Command Reference

Complete documentation for all Entra Token CLI commands, options, and arguments.

Command Overview

Command	Description
`get-token`	Generate access tokens
`refresh`	Refresh expired tokens
`inspect`	Decode and inspect JWT tokens
`discover`	Quick token information
`config`	Manage authentication profiles
`--help`	Display help information
`--version`	Show version information

`get-token`

Generate an access token using a configured profile.

Synopsis

1
entratool get-token [OPTIONS]

Options

Option	Alias	Required	Description
`--profile <NAME>`	`-p`	Yes	Profile name to use
`--scope <SCOPE>`	`-s`	No	Override profile scope
`--flow <FLOW>`	`-f`	No	OAuth2 flow to use
`--silent`		No	Suppress output except token
`--output <FILE>`	`-o`	No	Save token to file
`--json`		No	Output as JSON

OAuth2 Flows

ClientCredentials - Service-to-service
AuthorizationCode - Web applications
DeviceCode - Limited-input devices
InteractiveBrowser - Desktop applications

Examples

Basic usage:

1
entratool get-token -p my-profile

Override scope:

1
2
entratool get-token -p my-profile \
  --scope "https://graph.microsoft.com/User.Read Mail.Read"

Specify flow:

1
entratool get-token -p my-profile -f ClientCredentials

Silent output (for scripts):

1
TOKEN=$(entratool get-token -p my-profile --silent)

Save to file:

1
entratool get-token -p my-profile -o token.txt

JSON output:

1
entratool get-token -p my-profile --json

Multiple scopes:

1
2
entratool get-token -p my-profile \
  --scope "https://graph.microsoft.com/User.Read,Mail.Read,Calendars.Read"

Device code flow:

1
entratool get-token -p headless-server -f DeviceCode

Interactive browser:

1
entratool get-token -p user-app -f InteractiveBrowser

Certificate authentication:

1
entratool get-token -p cert-profile -f ClientCredentials

Full documentation →

`refresh`

Refresh an expired access token using a refresh token.

Synopsis

1
entratool refresh [OPTIONS]

Options

Option	Alias	Required	Description
`--profile <NAME>`	`-p`	Yes	Profile name to use
`--silent`		No	Suppress output except token
`--output <FILE>`	`-o`	No	Save token to file

Examples

Refresh token:

1
entratool refresh -p my-profile

Silent output:

1
TOKEN=$(entratool refresh -p my-profile --silent)

Save to file:

1
entratool refresh -p my-profile -o token.txt

Notes

Requires offline_access scope in original token request
Not available for Client Credentials flow
Refresh tokens expire after 90 days of inactivity

Full documentation →

`inspect`

Decode and display JWT token claims.

Synopsis

1
entratool inspect [OPTIONS]

Options

Option	Alias	Required	Description
`--token <TOKEN>`	`-t`	Conditional	Token string to inspect
`--file <FILE>`	`-f`	Conditional	File containing token

Note: Provide either --token or --file, or pipe token via stdin.

Examples

Inspect token string:

1
entratool inspect -t "eyJ0eXAiOiJKV1Qi..."

Inspect from file:

1
entratool inspect -f token.txt

Inspect from pipeline:

1
entratool get-token -p my-profile --silent | entratool inspect

Extract specific claim:

1
entratool inspect -t "$TOKEN" | jq -r .payload.scp

Check expiration:

1
entratool inspect -t "$TOKEN" | jq -r .payload.exp

View all claims:

1
entratool inspect -f token.txt | jq

Full documentation →

`discover`

Quick token information and validation.

Synopsis

1
entratool discover [OPTIONS]

Options

Option	Alias	Required	Description
`--token <TOKEN>`	`-t`	Conditional	Token string to discover
`--file <FILE>`	`-f`	Conditional	File containing token

Exit Codes

0 - Token is valid
1 - Token is expired or invalid

Examples

Discover token info:

1
entratool discover -t "eyJ0eXAiOiJKV1Qi..."

