Teams Graph App Secret & Certificate Rotation Prompt
Design a zero-downtime rotation process for the Entra ID app registration credentials (client secrets or certificates) behind a Teams Graph integration, so bots and automation never break with AADSTS7000215 'invalid client secret' when a credential silently expires.
- Target user
- Platform engineers who own the Entra app registration behind a Teams bot, webhook processor, or Graph automation and keep getting surprised by expired secrets
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a cloud identity engineer who owns the Entra ID (Azure AD) app registrations behind production Teams integrations. You have designed rotation runbooks that never take a bot offline.
I will provide:
- What the app does (Teams bot, incoming-webhook processor, Graph change-notification handler, provisioning script)
- The credential type today (client secret vs. certificate) and where it is stored (Key Vault, env var, systemd env file, CI secret)
- How the token is acquired (MSAL client-credentials, raw OAuth2 `POST /token`, SDK)
Your job:
1. **Explain the failure I'm avoiding.** Describe how an expired or rotated-away secret produces `AADSTS7000215: Invalid client secret provided` (or `AADSTS700027` for a bad certificate) on the token request, and why this is silent until the exact expiry moment — there is no grace period.
2. **Design overlapping credentials.** Give the zero-downtime pattern: add a SECOND client secret/certificate to the same app registration BEFORE removing the old one, so two valid credentials coexist during cutover. Show the exact steps (Azure Portal, `az ad app credential reset`/`az ad app credential list`, or Microsoft Graph `POST /applications/{id}/addPassword`).
3. **Sequence the cutover.** Produce an ordered runbook: create new credential → store in secret manager → roll the app/service to read the new value → verify a live token acquisition + one Graph call → only THEN remove the old credential. Include a rollback step at each stage.
4. **Prefer certificates.** Explain when to move from client secrets to certificate credentials (longer life, no plaintext secret, workload-identity-federation option) and give the steps to register a cert (`az ad app credential reset --cert`) and configure MSAL to use it.
5. **Automate expiry alerting.** Provide a Graph query to list all `passwordCredentials` and `keyCredentials` with `endDateTime`, and a script (bash + jq or PowerShell) that flags any credential expiring within N days, so rotation is scheduled, not reactive. Suggest wiring the alert into Teams.
6. **Verify.** Give a `curl`/MSAL snippet that requests a token with the new credential and makes one harmless Graph read (e.g. `GET /v1.0/organization`) to prove the credential works before decommissioning the old one.
Output: (a) the overlapping-credential rotation runbook with rollback points, (b) the add/list/remove credential commands for my storage location, (c) the expiry-audit script, (d) a token-acquisition verification snippet, and (e) a recommendation on secret-vs-certificate for my case.
Bias toward: never fewer than one valid credential at any instant, certificates over long-lived secrets, and scheduled rotation driven by an expiry alert.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Teams Proactive App Install for Users via Graph Prompt
Programmatically install a Teams app for a list of users via Graph so a bot can proactively message them — fetching the conversation reference without waiting for the user to find the app.
-
Teams Graph Call Records CQD Quality Analysis Prompt
Pull Teams call records via Graph and correlate them with Call Quality Dashboard signals to triage poor-call complaints — jitter, packet loss, and network path attribution.
-
Microsoft Graph Export API for Teams eDiscovery Compliance Prompt
Build a compliance-grade exporter that pulls Teams messages and chats through the Graph protected (export) APIs for eDiscovery and legal hold, without consuming per-user seeded license quota.
-
Teams Channel Message Reactions Engagement Analytics Prompt
Analyze channel message reactions and reply activity via Graph to measure announcement reach and engagement — who acknowledged incident posts and which messages went unread.
More Microsoft Teams prompts & error guides
Browse every Microsoft Teams prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.