1) I believe Azure Vision read analyse API has both options for auth - via API key and with AAD?
Yes, there are both options for computer vision service.
2) I want to understand for API key vs AAD, which one is recommended mechanism for authentication and why?
The most commonly used way is to use the API key, AAD provides the option to use SP and is more secure because a token is used which expires after a while rather than a key. Depending on the scenario you can choose any of the above. An API key can also be rotated regularly with Azure keyvault to provide a more secure mechanism to handle keys.
3) For AAD, I believe we have to first register custom subdomain on Azure portal which will generate a custom end point for vision API. Along with that, I believe application ID and password will also be required. In our case we are using Rest API to call Azure vision from external program. The link for documentation - https://video2.skills-academy.com/en-us/azure/cognitive-services/authentication?tabs=powershell#authenticate-with-azure-active-directory doesn't suggest how will I get the token first with AAD using application ID and password.
You can set a password for the AD application and get the token when you run the following:
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList "https://login.windows.net/<TENANT_ID>"
$secureSecretObject = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.SecureClientSecret" -ArgumentList $SecureStringPassword
$clientCredential = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential" -ArgumentList $app.ApplicationId, $secureSecretObject
$token=$authContext.AcquireTokenAsync("https://cognitiveservices.azure.com/", $clientCredential).Result
$token
The token will have the expiration limit where you can use it until expiry for other API calls to computer vision
A new token will only be required after it expires.
4) Any other recommended way to authenticate except these API Key and AAD?
Currently these are the supported ways to use the API.