
Credentials

Bogdan Gavril edited this page Feb 3, 2026 · 2 revisions

What are client credentials

Credentials enable confidential applications to identify themselves to the authentication service when receiving tokens. These are configurable in the "Certificates & Secrets" section of the Entra Application Registration in the Azure Portal.

These are not the same as user credentials (i.e. user passwords), which are known to users.

Entra supports 3 types of credentials:

  • secrets
  • certificates
  • federated credentials
| Credential Type | What Is It | When to Use | Advantages | Considerations |
|---|---|---|---|---|
| Secret | Simple shared secret string | Development/testing; basic security requirements | Simple to use; easy to configure | Not for production: less secure, no auto-rotation, easy to expose |
| Certificate | Certificate in Windows Certificate Store | Applications not hosted on Azure | More secure than secrets; only the public key is exposed | Certificate rotation can be cumbersome |
| Federated Credentials | Credentials issued by another provider | Federation with other Identity Providers (e.g. GitHub) or with Azure Managed Identity | Eliminates the need for an extra credential; when federating with Managed Identity, 0 credential setup | Ideal for apps hosted on Azure |

The preferred credential to use in production is a Federated Credential with Managed Identity.

MSAL APIs

  • WithClientSecret
  • WithCertificate
  • WithClientAssertion - for federated credentials

Federated Identity Credential with Managed Identity

This guide assumes you have set up a Federated Identity Credential with Managed Identity, as per the Entra docs.

```csharp
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.AppConfig;

// step 1 - get the credential from Managed Identity
public async Task<string> GetCredential()
{
    var id = ManagedIdentityId.WithUserAssignedClientId(this.configuration["ManagedIdentityClientId"]);
    var mia = ManagedIdentityApplicationBuilder.Create(id).Build();
    // the token is requested for the token-exchange audience, not for the target API
    var result = await mia.AcquireTokenForManagedIdentity("api://AzureADTokenExchange").ExecuteAsync();
    return result.AccessToken;
}

// step 2 - use that credential as the client assertion to get a token for the target API
public async Task<string> GetToken()
{
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.configuration["AzureAd:ClientId"])
       .WithAuthority("https://login.microsoftonline.com/my_tenant")
       .WithClientAssertion(async (CancellationToken _) => await GetCredential()) // step 1 runs whenever MSAL needs a fresh assertion
       .Build();

    var scope = new[] { "api://my_api/.default" };
    var authResult = await app.AcquireTokenForClient(scope)  // also works with AcquireTokenOnBehalfOf and AcquireTokenByAuthorizationCode
                      .ExecuteAsync();
    return authResult.AccessToken;
}
```
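As an added end-to-end example (not code from this wiki or from MSAL.NET itself), the two steps above wired into one class; before the Managed Identity token is handed over as the assertion, its audience is checked against the exchange resource so that a wrongly requested resource fails locally rather than at the token endpoint. The class name, constructor parameters and the audience check are assumptions of this example.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Identity.Client;
using Microsoft.Identity.Client.AppConfig;
// Class name, constructor parameters and the audience check are assumptions for this example.
public class FederatedCredentialClient
{
    private const string ExchangeAudience = "api://AzureADTokenExchange";
    private readonly IManagedIdentityApplication _mia;
    private readonly IConfidentialClientApplication _cca;
    public FederatedCredentialClient(string managedIdentityClientId, string appClientId, string tenantId)
    {
        var id = ManagedIdentityId.WithUserAssignedClientId(managedIdentityClientId);
        _mia = ManagedIdentityApplicationBuilder.Create(id).Build();
        _cca = ConfidentialClientApplicationBuilder.Create(appClientId)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            // MSAL invokes this delegate whenever it needs an assertion, so step 1 always runs fresh
            .WithClientAssertion(async (CancellationToken ct) => await GetAssertionAsync(ct))
            .Build();
    }
    // Step 1: the Managed Identity token for the exchange audience is the client assertion.
    private async Task<string> GetAssertionAsync(CancellationToken ct)
    {
        var result = await _mia.AcquireTokenForManagedIdentity(ExchangeAudience).ExecuteAsync(ct);
        CheckAudience(result.AccessToken); // fail fast if the wrong resource was requested
        return result.AccessToken;
    }
    // Step 2: exchange the assertion for an access token to the target API.
    public async Task<string> GetTokenAsync(string[] scopes, CancellationToken ct = default)
    {
        var authResult = await _cca.AcquireTokenForClient(scopes).ExecuteAsync(ct);
        return authResult.AccessToken;
    }
    // Decodes the JWT payload (the signature is validated by Entra, not here) and checks that
    // the audience is the exchange resource the Federated Identity Credential expects.
    public static void CheckAudience(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new ArgumentException("Not a compact JWT.", nameof(jwt));
        string payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '='); // base64url -> base64
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        string aud = doc.RootElement.GetProperty("aud").GetString();
        if (aud != ExchangeAudience) throw new InvalidOperationException($"Assertion audience '{aud}' is not '{ExchangeAudience}'.");
    }
}
```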

Federated Identity Credential with a different Identity Provider

This is the same as the above, but instead of asking managed identity for a credential, you ask your token provider.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// step 1 - get the credential (this sample acquires it with a certificate; swap in a call to your own token provider)
// x509cert is the certificate credential this app already holds - you must have a credential somewhere!
public async Task<string> GetCredential(X509Certificate2 x509cert)
{
    IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(this.configuration["AzureAd:ClientId"])
       .WithAuthority("https://login.microsoftonline.com/my_tenant")
       .WithCertificate(x509cert)
       .Build();

    var scope = new[] { "api://AzureADTokenExchange/.default" };
    var authResult = await app.AcquireTokenForClient(scope)
                      .ExecuteAsync();
    return authResult.AccessToken; // step 2 (GetToken above) is unchanged
}
```
