Installation
Installation
Entra Auth Cli can be installed as a .NET global tool or downloaded as a self-contained executable for your platform.
Option 1: .NET Global Tool (Recommended)
Prerequisites: .NET Runtime 10.0 or later
Install
dotnet tool install -g EntraAuthCli
Update
dotnet tool update -g EntraAuthCli
Uninstall
dotnet tool uninstall -g EntraAuthCli
Verify Installation
entra-auth-cli --version
Option 2: Self-Contained Executables
Download the latest release for your platform from the Releases page.
Windows
- Download
entra-auth-cli-win-x64.exe - Place in a directory in your PATH (e.g.,
C:\Tools\) - Run from command prompt:
entra-auth-cli --version
macOS (Apple Silicon)
- Download
entra-auth-cli-osx-arm64 - Make executable and move to PATH:
chmod +x entra-auth-cli-osx-arm64
sudo mv entra-auth-cli-osx-arm64 /usr/local/bin/entra-auth-cli
- Verify:
entra-auth-cli --version
macOS (Intel)
- Download
entra-auth-cli-osx-x64 - Make executable and move to PATH:
chmod +x entra-auth-cli-osx-x64
sudo mv entra-auth-cli-osx-x64 /usr/local/bin/entra-auth-cli
- Verify:
entra-auth-cli --version
Linux
- Download
entra-auth-cli-linux-x64 - Make executable and move to PATH:
chmod +x entra-auth-cli-linux-x64
sudo mv entra-auth-cli-linux-x64 /usr/local/bin/entra-auth-cli
- Verify:
entra-auth-cli --version
β οΈ Linux Security Note: Linux uses XOR obfuscation for secret storage, not cryptographic encryption. Suitable for development only. See Platform-Specific Guides for production alternatives.
Microsoft Graph API Permissions
Some features require Microsoft Graph API permissions (delegated). The tool will prompt you to sign in and consent when needed.
| Permission | Purpose | Required For |
|---|---|---|
Application.Read.All | Search and list app registrations in your tenant | discover command |
Directory.Read.All | Resolve service principals and resource app information | discover command |
Application.ReadWrite.All | Create client secrets in app registrations | Client secret creation in config create, config edit, discover |
π‘ Note: Basic token generation (
get-token,config createwith existing secrets) does not require any Graph API permissions. These permissions are only needed for advanced discovery and secret creation features.
Permissions by Feature
| Feature | Commands | Permissions Needed |
|---|---|---|
| Generate tokens | get-token | None |
| Manage profiles | config create, config edit, config list | None |
| App discovery | discover | Application.Read.All, Directory.Read.All |
| API permissions lookup | discover (when selecting scope) | Application.Read.All, Directory.Read.All |
| Create client secrets | config create, config edit, discover | Application.ReadWrite.All |
Platform Requirements
Windows
- Windows 10+ (build 1607+)
- Secure storage via DPAPI
macOS
- macOS 10.15+ (Catalina or later)
- Secure storage via Keychain
Linux
- Ubuntu 20.04+, Fedora 35+, or compatible distributions
- XOR obfuscation (not cryptographically secure)
Next Steps
- Quick Start Guide β - Generate your first token
- Complete Tutorial β - Full walkthrough
- Core Concepts β - Understand how it works