Confidential client credentials allow Himmelblau to authenticate to Entra ID as an application rather than on behalf of a specific user. This is required for operations such as querying rfc2307 attributes (uidNumber, gidNumber, etc.) across all users and groups without delegated access. Credentials are stored in Himmelblau’s encrypted cache, protected by the machine key. All cred subcommands must be run as root.

cred secret

Store a client secret for confidential client authentication.
1. Open your app registration
   In the Entra ID portal, go to Azure Active Directory → App registrations and open (or create) your application.

2. Create a client secret
   Under Manage → Certificates & secrets, go to the Client secrets tab. Click New client secret, choose an expiry, and click Add.

3. Copy the secret value
   Copy the Value (not the Secret ID) immediately. You will not be able to retrieve it again after navigating away.

4. Store the secret in Himmelblau
   Run aad-tool cred secret with the client ID and the secret value you copied:

   sudo aad-tool cred secret \
     --client-id <CLIENT_ID> \
     --domain example.onmicrosoft.com \
     --secret <SECRET_VALUE>

   Because the secret is passed as a command-line argument, it may be recorded in your shell history; remove that entry if your shell keeps one.

5. Renew when it expires
   When the secret expires, create a new one in the portal and run this command again to replace it.
Flag            Description
--client-id     The Azure AD application (client) ID this secret is associated with.
--domain        The tenant domain this secret is associated with (e.g. example.onmicrosoft.com).
--secret        The client secret value copied from the Entra ID portal.
--debug / -d    Enable verbose debug logging.

cred cert

Generate an RSA 256 HSM-backed key pair and self-signed certificate for confidential client authentication. The private key is generated inside the TPM (or SoftHSM) and never leaves it.
1. Open your app registration
   In the Entra ID portal, go to Azure Active Directory → App registrations and open (or create) your application.

2. Generate the key pair and certificate
   Run the command to generate the key and write the PEM certificate to a file:

   sudo aad-tool cred cert \
     --client-id <CLIENT_ID> \
     --domain example.onmicrosoft.com \
     --valid-days 365 \
     --cert-out /tmp/himmelblau-cert.pem

3. Upload the certificate to Entra ID
   Under Manage → Certificates & secrets, go to the Certificates tab. Click Upload certificate and select the PEM file written to --cert-out. Azure stores this certificate for authenticating via public key.

4. Renew when it expires
   When the certificate expires, run this command again to generate a new key pair and certificate, then upload the new PEM to the portal.
Flag            Description
--client-id     The Azure AD application (client) ID this certificate is associated with.
--domain        The tenant domain this certificate is associated with.
--valid-days    Number of days the self-signed certificate will be valid.
--cert-out      Path to write the generated PEM certificate file. This is the file you upload to Entra ID.
--debug / -d    Enable verbose debug logging.
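The certificate written to --cert-out is self-signed with a fixed --valid-days lifetime, and the renewal step above only happens if someone notices the expiry coming. The script below is an added example, not code from Himmelblau or aad-tool: it reads that PEM file with the Python standard library alone, walks the X.509 structure as far as the Validity field, and reports how many days remain so the re-run of cred cert and the portal upload can be scheduled ahead of time. The certificate embedded at the bottom is a constructed, structurally valid placeholder with empty issuer, subject and key fields so the example runs offline; in real use pass the path of the file from --cert-out. The function names and the 30-day threshold are the example's own choices.

```python
# Added example (not part of Himmelblau or the aad-tool docs): report the
# days remaining on the self-signed PEM written by `aad-tool cred cert`.
# Standard library only; the X.509 walk reads just the Validity field of
# tbsCertificate (RFC 5280) and ignores everything else.
import base64
from datetime import datetime, timezone


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and return the DER bytes of the certificate."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value element; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) value."""
    text = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 pivots the century at 50
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(pem: str):
    """Return (notBefore, notAfter) as timezone-aware datetimes."""
    der = pem_to_der(pem)
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)         # explicit [0] version, or serialNumber
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)     # serialNumber
    _, _, pos = _read_tlv(tbs, pos)         # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)         # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)    # Validity ::= SEQUENCE {notBefore, notAfter}
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)


def days_until_expiry(pem: str, now_utc=None) -> int:
    """Whole days left before notAfter; negative once the certificate has lapsed.

    now_utc is an ISO timestamp such as "2026-12-01T00:00:00Z" (default: now)."""
    if now_utc is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    _, not_after = certificate_validity(pem)
    return (not_after - now).days


def renewal_due(pem: str, now_utc=None, threshold_days: int = 30) -> bool:
    """True when fewer than threshold_days remain: time to re-run cred cert and re-upload."""
    return days_until_expiry(pem, now_utc) < threshold_days


# ---- constructed sample input (NOT a real Himmelblau certificate) ----------
def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form lengths suffice here


_VALIDITY = _tlv(0x30, _tlv(0x17, b"260101000000Z") + _tlv(0x17, b"270101000000Z"))
_TBS = _tlv(0x30,
            _tlv(0xA0, _tlv(0x02, b"\x02"))   # version v3
            + _tlv(0x02, b"\x01")             # serialNumber
            + _tlv(0x30, b"")                 # signature (empty placeholder)
            + _tlv(0x30, b"")                 # issuer (empty placeholder)
            + _VALIDITY
            + _tlv(0x30, b"")                 # subject (empty placeholder)
            + _tlv(0x30, b""))                # subjectPublicKeyInfo (empty placeholder)
_CERT = _tlv(0x30, _TBS + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_CERT).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    # Real use: python3 cert_expiry.py /tmp/himmelblau-cert.pem
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PEM
    nb, na = certificate_validity(pem)
    print(f"notBefore={nb.isoformat()} notAfter={na.isoformat()} "
          f"days_left={days_until_expiry(pem)} renew_due={renewal_due(pem)}")
```

Run it from cron or a monitoring check against the real --cert-out file and alert when renewal_due() turns true; the 30-day default leaves time to run cred cert and upload the new PEM before the old certificate lapses.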

cred delete

Delete stored confidential client credentials from Himmelblau’s encrypted cache. If neither --secret nor --cert is specified, both are deleted.
# Delete both secret and certificate for the domain
sudo aad-tool cred delete --domain example.onmicrosoft.com

# Delete only the client secret
sudo aad-tool cred delete --domain example.onmicrosoft.com --secret

# Delete only the client certificate
sudo aad-tool cred delete --domain example.onmicrosoft.com --cert
Flag            Description
--domain        (Required) The tenant domain whose credentials will be deleted.
--secret        Delete only the client secret, leaving any certificate in place.
--cert          Delete only the client certificate, leaving any secret in place.
--debug / -d    Enable verbose debug logging.

cred list

Check Himmelblau’s encrypted cache for the presence of confidential client credentials for a given domain. Reports whether a client secret and/or client certificate exists.
sudo aad-tool cred list --domain example.onmicrosoft.com
Flag            Description
--domain        (Required) The tenant domain to check.
--debug / -d    Enable verbose debug logging.
