Overview
The Client Credentials authentication method is recommended for organizations that prefer non-interactive, service-based authentication. This method allows the Lucidity Assessment App to securely analyse metadata using an App Registration in Microsoft Entra ID (formerly Azure AD), without requiring any user sign-in.
During setup, the customer registers the Lucidity Assessment App in their Azure AD tenant and provides the Client ID, Tenant ID, and Client Secret generated during registration. The app then uses these details to obtain a short-lived access token directly from Microsoft Entra ID, enabling it to query Azure APIs securely under the permissions defined in the associated RBAC role.
This approach gives fully automated, non-interactive operation at runtime, with no user sign-in or user credentials involved, which makes it well suited to environments where user-based authentication is restricted or where assessment permissions need to be modified.
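How the client credentials flow described above works under the hood, as an added example (not Lucidity's own code): the token request to the Microsoft Entra ID v2.0 token endpoint, and a check that the returned short-lived token was issued for the expected tenant and app registration with Azure Resource Manager as its audience before it is used against Azure APIs. The tenant and client IDs are placeholders, and the token response is constructed so the example runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request
ARM_SCOPE = "https://management.azure.com/.default"  # v2.0 scope for Azure Resource Manager
ARM_AUDIENCES = ("https://management.azure.com", "https://management.azure.com/")

def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body of the client_credentials grant at the Entra ID v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": ARM_SCOPE}).encode()
    return url, body

def request_token(tenant_id, client_id, client_secret):
    """Perform the grant (needs network access to Entra ID); returns the JSON token response."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def decode_claims(access_token):
    """Read the JWT payload without signature verification: inspection only, Azure verifies it."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_token(token_json, expected_tenant, expected_client):
    """List the ways the token differs from what the app asked for; empty means it matches."""
    claims = decode_claims(token_json["access_token"])
    problems = []
    if claims.get("aud") not in ARM_AUDIENCES:
        problems.append("audience is not Azure Resource Manager")
    if claims.get("tid") != expected_tenant:
        problems.append("issued for a different tenant")
    if (claims.get("appid") or claims.get("azp")) != expected_client:  # appid (v1) / azp (v2)
        problems.append("issued to a different app registration")
    if int(token_json.get("expires_in", 0)) > 24 * 3600:
        problems.append("lifetime is longer than a short-lived token should have")
    return problems

def make_unsigned_token(claims):
    """Constructed, unsigned JWT for offline demonstration only; never accept one in production."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."

SAMPLE_TENANT = "00000000-0000-0000-0000-0000000000aa"  # placeholder, not a real tenant ID
SAMPLE_CLIENT = "00000000-0000-0000-0000-0000000000bb"  # placeholder, not a real app (client) ID
SAMPLE_RESPONSE = {"token_type": "Bearer", "expires_in": "3599", "access_token": make_unsigned_token(
    {"aud": ARM_AUDIENCES[1], "tid": SAMPLE_TENANT, "appid": SAMPLE_CLIENT, "ver": "1.0"})}
```

Calling request_token(tenant, client_id, secret) and passing the result to check_token before any Azure API call is the pattern a service-based app should follow; the sample response stands in for the real reply.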
Step 1: Creating App Registration
To use the Client Credentials authentication method, an App Registration must be created in your Azure AD (Microsoft Entra ID) tenant along with Custom Roles and Role Assignment.
Note
You must have the Application Administrator or Application Developer role in Microsoft Entra ID to create an App Registration, and the Owner role on the subscription to create the custom role and role assignments.
There are 2 ways to create the App Registration:
Automated App Registration Creation
Lucidity provides a client credential generation script that automates the manual Azure Portal steps described below. Running the command below creates the client credentials, custom role and role assignments. Replace <app_name> and <space separated subscription list> with your own values:
curl -O https://lucidity-assessment-public-scripts.s3.ap-south-1.amazonaws.com/azure/client-credential-generation.zip && \
unzip client-credential-generation.zip && \
chmod +x client-credentials-generation.sh && \
./client-credentials-generation.sh <app_name> <space separated subscription list>

Alternatively, run the following for Essential Permissions mode (pass the -m parameter):

curl -O https://lucidity-assessment-public-scripts.s3.ap-south-1.amazonaws.com/azure/client-credential-generation.zip && \
unzip client-credential-generation.zip && \
chmod +x client-credentials-generation.sh && \
./client-credentials-generation.sh -m <app_name> <space separated subscription list>

Lastly, you may choose to create the role assignments at Management Group scope; in that case run a command like the one below (pass the -mg parameter):

curl -O https://lucidity-assessment-public-scripts.s3.ap-south-1.amazonaws.com/azure/client-credential-generation.zip && \
unzip client-credential-generation.zip && \
chmod +x client-credentials-generation.sh && \
./client-credentials-generation.sh [-m] <app_name> -mg <space separated management group list>

Once the script completes successfully, copy its output and proceed to “Step 2” later in this guide.
Azure Portal Based Manual Steps
To create the App Registration using the Azure Portal, there are 4 major steps:
Step A: App Registration Creation
Search for Azure Active Directory in the search box and click on it.
On the left panel, click on App Registrations.
On the App Registrations page, click on “New Registration” at the top.
Add a registration name, select the account type as Any organizational directory and click on Register.
Step B: Client Secret Creation for App Registration
After registering the application, click on Certificates & secrets under the Manage section on the left panel.
Click on New client secret, add the secret name and choose an expiration date (for example, a few days). Once done, click on the Add button.
Once the client secret has been created, copy and save the “Secret value” and the App Registration name safely for later use.
Client secret values cannot be viewed except immediately after creation. Be sure to save the secret when it is created, before leaving the page.
Step C: Custom Role Creation on each Subscription
Go to the home page, search for “Subscriptions” and click on it.
Click the subscription name in your account. If there are multiple subscriptions, repeat the steps from here onward for each subscription.
Click Access control (IAM). Click on “Add” at the top. From the drop-down menu under “Add”, choose “Add custom role”.
On the “Basics” tab, enter a “Custom role name” and “Description”, set “Baseline permissions” to the “Start from scratch” radio button and click “Next”.
Select the Assignable scopes tab and select the current subscription as the scope.
Select the JSON tab and click Edit.
Replace the permissions block with the Lucidity-provided permissions and save it.
Select the Review + Create tab. Click on Create.
Step D: Role Assignment on each Subscription
On the “Access control (IAM)” home page, click on the “Role assignments” tab at the top of this window. Under “Role assignments”, click the “Add” button and select “Add role assignment”.
Select the created role: search for the role created in the previous steps and click on it so that it is selected. Click on “Next”.
On the Members tab, click on “+ Select members”. On the “Select members” pane on the right-hand side, search for the app name that you gave during app registration, select the app and click “Next”.
Once done, click on the Review + assign button.
Step 2: Choose Authentication Method
Once the App Registration has been created, choose Client Credentials as the authentication method.
Step 3: Provide Tenant ID
Enter the Azure Tenant ID on which you wish to run the Assessment. You can retrieve the Tenant ID directly from the Azure Portal:
Sign in to the Azure Portal.
In the left-hand navigation menu, click Microsoft Entra ID (or search for “Microsoft Entra ID” in the search bar).
On the Overview page, you’ll see your Tenant ID (Directory ID) displayed under Basic Information.
Click the copy icon next to the Tenant ID to copy it to your clipboard and enter it in the Lucidity Assessment App.
Step 4: Enter Client ID and Secret Key
Enter the Client ID (also called the Application ID) and the Secret Key (the Client Secret value) for the App Registration created earlier.
Step 5: Input Company Name or Workload Identifier [on Desktop App Only]
Enter your Company Name or a meaningful identifier representing the workload or environment under assessment (for example: Finance-Prod, ECommerce-West). This helps Lucidity organize and tag your assessment data for reporting.
Step 6: Select Subscriptions to Run Assessment
You may choose to run the Assessment on either all the available subscriptions under this tenant (recommended) or a few selected subscriptions that you enter manually.
Note
Include at least your top 5 highest-spend subscriptions, or those contributing to ~80% of your cloud costs, for a comprehensive optimization view.
Step 7: Optionally Modify Assessment Scope
Optionally, modify the Assessment Scope to choose between Comprehensive Permission Mode and Essential Permission Mode.
Step 8: Initiate Assessment and Authenticate
Keep the checkboxes at their defaults to allow auto-upload of assessment reports, then click Initiate Assessment. In the Dashboard App, these are checked by default.
Once permission verification completes, the assessment starts.
Once all the VMs have been processed, the Assessment report will be uploaded to Lucidity. The insights from the Assessment will be made available on the Lucidity Assessment Dashboard once the report has been processed.
Step 9: Upload Assessment Results to Lucidity [Optional]
For a Desktop Application based Assessment, you might choose not to share metadata at the time of initiating the assessment. If so, you can zip the contents of the Lucidity_Assessment folder where the Assessment App was started and share it with Lucidity by mail, or through the Lucidity Assessment Dashboard by clicking Upload Assessment.
Note
Currently, the maximum file size that can be uploaded automatically via the app is 1000 MB. If the size of the generated zip file is greater than 1000 MB, please reach out to us and we will share a secure S3 location where the file can be uploaded.