Add and manage application credentials in Microsoft Entra ID

Sometimes called a public key, a certificate is the recommended credential type because they're considered more secure than client secrets.

1. In the Microsoft Entra admin center, in App registrations, select your application.

2. Select Certificates & secrets > Certificates > Upload certificate.

3. Select the file you want to upload. It must be one of the following file types: .cer, .pem, .crt.

4. Select Add.

5. Record the certificate Thumbprint for use in your client application code.

   

Sometimes called an application password, a client secret is a string value your app can use in place of a certificate to identify itself.

Client secrets are less secure than certificate or federated credentials and therefore should not be used in production environments. While they may be convenient for local app development, it's imperative to use certificate or federated credentials for any applications running in production to ensure higher security.

1. In the Microsoft Entra admin center, in App registrations, select your application.

2. Select Certificates & secrets > Client secrets > New client secret.

3. Add a description for your client secret.

4. Select an expiration for the secret or specify a custom lifetime.

   • Client secret lifetime is limited to two years (24 months) or less. You can't specify a custom lifetime longer than 24 months.
   • Microsoft recommends that you set an expiration value of less than 12 months.

5. Select Add.

6. Record the client secret Value for use in your client application code. This secret value is never displayed again after you leave this page.

   

Federated identity credentials are a type of credential that allows workloads, such as GitHub Actions, workloads running on Kubernetes, or workloads running in compute platforms outside of Azure access Microsoft Entra protected resources without needing to manage secrets using workload identity federation.

To add a federated credential, follow these steps:

1. In the Microsoft Entra admin center, in App registrations, select your application.

2. Select Certificates & secrets > Federated credentials > Add credential.

   

3. In the Federated credential scenario drop-down box, select one of the supported scenarios, and follow the corresponding guidance to complete the configuration.

   • Customer managed keys for encrypting data in your tenant using Azure Key Vault in another tenant.
   • GitHub actions deploying Azure resources to configure a GitHub workflow to get tokens for your application and deploy assets to Azure.
   • Kubernetes accessing Azure resources to configure a Kubernetes service account to get tokens for your application and access Azure resources.
   • Other issuer to configure the application to trust a managed identity or an identity managed by an external OpenID Connect provider to get tokens for your application and access Azure resources.

For more information on how to get an access token with a federated credential, see Microsoft identity platform and the OAuth 2.0 client credentials flow.