Need verification if I can disable access keys for my Azure Language service

Question

Need verification if I can disable access keys for my Azure Language service

Aranca, Farimah 0

I have an Azure Language service which is used for Custom Question and Answering and recently I received information that for AI Search resource connected to Language service as part of Custom Question Answering, I must use key based authentication and can't switch to only RBAC authentication since CQA doesn't support RBAC authentication with AI Search at the moment. I just want to clarify if this is the case for the Language service as well ~ If it doesn't support RBAC authentication for CQA.

Aranca, Farimah 0 Reputation points

2026-03-09T09:31:14.5066667+00:00

If access keys on the Azure AI Search resource cannot be fully disabled if it is being used by CQA, does this imply that Language service access keys also can't be disabled if it CQA is enabled?
Rahul Jagdish Kamble 0 Reputation points

2026-03-09T09:47:13.57+00:00

hi @**Aranca, Farimah,

No - the Azure Language Service does NOT require API keys to remain enabled for Custom Question Answering (CQA).** Only the Azure AI Search resource must keep key‑based authentication enabled at this time. The Language Service does support RBAC and does not have a CQA‑specific requirement forcing you to keep its access keys enabled.****
Karnam Venkata Rajeswari 1,310 Reputation points Microsoft External Staff Moderator

2026-03-10T01:54:58.0466667+00:00

Hello Aranca, Farimah,

When Custom Question Answering (CQA) is enabled and integrated with Azure AI Search, the authentication requirements differ by service.

For Azure AI Search, API key–based authentication must remain enabled if the Search resource is used by CQA. This is because the CQA backend relies on the Search admin key to manage and operate the underlying search index. As a result, RBAC‑only (keyless) authentication is not currently supported for Azure AI Search in this integration scenario.

For the Azure AI Language service hosting CQA, RBAC authentication is fully supported. There is no requirement for Language service access keys to remain enabled when RBAC authentication is used.

So, the API key requirement applies only to the Azure AI Search resource used by CQA, not to the Azure AI Language service.

Thank you
Karnam Venkata Rajeswari 1,310 Reputation points Microsoft External Staff Moderator

2026-03-12T10:09:10.0533333+00:00

Hello Aranca, Farimah,

Did you get any chance to review the above response?

Do let me know if you have any further queries.

Thank you.

3 answers

Your answer

Aranca, Farimah 0 Reputation points

2026-03-09T09:31:14.5066667+00:00

If access keys on the Azure AI Search resource cannot be fully disabled if it is being used by CQA, does this imply that Language service access keys also can't be disabled if it CQA is enabled?
Rahul Jagdish Kamble 0 Reputation points

2026-03-09T09:47:13.57+00:00

hi @**Aranca, Farimah,

No - the Azure Language Service does NOT require API keys to remain enabled for Custom Question Answering (CQA).** Only the Azure AI Search resource must keep key‑based authentication enabled at this time. The Language Service does support RBAC and does not have a CQA‑specific requirement forcing you to keep its access keys enabled.****
Karnam Venkata Rajeswari 1,310 Reputation points Microsoft External Staff Moderator

2026-03-10T01:54:58.0466667+00:00

Hello Aranca, Farimah,

When Custom Question Answering (CQA) is enabled and integrated with Azure AI Search, the authentication requirements differ by service.

For Azure AI Search, API key–based authentication must remain enabled if the Search resource is used by CQA. This is because the CQA backend relies on the Search admin key to manage and operate the underlying search index. As a result, RBAC‑only (keyless) authentication is not currently supported for Azure AI Search in this integration scenario.

For the Azure AI Language service hosting CQA, RBAC authentication is fully supported. There is no requirement for Language service access keys to remain enabled when RBAC authentication is used.

So, the API key requirement applies only to the Azure AI Search resource used by CQA, not to the Azure AI Language service.

Thank you
Karnam Venkata Rajeswari 1,310 Reputation points Microsoft External Staff Moderator

2026-03-12T10:09:10.0533333+00:00

Hello Aranca, Farimah,

Did you get any chance to review the above response?

Do let me know if you have any further queries.

Thank you.

Answer 1

Manas Mohanty 16,030 Microsoft External Staff Moderator

Hi Aranca, Farimah,

I agree to above pointers from my colleague and community.

Only RBAC is not enough. We need to use API key-based authentication for AI search as part of pre-requisites.

Additional RBAC roles

But we also need the person establishing the account and project assigned as the Azure AI Account Owner role at the subscription level.

Alternatively, having either the Contributor or Cognitive Services Contributor role at the subscription scope also meets this requirement. For more information, see Role based access control (RBAC).

Reference used - https://dori-uw-1.kuma-moon.com/en-us/azure/ai-services/language-service/question-answering/how-to/configure-azure-resources

Please take a minute to accept this answer if you got the needed clarity.

Thank you

Manas Mohanty 16,030 Reputation points Microsoft External Staff Moderator

2026-03-18T01:46:02.75+00:00

Hi Aranca, Farimah,

Please share your availability if you had further queries on the same context.

Thank you.

Answer 2

Rahul Jagdish Kamble 0

Hi Aranca, Farimah,

No - the Azure Language Service** does NOT require API keys to remain enabled for Custom Question Answering (CQA).** Only the Azure AI Search resource must keep key‑based authentication enabled at this time. The Language Service does support RBAC and does not have a CQA‑specific requirement forcing you to keep its access keys enabled.

0 comments

Answer 3

Hello Aranca, Farimah,

Welcome to Microsoft Q&A .Thank you for reaching out.

We understand the concern around authentication when using Custom Question Answering (CQA) withAzure Language Service and Azure AI Search.

1. Azure AI Language Service (Custom Question Answering)

Azure AI Language supports both API key authentication and Microsoft Entra ID (Azure RBAC).

· When using Custom Question Answering:

· The Language service can be accessed using RBAC (Microsoft Entra ID).

· There is no requirement for the Language resource access keys to remain enabled when RBAC authentication is used.

· In other words, the Language service itself does not have a CQA-specific limitation that requires API keys to stay enabled.

2. Azure AI Search (when used with CQA)

In general , Azure AI Search supports RBAC . However, when it is integrated with custom question answering, the behavior is different.

In the CQA architecture:

· The service provisions and manages an Azure AI Search index that stores the knowledge base content.

· The backend service relies on the Search Admin Key to manage and query this index.

Because of this dependency:

· API key authentication must remain enabled on the Azure AI Search resource when it is used by Custom Question Answering.

· RBAC-only (keyless) authentication is currently not supported for Azure AI Search in the CQA integration scenario.

· As a result, Azure AI Search access keys cannot be fully disabled if the Search resource is being used by CQA.

So , to conclude,

· Azure AI Language: RBAC-only authentication can be used for Custom Question Answering.

· Azure AI Search: API key authentication must remain enabled when the Search resource is connected to CQA.

Please refer the following

Enable role-based access control - Azure AI Search | Microsoft Learn

Connect using Azure roles - Azure AI Search | Microsoft Learn

Configure the custom question answering service for fine-tune models - Foundry Tools | Microsoft Learn

Thank you

Share via

Need verification if I can disable access keys for my Azure Language service

3 answers

Your answer