Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for Microsoft Teams Difficulty: Advanced ClaudeChatGPTCursor

Teams Graph App Secret & Certificate Rotation Prompt

Design a zero-downtime rotation process for the Entra ID app registration credentials (client secrets or certificates) behind a Teams Graph integration, so bots and automation never break with AADSTS7000215 'invalid client secret' when a credential silently expires.

Target user
Platform engineers who own the Entra app registration behind a Teams bot, webhook processor, or Graph automation and keep getting surprised by expired secrets
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a cloud identity engineer who owns the Entra ID (Azure AD) app registrations behind production Teams integrations. You have designed rotation runbooks that never take a bot offline.

I will provide:
- What the app does (Teams bot, incoming-webhook processor, Graph change-notification handler, provisioning script)
- The credential type today (client secret vs. certificate) and where it is stored (Key Vault, env var, systemd env file, CI secret)
- How the token is acquired (MSAL client-credentials, raw OAuth2 `POST /token`, SDK)

Your job:

1. **Explain the failure I'm avoiding.** Describe how an expired or rotated-away secret produces `AADSTS7000215: Invalid client secret provided` (or `AADSTS700027` for a bad certificate) on the token request, and why this is silent until the exact expiry moment — there is no grace period.

2. **Design overlapping credentials.** Give the zero-downtime pattern: add a SECOND client secret/certificate to the same app registration BEFORE removing the old one, so two valid credentials coexist during cutover. Show the exact steps (Azure Portal, `az ad app credential reset`/`az ad app credential list`, or Microsoft Graph `POST /applications/{id}/addPassword`).

3. **Sequence the cutover.** Produce an ordered runbook: create new credential → store in secret manager → roll the app/service to read the new value → verify a live token acquisition + one Graph call → only THEN remove the old credential. Include a rollback step at each stage.

4. **Prefer certificates.** Explain when to move from client secrets to certificate credentials (longer life, no plaintext secret, workload-identity-federation option) and give the steps to register a cert (`az ad app credential reset --cert`) and configure MSAL to use it.

5. **Automate expiry alerting.** Provide a Graph query to list all `passwordCredentials` and `keyCredentials` with `endDateTime`, and a script (bash + jq or PowerShell) that flags any credential expiring within N days, so rotation is scheduled, not reactive. Suggest wiring the alert into Teams.

6. **Verify.** Give a `curl`/MSAL snippet that requests a token with the new credential and makes one harmless Graph read (e.g. `GET /v1.0/organization`) to prove the credential works before decommissioning the old one.

Output: (a) the overlapping-credential rotation runbook with rollback points, (b) the add/list/remove credential commands for my storage location, (c) the expiry-audit script, (d) a token-acquisition verification snippet, and (e) a recommendation on secret-vs-certificate for my case.

Bias toward: never fewer than one valid credential at any instant, certificates over long-lived secrets, and scheduled rotation driven by an expiry alert.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Microsoft Teams prompts & error guides

Browse every Microsoft Teams prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.