Advisory Case: Impact of Deleting Expired Secrets on Azure App Proxy Application

Thangaraj Lakshmanan 185 Reputation points
2024-08-22T11:53:06.68+00:00

Hi Team,

Good day!

I hope this message finds you well.

I am writing to seek your guidance regarding the management of secrets for our Azure App Proxy applications on Entra ID.

Issue Statement: We would like to understand if there is any impact on deleting expired secrets associated with our Azure App Proxy applications.

Insights:

  • We have published one or more OnPrem applications via Azure App Proxy.
  • As per Microsoft documentation, App Proxy application secrets should not be deleted.
  • Additionally, the App Proxy secret (CWAP_AuthSecret) is automatically created before expiration.

Now, the ask here is:

  • In our existing App Proxy applications, we have observed that some applications have multiple secrets (CWAP_AuthSecret), such as 2 expired and 1 active, or 2 active and 1 expired. When we fetch App Proxy secrets details via a PowerShell script, the report includes expired secrets.
  • Will deleting the expired secrets (CWAP_AuthSecret) impact authentication or cause service disruption to the business? If yes, could you please explain the rationale behind retaining expired secrets?
  • For applications with more than 2 valid secrets (CWAP_AuthSecret), which secret is used for authentication, and how can we confirm this?

We appreciate your assistance in clarifying these points to ensure the smooth operation of our applications.

Thank you for your support.

Regards,

Lakshmanan


Accepted answer
  1. Raja Pothuraju 5,345 Reputation points Microsoft Vendor
    2024-08-26T05:50:24.7466667+00:00

    Hello @Thangaraj Lakshmanan,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you want to know about the impact of deleting expired secrets on an Azure App Proxy Application. Please find the answers to your questions below:

    In our existing App Proxy applications, we have observed that some applications have multiple secrets (CWAP_AuthSecret), such as 2 expired and 1 active, or 2 active and 1 expired. When we fetch App Proxy secrets details via a PowerShell script, the report includes expired secrets.

    Having multiple secrets for an existing Azure App Proxy is expected. The CWAP_AuthSecret is required for AAD pre-authentication to function properly.

    Will deleting the expired secrets (CWAP_AuthSecret) impact authentication or cause service disruption to the business? If yes, could you please explain the rationale behind retaining expired secrets?

    The CWAP_AuthSecret is valid for one year, and a new client secret is automatically created before the current one expires (approximately 90 days prior). You cannot manually enforce client secret rotation.

    Only the last three created CWAP_AuthSecrets (valid and expired) are kept in the configuration.

    If a CWAP_AuthSecret is deleted, pre-authentication will break, and users will encounter the following error page:

    InternalServerError "This corporate app can't be accessed right now. Please try again later. Client request encountered an internal server error."

    For applications with more than 2 valid secrets (CWAP_AuthSecret), which secret is used for authentication, and how can we confirm this?

    When a CWAP_AuthSecret is set to expire within 90 days, a new client secret is automatically created and marked as active. This is why you may see two valid client secrets. The system will use the first client secret until it expires, after which it will automatically switch to the newly created client secret.

    Please refer to the FAQ entry below for more information:

    What happens if I delete CWAP_AuthSecret (the client secret) in the app registration?

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Thanks,
    Raja Pothuraju.

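The rotation rules in the accepted answer (one-year validity, a successor created about 90 days before expiry, the earliest-expiring valid secret in use, at most three kept) can be checked with a read-only audit instead of deleting anything. The script below is an added example, not code from the question, the answer, or Microsoft; it assumes the Microsoft.Graph.Applications module is installed, that the signed-in account holds Application.Read.All, and that the credential display name is exactly CWAP_AuthSecret (as shown in the thread).

```powershell
# Added example: report CWAP_AuthSecret credentials per App Proxy app registration.
# Read-only: it lists and classifies secrets, it never removes one.
# Assumptions: Microsoft.Graph.Applications module present; Application.Read.All granted.
Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"

$now = (Get-Date).ToUniversalTime()
$renewalWindowDays = 90   # per the answer, a successor appears ~90 days before expiry

$report = foreach ($app in Get-MgApplication -All -Property "Id,DisplayName,AppId,PasswordCredentials") {
    # Only App Proxy registrations carry a CWAP_AuthSecret credential (client-side filter;
    # Graph $filter does not support filtering on passwordCredentials/displayName).
    $cwap = @($app.PasswordCredentials | Where-Object { $_.DisplayName -eq 'CWAP_AuthSecret' })
    if ($cwap.Count -eq 0) { continue }

    $valid   = @($cwap | Where-Object { $_.EndDateTime -gt $now } | Sort-Object EndDateTime)
    $expired = @($cwap | Where-Object { $_.EndDateTime -le $now })

    # Per the answer, the earliest-expiring valid secret stays in use until it expires,
    # then the service switches to the newer one.
    $inUse        = if ($valid.Count -gt 0) { $valid[0] } else { $null }
    $daysToExpiry = if ($inUse) { [int]($inUse.EndDateTime - $now).TotalDays } else { $null }

    # Flag: no valid secret at all, or the only valid secret is inside the renewal
    # window with no successor yet (worth a closer look before it lapses).
    $needsAttention = ($valid.Count -eq 0) -or
                      ($valid.Count -eq 1 -and $daysToExpiry -lt $renewalWindowDays)

    [pscustomobject]@{
        Application    = $app.DisplayName
        AppId          = $app.AppId
        CwapTotal      = $cwap.Count      # the answer says at most 3 (valid + expired) are kept
        Valid          = $valid.Count
        Expired        = $expired.Count
        InUseKeyId     = $inUse.KeyId
        InUseExpires   = $inUse.EndDateTime
        DaysToExpiry   = $daysToExpiry
        NeedsAttention = $needsAttention
    }
}

$report | Sort-Object DaysToExpiry | Format-Table -AutoSize
```

Expired rows in the output are expected and, per the answer above, should be left in place; the NeedsAttention column is only a prompt to review, not an instruction to act.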
