Client Secret Creation

Instead of manually creating secrets in the Azure Portal and copying them, you can now create client secrets directly from Entra Auth Cli. The secret is automatically saved to your profile.


Quick Reference

| Feature | Details |
| --- | --- |
| Available in | config create, config edit, discover |
| Secret naming | EAC-EXP-DD-MMM-YY (expiry date) |
| Expiry period | 180 days from creation |
| Required permission | Application.ReadWrite.All |

Overview

When configuring a profile with client secret authentication, you’re presented with two options:

```text
Client secret:
> Create new
  Enter existing
```

Create new automates the process of:

  1. Authenticating to Microsoft Graph API
  2. Creating a new secret in the app registration
  3. Naming the secret with the expiry date
  4. Displaying the secret value (one-time view)
  5. Saving the secret to your profile

📸 Screenshot placeholder: secret-create-options.png Description: Terminal showing the “Create new” and “Enter existing” selection prompt


Creating a New Secret

Step 1: Select “Create new”

When prompted for a client secret, choose “Create new”:

```text
Client secret:
> Create new
  Enter existing
```

Step 2: Authenticate

If not already authenticated, a browser window opens:

```text
Creating a new secret requires signing in with an account that has
Application.ReadWrite.All or Application.ReadWrite.OwnedBy permission.

Opening browser for authentication...
```

Sign in with an account that has permission to modify the app registration.

📸 Screenshot placeholder: secret-auth-browser.png Description: Browser authentication prompt for Microsoft Graph permissions

Step 3: Secret Created

The secret is created and displayed:

```text
┌──────────────────────────────────────────────────────────────────┐
│ ⚠ Secret Value (copy now - shown only once!)                     │
├──────────────────────────────────────────────────────────────────┤
│ abc123...your-secret-value-here...xyz789                         │
└──────────────────────────────────────────────────────────────────┘

┌─────────────────┬────────────────────────────────────────────────┐
│ Property        │ Value                                          │
├─────────────────┼────────────────────────────────────────────────┤
│ Application     │ My Application Name                            │
│ Secret Name     │ EAC-EXP-30-JUL-26                              │
│ Expires         │ 30 Jul 2026 (180 days)                         │
└─────────────────┴────────────────────────────────────────────────┘

✓ Secret created and saved to profile
```

📸 Screenshot placeholder: secret-created-display.png Description: Terminal showing the created secret value in a highlighted panel with warning, plus details table


Secret Naming Convention

Secrets are named with a predictable format for easy management:

```text
EAC-EXP-DD-MMM-YY
```

| Part | Meaning | Example |
| --- | --- | --- |
| EAC | Entra Auth Cli prefix | EAC |
| EXP | Expiry indicator | EXP |
| DD | Day of expiry | 30 |
| MMM | Month (uppercase) | JUL |
| YY | Year (2-digit) | 26 |

Full example: EAC-EXP-30-JUL-26

This naming makes it easy to:

  • Identify secrets created by the CLI
  • See when secrets expire at a glance
  • Manage rotation schedules

📸 Screenshot placeholder: azure-portal-secrets.png Description: Azure Portal showing Certificates & secrets page with EAC-named secrets visible


Required Permissions

Microsoft Graph Permissions

| Permission | Type | Purpose |
| --- | --- | --- |
| Application.ReadWrite.All | Delegated | Create secrets in any app |
| Application.ReadWrite.OwnedBy | Delegated | Create secrets in apps you own |

Azure AD Roles

Your account also needs one of these roles:

  • Application Administrator - Full app management
  • Cloud Application Administrator - App management without directory access
  • Owner - Owner of the specific app registration

Authentication Flow

The CLI uses interactive browser authentication with Microsoft Graph PowerShell’s public client ID. This ensures:

  • Proper consent flow
  • User context for permissions
  • No need to configure additional apps

Error Handling

Insufficient Permissions

If you don’t have permission to create secrets:

```text
⚠ Insufficient permissions to create client secret.
Required permission: Application.ReadWrite.All or Application.ReadWrite.OwnedBy

Would you like to enter an existing secret instead? (y/n): y
Enter client secret: ****
```

📸 Screenshot placeholder: secret-permission-error.png Description: Terminal showing permission error with fallback option to enter existing secret

Application Not Found

```text
Application with client ID '12345678-...' not found.

Would you like to enter an existing secret instead? (y/n):
```

Causes:

  • App was deleted
  • Client ID is incorrect
  • You don’t have read access to the app

Network Errors

If the Graph API call fails:

```text
Error creating client secret: Network error occurred

Would you like to enter an existing secret instead? (y/n):
```

Where Secret Creation is Available

config create

When creating a new profile:

```text
entra-auth-cli config create

# ... profile name, tenant, client ID prompts ...

Authentication method:
> ClientSecret

Client secret:
> Create new
  Enter existing
```

config edit

When editing an existing profile:

```text
entra-auth-cli config edit -p my-profile

# Choose to change authentication method or update secret

Update client secret? (y/n): y

Client secret:
> Create new
  Enter existing
```

discover

When creating a profile from app discovery:

```text
entra-auth-cli discover -s "MyApp*"

# Select app, name profile, select scope...

Authentication method:
> ClientSecret

Client secret:
> Create new
  Enter existing
```

Best Practices

✅ Copy the Secret Immediately

The secret value is only shown once. While it’s automatically saved to your profile, you may want to:

  • Copy it for backup
  • Store it in a password manager
  • Document it securely

✅ Track Expiry Dates

With the EAC-EXP-DD-MMM-YY naming:

  • Set calendar reminders 2 weeks before expiry
  • Plan rotation before secrets expire
  • Monitor secrets in Azure Portal
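The naming convention makes expiry tracking scriptable. The following is an added example, not code from Entra Auth Cli: it derives the EAC-EXP-DD-MMM-YY name from a creation date (180 days, as the CLI does), parses the expiry back out of a name, and reviews a list of secret records shaped like Graph passwordCredentials (displayName, endDateTime) to flag secrets inside the two-week reminder window or whose name disagrees with their real expiry. The sample records, review date and the REVIEW_DATE/SAMPLE names are constructed for the example.

```python
from datetime import date, datetime, timedelta
import re
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]
EXPIRY_DAYS = 180                       # fixed expiry period the CLI applies
NAME_RE = re.compile(r"^EAC-EXP-(\d{2})-([A-Z]{3})-(\d{2})$")

def secret_name(created: date) -> str:
    """Name the CLI gives a secret created on `created`: EAC-EXP-DD-MMM-YY."""
    exp = created + timedelta(days=EXPIRY_DAYS)
    return f"EAC-EXP-{exp.day:02d}-{MONTHS[exp.month - 1]}-{exp.year % 100:02d}"

def expiry_from_name(name: str):
    """Expiry date encoded in an EAC-EXP name, or None if it is not CLI-named."""
    m = NAME_RE.match(name)
    if not m or m.group(2) not in MONTHS:
        return None
    return date(2000 + int(m.group(3)), MONTHS.index(m.group(2)) + 1, int(m.group(1)))

def review_secrets(credentials, today: date, warn_days: int = 14):
    """Classify {displayName, endDateTime} records (Graph passwordCredential shape)."""
    findings = []
    for cred in credentials:
        end = datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00")).date()
        named = expiry_from_name(cred["displayName"])
        days_left = (end - today).days
        if named is not None and named != end:
            status = "name-mismatch"    # name and real expiry disagree: investigate
        elif days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "rotate-soon"      # inside the two-week reminder window
        else:
            status = "ok"
        findings.append({"name": cred["displayName"], "cli_created": named is not None,
                         "days_left": days_left, "status": status})
    return findings

PAGE_EXAMPLE_CREATED = date(2026, 1, 31)   # 180 days before 30 Jul 2026, the page's example
REVIEW_DATE = date(2026, 7, 24)            # constructed "today" for the sample run
SAMPLE = [                                 # constructed records, not real tenant data
    {"displayName": "EAC-EXP-30-JUL-26", "endDateTime": "2026-07-30T10:15:00Z"},
    {"displayName": "EAC-EXP-30-OCT-26", "endDateTime": "2026-10-30T09:00:00Z"},
    {"displayName": "portal-secret", "endDateTime": "2027-01-01T00:00:00Z"},
    {"displayName": "EAC-EXP-01-SEP-26", "endDateTime": "2026-12-01T00:00:00Z"},
]
if __name__ == "__main__":
    for finding in review_secrets(SAMPLE, REVIEW_DATE):
        print(finding)
```

A name-mismatch finding means the name can no longer be trusted for rotation planning (the secret was renamed or created outside the CLI), so check the real endDateTime in the portal.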

✅ Use for Development

Secret creation is ideal for:

  • Development environments
  • Testing and debugging
  • Personal/team apps you own

⚠️ Production Considerations

For production environments, consider:

  • Using certificates instead of secrets
  • Managing secrets through Azure Key Vault
  • Implementing automated rotation
  • Following your organization’s security policies

❌ Avoid

  • Creating secrets for apps you don’t manage
  • Sharing the displayed secret value insecurely
  • Ignoring expiry dates

Rotating Secrets

Create New, Keep Old Active

  1. Edit your profile:

     ```text
     entra-auth-cli config edit -p my-profile
     ```

  2. Choose to update the secret

  3. Select “Create new”; this creates a new secret and does not delete the old one

  4. Test that the new secret works:

     ```text
     entra-auth-cli get-token -p my-profile
     ```

  5. Delete the old secret from Azure Portal

Why Keep Both Temporarily

  • Zero-downtime rotation
  • Rollback capability if issues arise
  • Time for dependent systems to update

Security Considerations

Secret Visibility

The secret is displayed in your terminal:

  • Clear terminal history after viewing
  • Don’t share screenshots of the output
  • Be aware of screen recording/sharing

Audit Trail

Secret creation is logged in Azure AD:

  • Who created the secret
  • When it was created
  • Which application

Least Privilege

Request only the permissions you need:

  • Application.ReadWrite.OwnedBy for apps you own
  • Avoid Application.ReadWrite.All if not needed

Comparison: Create vs Enter Existing

| Aspect | Create New | Enter Existing |
| --- | --- | --- |
| Convenience | High - one command | Lower - portal + CLI |
| Permissions needed | Application.ReadWrite.All | None (just the secret value) |
| Secret naming | Automatic (EAC-EXP-...) | Manual (you choose in portal) |
| Expiry period | Fixed (180 days) | Configurable in portal |
| Audit | Logged as your account | Logged as whoever created it |
| Best for | Dev, test, personal apps | Production, shared apps |

Troubleshooting

“Opening browser for authentication” hangs

Solutions:

  1. Check your default browser is working
  2. Try a different browser
  3. Check for popup blockers
  4. Ensure you have internet connectivity

Secret created but token fails

Causes:

  • Secret hasn’t propagated yet (wait 30 seconds)
  • Wrong tenant ID in profile
  • App permissions not configured correctly

Solutions:

  1. Wait and retry
  2. Verify profile settings match the app registration
  3. Check app has required API permissions in Azure Portal

Can’t find the created secret in Azure Portal

The secret appears under:

  1. Azure Portal → Azure Active Directory
  2. App registrations → Your app
  3. Certificates & secrets → Client secrets

Look for the EAC-EXP-DD-MMM-YY name.


See Also