Migrating a MS Teams tenant from authenticating with a Client Secret to a Certificate

Created by Tim Kefford, Modified on Tue, 21 Jan at 3:29 PM by Tim Kefford

Note: This guide assumes that the App set up in Entra for morbit studio is used exclusively by morbit studio and is not shared with other solutions.

To migrate from client secret authentication to certificate authentication, you will need access to the following portals:

Additionally, you will need to download the required authentication certificate from here: certificate


During this migration, we will also remove the need for a service account to run the solution.


Reconfiguring the existing App in Microsoft Entra

(1) For further information on why we need certain API permissions, please read this document.

(2) These instructions will leave the previous permissions in place until the completion and validation of the migration.

 

Sign in to the Microsoft Entra Admin Center using administrative credentials.

As appropriate, you may use:

    • The tenant admin account.
    • A tenant user account with the Users can register applications setting enabled.
  1. Select Identity > Applications > App registrations
  2. Now select the App currently in use for Morbit Studio.
  3. Select API permissions.
  4. From the API permissions pane, choose Add a permission > Microsoft APIs > Microsoft Graph.
  5. Assign the additional rights for Type: Application
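
    | API / Permission Name        | Type        | Description                                                 | Admin Consent Required? |
    |------------------------------|-------------|-------------------------------------------------------------|-------------------------|
    | Presence.Read.All            | Application | Read presence information of all users in your organization | Yes                     |
    | TeamworkDevice.ReadWrite.All | Application | Read and write Teams devices                                | Yes                     |
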
  6. When finished, choose Add permissions to save your changes.
  7. Click the Grant admin consent for <your tenant name> button and confirm.
  8. Select Certificates & secrets from the left pane.
  9. Select the Certificates tab, then download the public certificate from the link above (if not done already).
  10. Click the Upload Certificate button, and select the certificate referenced in the last step.
  11. Load up morbit studio (https://studio.morbit.co.uk) and go to the Configuration page (via System).
  12. Navigate to your Organisation and click the relevant MS Teams tenant in the Microsoft Teams Tenants section.
  13. Update the General page with these settings:
    • Authentication Type: Certificate
    • Certificate: select the certificate MS Teams Graph Certificate 2025
  14. Click Save.
  15. If everything has been done correctly, the tenant listed in the Microsoft Teams Tenants section will keep its green status icon.

Removing the Client Secret & Delegated Permissions settings

Please only proceed with this section once you have successfully completed the instructions above.


Sign in to the Microsoft Entra Admin Center using administrative credentials.

As appropriate, you may use:

    • The tenant admin account.
    • A tenant user account with the Users can register applications setting enabled.
  1. Select Identity > Applications > App registrations
  2. Now select the App currently in use for Morbit Studio.
  3. Select API permissions.
  4. Remove all the Type: Delegated API permissions. 
    • First click the triple dots option on each and select Remove Permission
    • Once all permissions are removed, in the section Other permissions granted... click the option to Revoke admin consent.
  5. The list of permissions to be removed and revoked should be:

    | API / Permission Name        | Type      | Description                                                 |
    |------------------------------|-----------|-------------------------------------------------------------|
    | Presence.Read.All            | Delegated | Read presence information of all users in your organization |
    | Reports.Read.All             | Delegated | Read usage detail reports                                   |
    | Subscription.Read.All        | Delegated | Read all webhook subscriptions                              |
    | TeamworkDevice.ReadWrite.All | Delegated | Read and write Teams devices                                |

  6. The final list of allowed and consented permissions should look like this:
  7. Select the Certificates & Secrets menu, then click the Client secrets tab. Delete the listed secret(s).
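
A post-migration check, as an added example that is not part of the original guide or of morbit's or Microsoft's tooling: it inspects the app registration as returned by Microsoft Graph (GET /applications/{id}) and reports leftover client secrets, delegated permissions, or a missing or expired certificate. The sample object, its names and its permission GUIDs are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application object
# (GET /applications/{id}). Names and permission GUIDs are placeholders.
SAMPLE_APP = {
    "displayName": "example-teams-app",
    "keyCredentials": [{"displayName": "CN=example", "type": "AsymmetricX509Cert",
                        "usage": "Verify", "endDateTime": "2026-01-21T00:00:00Z"}],
    "passwordCredentials": [{"displayName": "old-secret",
                             "endDateTime": "2025-06-30T00:00:00Z"}],
    "requiredResourceAccess": [{
        "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph
        "resourceAccess": [
            {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
            {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"},
        ],
    }],
}

def _parse(ts):
    # Graph timestamps are UTC; drop fractional seconds and the trailing "Z".
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def audit_app(app, now=None):
    """Return findings; an empty list means the registration matches the guide."""
    now = now or datetime.now(timezone.utc)
    findings = []
    certs = [k for k in app.get("keyCredentials", [])
             if k.get("type") == "AsymmetricX509Cert"]
    if not any(_parse(k["endDateTime"]) > now for k in certs):
        findings.append("no unexpired certificate credential")
    for secret in app.get("passwordCredentials", []):
        findings.append(f"client secret still present: {secret.get('displayName')}")
    for res in app.get("requiredResourceAccess", []):
        for perm in res.get("resourceAccess", []):
            if perm.get("type") == "Scope":  # "Scope" = delegated, "Role" = application
                findings.append(f"delegated permission {perm['id']} on {res['resourceAppId']}")
    # Consent grants live on the service principal and are not checked here.
    return findings

if __name__ == "__main__":
    for finding in audit_app(SAMPLE_APP):
        print("FINDING:", finding)
```

Run it against the exported JSON of the real app registration after step 15 and again after the cleanup; the second run should return no findings.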

Removing the Service Account assigned to the solution

Note: This section is optional, as the service account might be used for other company requirements. Only delete it if you know it is unique to morbit studio.

Within your Microsoft Entra (or on-premises Active Directory) solution, navigate to your User management section and delete (or disable) the Service Account, as it is no longer needed.
