# Microsoft Entra ID (Azure AD)

{% hint style="info" %}
These settings should only be applied to the SCEPman App Service, not the Certificate Master. Please refer to [SCEPman Settings](/scepman-configuration/application-settings.md).
{% endhint %}

## AppConfig:AuthConfig:ApplicationId

*Linux: AppConfig\_\_AuthConfig\_\_ApplicationId*

The [Application (client) ID](/scepman-deployment/permissions/azure-app-registration.md#basic-app-registration-application-id) from your Microsoft Entra ID (Azure AD) App registration. This setting is configured during the setup.

{% hint style="warning" %}
Please do not mix this up with the "Client Secret ID". This setting needs the "Application (client) ID".
{% endhint %}

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}

## AppConfig:AuthConfig:ApplicationKey

*Linux: AppConfig\_\_AuthConfig\_\_ApplicationKey*

The [Application Key (client secret **value**)](/scepman-deployment/permissions/azure-app-registration.md#azure-app-registration-client-secret) from your Microsoft Entra ID (Azure AD) App registration. This setting is configured during the setup of a SCEPman 1.x version. SCEPman 2.x usually does not use this setting and instead relies on [Managed Identity authentication](/scepman-deployment/permissions/post-installation-config.md).

{% hint style="warning" %}
Please do not mix this up with the "Client Secret **ID**". This setting needs the "Client Secret **Value**".
{% endhint %}

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}

## AppConfig:AuthConfig:TenantId

*Linux: AppConfig\_\_AuthConfig\_\_TenantId*

The Microsoft Entra ID (Azure AD) Tenant ID. This setting is automatically configured during the setup.

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}

## AppConfig:AuthConfig:HomeTenantId

*Linux: AppConfig\_\_AuthConfig\_\_HomeTenantId*

When running SCEPman in a different tenant than Intune, this specifies the ID of the tenant hosting the SCEPman Azure resource, while [AppConfig:AuthConfig:TenantId](#appconfig-authconfig-tenantid) specifies the tenant of Intune. In this case, you cannot use the more convenient [authentication based on Managed Identities](/scepman-deployment/permissions/post-installation-config.md), but must authenticate using [an Azure App Registration and a Client Secret](/scepman-deployment/permissions/azure-app-registration.md).

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}

## AppConfig:AuthConfig:HomeApplicationId

*Linux: AppConfig\_\_AuthConfig\_\_HomeApplicationId*

This setting is only used for situations where SCEPman runs in a different tenant than Intune. The HomeApplicationId specifies the application ID of your `scepman-api` app registration in the tenant where the SCEPman and Certificate Master App Services run. [AppConfig:AuthConfig:ApplicationId](#appconfig-authconfig-applicationid) and [AppConfig:AuthConfig:ApplicationKey](#appconfig-authconfig-applicationkey) specify the application ID and Client Secret Value, respectively, of the app registration in the tenant where Intune runs.

{% hint style="warning" %}
Please do not mix this up with the "Client Secret ID". This setting needs the "Application (client) ID".
{% endhint %}

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}

## AppConfig:AuthConfig:ManagedIdentityEnabledOnUnixTime

*Linux: AppConfig\_\_AuthConfig\_\_ManagedIdentityEnabledOnUnixTime*

The time, as a Unix epoch timestamp, at which the required permissions were granted to the Managed Identity. SCEPman acquires a token using the Managed Identity only after a short delay (60 seconds in SCEPman 2.0) after this time, because only then do the roles in the token reflect the correct permissions added by the cmdlet. The tokens are cached [for 24 hours with no way to force a refresh of the cache](https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Cdotnet#configure-target-resource), so if you added a permission after SCEPman has acquired a token, you need to wait up to 24 hours until SCEPman can use this new permission.

{% hint style="danger" %}
Changes can harm your service!
{% endhint %}
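
The following is an added example, not part of SCEPman or its documentation: a Python lint for the settings on this page that checks the cross-tenant requirement, flags a Client Secret ID pasted in place of the secret value, and computes the worst-case wait implied by ManagedIdentityEnabledOnUnixTime. The helper names, the sample IDs, and the assumption that a Client Secret ID is GUID-shaped while a secret value is not are illustrative.

```python
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PREFIX = "AppConfig:AuthConfig:"
MI_DELAY = 60            # seconds, the delay this page gives for SCEPman 2.0
TOKEN_CACHE = 24 * 3600  # seconds, the token cache lifetime this page gives

def normalize(settings):
    """Accept Windows (colon) and Linux (double underscore) names; drop the prefix."""
    out = {}
    for name, value in settings.items():
        name = name.replace("__", ":")
        if name.startswith(PREFIX) and value:
            out[name[len(PREFIX):]] = value.strip()
    return out

def lint_auth_config(settings):
    """Return a list of findings for the AuthConfig settings (hypothetical helper)."""
    cfg, findings = normalize(settings), []
    for key in ("ApplicationId", "TenantId", "HomeTenantId", "HomeApplicationId"):
        if key in cfg and not GUID.match(cfg[key]):
            findings.append(f"{key}: not a GUID")
    # Assumption: a Client Secret ID is GUID-shaped, a Client Secret Value is not.
    if GUID.match(cfg.get("ApplicationKey", "")):
        findings.append("ApplicationKey: looks like a Client Secret ID")
    # Cross-tenant: Managed Identity is not available, the app registration is needed.
    if "HomeTenantId" in cfg:
        for key in ("ApplicationId", "ApplicationKey"):
            if key not in cfg:
                findings.append(f"{key}: required when HomeTenantId is set")
    stamp = cfg.get("ManagedIdentityEnabledOnUnixTime", "0")
    if not stamp.isdigit():
        findings.append("ManagedIdentityEnabledOnUnixTime: not an integer epoch value")
    return findings

def permission_usable_by(enabled_on, granted_at):
    """Worst-case epoch second at which a permission shows up in SCEPman's token."""
    if granted_at <= enabled_on:
        return enabled_on + MI_DELAY   # first token is acquired after the delay
    return granted_at + TOKEN_CACHE    # a cached token may already exist

# Constructed sample: Linux-style names, all IDs are made up.
SAMPLE = {
    "AppConfig__AuthConfig__TenantId": "11111111-2222-3333-4444-555555555555",
    "AppConfig__AuthConfig__HomeTenantId": "66666666-7777-8888-9999-000000000000",
    "AppConfig__AuthConfig__ApplicationId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "AppConfig__AuthConfig__ApplicationKey": "99999999-8888-7777-6666-555555555555",
}
print(lint_auth_config(SAMPLE))
```

Run it against an export of the App Service settings before saving changes; the findings list is empty when none of the checks trigger.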

