Edit IAM Shop Settings for a Client Secret

As an application owner or delegated administrator, you can configure how a Microsoft Entra client secret appears in the IAM Shop, EmpowerID’s self-service interface. You can set the credential’s display name, visibility, category, and description using the Manage Credential Wizard.

This article walks you through the process for editing IAM Shop settings for a client secret.

What You’ll Need

Requirement	Description
Access to Resource Admin	You must be signed in to the EmpowerID Resource Admin portal.
Ownership or Delegation	You must be the owner or delegated administrator of the application that contains the client secret.

Steps to Edit IAM Shop Settings for a Client Secret

Step 1: Open the Application Overview Page

1. Log in to the Resource Admin portal.
2. In the Resource Type menu, select Applications and search for the Microsoft Entra application containing the client secret.
3. Click the Details button for the application.
   
   This opens the Overview page for the selected Azure application.
   

Step 2: Launch the Manage Credential Wizard

1. In the left application menu, click Client Secrets.
2. Locate the client secret you want to configure.
3. Click the gear icon on the secret and select Manage Credential Wizard.
   

Step 3: Select the Edit IAM Shop Settings Action

1. Under Select Options, choose Edit IAM Shop Settings.
   
2. Click Next.
   The wizard opens the Edit IAM Shop Settings for This Credential form.
   

Step 4: Configure IAM Shop Settings

This form allows you to manage IAM Shop access governance settings for the selected client secret, including how access is requested, who can request it, and who is pre-approved.

Access Request Policy

The Access Request Policy determines how access requests for this client secret are processed and approved.

To update the request policy:

1. Click the X next to the existing policy to remove it (if present).
2. Search for and select the appropriate policy that defines the access workflow for this secret.

Eligible Assignees

Eligible assignees can see and request the client secret in the IAM Shop. When they request access, their request is routed through the selected Access Request Policy.

To add eligible assignees:

1. Under Eligible Assignees, choose an assignee type from the Choose Type dropdown.
2. Search for and select the appropriate person, group, or role.
3. Click Add.
4. Repeat as needed.

To remove eligible assignees:

1. In the list of added assignees, locate the one you want to remove.
2. Toggle the Keep switch to Remove.

Eligible assignee types include:

• Person
• Group
• Set Group
• Management Role
• Management Role Definition
• Business Role and Location

Pre-Approved Assignees

Pre-approved assignees can access the secret without going through approval—they are automatically granted access upon request.

To add pre-approved assignees:

1. Under Pre-Approved Assignees, choose an assignee type from the Choose Type dropdown.
2. Search for and select the appropriate assignee.
3. Click Add.
4. Repeat to add additional users or roles as needed.

To remove pre-approved assignees:

1. Locate the assignee you want to remove in the table.
2. Toggle the Keep switch to Remove.

Pre-approved assignee types are the same as eligible assignees.

Suggested Assignees

Suggested assignees will see this secret highlighted as a recommended option in the IAM Shop. If they request access, it still follows the defined access request policy.

To add suggested assignees:

1. Under Suggested Assignees, choose an assignee type from the Choose Type dropdown.
2. Search for and select the desired user, group, or role.
3. Click Add.
4. Repeat to add others.

To remove suggested assignees:

1. Locate the record in the assignee table.
2. Toggle Keep to Remove.

Suggested assignee types match those used for eligible and pre-approved assignees.

Step 5: Review the Summary and Finish

1. Review the Operation Execution Summary confirming the changes.
2. Click Submit to continue.
3. On the Finish or Start Over Workflow screen, choose one of the following:
   • Manage the same credential(s)
   • Manage different credential(s)
   • Finish the workflow
     
4. Click Submit to complete your selection.

What Happens Next

• IAM Shop access governance settings for the client secret are updated.
• Eligible users can now see and request access to the secret.
• If any pre-approved or suggested assignees were added, those are now reflected in the IAM Shop.
• All updates are logged for audit purposes.