# Azure Client Secrets Connection

docs/integrations/app-connections/azure-client-secrets.mdx


Infisical currently only supports two methods for connecting to Azure, which are OAuth and Client Secrets.

<Accordion title="Self-Hosted Instance">
Using the Azure Client Secrets connection on a self-hosted instance of Infisical requires configuring an application in Azure and registering your instance with it.

**Prerequisites:**

- An active Azure setup.

<Steps>
<Step title="Create an application in Azure">
  Navigate to Azure Active Directory > App registrations to create a new application.
  <Info>
    Azure Active Directory is now Microsoft Entra ID.
  </Info>
  ![Azure client secrets](/images/integrations/azure-app-configuration/config-aad.png)
  ![Azure client secrets](/images/integrations/azure-app-configuration/config-new-app.png)

  Create the application. As part of the form, set the **Redirect URI** to `https://your-domain.com/organization/app-connections/azure/oauth/callback`.
  <Tip>
    The domain in the Redirect URI must match the `SITE_URL` configured in your Infisical instance.
  </Tip>

  ![Azure client secrets](/images/app-connections/azure/register-callback.png)
</Step>
<Step title="Assign API permissions to the application">

  For the Azure Connection to work with Client Secrets, you need to assign the following permissions to the application.

  #### Azure Client Secrets permissions

  Set the API permissions of the Azure application to include the following permissions: 
    - Microsoft Graph
      - `Application.ReadWrite.All`
      - `Application.ReadWrite.OwnedBy`
      - `Application.ReadWrite.All` (Delegated)
      - `Directory.ReadWrite.All` (Delegated)
      - `User.Read` (Delegated)

  ![Azure client secrets](/images/integrations/azure-client-secrets/app-api-permissions.png)


</Step>
<Step title="Add your application credentials to Infisical">
  In the **Overview** of your Azure application, note the **Application (Client) ID** and the **Directory (Tenant) ID** (these are used later when creating the Infisical connection). Then generate a **Client Secret** under **Certificates & secrets**.

  ![Azure client secrets](../../images/app-connections/azure/client-secrets/config-credentials-1.png)
  ![Azure client secrets](../../images/integrations/azure-app-configuration/config-credentials-2.png)
  ![Azure client secrets](../../images/integrations/azure-app-configuration/config-credentials-3.png)

  Back in your Infisical instance, add two new environment variables for the credentials of your Azure application.

  - `INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID`: The **Application (Client) ID** of your Azure application.
  - `INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET`: The **Client Secret** of your Azure application.

  Once added, restart your Infisical instance and use the Azure Client Secrets connection.
</Step>
</Steps>
</Accordion>

<AccordionGroup>
<Accordion title="Client Secret Authentication">
Ensure your Azure application has the required permissions that Infisical needs for the Azure Client Secrets connection to work.

**Prerequisites:**

- An active Azure setup.

<Steps>
  <Step title="Assign API permissions to the application">
    For the Azure Client Secrets connection to work, assign the following permissions to your Azure application:

    #### Required API Permissions
  
    **Microsoft Graph**
    - `Application.ReadWrite.All`
    - `Application.ReadWrite.OwnedBy`
    - `Application.ReadWrite.All` (Delegated)
    - `Directory.ReadWrite.All` (Delegated)
    - `User.Read` (Delegated)

    ![Azure client secrets](/images/integrations/azure-client-secrets/app-api-permissions.png)
  </Step>
</Steps>
</Accordion>

<Accordion title="Certificate Authentication">
Ensure your Azure application has the required permissions that Infisical needs for the Azure Client Secrets connection to work.

**Prerequisites:**

- An active Azure setup.

<Steps>
  <Step title="Assign API permissions to the application">
    For the Azure Client Secrets connection to work, assign the following permissions to your Azure application:

    #### Required API Permissions
  
    **Microsoft Graph**
    - `Application.ReadWrite.All`
    - `Application.ReadWrite.OwnedBy`
    - `Application.ReadWrite.All` (Delegated)
    - `Directory.ReadWrite.All` (Delegated)
    - `User.Read` (Delegated)

    ![Azure client secrets](/images/integrations/azure-client-secrets/app-api-permissions.png)
  </Step>

  <Step title="Upload your certificate to your Azure App Registration">
    Navigate to the **Certificates & secrets** section of your Azure App Registration and press the **Upload certificate** button.

    In the dialog that opens, choose your certificate file and press **Upload**.

    ![Upload certificate](/images/app-connections/azure/client-secrets/upload-certificate.png)

    <Tip>
      Keep in mind that both the certificate and its private key are required to configure the Azure Client Secrets connection in Infisical.
    </Tip>
  </Step>
</Steps>
</Accordion>
</AccordionGroup>

## Set up the Azure Connection in Infisical

<Steps>
<Step title="Navigate to App Connections">
  Navigate to the **Integrations** tab in the desired project, then select **App Connections**.

  ![App Connections Tab](/images/app-connections/general/add-connection.png)
</Step>
<Step title="Add Connection">
  Select the **Azure Connection** option from the connection options modal.

  ![Select Azure Connection](/images/app-connections/azure/client-secrets/select-connection.png)
</Step>
<Step title="Create Connection">
<Tabs>
  <Tab title="OAuth">
  <Step title="Authorize Connection">
    Fill in the **Tenant ID** field with the Directory (Tenant) ID you obtained in the previous step.
    Now select the **OAuth** method and click **Connect to Azure**.

    ![Connect via Azure OAuth](/images/app-connections/azure/client-secrets/create-oauth-method.png)
  </Step>
  <Step title="Grant Access">
    You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted,
    you will be redirected back to Infisical's App Connections page.

    ![Azure Client Secrets Authorization](/images/app-connections/azure/grant-access.png)
  </Step>
  </Tab>
  <Tab title="Client Secret">
  <Step title="Create Connection">
    Fill in the **Tenant ID**, **Client ID** and **Client Secret** fields with the Directory (Tenant) ID, Application (Client) ID and Client Secret you obtained in the previous step.

    ![Connect via Azure Client Secret](/images/app-connections/azure/client-secrets/create-client-secrets-method.png)

    <Tip>
        You can optionally enable **Automatic Credential Rotation** for this connection. See the [Automatic Credential Rotation](#automatic-credential-rotation) section below for details.
    </Tip>
  </Step>
  </Tab>
  <Tab title="Certificate">
  <Step title="Create Connection">
    Fill in the **Tenant ID**, **Client ID**, **Certificate (PEM format)**, and **Private Key** fields with the Directory (Tenant) ID, Application (Client) ID, Certificate and Private Key you obtained in the [previous step](#certificate-authentication).

    <Tip>
      The private key is never transmitted to Azure, and it is only used to sign the client assertion used to authenticate with Azure.
    </Tip>

    ![Connect via Azure Certificate](/images/app-connections/azure/client-secrets/create-certificate-method.png)
  </Step>
  </Tab>
</Tabs>
</Step>
<Step title="Connection Created">
  Your **Azure Client Secrets Connection** is now available for use.

  ![Azure Client Secrets](/images/app-connections/azure/client-secrets/oauth-connection.png)
</Step>
</Steps>

## Automatic Credential Rotation

When using the Client Secret authentication method, Infisical can automatically rotate the Client Secret of your Azure application on a recurring schedule. When enabled, Infisical will immediately generate a new Client Secret on connection creation and revoke the original one, ensuring that no external party retains access using the credentials you provided.

<Note>
  Automatic Credential Rotation is only available for the **Client Secret** authentication method.
</Note>

<Steps>
<Step title="Locate the Key ID of your Client Secret">
    Before enabling rotation, you'll need the **Key ID** of the Client Secret you are using to authenticate. Navigate to your App Registration in the Azure Portal, then go to **Certificates & secrets**. Copy the **Secret ID** (Key ID) of the secret you are providing to Infisical.
    ![Azure Client Secret Key ID](/images/app-connections/azure/client-secrets/credential-rotation-key-id.png)
</Step>
<Step title="Enable Automatic Credential Rotation">
    When creating or editing your connection, toggle on the **Automatic Credential Rotation** switch.

    ![Enable Automatic Credential Rotation](/images/app-connections/azure/client-secrets/credential-rotation-toggle.png)
</Step>
<Step title="Provide the Client Secret Key ID">
    Enter the **Key ID** you copied in the previous step into the **Client Secret Key ID** field. Infisical uses this to revoke your original secret after generating a new one.

    ![Client Secret Key ID Field](/images/app-connections/azure/client-secrets/credential-rotation-key-id-field.png)
</Step>
<Step title="Configure the Rotation Schedule">
    Set the **Rotation Interval** (in days) to define how often the credential should be rotated, and set **Rotate At** to the local time of day at which the rotation should occur.

    - **Rotation Interval** – How many days between each rotation.
    - **Rotate At** – The local time of day at which the rotation will be triggered.

    ![Rotation Schedule](/images/app-connections/azure/client-secrets/credential-rotation-schedule.png)
</Step>
</Steps>
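Rotation as described above is a create-then-revoke sequence: a new Client Secret is added to the App Registration and stored, and only then is the original removed by its Key ID. The Go program below is an added example, not Infisical's implementation. It models the two Microsoft Graph actions involved (`addPassword` and `removePassword` on the application object) behind an assumed `SecretStore` interface with an in-memory stand-in whose Key IDs and secret values are constructed, so it runs offline, and it computes the next run from **Rotation Interval** and **Rotate At**. It also shows what a wrong Key ID does: the new secret is still created, but the old one cannot be revoked, and that error must reach the operator.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// PasswordCredential holds the fields Microsoft Graph returns from
// POST /applications/{id}/addPassword that a rotation needs to keep.
type PasswordCredential struct {
	KeyID       string // the "Secret ID" shown under Certificates & secrets
	SecretText  string // returned only once, at creation
	DisplayName string
	EndDateTime time.Time
}

// SecretStore is the subset of Graph operations a rotation touches. The interface is
// assumed for this example; Infisical's own client is not shown here.
type SecretStore interface {
	AddPassword(displayName string, validFor time.Duration) (PasswordCredential, error)
	RemovePassword(keyID string) error
}

// Rotate issues a replacement secret first, lets the caller persist it, and only then
// revokes the old one by Key ID, so the connection is never left without a working credential.
func Rotate(s SecretStore, oldKeyID string, validFor time.Duration, persist func(PasswordCredential) error) (PasswordCredential, error) {
	name := "infisical-rotated-" + time.Now().UTC().Format("2006-01-02")
	newCred, err := s.AddPassword(name, validFor)
	if err != nil {
		return PasswordCredential{}, fmt.Errorf("add password: %w", err)
	}
	if err := persist(newCred); err != nil {
		// Nothing has been revoked: the old secret still works; the new one is left for cleanup.
		return PasswordCredential{}, fmt.Errorf("persist new secret %s: %w", newCred.KeyID, err)
	}
	if err := s.RemovePassword(oldKeyID); err != nil {
		// The new secret is live and stored; report the dangling old one instead of hiding it.
		return newCred, fmt.Errorf("revoke old secret %s: %w", oldKeyID, err)
	}
	return newCred, nil
}

// NextRotation returns the next run: intervalDays after the last rotation, at the local
// wall-clock time rotateAt ("15:04") in loc. time.Date normalises a time inside a DST gap.
func NextRotation(last time.Time, intervalDays int, rotateAt string, loc *time.Location) (time.Time, error) {
	hm, err := time.Parse("15:04", rotateAt)
	if err != nil {
		return time.Time{}, fmt.Errorf("rotate-at must be HH:MM: %w", err)
	}
	day := last.In(loc).AddDate(0, 0, intervalDays)
	return time.Date(day.Year(), day.Month(), day.Day(), hm.Hour(), hm.Minute(), 0, 0, loc), nil
}

var errKeyNotFound = errors.New("keyId not found on application")

// fakeGraph is an in-memory stand-in for the Graph API so the example runs offline;
// its Key IDs and secret values are constructed, not real Azure values.
type fakeGraph struct{ creds map[string]PasswordCredential }

func (f *fakeGraph) AddPassword(name string, validFor time.Duration) (PasswordCredential, error) {
	buf := make([]byte, 24)
	if _, err := rand.Read(buf); err != nil {
		return PasswordCredential{}, err
	}
	c := PasswordCredential{
		KeyID:       fmt.Sprintf("%x", buf[:8]),
		SecretText:  fmt.Sprintf("%x", buf[8:]),
		DisplayName: name,
		EndDateTime: time.Now().Add(validFor),
	}
	f.creds[c.KeyID] = c
	return c, nil
}

func (f *fakeGraph) RemovePassword(keyID string) error {
	if _, ok := f.creds[keyID]; !ok {
		return errKeyNotFound
	}
	delete(f.creds, keyID)
	return nil
}

func main() {
	g := &fakeGraph{creds: map[string]PasswordCredential{}}
	orig, _ := g.AddPassword("provided-by-operator", 180*24*time.Hour) // the secret pasted into Infisical
	stored := orig
	newCred, err := Rotate(g, orig.KeyID, 180*24*time.Hour, func(c PasswordCredential) error { stored = c; return nil })
	fmt.Println("rotated:", err == nil, "live secrets:", len(g.creds), "stored is new:", stored.KeyID == newCred.KeyID)
	// A wrong Key ID still creates a new secret but cannot revoke the old one.
	_, err = Rotate(g, "0000000000000000", 180*24*time.Hour, func(PasswordCredential) error { return nil })
	fmt.Println("wrong key id reported:", errors.Is(err, errKeyNotFound), "live secrets:", len(g.creds))
}
```

The ordering in `Rotate` is the part to carry over to any rotation tooling: the old secret is only revoked after the new one is durably stored, and a failed persist leaves the old secret intact rather than locking the connection out. The wrong-Key-ID path is why the **Client Secret Key ID** field matters; with an ID that does not match, each rotation leaves an extra live secret on the application until someone cleans it up.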