This process generally involves updating the credentials (like secrets or certificates) used by applications to authenticate with Azure AD. Here's a guide on how to proceed and what to consider, especially given that you have a global Azure production environment running 24x7:
Procedure for Rotating KeyCredentials
1. Identify Affected Applications
- Determine which applications use the keyCredentials that need to be rotated. This could include applications that authenticate using Azure AD for various services.
2. Generate New Credentials
- Go to the Azure portal and navigate to the Azure Active Directory section.
- Find the application registration(s) affected.
- Under the "Certificates & secrets" tab, generate new client secrets or upload new certificates, as applicable.
- Note down the new credentials securely.
3. Update Applications with New Credentials
- Update the applications with the new credentials. This step will vary depending on how each application is configured.
- If possible, test the updated credentials in a staging or development environment before deploying them to production.
4. Monitor Applications Post-Update
- After updating the credentials in the applications, monitor them closely for any sign of issues or authentication failures.
Impact and Considerations
1. Minimizing Downtime
- Plan the update during a maintenance window or low-traffic period if possible, to minimize impact.
- Some modern applications can refresh their credentials without needing a restart, but this depends on how the application is designed.
2. Backup Old Credentials
- Keep the old credentials active while you make the transition to the new ones. This will allow for a fallback in case of any issues with the new credentials.
3. Communication
- Inform relevant stakeholders and teams about the planned changes and potential impacts.
4. Testing
- Ensure thorough testing in a non-production environment to validate that applications work correctly with the new credentials.
5. Rollback Plan
- Have a rollback plan in case you encounter unexpected issues during or after the update.
6. Documentation
- Update any documentation to reflect the changes made.
7. Compliance and Auditing
- Record the change for compliance and auditing purposes.
8. Removing Old Credentials
- Once you are confident that the new credentials are working as expected, remove the old credentials from Azure AD to maintain security.
References
- Manage certificates for federated single sign-on in Azure AD
- How to use client secrets and certificates in Azure AD apps
By carefully planning and executing this process, you can rotate the keyCredentials with minimal impact on your production environment.
Accept the answer if the information helped you. This will help us and others in the community as well.
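The overlap-then-remove sequence from steps 2 through 8 above (new key added while the old one stays active, verified, then the old one removed, with a rollback path), as an added Python illustration that is not part of the original answer. `FakeGraphClient`, `rotate_key`, the `verify` callback and the `old-key-0001`/`current-key-0002` sample records are constructed stand-ins for Microsoft Graph's addKey/removeKey actions; nothing here contacts Azure AD.

```python
import uuid
from datetime import datetime, timedelta, timezone


class FakeGraphClient:
    """Constructed stand-in for Graph addKey/removeKey on one application.
    Real addKey also needs a `proof` JWT signed with an existing certificate;
    nothing here talks to Azure AD, only the keyCredential shape is kept."""

    def __init__(self, key_credentials):
        self.keys = list(key_credentials)

    def list_keys(self):
        return list(self.keys)

    def add_key(self, display_name, end_date):
        key = {"keyId": str(uuid.uuid4()), "displayName": display_name,
               "endDateTime": end_date.isoformat()}
        self.keys.append(key)
        return key

    def remove_key(self, key_id):
        self.keys = [k for k in self.keys if k["keyId"] != key_id]


def keys_expiring_within(keys, now, days):
    """Step 1: credentials due for rotation (expiring within `days`)."""
    cutoff = now + timedelta(days=days)
    return [k for k in keys if datetime.fromisoformat(k["endDateTime"]) <= cutoff]


def rotate_key(client, old_key_id, verify, now, lifetime_days=365):
    """Add the new key while the old one stays active, verify the app can
    authenticate with it, then remove the old key. If the check fails the
    new key is removed and the old one remains (the rollback path)."""
    new_key = client.add_key("rotated-" + now.strftime("%Y%m%d"),
                             now + timedelta(days=lifetime_days))
    if not verify(new_key["keyId"]):
        client.remove_key(new_key["keyId"])
        return {"status": "rolled_back", "active": old_key_id}
    client.remove_key(old_key_id)
    return {"status": "rotated", "active": new_key["keyId"]}


# Constructed sample: one certificate 10 days from expiry, one with a year left.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"keyId": "old-key-0001", "displayName": "prod-cert-2023",
     "endDateTime": (NOW + timedelta(days=10)).isoformat()},
    {"keyId": "current-key-0002", "displayName": "prod-cert-2024",
     "endDateTime": (NOW + timedelta(days=365)).isoformat()},
]
```

The `verify` callback is where a real run would perform a token request with the new certificate (step 3's staging test); the old key is only deleted once that succeeds.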