnectionPropertiesV2Metadata
| Name | Description | Value |
|---|
ConnectionServicePrincipal
| Name | Description | Value |
|---|---|---|
| clientId | string | |
| clientSecret | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| tenantId | string |
ConnectionSharedAccessSignature
| Name | Description | Value |
|---|---|---|
| sas | string Constraints: Sensitive value. Pass in as a secure parameter. |
ConnectionUsernamePassword
| Name | Description | Value |
|---|---|---|
| password | string Constraints: Sensitive value. Pass in as a secure parameter. |
|
| securityToken | Optional, required by connections like SalesForce for extra security in addition to UsernamePassword | string Constraints: Sensitive value. Pass in as a secure parameter. |
| username | string |
CustomKeys
| Name | Description | Value |
|---|---|---|
| keys | Dictionary of <string> | CustomKeys |
CustomKeys
| Name | Description | Value |
|---|
CustomKeysConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'CustomKeys' (required) |
| credentials | Custom Keys credential object | CustomKeys |
ManagedIdentityAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ManagedIdentity' (required) |
| credentials | ConnectionManagedIdentity |
NoneAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'None' (required) |
OAuth2AuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'OAuth2' (required) |
| credentials | ClientId and ClientSecret are required. Other properties are optional depending on each OAuth2 provider's implementation. |
ConnectionOAuth2 |
PATAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'PAT' (required) |
| credentials | ConnectionPersonalAccessToken |
SASAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'SAS' (required) |
| credentials | ConnectionSharedAccessSignature |
ServicePrincipalAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'ServicePrincipal' (required) |
| credentials | ConnectionServicePrincipal |
UsernamePasswordAuthTypeConnectionProperties
| Name | Description | Value |
|---|---|---|
| authType | Authentication type of the connection target | 'UsernamePassword' (required) |
| credentials | ConnectionUsernamePassword |
Usage Examples
Terraform Samples
A basic example of deploying Cognitive Services Account Connection.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westeurope"
}
variable "oauth2_client_id" {
type = string
sensitive = true
description = "OAuth2 Client ID for the connection."
}
variable "oauth2_client_secret" {
type = string
sensitive = true
description = "OAuth2 Client Secret for the connection."
}
variable "oauth2_tenant_id" {
type = string
sensitive = true
description = "OAuth2 Tenant ID for the connection."
}
variable "oauth2_developer_token" {
type = string
sensitive = true
description = "OAuth2 Developer Token for the connection."
}
variable "oauth2_refresh_token" {
type = string
sensitive = true
description = "OAuth2 Refresh Token for the connection."
}
variable "oauth2_username" {
type = string
sensitive = true
description = "OAuth2 Username for the connection."
}
variable "oauth2_password" {
type = string
sensitive = true
description = "OAuth2 Password for the connection."
}
data "azapi_client_config" "current" {}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "userAssignedIdentity" {
type = "Microsoft.ManagedIdentity/userAssignedIdentities@2024-11-30"
name = var.resource_name
location = var.location
parent_id = azapi_resource.resourceGroup.id
response_export_values = ["*"]
}
resource "azapi_resource" "account" {
type = "Microsoft.CognitiveServices/accounts@2025-06-01"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
identity {
type = "SystemAssigned, UserAssigned"
identity_ids = [azapi_resource.userAssignedIdentity.id]
}
body = {
kind = "AIServices"
properties = {
allowProjectManagement = true
allowedFqdnList = [
]
apiProperties = {
}
disableLocalAuth = false
dynamicThrottlingEnabled = false
publicNetworkAccess = "Enabled"
restrictOutboundNetworkAccess = false
}
sku = {
name = "S0"
tier = "Standard"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "account_openai" {
type = "Microsoft.CognitiveServices/accounts@2025-06-01"
parent_id = azapi_resource.resourceGroup.id
name = "${var.resource_name}-openai"
location = var.location
identity {
type = "SystemAssigned"
}
body = {
kind = "OpenAI"
properties = {
allowProjectManagement = true
allowedFqdnList = [
]
apiProperties = {
}
disableLocalAuth = false
dynamicThrottlingEnabled = false
publicNetworkAccess = "Enabled"
restrictOutboundNetworkAccess = false
}
sku = {
name = "S0"
tier = "Standard"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "storageAccount" {
type = "Microsoft.Storage/storageAccounts@2021-09-01"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
body = {
kind = "StorageV2"
properties = {
accessTier = "Hot"
allowBlobPublicAccess = false
allowCrossTenantReplication = true
allowSharedKeyAccess = false
defaultToOAuthAuthentication = false
encryption = {
keySource = "Microsoft.Storage"
services = {
queue = {
keyType = "Service"
}
table = {
keyType = "Service"
}
}
}
isHnsEnabled = false
isNfsV3Enabled = false
isSftpEnabled = false
minimumTlsVersion = "TLS1_2"
networkAcls = {
bypass = "AzureServices"
defaultAction = "Deny"
resourceAccessRules = [
{
resourceId = azapi_resource.account.id
tenantId = data.azapi_client_config.current.tenant_id
}
]
}
publicNetworkAccess = "Enabled"
supportsHttpsTrafficOnly = true
}
sku = {
name = "Standard_LRS"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "container" {
type = "Microsoft.Storage/storageAccounts/blobServices/containers@2024-01-01"
parent_id = "${azapi_resource.storageAccount.id}/blobServices/default"
name = var.resource_name
body = {
properties = {
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
# Retrieving keys
resource "azapi_resource_action" "account_keys" {
type = "Microsoft.CognitiveServices/accounts@2025-06-01"
resource_id = azapi_resource.account.id
action = "listKeys"
method = "POST"
sensitive_response_export_values = ["key1"]
}
resource "azapi_resource_action" "account_openai_keys" {
type = "Microsoft.CognitiveServices/accounts@2025-06-01"
resource_id = azapi_resource.account_openai.id
action = "listKeys"
method = "POST"
sensitive_response_export_values = ["key1", "key2"]
}
## Connections note:
# Credentials will not be returned since it's a sensitive data. if we want credentials, we can use .../{connectionName}/listsecrets
