I chose Workload Identity in the Authentication Type dropdown. Then the new service principal was automatically created with a federated credential instead of a client secret. It worked well for me.