Managing Profiles link

Authentication profiles store your configuration for connecting to Microsoft Entra ID. Learn how to create, view, edit, and delete profiles.

Quick Reference link

Creating Profiles link

Interactive Creation link

The easiest way to create a profile:

1

entratool config create

Prompts:

1. Profile name: Unique identifier
2. Client ID: From app registration
3. Tenant ID: Your Azure AD tenant
4. Authentication method: Secret or Certificate
5. Scope: API permissions
6. OAuth2 flow: (Optional) Default flow

Example session:

Profile name: my-graph-app
Client ID: 12345678-1234-1234-1234-123456789abc
Tenant ID: 87654321-4321-4321-4321-cba987654321
Authentication method:
  1. Client Secret
  2. Certificate
Select: 1
Client secret: ********************************
Scope: https://graph.microsoft.com/.default
Set default OAuth2 flow? (y/n): y
OAuth2 flow:
  1. ClientCredentials
  2. AuthorizationCode
  3. DeviceCode
  4. InteractiveBrowser
Select: 1

✓ Profile 'my-graph-app' created successfully

Detailed guide →

Listing Profiles link

View All Profiles link

1

entratool config list

Output:

Available profiles:

1. my-graph-app
   Client ID: 12345678-1234-1234-1234-123456789abc
   Tenant ID: 87654321-4321-4321-4321-cba987654321
   Scope: https://graph.microsoft.com/.default
   Flow: ClientCredentials

2. personal-graph
   Client ID: abcdef12-3456-7890-abcd-ef1234567890
   Tenant ID: common
   Scope: https://graph.microsoft.com/User.Read
   Flow: InteractiveBrowser

JSON Output link

1

entratool config list --json

Output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
  "profiles": [
    {
      "name": "my-graph-app",
      "clientId": "12345678-1234-1234-1234-123456789abc",
      "tenantId": "87654321-4321-4321-4321-cba987654321",
      "scope": "https://graph.microsoft.com/.default",
      "flow": "ClientCredentials",
      "useClientSecret": true
    }
  ]
}

Detailed guide →

Editing Profiles link

Interactive Edit link

1

entratool config edit -p my-graph-app

Select what to edit:

What would you like to edit?
  1. Client ID
  2. Tenant ID
  3. Client Secret
  4. Scope
  5. OAuth2 Flow
  6. Authority URL
  q. Done

Select: 4
Current scope: https://graph.microsoft.com/.default
New scope: https://graph.microsoft.com/User.Read Mail.Read

✓ Profile 'my-graph-app' updated

Common Edits link

Rotate client secret:

1
2
3

entratool config edit -p my-graph-app
# Select: Client Secret
# Enter new secret

Change scope:

1
2
3

entratool config edit -p my-graph-app
# Select: Scope
# Enter: new-scope

Switch authentication method:

1
2
3
4

entratool config edit -p my-graph-app
# Select: Authentication Method
# Choose: Certificate
# Enter certificate path and password

Detailed guide →

Deleting Profiles link

Delete Single Profile link

1

entratool config delete -p my-graph-app

Confirmation prompt:

Are you sure you want to delete profile 'my-graph-app'? (y/n): y
✓ Profile deleted successfully

What gets deleted:

• Profile configuration from profiles.json
• Associated secrets from secure storage

Delete with Force link

Skip confirmation:

1

entratool config delete -p my-graph-app --force

⚠️ Warning: This is permanent. Secrets cannot be recovered.

Detailed guide →

Exporting Profiles link

Export for Backup link

Export profile configuration (without secrets):

1

entratool config export -p my-graph-app -o my-profile.json

Output file:

1
2
3
4
5
6
7
8
9

{
  "name": "my-graph-app",
  "clientId": "12345678-1234-1234-1234-123456789abc",
  "tenantId": "87654321-4321-4321-4321-cba987654321",
  "scope": "https://graph.microsoft.com/.default",
  "flow": "ClientCredentials",
  "useClientSecret": true
  // Note: clientSecret is NOT included
}

Export All Profiles link

1

entratool config export -o all-profiles.json

Security Note link

Detailed guide →

Importing Profiles link

Import Single Profile link

1

entratool config import -f my-profile.json

Post-import:

✓ Profile 'my-graph-app' imported successfully
⚠ You must set the client secret:
  entratool config edit -p my-graph-app

Import with Merge link

If a profile with the same name exists:

Profile 'my-graph-app' already exists.
  1. Skip
  2. Overwrite
  3. Rename (import as 'my-graph-app-2')
Select:

Batch Import link

Import multiple profiles:

