From b97543d1a057bacb0f1ceed3e2e2f8688a694e7a Mon Sep 17 00:00:00 2001
From: Roman Lutz
Date: Wed, 11 Mar 2026 05:56:27 -0700
Subject: [PATCH] fix: use cognitiveservices scope for all Azure AI endpoints

Remove incorrect special-case mapping of *.ai.azure.com endpoints to https://ml.azure.com/.default scope. The ml.azure.com scope is for Azure ML management APIs, not inference. The cognitiveservices scope is accepted by all Azure AI endpoints (Azure OpenAI, AI Foundry, serverless MaaS). Also add Mistral Large Foundry endpoint to Entra auth integration tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pyrit/auth/azure_auth.py | 15 ++++-----------
 .../targets/test_entra_auth_targets.py | 1 +
 2 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/pyrit/auth/azure_auth.py b/pyrit/auth/azure_auth.py
index b606189636..00e2f8d6ff 100644
--- a/pyrit/auth/azure_auth.py
+++ b/pyrit/auth/azure_auth.py
@@ -6,7 +6,6 @@
 import logging
 import time
 from typing import TYPE_CHECKING, Any, Union, cast
-from urllib.parse import urlparse
 
 import msal
 from azure.core.credentials import AccessToken
@@ -257,25 +256,19 @@ def get_default_azure_scope(endpoint: str) -> str:
 """
 Determine the appropriate Azure token scope based on the endpoint URL.
 
+ The Cognitive Services scope is accepted by all Azure AI endpoints including
+ Azure OpenAI (*.openai.azure.com) and AI Foundry (*.ai.azure.com).
+
 Args:
 endpoint (str): The Azure endpoint URL.
 
 Returns:
- str: The appropriate token scope for the endpoint.
- - 'https://ml.azure.com/.default' for AI Foundry endpoints (*.ai.azure.com)
- - 'https://cognitiveservices.azure.com/.default' for other Azure endpoints
+ str: The token scope 'https://cognitiveservices.azure.com/.default'.
 
 Example:
 >>> scope = get_default_azure_scope('https://myresource.openai.azure.com')
 >>> # Returns 'https://cognitiveservices.azure.com/.default'
 """
- try:
- parsed_uri = urlparse(endpoint)
- if parsed_uri.hostname and parsed_uri.hostname.lower().endswith(".ai.azure.com"):
- return "https://ml.azure.com/.default"
- except Exception:
- pass
-
 return "https://cognitiveservices.azure.com/.default"
 
 
diff --git a/tests/integration/targets/test_entra_auth_targets.py b/tests/integration/targets/test_entra_auth_targets.py
index bf068bfb26..6d9fc92ae4 100644
--- a/tests/integration/targets/test_entra_auth_targets.py
+++ b/tests/integration/targets/test_entra_auth_targets.py
@@ -42,6 +42,7 @@
 ("AZURE_OPENAI_GPTV_CHAT_ENDPOINT", "AZURE_OPENAI_GPTV_CHAT_MODEL", True),
 ("AZURE_FOUNDRY_DEEPSEEK_ENDPOINT", "", True),
 ("AZURE_FOUNDRY_PHI4_ENDPOINT", "", True),
+ ("AZURE_FOUNDRY_MISTRAL_LARGE_ENDPOINT", "AZURE_FOUNDRY_MISTRAL_LARGE_MODEL", True),
 ],
 )
 async def test_openai_chat_target_entra_auth(sqlite_instance, endpoint, model_name, supports_seed):
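Review bot: In `get_default_azure_scope` (pyrit/auth/azure_auth.py) the `endpoint` argument is no longer read, yet the docstring summary still says the scope is determined "based on the endpoint URL". I would reword the summary to `Return the default Azure token scope used for Azure AI endpoints.` and note under Args that `endpoint` is kept only for interface compatibility. The added sentence "accepted by all Azure AI endpoints" also reads broader than the code can guarantee: the function returns the public-cloud audience for any input, sovereign-cloud resources generally use a different Cognitive Services audience, and nothing here checks that the host is an Azure domain before a caller attaches the resulting bearer token (the callers are outside this hunk, so that needs confirming there). A unit test pinning a `*.ai.azure.com` endpoint to the cognitiveservices scope would guard against the special case coming back, since the only test change visible in this commit is an integration parameter that needs live credentials.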