Check if token is valid:

1
2
3
4
5
if entratool discover -t "$TOKEN" &>/dev/null; then
  echo "Token is valid"
else
  echo "Token is expired"
fi

From file:

1
entratool discover -f token.txt

In script:

1
2
3
4
if ! entratool discover -f token.txt; then
  # Token expired, get new one
  entratool get-token -p my-profile --silent > token.txt
fi

Full documentation →

`config`

Manage authentication profiles.

Synopsis

1
entratool config <SUBCOMMAND> [OPTIONS]

Subcommands

Subcommand	Description
`create`	Create new profile
`list`	List all profiles
`edit`	Edit existing profile
`delete`	Delete profile
`export`	Export profile(s)
`import`	Import profile(s)

`config create`

Create a new authentication profile interactively.

Synopsis:

1
entratool config create

Example:

1
2
3
4
5
6
7
8
9
entratool config create

# Interactive prompts:
# - Profile name
# - Client ID
# - Tenant ID
# - Authentication method
# - Scope
# - OAuth2 flow (optional)

`config list`

List all configured profiles.

Synopsis:

1
entratool config list [OPTIONS]

Options:

Option	Description
`--json`	Output as JSON

Examples:

1
2
3
4
5
# List profiles
entratool config list

# JSON output
entratool config list --json

`config edit`

Edit an existing profile interactively.

Synopsis:

1
entratool config edit [OPTIONS]

Options:

Option	Alias	Required	Description
`--profile <NAME>`	`-p`	Yes	Profile name to edit

Example:

1
2
3
4
5
6
7
8
9
entratool config edit -p my-profile

# Select what to edit:
# - Client ID
# - Tenant ID
# - Client Secret
# - Scope
# - OAuth2 Flow
# - Authority URL

`config delete`

Delete a profile and its associated secrets.

Synopsis:

1
entratool config delete [OPTIONS]

Options:

Option	Alias	Required	Description
`--profile <NAME>`	`-p`	Yes	Profile name to delete
`--force`		No	Skip confirmation

Examples:

1
2
3
4
5
# Delete with confirmation
entratool config delete -p my-profile

# Delete without confirmation
entratool config delete -p my-profile --force

`config export`

Export profile configuration (without secrets).

Synopsis:

1
entratool config export [OPTIONS]

Options:

Option	Alias	Required	Description
`--profile <NAME>`	`-p`	No	Profile name (omit for all)
`--output <FILE>`	`-o`	Yes	Output file path

Examples:

1
2
3
4
5
# Export single profile
entratool config export -p my-profile -o profile.json

# Export all profiles
entratool config export -o all-profiles.json

`config import`

Import profile configuration from file.

Synopsis:

1
entratool config import [OPTIONS]

Options:

Option	Alias	Required	Description
`--file <FILE>`	`-f`	Yes	File to import

Example:

1
entratool config import -f profile.json

Full config documentation →

`--help`

Display help information.

Synopsis

1
2
entratool --help
entratool <COMMAND> --help

Examples

General help:

1
entratool --help

Command-specific help:

1
2
3
entratool get-token --help
entratool config --help
entratool config create --help

`--version`

Display version information.

Synopsis

1
entratool --version

Output:

                 _             _              _
  ___ _ __  _ __| |_ _ __ __ _| |_ ___   ___ | |
 / _ \ '_ \| '__| __| '__/ _` | __/ _ \ / _ \| |
|  __/ | | | |  | |_| | | (_| | || (_) | (_) | |
 \___|_| |_|_|   \__|_|  \__,_|\__\___/ \___/|_|

version 1.0.0

Global Options

Available for all commands:

Option	Description
`--help`	Display help
`--version`	Display version
`--verbose`	Enable verbose output
`--no-color`	Disable colored output