1

entratool config import -f team-profiles.json

team-profiles.json:

1
2
3
4
5
6

{
  "profiles": [
    { "name": "profile1", "clientId": "...", ... },
    { "name": "profile2", "clientId": "...", ... }
  ]
}

Detailed guide →

Profile Storage link

Storage Location link

File: ~/.entratool/profiles.json

Platforms:

• Windows: %USERPROFILE%\.entratool\profiles.json
• macOS/Linux: ~/.entratool/profiles.json

What’s Stored link

In profiles.json (plaintext):

• Profile name
• Client ID
• Tenant ID
• Scope
• OAuth2 flow preference
• Authority URL
• Certificate path

In secure storage (encrypted):

• Client secrets
• Certificate passwords

Manual Editing link

You can manually edit profiles.json:

1
2
3
4
5

# macOS/Linux
nano ~/.entratool/profiles.json

# Windows
notepad %USERPROFILE%\.entratool\profiles.json

Example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

{
  "profiles": [
    {
      "name": "my-profile",
      "clientId": "12345678-1234-1234-1234-123456789abc",
      "tenantId": "87654321-4321-4321-4321-cba987654321",
      "scope": "https://graph.microsoft.com/.default",
      "flow": "ClientCredentials",
      "useClientSecret": true
    }
  ]
}

⚠️ Be careful: Invalid JSON will break profile loading.

Common Workflows link

Scenario: Team Onboarding link

Share profiles with new team members:

1. Export profiles (without secrets):

   1	entratool config export -o team-profiles.json

2. Share team-profiles.json via secure channel

3. Team member imports:

   1	entratool config import -f team-profiles.json

4. Securely share secrets (use Azure Key Vault or password manager)

5. Team member adds secrets:

   1 2	entratool config edit -p profile1 # Add client secret

Scenario: Environment Migration link

Move profiles from dev to prod machine:

1. Export from dev:

   1	entratool config export -p prod-profile -o prod.json

2. Transfer file securely (SCP, encrypted USB, etc.)

3. Import on prod:

   1	entratool config import -f prod.json

4. Add production secret:

   1	entratool config edit -p prod-profile

Scenario: Secret Rotation link

Rotate client secret after compromise:

1. Generate new secret in Azure Portal
2. Update profile:

   1 2 3

   entratool config edit -p compromised-profile # Select: Client Secret # Enter: new-secret

3. Test:

   1	entratool get-token -p compromised-profile

4. Delete old secret from Azure Portal

Best Practices link

✅ Naming Conventions link

Use descriptive, hierarchical names:

1
2
3
4
5
6
7
8
9

# Good
company-graph-prod
company-graph-dev
project-api-staging

# Avoid
profile1
test
myprofile

✅ Organize by Environment link

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# Production
prod-graph-api
prod-azure-management

# Staging
staging-graph-api
staging-azure-management

# Development
dev-graph-api
dev-azure-management

✅ Separate Concerns link

Create profiles for different purposes:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Read-only operations
readonly-graph-profile

# Write operations
admin-graph-profile

# Different APIs
profile-graph
profile-azure
profile-custom-api

✅ Regular Maintenance link

• Review profiles monthly
• Delete unused profiles
• Rotate secrets quarterly
• Update scopes as needed

❌ Avoid link

• ❌ Sharing profiles via email
• ❌ Committing profiles to git
• ❌ Using the same profile for dev and prod
• ❌ Storing secrets in plaintext
• ❌ Reusing secrets across profiles

Troubleshooting link

“Profile not found” link

Cause: Profile name doesn’t exist

Fix:

1
2
3
4
5

# List available profiles
entratool config list

# Use correct name
entratool get-token -p correct-profile-name

“Profile already exists” link

Cause: Creating profile with duplicate name

Fix:

1
2
3
4
5
6

# Option 1: Delete existing
entratool config delete -p duplicate-name

# Option 2: Use different name
entratool config create
# Enter: duplicate-name-2

“Invalid profile configuration” link

Cause: Corrupted profiles.json

Fix:

1
2
3
4
5
6
7

# Backup current file
cp ~/.entratool/profiles.json ~/.entratool/profiles.json.bak

# Validate JSON
cat ~/.entratool/profiles.json | jq

# Fix syntax errors or restore from backup

“Cannot access secure storage” link

Cause: Platform secure storage unavailable

Fix:

• Windows: Ensure user profile is not corrupted
• macOS: Unlock Keychain
• Linux: Check file permissions on ~/.entratool/

Next Steps link

• Creating Profiles (Detailed)
• Generating Tokens
• Certificate Authentication
• Security Best Practices