## Resources depend on each other so that they get deleted one after another instead of together.
# This helps escape a transient error that occurs when deleting all the connections together on cleanup.
resource "azapi_resource" "connection_aad" {
type = "Microsoft.CognitiveServices/accounts/connections@2025-06-01"
parent_id = azapi_resource.account.id
name = "${var.resource_name}-aad"
body = {
properties = {
authType = "AAD"
category = "AzureBlob"
target = azapi_resource.storageAccount.output.properties.primaryEndpoints.blob
metadata = {
containerName = azapi_resource.container.name
accountName = azapi_resource.storageAccount.name
}
}
}
schema_validation_enabled = false
ignore_casing = false
ignore_missing_property = false
}
resource "azapi_resource" "connection_apikey" {
type = "Microsoft.CognitiveServices/accounts/connections@2025-06-01"
parent_id = azapi_resource.account.id
name = "${var.resource_name}-apikey"
body = {
properties = {
authType = "ApiKey"
category = "AzureOpenAI"
target = azapi_resource.account_openai.output.properties.endpoint
metadata = {
ApiType = "Azure"
ResourceId = azapi_resource.account_openai.id
location = var.location
}
}
}
sensitive_body = {
properties = {
credentials = {
key = azapi_resource_action.account_openai_keys.sensitive_output.key1
}
}
}
schema_validation_enabled = false
ignore_casing = false
ignore_missing_property = false
}
resource "azapi_resource" "connection_customkeys" {
type = "Microsoft.CognitiveServices/accounts/connections@2025-06-01"
parent_id = azapi_resource.account.id
name = "${var.resource_name}-custom"
body = {
properties = {
authType = "CustomKeys"
category = "CustomKeys"
target = azapi_resource.account_openai.output.properties.endpoint
metadata = {
ApiType = "Azure"
ResourceId = azapi_resource.account_openai.id
location = var.location
}
}
}
sensitive_body = {
properties = {
credentials = {
keys = {
primaryKey = azapi_resource_action.account_openai_keys.sensitive_output.key1
secondaryKey = azapi_resource_action.account_openai_keys.sensitive_output.key2
}
}
}
}
schema_validation_enabled = false
ignore_casing = false
ignore_missing_property = false
}
# This is example is based on having an external resource that uses OAuth2.
resource "azapi_resource" "connection_oauth" {
type = "Microsoft.CognitiveServices/accounts/connections@2025-06-01"
parent_id = azapi_resource.account.id
name = "${var.resource_name}-oauth"
body = {
properties = {
authType = "OAuth2"
category = "AzureBlob"
target = azapi_resource.storageAccount.output.properties.primaryEndpoints.blob
metadata = {
containerName = azapi_resource.container.name
accountName = azapi_resource.storageAccount.name
}
}
}
sensitive_body = {
properties = {
credentials = {
# Not all fields are required.
# Use the fields that are necessary in an actual use of the credentials, you don't need to use all of them, they are just placeholders for validation in this connection.
authUrl = "https://login.microsoftonline.com/${var.oauth2_tenant_id}/oauth2/v2.0/token"
clientId = var.oauth2_client_id
clientSecret = var.oauth2_client_secret
tenantId = var.oauth2_tenant_id
developerToken = var.oauth2_developer_token
refreshToken = var.oauth2_refresh_token
username = var.oauth2_username
password = var.oauth2_password
}
}
}
schema_validation_enabled = false
ignore_casing = false
ignore_missing_property = false
}