Override single map value from terraform apply command line

In our provisioning we sometimes need Azure AD app registration values.
One of those values is the client secret.
Obviously we don’t want this value to be in the tfvars file, so we inject it during our CI/CD process.
So far we have been using a single variable to contain this client secret, because it can easily be overridden during terraform apply.
However, this results in Azure AD configuration being spread across two variables, the map (with tenant-id, application-id) and the single variable (client secret).

So it would be cleaner to have all of that in the same map variable, so I’ve defined:

variable "azure_ad_config" {
  type = map(string)
}

and in my env tfvar I have:

azure_ad_config = {
  application_id     = "xxxxxxx"
  application_secret = "replaced-by-ci-cd"
}

This means, however, that we need to override this single map value, containing the client secret, during terraform apply.
I was thinking about this, but that doesn’t work:

terraform apply -var-file=env.tfvars -var=azure_ad_config={"application_secret":"abc"}

How do I do that?

Terraform v1.2.3
azurerm v3.10.0
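
An added example, not part of the original post: a value given for a map variable with -var replaces the whole map from -var-file rather than merging into it, so one way to still end up with a single map is to inject the secret as its own sensitive variable and combine the two in a local. The names azure_ad_application_secret and local.azure_ad_config are assumptions made for this sketch.

```hcl
# Added example. Only azure_ad_config comes from the post; the other
# names are hypothetical.

# Non-secret settings (application_id, tenant id, ...) stay in env.tfvars.
variable "azure_ad_config" {
  type = map(string)
}

# The client secret is supplied only by the pipeline, for example through
# the environment variable TF_VAR_azure_ad_application_secret, so it is
# never written to a tfvars file or passed on the command line.
variable "azure_ad_application_secret" {
  type      = string
  sensitive = true # redacted in plan and apply output

  validation {
    condition     = length(var.azure_ad_application_secret) > 0
    error_message = "The Azure AD client secret must be injected by CI/CD."
  }
}

locals {
  # merge() gives later arguments precedence, so the injected secret
  # overrides any placeholder application_secret key left in the tfvars map.
  azure_ad_config = merge(
    var.azure_ad_config,
    { application_secret = var.azure_ad_application_secret },
  )
}
```

Resources and modules then read local.azure_ad_config instead of var.azure_ad_config, and the placeholder entry can be dropped from env.tfvars.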