Resources
Password Credential
Resource: microsoft365_graph_beta_applications_application_password_credential
Certificate Credential
Resource: microsoft365_graph_beta_applications_application_certificate_credential
Federated Identity
Resource: microsoft365_graph_beta_applications_application_federated_identity_credential
Password Credential (Client Secret)
resource "microsoft365_graph_beta_applications_application_password_credential" "secret" {
  application_id = microsoft365_graph_beta_applications_application.app.id
  display_name   = "Terraform-managed secret"
  end_date_time  = "2025-12-31T23:59:59Z"
}

# Output the secret value (sensitive)
output "client_secret" {
  value     = microsoft365_graph_beta_applications_application_password_credential.secret.secret_text
  sensitive = true
}
Certificate Credential
resource "microsoft365_graph_beta_applications_application_certificate_credential" "cert" {
  application_id = microsoft365_graph_beta_applications_application.app.id
  display_name   = "Production Certificate"
  key            = filebase64("path/to/certificate.cer")
  type           = "AsymmetricX509Cert"
  usage          = "Verify"
  end_date_time  = "2025-12-31T23:59:59Z"
}
Federated Identity Credential
For workload identity federation (GitHub Actions, Azure, etc.):
resource "microsoft365_graph_beta_applications_application_federated_identity_credential" "github" {
  application_id = microsoft365_graph_beta_applications_application.app.id
  display_name   = "GitHub Actions"
  description    = "Federated credential for GitHub Actions"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = "repo:organization/repository:ref:refs/heads/main"
}
Import Syntax
terraform import microsoft365_graph_beta_applications_application_password_credential.secret <app-id>/<key-id>
terraform import microsoft365_graph_beta_applications_application_certificate_credential.cert <app-id>/<key-id>
terraform import microsoft365_graph_beta_applications_application_federated_identity_credential.fed <app-id>/<credential-id>
Best Practices
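Client secrets are sensitive values. Always mark outputs as sensitive and store them securely. Marking an output as sensitive only redacts it from CLI output; the value is still written to Terraform state, so restrict access to the state backend as well.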
Set expiry dates and implement automated rotation processes.
Prefer certificates in production
Certificates are more secure than client secrets for production workloads.
Use workload identity federation
For supported platforms, use federated credentials instead of secrets.
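
An added example (not part of the provider's documentation) for the expiry and rotation guidance above: a Python check over `terraform show -json` output that flags password and certificate credentials with no `end_date_time`, with one that has expired or is close to expiring, or with an overly long lifetime. The 30-day and 365-day thresholds, the resource names `legacy` and `module.prod`, and the sample data are assumptions.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

# Shared prefix of the resource types on this page; these two carry end_date_time.
P = "microsoft365_graph_beta_applications_application_"
EXPIRING_TYPES = {P + "password_credential", P + "certificate_credential"}

def iter_resources(module):
    """Yield the resources of a module and of all nested child_modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def audit_credentials(doc, now, warn_days=30, max_days=365):
    """Return (address, finding) pairs; warn_days/max_days are assumed policy values."""
    # State JSON keeps resources under "values", plan JSON under "planned_values".
    root = (doc.get("values") or doc.get("planned_values") or {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in EXPIRING_TYPES:
            continue
        end = (res.get("values") or {}).get("end_date_time")
        left = datetime.fromisoformat(end.replace("Z", "+00:00")) - now if end else None
        if left is None:
            findings.append((res["address"], "no end_date_time"))
        elif left <= timedelta(0):
            findings.append((res["address"], "expired"))
        elif left <= timedelta(days=warn_days):
            findings.append((res["address"], "rotate soon"))
        elif left > timedelta(days=max_days):
            findings.append((res["address"], "lifetime too long"))
    return findings

# Constructed sample shaped like `terraform show -json` state output (not real data).
SAMPLE = {"values": {"root_module": {
    "resources": [
        {"address": P + "password_credential.secret", "type": P + "password_credential",
         "values": {"end_date_time": "2025-12-31T23:59:59Z"}},
        {"address": P + "password_credential.legacy", "type": P + "password_credential",
         "values": {"end_date_time": None}}],
    "child_modules": [{"resources": [
        {"address": "module.prod." + P + "certificate_credential.cert",
         "type": P + "certificate_credential",
         "values": {"end_date_time": "2030-01-01T00:00:00Z"}}]}]}}}

if __name__ == "__main__":  # usage: terraform show -json | python audit.py
    for address, finding in audit_credentials(json.load(sys.stdin), datetime.now(timezone.utc)):
        print(f"{finding}: {address}")
```

Run in CI against the plan or state JSON, a non-empty result can fail the pipeline before a credential lapses or an unbounded secret is applied.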