Posture Control (DSPM)
Managing Application Details and Client Secret
While onboarding a Microsoft Entra tenant, a service principal or application is created within the Microsoft Entra tenant. The service principal defines the policies and permissions required for DSPM to access specific resources within the onboarded Microsoft Entra tenant. The service principal is identified by a unique identifier called the application or the client ID, along with a client secret used as a password.
You can update the application details and client secret of the service principal as required.
Updating Application Details
If the service principal is accidentally deleted, DSPM's access to the onboarded tenant is impacted, and all the onboarded subscriptions within the tenant move to the Needs Attention state. To restore access, you must update the application details.
Prerequisite
You must be assigned either an Administrator role or any role with Change Application Details permissions.
Updating Application Details
To update the application details:
- Go to Administration > Configuration > Cloud Accounts.
- Select the tenant for which you want to update the application details.
- Select the Roles and Templates tab.
Download and run the Tree Discovery template:
- a. In the DSPM Admin Portal
Click Tree Discovery to download the template as a .zip file. Extract the file to your local system and create a new folder to store the extracted files. The .zip file contains two Terraform files (backend.tf and azure_tf_basic.tf).
- b. On the Local System
Run the template in the Microsoft Entra tenant using the CLI app:
- Update the downloaded backend.tf file with the storage container names where you want to store the Terraform state files:
  - resource_group_name: Enter the resource group name.
  - storage_account_name: Enter the storage account name.
  - container_name: Enter the container name.
- Open the Command Prompt or any other CLI app in your local system.
- Switch to the directory containing the downloaded Terraform file.
- Run the following commands:
To connect to your Microsoft Entra tenant:
az login --tenant <tenant ID>
You are directed to a web browser to authorize the Microsoft Entra tenant. Select your account to confirm the authorization.
The command output returns the subscriptions available within your Microsoft Entra tenant.
To set the subscription where you want to run the Terraform template:
az account set --subscription <subscription ID>
(Optional) To verify if the subscription is accurately set:
az account show
To initialize the working directory and apply Terraform configuration:
terraform init
To verify the changes in the Terraform configuration:
terraform plan
For Enter a value: Enter the regions where you want to deploy the template in the following format:
["region name1", "region name2", "region name3"]
To run the script:
terraform apply
For Enter a value: Enter the regions where you want to deploy the template in the following format:
["region name1", "region name2", "region name3"]
Under Do you want to perform these actions?, enter yes and then press Enter.
The command output returns the client ID and client secret that are required to connect DSPM with the Microsoft Entra tenant.
- c. In the Microsoft Entra Tenant
After the template is successfully deployed, a service principal or application is created in the Microsoft Entra tenant. You need to grant API permissions to the service principal to access resources within the Microsoft Entra tenant.
To grant API permissions:
- Sign in to the Microsoft Azure portal and go to Microsoft Entra ID.
- In the left-side navigation, select App registrations.
- Select the Owned applications tab.
- In the table, search for and select the service principal.
- In the left-side navigation, select API permissions.
- Click Grant admin consent for <tenant name>.
- In the Grant admin consent confirmation popup, click Yes.
- a. In the DSPM Admin Portal
- Click Manage and then select Change Application Details.
- In the Change Application Details window, enter the client ID and client secret generated in the CLI app:
  - Application ID: Enter the client ID.
  - Client Secret: Enter the client secret.
- Click Validate.
  DSPM validates the template deployment by verifying the application ID, client secret, and the custom roles created. If the validation is successful, a message appears indicating that the connection is established.
- Click Done.
On the Roles and Templates tab, download and run the Azure Onboarding template:
- a. In the DSPM Admin Portal
Click Azure Onboarding to download the template as a .zip file and extract it to your local system.
The .zip file contains multiple Terraform files that contain policies and permissions required for the DSPM to connect to the Microsoft Entra tenant.
- b. On the Local System
Run the template in the Microsoft Entra tenant using the CLI app:
- Update the downloaded backend.tf file with the storage container names where you want to store the Terraform state files:
  - resource_group_name: Enter the resource group name.
  - storage_account_name: Enter the storage account name.
  - container_name: Enter the container name.
- Open the Command Prompt or any other CLI app in your local system.
- Switch to the directory containing the downloaded Terraform file.
- Run the following commands:
To connect to your Microsoft Entra tenant:
az login --tenant <tenant ID>
You are directed to a web browser to authorize the Microsoft Entra tenant. Select your account to confirm the authorization.
The command output returns the subscriptions available within your Microsoft Entra tenant.
To set the subscription where you want to run the Terraform template:
az account set --subscription <subscription ID>
(Optional) To verify if the subscription is accurately set:
az account show
To initialize the working directory and apply Terraform configuration:
terraform init
To verify the changes in the Terraform configuration:
terraform plan
For Enter a value: Enter the regions where you want to deploy the template in the following format:
["region name1", "region name2", "region name3"]
To run the script:
terraform apply
For Enter a value: Enter the regions where you want to deploy the template in the following format:
["region name1", "region name2", "region name3"]
Under Do you want to perform these actions?, enter yes and then press Enter.
After the template is successfully deployed, DSPM's access to the Microsoft Entra tenant is restored, and the onboarded subscriptions move to the Successfully Configured state.
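The same az and terraform command sequence is used for both the Tree Discovery and Azure Onboarding templates. As an added example that is not part of this documentation or of DSPM's own tooling, the following Python script wraps that sequence: it refuses to run while backend.tf still holds placeholder values, checks that az account set actually selected the requested subscription before anything is deployed, and supplies the region list in the prompt's format non-interactively. It assumes the Azure CLI and Terraform are installed, that the subscription is given by ID, and that the template's region variable is named regions (a hypothetical name); the backend.tf text is constructed sample input.

```python
import json
import re
import subprocess

# backend.tf settings the procedure says to fill in; "placeholder" means empty, <...>, or a dummy.
BACKEND_KEYS = ("resource_group_name", "storage_account_name", "container_name")
PLACEHOLDER = re.compile(r"^(\s*|<.*>|changeme|your[-_].*)$", re.IGNORECASE)

# Constructed sample of a half-edited backend.tf (storage_account_name is still a placeholder).
SAMPLE_BACKEND_TF = '''
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-dspm-tfstate"
    storage_account_name = "<storage account name>"
    container_name       = "tfstate"
  }
}
'''

def parse_backend_tf(text):
    """Collect simple `name = "value"` attributes from an HCL file (enough for backend.tf)."""
    return {m.group(1): m.group(2) for m in
            re.finditer(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"', text, re.MULTILINE)}

def missing_backend_values(cfg):
    """Return the required backend keys that are absent or still hold a placeholder."""
    return [k for k in BACKEND_KEYS if PLACEHOLDER.match(cfg.get(k, ""))]

def format_regions(regions):
    """Render regions exactly as the template prompt expects: ["name1", "name2"]."""
    return json.dumps(list(regions))

def run(cmd, **kw):
    return subprocess.run(cmd, check=True, **kw)

def deploy(tenant_id, subscription_id, regions, backend_path="backend.tf"):
    with open(backend_path) as f:
        missing = missing_backend_values(parse_backend_tf(f.read()))
    if missing:
        raise SystemExit("backend.tf still has placeholders for: " + ", ".join(missing))
    run(["az", "login", "--tenant", tenant_id])
    run(["az", "account", "set", "--subscription", subscription_id])
    active = json.loads(run(["az", "account", "show"], capture_output=True, text=True).stdout)
    if active["id"] != subscription_id:  # fail closed instead of deploying into the wrong subscription
        raise SystemExit("active subscription is " + active["id"] + ", expected " + subscription_id)
    run(["terraform", "init"])
    # "regions" is an assumed variable name; -var replaces typing the list at the "Enter a value" prompt.
    var = "regions=" + format_regions(regions)
    run(["terraform", "plan", "-var", var])
    run(["terraform", "apply", "-var", var])  # apply still asks "Do you want to perform these actions?"
```

Call deploy("<tenant ID>", "<subscription ID>", ["region name1", "region name2"]) from the directory holding the extracted template; the client ID and client secret printed by terraform apply are then entered in the DSPM Admin Portal as before.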
Updating the Client Secret
The client secret in Microsoft Azure is a confidential string that is used as the password for the service principal or application. It comes with an expiration date and must be renewed for the service principal to remain functional. You can update the client secret that you provided while onboarding a tenant.
Prerequisite
- You must be assigned either an Administrator role or any role with Change Application Details permissions in the DSPM Admin Portal.
- Ensure that you have added a new client secret for the service principal in the Microsoft Entra tenant:
  - Sign in to the Microsoft Azure portal and go to Microsoft Entra ID.
  - In the left-side navigation, select App registrations.
  - Select the Owned applications tab.
  - Search for and select the service principal you created while onboarding.
  - In the left-side navigation, select Certificates & secrets.
  - On the Client secrets tab, click New client secret.
  - In the Add a client secret page:
    - Description: Enter a description for the client secret.
    - Expires: Select the expiry date from the drop-down menu.
    - Click Add.
  - In the Client secrets table, under Value, click the copy icon to copy the string to the clipboard.
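Because the client secret expires, it helps to know before DSPM's connection to the tenant breaks. The following Python check is added here and is not part of this documentation or of DSPM: it reads the credential list of the service principal and reports secrets that are already expired or expire within a warning window, so the new secret can be added and entered in DSPM in time. The JSON sample is constructed, and the field names are assumed to match the output of az ad app credential list; that command returns secret metadata only, not the secret value.

```python
import json
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample in the shape `az ad app credential list --id <application ID>` prints;
# the field names (displayName, keyId, endDateTime) are assumed from the CLI's Graph-based output.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "dspm-onboarding", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": "dspm-rotated", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-06-01T00:00:00.123Z"},
])

def parse_end(ts):
    """RFC 3339 -> aware datetime; fractional seconds and the Z suffix are normalised for older Pythons."""
    return datetime.fromisoformat(re.sub(r"\.\d+", "", ts).replace("Z", "+00:00"))

def expiring_secrets(creds_json, now, warn_days=30):
    """Return (displayName, keyId, days_left) for secrets already expired or expiring within warn_days."""
    hits = []
    for cred in json.loads(creds_json):
        days_left = (parse_end(cred["endDateTime"]) - now).days
        if days_left <= warn_days:
            hits.append((cred.get("displayName"), cred["keyId"], days_left))
    return sorted(hits, key=lambda h: h[2])

def fetch_credentials(app_id):
    """Live query against the signed-in tenant; only secret metadata comes back, never the value."""
    return subprocess.run(["az", "ad", "app", "credential", "list", "--id", app_id],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    import sys
    data = fetch_credentials(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CREDENTIALS
    for name, key_id, days in expiring_secrets(data, datetime.now(timezone.utc)):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{name} ({key_id}): {state}; add a new client secret, then update it in DSPM")
```

Run it with the application (client) ID as the argument after az login; without an argument it evaluates the constructed sample.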
Updating the Client Secret
To update the client secret:
- Go to Administration > Configuration > Cloud Accounts.
- Select the tenant for which you want to update the client secret.
- Click Manage and then select Change Application Details.
- In the Change Application Details window, for Client Secret, paste the string copied from the Microsoft Entra tenant.
- Click Validate.
  DSPM validates the updated client secret by verifying it against the service principal and application ID. If the validation is successful, a message appears indicating that the connection is established.
  If the client secret is invalid or does not match the service principal, an error is displayed.
- Click Done.
The client secret is updated for the service principal.