Edit IAM Shop Settings for a Client Certificate
As an application owner or delegated administrator, you can configure how a Microsoft Entra client certificate appears in the IAM Shop, EmpowerID’s self-service interface. You can set the credential’s display name, visibility, category, and access governance using the Manage Credential Wizard.
This article walks you through the process for editing IAM Shop settings for a client certificate.
What You’ll Need
| Requirement | Description |
|---|---|
| Access to Resource Admin | You must be signed in to the EmpowerID Resource Admin portal. |
| Ownership or Delegation | You must be the owner or delegated administrator of the application that contains the client certificate. |
Steps to Edit IAM Shop Settings for a Client Certificate
Step 1: Open the Application Overview Page
- Log in to the Resource Admin portal.
- In the Resource Type menu, select Applications and search for the Microsoft Entra application containing the client certificate.
- Click the Details button for the application. This opens the Overview page for the selected Azure application.
Step 2: Launch the Manage Credential Wizard
- In the left application menu, click Client Certificates.
- Locate the client certificate you want to configure.
- Click the gear icon on the certificate and select Manage Credential Wizard.
📸 (Update screenshot here to reflect certificates context if needed)
Step 3: Select the Edit IAM Shop Settings Action
- Under Select Options, choose Edit IAM Shop Settings.
- Click Next.
The wizard opens the Edit IAM Shop Settings for This Credential form.
Step 4: Configure IAM Shop Settings
This form allows you to manage IAM Shop access governance settings for the selected client certificate, including how access is requested, who can request it, and who is pre-approved.
Access Request Policy
The Access Request Policy determines how access requests for this client certificate are processed and approved.
To update the request policy:
- Click the X next to the existing policy to remove it (if present).
- Search for and select the appropriate policy that defines the access workflow for this certificate.
Eligible Assignees
Eligible assignees can see and request the client certificate in the IAM Shop. When they request access, their request is routed through the selected Access Request Policy.
To add eligible assignees:
- Under Eligible Assignees, choose an assignee type from the Choose Type dropdown.
- Search for and select the appropriate person, group, or role.
- Click Add.
- Repeat as needed.
To remove eligible assignees:
- In the list of added assignees, locate the one you want to remove.
- Toggle the Keep switch to Remove.
Eligible assignee types include:
- Person
- Group
- Set Group
- Management Role
- Management Role Definition
- Business Role and Location
Pre-Approved Assignees
Pre-approved assignees can access the certificate without going through approval—they are automatically granted access upon request.
To add pre-approved assignees:
- Under Pre-Approved Assignees, choose an assignee type from the Choose Type dropdown.
- Search for and select the appropriate assignee.
- Click Add.
- Repeat to add additional users or roles as needed.
To remove pre-approved assignees:
- Locate the assignee you want to remove in the table.
- Toggle the Keep switch to Remove.
Pre-approved assignee types are the same as eligible assignees.
Suggested Assignees
Suggested assignees will see this certificate highlighted as a recommended option in the IAM Shop. If they request access, it still follows the defined access request policy.
To add suggested assignees:
- Under Suggested Assignees, choose an assignee type from the Choose Type dropdown.
- Search for and select the desired user, group, or role.
- Click Add.
- Repeat to add others.
To remove suggested assignees:
- Locate the record in the assignee table.
- Toggle Keep to Remove.
Suggested assignee types match those used for eligible and pre-approved assignees.