Skip to main content
Infisical currently only supports two methods for connecting to Azure, which are OAuth and Client Secrets.
Using the Azure Client Secrets connection on a self-hosted instance of Infisical requires configuring an application in Azure and registering your instance with it.Prerequisites:
  • Set up Azure.
1

Create an application in Azure

Navigate to Azure Active Directory > App registrations to create a new application.
Azure Active Directory is now Microsoft Entra ID.
Azure client secretsAzure client secretsCreate the application. As part of the form, set the Redirect URI to https://your-domain.com/organization/app-connections/azure/oauth/callback.
The domain you defined in the Redirect URI should be equivalent to the SITE_URL configured in your Infisical instance.
Azure client secrets
2

Assign API permissions to the application

For the Azure Connection to work with Client Secrets, you need to assign the following permission to the application.

Azure Client Secrets permissions

Set the API permissions of the Azure application to include the following permissions:
  • Microsoft Graph
    • Application.ReadWrite.All
    • Application.ReadWrite.OwnedBy
    • Application.ReadWrite.All (Delegated)
    • Directory.ReadWrite.All (Delegated)
    • User.Read (Delegated) Azure client secrets
3

Add your application credentials to Infisical

Obtain the Application (Client) ID and Directory (Tenant) ID (this will be used later in the Infisical connection) in Overview and generate a Client Secret in Certificate & secrets for your Azure application.Azure client secretsAzure client secretsAzure client secretsBack in your Infisical instance, add two new environment variables for the credentials of your Azure application.
  • INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_ID: The Application (Client) ID of your Azure application.
  • INF_APP_CONNECTION_AZURE_CLIENT_SECRETS_CLIENT_SECRET: The Client Secret of your Azure application.
Once added, restart your Infisical instance and use the Azure Client Secrets connection.
Ensure your Azure application has the required permissions that Infisical needs for the Azure Client Secrets connection to work.Prerequisites:
  • An active Azure setup.
1

Assign API permissions to the application

For the Azure Client Secrets connection to work, assign the following permissions to your Azure application:

Required API Permissions

Microsoft Graph
  • Application.ReadWrite.All
  • Application.ReadWrite.OwnedBy
  • Application.ReadWrite.All (Delegated)
  • Directory.ReadWrite.All (Delegated)
  • User.Read (Delegated) Azure client secrets
Ensure your Azure application has the required permissions that Infisical needs for the Azure Client Secrets connection to work.Prerequisites:
  • An active Azure setup.
1

Assign API permissions to the application

For the Azure Client Secrets connection to work, assign the following permissions to your Azure application:

Required API Permissions

Microsoft Graph
  • Application.ReadWrite.All
  • Application.ReadWrite.OwnedBy
  • Application.ReadWrite.All (Delegated)
  • Directory.ReadWrite.All (Delegated)
  • User.Read (Delegated) Azure client secrets
2

Upload your certificate to your Azure App Registration

Navigate to the Certificates & secrets section of your Azure App Registration, and press the Upload certificate button.Select the Upload button and upload your certificate.Upload certificate
Keep in mind that both the certificate and its private key are required to configure the Azure Client Secrets connection in Infisical.

Setup Azure Connection in Infisical

1

Navigate to App Connections

Navigate to the Integrations tab in the desired project, then select App Connections. App Connections Tab
2

Add Connection

Select the Azure Connection option from the connection options modal. Select Azure Connection
3

Create Connection

1

Authorize Connection

Fill in the Tenant ID field with the Directory (Tenant) ID you obtained in the previous step.Now select the OAuth method and click Connect to Azure.Connect via Azure OAUth
1

Grant Access

You will then be redirected to Azure to grant Infisical access to your Azure account. Once granted, you will be redirected back to Infisical’s App Connections page. Azure Client Secrets Authorization
4

Connection Created

Your Azure Client Secrets Connection is now available for use. Azure Client Secrets

Automatic Credential Rotation

When using the Client Secret authentication method, Infisical can automatically rotate the Client Secret of your Azure application on a recurring schedule. When enabled, Infisical will immediately generate a new Client Secret on connection creation and revoke the original one, ensuring that no external party retains access using the credentials you provided.
Automatic Credential Rotation is only available for the Client Secret authentication method.
1

Locate the Key ID of your Client Secret

Before enabling rotation, you’ll need the Key ID of the Client Secret you are using to authenticate. Navigate to your App Registration in the Azure Portal, then go to Certificates & secrets. Copy the Secret ID (Key ID) of the secret you are providing to Infisical.Azure Client Secret Key ID
2

Enable Automatic Credential Rotation

When creating or editing your connection, toggle on the Automatic Credential Rotation switch.Enable Automatic Credential Rotation
3

Provide the Client Secret Key ID

Enter the Key ID you copied in the previous step into the Client Secret Key ID field. Infisical uses this to revoke your original secret after generating a new one.Client Secret Key ID Field
4

Configure the Rotation Schedule

Set the Rotation Interval (in days) to define how often the credential should be rotated, and set Rotate At to the local time of day at which the rotation should occur.
  • Rotation Interval – How many days between each rotation.
  • Rotate At – The local time of day at which the rotation will be triggered. Rotation Schedule