Introduction
Confidential client applications need credentials to authenticate to the Microsoft identity platform when they call a web API. Web apps and other web APIs are examples of confidential clients. Credentials let your application identify itself at runtime without any user interaction.
Your confidential client app registration can hold credentials in the form of certificates, client secrets (a string), or federated identity credentials.
Register your certificate with the Microsoft identity platform
A certificate is the recommended credential type because certificates are more secure than client secrets: the private key stays with your application, and only a short-lived assertion signed with it is sent to the identity platform.
Through the Azure portal, you can associate certificate credentials with the client application in the Microsoft identity platform as follows:
- Select your application from the list of App registrations in the Azure portal.
- Under Certificates & secrets, select Certificates, then Upload certificate.
- Select the file to upload. Accepted file types are .cer, .pem, and .crt (the public certificate only; never upload the private key).
- Select Add.
Add a client secret
A client secret is a string value that your app can present to identify itself instead of a certificate.
Client secrets are less secure than certificate credentials: the secret itself is sent to the token endpoint on every request, so anything that can read it (source control, logs, a CI variable) can impersonate the application. Because they are easy to use, developers sometimes use client secrets while building local apps. Any application running in production must use certificate credentials.
- Select your application under App registrations in the Azure portal.
- Select Certificates & secrets > Client secrets > New client secret.
- Enter a description for the client secret.
- Choose an expiration period or enter a custom lifetime.
- Note: a client secret's lifetime cannot exceed 24 months, and a custom lifetime longer than 24 months cannot be specified. Microsoft recommends an expiration of less than 12 months.
- Select Add.
- Note: record the secret value for use in your client application's code. The value is displayed only once; after you leave this page it cannot be retrieved, and you will have to create a new secret. Store it in a secret store such as Azure Key Vault rather than in source control.
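The two credential types above differ in what the application sends to the token endpoint. The following Python (an added example, not Microsoft's code or the MSAL library) builds the client_credentials request for a client secret and, for a certificate, the signed JWT client assertion the identity platform expects: an x5t header carrying the certificate thumbprint, aud set to the token endpoint, iss and sub set to the application (client) id, and a short lifetime. It uses only the standard library; the RSA signing step is passed in as a callable, and the application id, tenant name and certificate bytes in the usage block are constructed placeholders.

```python
"""Client-credentials requests to the Microsoft identity platform with a client
secret and with a certificate. Added example, not Microsoft code. Stdlib only:
the RSA signing step is injected as a callable so the builder runs offline."""
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def x5t_thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint of the DER-encoded certificate, base64url encoded.
    The identity platform uses this x5t header to locate the uploaded certificate."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(client_id: str, tenant: str, cert_der: bytes,
                           sign: Callable[[bytes], bytes],
                           now: Optional[int] = None, lifetime: int = 600) -> str:
    """Build the JWT a confidential client signs with its certificate's private key.
    aud is the token endpoint it will be sent to, iss and sub are the client id,
    and the assertion is short-lived because it is minted per token request.
    `sign` must return an RSASSA-PKCS1-v1_5 SHA-256 signature over its input,
    e.g. with the cryptography package: key.sign(data, padding.PKCS1v15(), hashes.SHA256())."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": x5t_thumbprint(cert_der)}
    claims = {
        "aud": TOKEN_ENDPOINT.format(tenant=tenant),
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),  # unique per assertion, for replay protection
        "nbf": now,
        "exp": now + lifetime,
    }

    def compact(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def decode_assertion(jwt: str) -> Tuple[dict, dict]:
    """Split a compact JWT into header and claims for inspection (no signature check)."""
    header, claims, _signature = jwt.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims))


def secret_request_body(client_id: str, client_secret: str,
                        scope: str = "https://graph.microsoft.com/.default") -> Dict[str, str]:
    """Form fields for the client_credentials grant with a client secret.
    The secret itself travels to the token endpoint on every request."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}


def assertion_request_body(client_id: str, assertion: str,
                           scope: str = "https://graph.microsoft.com/.default") -> Dict[str, str]:
    """Form fields for the same grant using a certificate-signed assertion.
    Only the signed JWT is sent; the private key never leaves the application."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion,
            "scope": scope}


if __name__ == "__main__":
    # Constructed inputs: a placeholder application id and fake DER bytes
    # (not a real certificate); the signer is a stand-in so no key is needed.
    app_id = "00000000-0000-0000-0000-000000000001"
    fake_der = b"constructed placeholder DER bytes, not a real certificate"
    fake_sign = lambda data: hashlib.sha256(data).digest()  # stand-in, not RS256
    jwt = build_client_assertion(app_id, "contoso.onmicrosoft.com", fake_der, fake_sign)
    print(json.dumps(decode_assertion(jwt)[1], indent=2))
    print(assertion_request_body(app_id, jwt)["client_assertion_type"])
```

Either body is POSTed as application/x-www-form-urlencoded to the token endpoint for your tenant. The useful comparison is what an attacker gains from a captured request: the secret body can be replayed indefinitely until the secret is rotated, while the assertion body carries a JWT that expires within minutes and cannot be re-minted without the private key.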
Add a federated credential
Federated identity credentials are a credential type that lets workloads access Azure AD-protected resources without managing any secrets, using workload identity federation: the workload presents a token from its own identity provider, and the identity platform exchanges it for an access token for your application. Examples of such workloads include GitHub Actions, workloads running on Kubernetes, and workloads running on compute platforms outside Azure.
Use these steps to add a federated credential:
- Select your application under App registrations in the Azure portal.
- Select Certificates & secrets > Federated credentials > Add credential.
- Choose one of the supported scenarios from the Federated credential scenario drop-down, then follow the corresponding instructions to finish configuring it:
- Customer managed keys: encrypt data in your tenant using customer-managed keys stored in an Azure Key Vault in a different tenant.
- GitHub Actions deploying Azure resources: configure a GitHub workflow to obtain tokens for your application and deploy assets to Azure.
- Kubernetes accessing Azure resources: configure a Kubernetes service account to obtain tokens for your application and access Azure resources.
- Other issuer: configure an identity managed by an external OpenID Connect provider to obtain tokens for your application and access Azure resources.
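Whichever scenario you pick, a federated credential is a triple of issuer, subject and audience, and the external token is exchanged only when all three match. The following Python (an added illustration of that matching rule, not Microsoft's implementation) builds the subjects GitHub Actions and Kubernetes put in their tokens and checks constructed token claims against a list of configured credentials. The issuer URL for the Kubernetes cluster, the repository and namespace names, and the claim sets are all constructed; signature verification, which the identity platform performs against the issuer's published keys, is deliberately out of scope.

```python
"""Matching rule behind workload identity federation: an external OIDC token is
accepted for a confidential client only if its issuer, subject and audience
match a federated identity credential on the app registration. Added
illustration, not Microsoft's implementation; all claims are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Default audience the identity platform expects in the external token.
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


@dataclass(frozen=True)
class FederatedCredential:
    name: str
    issuer: str
    subject: str
    audiences: Tuple[str, ...] = (DEFAULT_AUDIENCE,)


def github_subject(owner: str, repo: str, *, branch: Optional[str] = None,
                   environment: Optional[str] = None, pull_request: bool = False) -> str:
    """Subject claim GitHub Actions issues for a branch, environment or PR run."""
    base = f"repo:{owner}/{repo}"
    if environment:
        return f"{base}:environment:{environment}"
    if pull_request:
        return f"{base}:pull_request"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    raise ValueError("specify a branch, an environment, or pull_request=True")


def kubernetes_subject(namespace: str, service_account: str) -> str:
    """Subject claim carried by a projected Kubernetes service-account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def find_matching_credential(creds: Iterable[FederatedCredential], claims: dict,
                             now: int) -> Optional[FederatedCredential]:
    """Return the credential the token satisfies, or None.
    Issuer and subject are exact string matches with no wildcarding, so a
    credential for refs/heads/main does not cover a feature branch or a PR.
    The aud claim may be a string or a list; one configured audience must appear.
    An expired token is rejected before any matching (basic sanity check)."""
    if claims.get("exp", 0) <= now:
        return None
    aud = claims.get("aud", [])
    token_audiences = {aud} if isinstance(aud, str) else set(aud)
    for cred in creds:
        if (claims.get("iss") == cred.issuer
                and claims.get("sub") == cred.subject
                and token_audiences & set(cred.audiences)):
            return cred
    return None


if __name__ == "__main__":
    # Constructed configuration: two federated credentials on one app registration.
    creds = [
        FederatedCredential("github-main", GITHUB_ISSUER,
                            github_subject("contoso", "api", branch="main")),
        FederatedCredential("aks-prod", "https://oidc.example.invalid/cluster1",
                            kubernetes_subject("prod", "api-sa")),
    ]
    # Constructed claims from a GitHub run on a feature branch: no match.
    feature = {"iss": GITHUB_ISSUER, "sub": "repo:contoso/api:ref:refs/heads/feature",
               "aud": DEFAULT_AUDIENCE, "exp": 1700000600}
    print(find_matching_credential(creds, feature, now=1700000000))
```

Once a token matches, the exchange itself is the same client_credentials POST used for certificates, with client_assertion_type set to the JWT bearer type and client_assertion set to the external token; the workload never holds a secret belonging to the application. The exact-match rule is the point to keep in mind when configuring the subject: a credential scoped to the main branch will not work for pull-request builds, and one scoped to a GitHub environment only covers jobs that reference that environment.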