--- title: "Microsoft Entra ID Authentication" slug: "microsoft-entra-id-authentication" updated: 2026-01-11T17:17:27Z published: 2026-01-11T17:17:27Z --- > ## Documentation Index > Fetch the complete documentation index at: https://docs.plainid.io/llms.txt > Use this file to discover all available pages before exploring further. # Microsoft Entra ID Authentication The **Azure Entra ID Auth Store** enables the PlainID Secrets Management Service to retrieve **Microsoft Entra access tokens** that can be used to authenticate to services that support Entra token-based authentication, such as Azure Managed Redis with Entra authentication enabled. By eliminating static credentials, this approach improves security and simplifies access management. This store is used when an application authenticates using **Entra tokens** instead of passwords or long-lived secrets. To enable integration with **Microsoft Entra ID**, you must configure permissions and, optionally, define which identity the Secrets Management Service uses. ### Required Microsoft Entra Prerequisites Ensure that the application registration in Microsoft Entra ID has the following **Microsoft Graph API** permissions: - `GroupMember.Read.All` - `User.Read.All` You can configure these permissions under **API Permissions** in the Azure portal. ![Azure AD Permissions](https://cdn.document360.io/726c7002-05a9-480e-b986-42c9e8824acd/Images/Documentation/image%20%281%29.png) For additional assistance, contact [PlainID Support](https://plainid.atlassian.net/servicedesk/customer/portals). ### Identity Selection Behavior (System-Assigned vs. User-Assigned) - **System-assigned managed identity** No client ID is required. - **User-assigned managed identity** If multiple user-assigned identities exist, Microsoft default behavior cannot infer which identity to use. In this case, you must explicitly specify the client ID by using the Environment Variable `AZURE_ENTRA_ID_AUTH_CLIENT_ID`. ## Azure Entra ID Auth Store-Specific Parameters The Azure Entra ID Auth Store is configured in the PlainID Secrets Management Service by using the store type `AzureEntraIdAuth`. You must also authenticate to Entra ID by using one of the supported authentication methods: - Client secret - Certificate Configure authentication by using the parameters described in the following table. | **Parameter** | **Description** | | --- | --- | | `type` | Set the secret store type to `AzureEntraIdAuth`. | | `details.auth` | Authentication configuration for Microsoft Entra ID using one of the supported methods. | | `details.auth.tenantID` | The Entra tenant ID. You can use the Environment Variable `${AZURE_ENTRA_ID_AUTH_TENANT_ID}`. | | `details.auth.clientID` | The Entra application (client) ID. Use together with `clientSecret` or for user-assigned managed identity selection. Not used with `certPath` and `keyPath`. Required for application-based authentication and **user-assigned managed identity selection**. You can use the Environment Variable `${AZURE_ENTRA_ID_AUTH_CLIENT_ID}`. | | `details.auth.clientSecret` | Client secret for application-based authentication. Use together with `clientID` or for user-assigned managed identity selection. Not used with `certPath` and `keyPath`.You can use the Environment Variable `${AZURE_ENTRA_ID_AUTH_CLIENT_SECRET}`. | | `details.auth.certPath` | Path to the certificate file for certificate-based authentication. Use together with `keyPath` or for user-assigned managed identity selection. Not used with `clientID` and `clientSecret`. You can use the Environment Variable `${AZURE_ENTRA_ID_AUTH_CERT_PATH}`. | | `details.auth.keyPath` | Path to the private key file for certificate-based authentication. Use together with `certPath` or for user-assigned managed identity selection. Not used with `clientID` and `clientSecret`. You can use the Environment Variable `${AZURE_ENTRA_ID_AUTH_KEY_PATH}`. | ## Example The following example shows a Secrets Management Service configuration that includes the Azure Entra ID Auth Store parameters: ``` secretsMgmt: ... plainIDConfig: ... # Secret Store configuration secretStore: - id: AZURE_ENTRA_ID_AUTH_STORE type: AzureEntraIdAuth isDefault: false details: auth: tenantID: ${AZURE_ENTRA_ID_AUTH_TENANT_ID} clientID: ${AZURE_ENTRA_ID_AUTH_CLIENT_ID} clientSecret: ${AZURE_ENTRA_ID_AUTH_CLIENT_SECRET} certPath: ${AZURE_ENTRA_ID_AUTH_CERT_PATH} keyPath: ${AZURE_ENTRA_ID_AUTH_KEY_PATH} ``` ## Secret Rotation Behavior (Token Refresh) Unlike static Redis passwords, Microsoft Entra access tokens are short-lived. Secret rotation is implemented by refreshing the token before it expires. To ensure uninterrupted Redis access: - The Secrets Management Store should return a **fresh Entra access token** each time the secret is read. - The client (as an example Redis client) should periodically **reauthenticate** by issuing an `AUTH` command with the refreshed token. ## Notes and Limitations - TLS or SSL must be enabled when using Entra token-based authentication. - Entra ID group-based authentication is not supported for Azure Managed Redis in this model. - Failure to refresh the token before expiration can result in Redis connection interruptions. --- Refer to [Azure Managed Redis Authentication](/v1/docs/azure-managed-redis-authentication) to see the use-case for the Microsoft Entra ID Authentication