Client Credentials
Bogdan Gavril edited this page Jul 23, 2025 · 6 revisions
Credentials enable confidential applications to identify themselves to the authentication service when receiving tokens. These are configurable in the "Certificates & Secrets" section of the Entra Application Registration in the Azure Portal.
These are not the same as user credentials (i.e. user passwords), which are known to users.
Entra supports 3 types of credentials:
- secrets
- certificates
- federated credentials
| Credential Type | What Is It | When to Use | Advantages | Considerations |
|---|---|---|---|---|
| Secret | Simple shared secret string | • Development/testing<br>• Basic security requirements | • Simple to use<br>• Easy to configure | Not for production:<br>• Less secure<br>• No auto-rotation<br>• Easy to expose |
| Certificate | Certificate in Windows Certificate Store | Applications not hosted on Azure | • More secure than secrets<br>• Only the public key is exposed | Certificate rotation can be cumbersome |
| Federated Credentials | Credentials issued by another provider | For federation with other Identity Providers (e.g. GitHub) or federation with Azure Managed Identity | • Eliminates the need for an extra credential<br>• When federating with Managed Identity, 0 credential setup | Ideal for apps hosted on Azure |
The preferred credential to use in production is Federated Credential with Managed Identity.
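A deployment check that applies the table above to an `appsettings.json` file, as an added example (not code from Microsoft Identity Web). It assumes the library's `ClientCredentials` / `SourceType` configuration layout; `audit`, `production_ready` and the sample configurations are hypothetical names and constructed values.

```python
import json

# SourceType names are assumed from Microsoft.Identity.Web's "ClientCredentials"
# configuration format; each maps to one of the three kinds in the table above.
KIND_BY_SOURCE = {
    "ClientSecret": "secret",
    "StoreWithThumbprint": "certificate",
    "KeyVault": "certificate",
    "SignedAssertionFromManagedIdentity": "federated",
    "SignedAssertionFilePath": "federated",
}

def audit(config_text, section="AzureAd"):
    """Return a list of (kind, source) for every credential configured in `section`."""
    cfg = json.loads(config_text).get(section, {})
    found = []
    if cfg.get("ClientSecret"):  # older style: secret set directly on the section
        found.append(("secret", "ClientSecret (inline)"))
    for cred in cfg.get("ClientCredentials", []):
        source = cred.get("SourceType", "")
        found.append((KIND_BY_SOURCE.get(source, "unknown"), source))
    return found

def production_ready(config_text, section="AzureAd"):
    """True only when credentials exist and none is a secret or unrecognized."""
    kinds = {kind for kind, _ in audit(config_text, section)}
    return bool(kinds) and kinds <= {"certificate", "federated"}

# Constructed sample configurations; all values are placeholders.
DEV_CONFIG = """{
  "AzureAd": {
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "ClientCredentials": [
      {"SourceType": "ClientSecret", "ClientSecret": "PLACEHOLDER-NOT-A-REAL-SECRET"}
    ]
  }
}"""
PROD_CONFIG = """{
  "AzureAd": {
    "ClientId": "00000000-0000-0000-0000-000000000000",
    "ClientCredentials": [
      {"SourceType": "SignedAssertionFromManagedIdentity"}
    ]
  }
}"""

if __name__ == "__main__":
    for name, text in (("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(name, audit(text), "production-ready:", production_ready(text))
```

Run against the configuration that is actually deployed, so a secret left over from development fails the check before release.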