I have several questions around key credentials.
- In the example here https://github.com/microsoftgraph/msgraph-bicep-types/blob/main/quickstart-templates/application-serviceprincipal-create-client-resource/main.bicep the cert key is passed as a secure value. If I understand correctly, we are passing the public key, and later this public key is visible in plain text in the manifest of the app. If that is the case, why does it need to be passed as a secret when everything is later visible in plain text?
- What are the available values for the usage property? When you enter a wrong value, the API returns that Verify and Sign are acceptable values, but in some of the Learn docs (https://docs.azure.cn/en-us/entra/identity/enterprise-apps/howto-saml-token-encryption?tabs=azure-portal) I have seen that there are other acceptable values, e.g. Encrypt. Where can we get information on all acceptable values for this property? Additionally, the doc here https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/new-entraapplicationkeycredential?view=entra-powershell mentions that "for AsymmetricX509Cert the usage must be Verify and for X509CertAndPassword the usage must be Sign". Are there certain values that are acceptable for one type and others for another type?
- What are the available values for the type property? The schema mentions Symmetric and AsymmetricX509Cert, but the doc https://learn.microsoft.com/en-us/powershell/module/microsoft.entra/new-entraapplicationkeycredential?view=entra-powershell also mentions X509CertAndPassword and does not mention Symmetric. Can we get all acceptable values and their different purposes?
- Is it possible to get the value of a Key Vault certificate without using a PS script in a deployment script? In this example here https://github.com/microsoftgraph/msgraph-bicep-types/blob/main/quickstart-templates/create-client-app-sp-with-kv-cert/main.bicep a deployment script is used to get the value needed for the key property. I would assume that we do not have the right Bicep functions to be able to get the correct format of the value. In that case, shouldn't we have such functions available, or maybe, in addition to the certificate object in the Key Vault, we should have a secret object where we have extracted the correct value (with PS, for example) from the certificate and stored it. That way we can use the .getSecret() function instead of having to use a deployment script? Note that the output of the deployment script is in plain text, which connects to the first question.
Maybe some of my questions are dumb, but that is due to my limited knowledge of Entra.
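As an added illustration for the first and fourth questions (this is editor-supplied example code, not part of the issue and not from the msgraph-bicep-types project), the script below builds a throwaway self-signed certificate with .NET and shows what the public-half value that goes into a keyCredential `key` property looks like, and that re-loading that value yields a certificate with no private key. It assumes PowerShell 7 (cross-platform .NET `CertificateRequest`), and the `customKeyIdentifier` = thumbprint bytes mapping is a common convention, not something required by the schema; the subject name is made up.

```powershell
# Added example: map the PUBLIC half of a certificate onto the Graph keyCredential shape.
# The 'key' value is the base64 DER of the certificate, which carries no private key;
# the artifact that actually needs protecting is the PFX / private key, not this value.

# Throwaway self-signed certificate (constructed locally; subject name is made up)
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=example-client-app',
    $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now  = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($now, $now.AddYears(1))   # this object DOES hold the private key

# Export ONLY the certificate (public key + metadata), i.e. X509ContentType.Cert, not Pfx
$publicDer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Shape of a keyCredential entry for a certificate used to verify client assertions
$keyCredential = [ordered]@{
    type                = 'AsymmetricX509Cert'
    usage               = 'Verify'
    key                 = [Convert]::ToBase64String($publicDer)
    customKeyIdentifier = [Convert]::ToBase64String($cert.GetCertHash())  # SHA-1 thumbprint bytes (convention, assumed)
    displayName         = $cert.Subject
    startDateTime       = $cert.NotBefore.ToUniversalTime().ToString('o')
    endDateTime         = $cert.NotAfter.ToUniversalTime().ToString('o')
}
$keyCredential | ConvertTo-Json

# Check: a certificate rebuilt from the exported 'key' bytes has no private key,
# so exposing this value in the app manifest discloses nothing secret.
$reloaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($publicDer)
"Private key present in exported 'key' value: $($reloaded.HasPrivateKey)"   # False
"Private key present in original object:     $($cert.HasPrivateKey)"        # True
```

Run it in PowerShell 7 with no Azure modules required; the JSON it prints has the same property names as the keyCredentials entries in the linked Bicep quickstarts, so it can be compared directly against what a deployment script outputs.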