Client Credentials
Applies to: Patch My PC Publisher
Overview
The Publisher authenticates to Microsoft Intune using client credentials associated with an Entra ID app registration. Client credentials allow the Publisher to authenticate using app-only (non-interactive) authentication, which is required for automation and unattended publishing.
Microsoft Entra ID supports two client credential types:
Certificates
Client secrets
Both methods are supported by the Publisher; however, certificate-based authentication is strongly recommended.
Tip
Certificate-based authentication is recommended because it uses a "something you have" security model rather than a "something you know" model. The private key is stored securely on the device where the Publisher is installed and is never transmitted or shared. Authentication succeeds only if the calling service can prove possession of that private key, making it significantly harder to compromise than a client secret, which is simply a string value that can be copied, leaked, or reused from another location.
This approach aligns with Microsoft’s security best practices for service-to-service authentication and provides stronger protection for automated workloads that require unattended access to Microsoft Intune.
More guidance on why a certificate should be used instead of a client secret can be found at https://learn.microsoft.com/en-us/azure/active-directory/develop/security-best-practices-for-app-registration#certificates-and-secrets
Use a Certificate for Authentication
Certificate-based authentication is the preferred and recommended approach for securing the Publisher’s access to your Intune tenant. It uses a certificate that your Publisher service holds the private key for, while the public key is uploaded to the Entra ID app registration. This method aligns with Microsoft’s security best practices for service-to-service authentication.
Prerequisites
You must have registered an application in Entra ID.
You need access to the device where the Publisher will be installed to create and export certificates.
The certificate must meet the following requirements to be used for app authentication:
RSA key with 2048-bit minimum key length. (Entra ID currently supports only RSA).
Signed using SHA256 or stronger. (Entra ID also supports certificates signed with SHA384 and SHA512 hash algorithms).
Intended for client authentication.
Valid and not expired.
Private key accessible to the Publisher service.
Note
The following steps detail how to create a self-signed certificate for client authentication. However, this is not the only supported option. If your organization has an established PKI and your PKI administrators provide a client authentication certificate, you may use that certificate instead.
As long as the certificate meets Entra ID requirements and the private key is installed in the Local Machine certificate store on the server where Patch My PC Publisher is installed, the Publisher can use it for authentication in the same way as a self-signed certificate.
For more information on creating a self-signed certificate for authentication with an app registration, see Create a self-signed public certificate to authenticate your application.
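The requirements above apply equally to a self-signed certificate and to one issued by your own PKI. The following script is an added example (not Patch My PC's own code) that checks a certificate already present in the Local Machine Personal store against each requirement: RSA key of at least 2048 bits, SHA256 or stronger signature, Client Authentication EKU, validity window, and presence of the private key. It assumes an elevated Windows PowerShell session on the Publisher server and takes the certificate thumbprint as input; the thumbprint shown at the bottom is a placeholder.

```powershell
# Added example (not Patch My PC's own code): validate a certificate in the Local Machine
# Personal store against the Entra ID app-authentication requirements listed above.
# Assumptions: elevated Windows PowerShell on the Publisher server; thumbprint is a placeholder.

function Test-PublisherAuthCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [int] $WarnDays = 30   # warn when the certificate expires within this many days
    )

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{
            Thumbprint = $Thumbprint; Found = $false; Compliant = $false
            Problems   = @('Not found in Cert:\LocalMachine\My'); Warnings = @()
        }
    }

    $problems = @()
    $warnings = @()

    # Key type and size: Entra ID currently accepts only RSA keys of 2048 bits or more.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa) {
        $problems += "Public key algorithm is $($cert.PublicKey.Oid.FriendlyName), not RSA"
    } elseif ($rsa.KeySize -lt 2048) {
        $problems += "RSA key length is $($rsa.KeySize) bits (minimum 2048)"
    }

    # Signature hash: SHA256, SHA384 or SHA512 (FriendlyName looks like 'sha256RSA').
    if ($cert.SignatureAlgorithm.FriendlyName -notmatch '^sha(256|384|512)') {
        $problems += "Signed with $($cert.SignatureAlgorithm.FriendlyName); SHA256 or stronger required"
    }

    # Enhanced Key Usage must include Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })
    }
    if (-not $hasClientAuth) { $problems += 'Enhanced Key Usage does not include Client Authentication' }

    # Validity window: must be current now; warn ahead of expiry so it can be rotated in time.
    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $problems += "Not valid until $($cert.NotBefore)" }
    if ($now -gt $cert.NotAfter) {
        $problems += "Expired on $($cert.NotAfter)"
    } elseif (($cert.NotAfter - $now).TotalDays -lt $WarnDays) {
        $warnings += "Expires within $WarnDays days ($($cert.NotAfter))"
    }

    # The Publisher service must be able to use the private key from this store.
    if (-not $cert.HasPrivateKey) { $problems += 'Private key is not present in the Local Machine store' }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Found      = $true
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
        Warnings   = $warnings
    }
}

# Usage: replace the placeholder with the thumbprint shown in certlm.msc.
Test-PublisherAuthCertificate -Thumbprint 'PASTE_CERTIFICATE_THUMBPRINT_HERE' | Format-List
```

A result with Compliant = True and no Problems means the certificate can be uploaded to the app registration and used by the Publisher; a Warnings entry does not block use but tells you to schedule a replacement before the expiry date.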
Step 1: Create a Self-Signed Certificate
Open PowerShell as Administrator on the computer where Publisher is installed.
Run the following PowerShell snippet to create a new self-signed certificate in the Local Machine Personal store.
Open certlm.msc and verify the new certificate appears under Local Machine > Personal.

While still in the elevated PowerShell session, export the public key (.cer) to a temporary folder.
Confirm that the .cer file exists in C:\temp\certs.
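The steps above describe creating the certificate and exporting its public key; the script below is an added example (not the Publisher's own snippet) that performs both in one elevated PowerShell session. It creates an RSA 2048 / SHA256 self-signed certificate with the Client Authentication EKU in the Local Machine Personal store, marks the private key non-exportable, exports only the public .cer to C:\temp\certs, and then confirms both the store entry and the file. The subject name, friendly name and validity period are example values you should adjust.

```powershell
# Added example (not Patch My PC's own snippet): create a self-signed client-authentication
# certificate in Cert:\LocalMachine\My and export the public part (.cer) for upload to Entra ID.
# Assumptions: elevated PowerShell on the Publisher server; subject, friendly name and
# validity period below are example values.

$subject      = 'CN=PatchMyPC-Publisher-Intune'   # example subject name
$exportFolder = 'C:\temp\certs'                   # folder named in the steps above
$validYears   = 2                                 # example validity; align with your rotation policy

# Parameters satisfy the requirements listed above: RSA, 2048-bit key, SHA256 signature,
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2). NonExportable keeps the private key
# bound to this machine so it is never transmitted or shared.
$certParams = @{
    Subject           = $subject
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'NonExportable'
    KeyUsage          = 'DigitalSignature'
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
    NotAfter          = (Get-Date).AddYears($validYears)
    FriendlyName      = 'Patch My PC Publisher - Intune app-only auth'
}
$cert = New-SelfSignedCertificate @certParams

# Export only the public certificate (DER .cer); the private key stays in the store.
New-Item -ItemType Directory -Path $exportFolder -Force | Out-Null
$cerPath = Join-Path $exportFolder "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Confirm the certificate is in Local Machine > Personal and the .cer file exists.
# Keep the thumbprint: it should match what the Entra admin center shows after upload.
$stored = Get-ChildItem -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
[pscustomobject]@{
    Thumbprint    = $stored.Thumbprint
    Subject       = $stored.Subject
    NotAfter      = $stored.NotAfter
    HasPrivateKey = $stored.HasPrivateKey
    ExportedCer   = $cerPath
    CerFileExists = Test-Path $cerPath
}
```

The exported file contains only the public certificate, so it is safe to copy to the workstation from which you upload it in Step 2. Because the key is non-exportable, moving the Publisher to another server later means creating a new certificate and uploading its public key again rather than copying the old one.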

Step 2: Upload the Certificate to the App Registration
In the Microsoft Entra admin center, open the app registration you created.
Navigate to Certificates & secrets.
Under Certificates, click Upload certificate.
Select the exported .cer file and click Add.
Verify the certificate’s thumbprint appears in the list with the correct expiration.

Step 3: Configure the Publisher to use the Certificate
For more details on how to use the certificate for authentication, see Intune Apps / Updates > Options > Intune Authentication

Use a Client Secret for Authentication
Client secret–based authentication is supported by the Publisher, but it is not the recommended approach for production environments. A client secret is a shared string value (similar to a password) that the Publisher uses to authenticate to Microsoft Intune via the Entra ID app registration.
This method may be suitable for:
Short-term testing or proof-of-concept scenarios.
Environments where certificate-based authentication is not possible.
Important
Because client secrets are considered a weak client credential, they carry a higher risk of exposure and should be rotated at regular intervals.
Prerequisites
You must have registered an application in Entra ID.
You have permission to create secrets for the app registration.
Step 1: Create a Client Secret
Sign in to the Microsoft Entra admin center.
Navigate to Entra ID > App registrations.
Select the app registration created for the Publisher.
In the left-hand menu, select Certificates & secrets.
Under Client secrets, select New client secret.

Enter a description (optional).
Choose an expiration period appropriate for your organization.
Note
Microsoft recommends short-lived secrets. Expiration periods of 6 months or less are strongly advised.
Select Add.
After the secret is created, copy the Value immediately and store it securely as you will not be able to retrieve the secret once you navigate away from the page.
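Because the secret value cannot be retrieved later, the only ongoing visibility you have is the credential's expiration in the app registration. The following script is an added example (not Patch My PC's own code) that lists every certificate and client secret on the Publisher's app registration and flags secrets that are expired, expire within a warning window, or were issued with a lifetime longer than the six-month guidance above. It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) is installed, that you can consent to the Application.Read.All scope, and that the object ID at the bottom is a placeholder for your app registration.

```powershell
# Added example (not Patch My PC's own code): audit credential expiry and lifetime on the
# Publisher's app registration to support regular secret rotation.
# Assumptions: Microsoft.Graph.Applications module installed; Application.Read.All consent;
# the app registration object ID below is a placeholder.

function Get-AppCredentialStatus {
    param(
        [Parameter(Mandatory)] [string] $AppObjectId,
        [int] $WarnDays = 30,           # flag credentials expiring within this many days
        [int] $MaxSecretLifetimeDays = 183  # guidance above: secret expiration of 6 months or less
    )

    $app = Get-MgApplication -ApplicationId $AppObjectId `
        -Property 'id,displayName,passwordCredentials,keyCredentials'
    $now = Get-Date

    # Client secrets: check expiry and the lifetime chosen when the secret was created.
    foreach ($c in $app.PasswordCredentials) {
        $status = 'OK'
        $lifetimeDays = [int]($c.EndDateTime - $c.StartDateTime).TotalDays
        if ($c.EndDateTime -lt $now) {
            $status = 'Expired'
        } elseif (($c.EndDateTime - $now).TotalDays -lt $WarnDays) {
            $status = 'ExpiringSoon'
        } elseif ($lifetimeDays -gt $MaxSecretLifetimeDays) {
            $status = 'LifetimeExceedsGuidance'
        }
        [pscustomobject]@{
            App          = $app.DisplayName
            Type         = 'ClientSecret'
            Name         = $c.DisplayName
            KeyId        = $c.KeyId
            Starts       = $c.StartDateTime
            Expires      = $c.EndDateTime
            LifetimeDays = $lifetimeDays
            Status       = $status
        }
    }

    # Certificates: the lifetime rule does not apply, but expiry still needs tracking.
    foreach ($k in $app.KeyCredentials) {
        $status = 'OK'
        if ($k.EndDateTime -lt $now) {
            $status = 'Expired'
        } elseif (($k.EndDateTime - $now).TotalDays -lt $WarnDays) {
            $status = 'ExpiringSoon'
        }
        [pscustomobject]@{
            App          = $app.DisplayName
            Type         = "Certificate ($($k.Usage))"
            Name         = $k.DisplayName
            KeyId        = $k.KeyId
            Starts       = $k.StartDateTime
            Expires      = $k.EndDateTime
            LifetimeDays = [int]($k.EndDateTime - $k.StartDateTime).TotalDays
            Status       = $status
        }
    }
}

# Usage: sign in with read-only application permissions, then audit one app registration.
Connect-MgGraph -Scopes 'Application.Read.All'
Get-AppCredentialStatus -AppObjectId '00000000-0000-0000-0000-000000000000' |
    Sort-Object Expires | Format-Table -AutoSize
```

Run this on a schedule and treat any row with Status other than OK as a rotation task: create the replacement credential, update the Publisher's Authentication Settings, confirm publishing still works, and only then remove the old secret or certificate from the app registration.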

Step 2: Configure the Publisher to use the Client Secret
For more details on how to use the client secret for authentication, see Intune Apps / Updates > Options > Authentication Settings.