Exit Codes

Code	Meaning
`0`	Success
`1`	General error
`2`	Invalid arguments
`3`	Authentication failed
`4`	Profile not found
`5`	Token expired
`6`	Network error

Environment Variables

Variable	Description	Example
`AZURE_CLIENT_ID`	Default client ID	`12345678-...`
`AZURE_TENANT_ID`	Default tenant ID	`87654321-...`
`AZURE_CLIENT_SECRET`	Client secret	`abc123...`
`ENTRATOOL_CONFIG_PATH`	Config directory	`~/.entratool`

Configuration Files

Profile Configuration

Location: ~/.entratool/profiles.json

Format:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
{
  "profiles": [
    {
      "name": "my-profile",
      "clientId": "12345678-1234-1234-1234-123456789abc",
      "tenantId": "87654321-4321-4321-4321-cba987654321",
      "scope": "https://graph.microsoft.com/.default",
      "flow": "ClientCredentials",
      "useClientSecret": true
    }
  ]
}

Secure Storage

Secrets location:

Windows: DPAPI-encrypted store
macOS: Keychain (~/Library/Keychains/login.keychain-db)
Linux: ~/.entratool/secrets.dat (⚠️ XOR obfuscated)

Common Command Patterns

Script Integration

1
2
3
4
5
6
7
8
9
#!/bin/bash
set -euo pipefail

# Get token
TOKEN=$(entratool get-token -p automation --silent)

# Use token
curl -H "Authorization: Bearer $TOKEN" \
     https://graph.microsoft.com/v1.0/me

Token Caching

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
TOKEN_FILE="/tmp/cached-token.txt"

# Check if token is valid
if ! entratool discover -f "$TOKEN_FILE" &>/dev/null; then
  # Get fresh token
  entratool get-token -p my-profile --silent > "$TOKEN_FILE"
  chmod 600 "$TOKEN_FILE"
fi

TOKEN=$(cat "$TOKEN_FILE")

Multi-Environment

1
2
3
4
5
6
7
8
# Development
entratool get-token -p dev-profile -f ClientCredentials

# Staging
entratool get-token -p staging-profile -f ClientCredentials

# Production
entratool get-token -p prod-profile -f ClientCredentials

Error Handling

1
2
3
4
5
6
7
8
if ! TOKEN=$(entratool get-token -p my-profile --silent 2>&1); then
  echo "Error: Failed to get token"
  echo "$TOKEN"
  exit 1
fi

# Use token
curl -H "Authorization: Bearer $TOKEN" ...

Next Steps

Certificate Authentication

Platform Guides

Command Reference

Command Reference link

Command Overview link

get-token link

Synopsis link

Options link

OAuth2 Flows link

Examples link

refresh link

Synopsis link

Options link

Examples link

Notes link

inspect link

Synopsis link

Options link

Examples link

discover link

Synopsis link

Options link

Exit Codes link

Examples link

config link

Synopsis link

Subcommands link

config create link

config list link

config edit link

config delete link

config export link

config import link

--help link

Synopsis link

Examples link

--version link

Synopsis link

Global Options link

Exit Codes link

Environment Variables link

Configuration Files link

Profile Configuration link

Secure Storage link

Common Command Patterns link

Script Integration link

Token Caching link

Multi-Environment link

Error Handling link

Next Steps link

Command Reference

Command Overview

`get-token`

Synopsis

Options

OAuth2 Flows

Examples

`refresh`

Synopsis

Options

Examples

Notes

`inspect`

Synopsis

Options

Examples

`discover`

Synopsis

Options

Exit Codes

Examples

`config`

Synopsis

Subcommands

`config create`

`config list`

`config edit`

`config delete`

`config export`

`config import`

`--help`

Synopsis

Examples

`--version`

Synopsis

Global Options

Exit Codes

Environment Variables

Configuration Files

Profile Configuration

Secure Storage

Common Command Patterns

Script Integration

Token Caching

Multi-Environment

Error Handling

Next Steps