Hello @Thangaraj Lakshmanan,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that you want to know about the impact of deleting expired secrets on an Azure App Proxy Application. Please find the answers to your questions below:
In our existing App Proxy applications, we have observed that some applications have multiple secrets (CWAP_AuthSecret), such as 2 expired and 1 active, or 2 active and 1 expired. When we fetch App Proxy secrets details via a PowerShell script, the report includes expired secrets.
Having multiple secrets for an existing Azure App Proxy is expected. The CWAP_AuthSecret is required for AAD pre-authentication to function properly.
Will deleting the expired secrets (CWAP_AuthSecret) impact authentication or cause service disruption to the business? If yes, could you please explain the rationale behind retaining expired secrets?
The CWAP_AuthSecret is valid for one year, and a new client secret is automatically created before the current one expires (approximately 90 days prior). You cannot manually enforce client secret rotation.
Only the last three created CWAP_AuthSecrets (valid and expired) are kept in the configuration.
If a CWAP_AuthSecret is deleted, pre-authentication will break, and users will encounter the following error page:
InternalServerError "This corporate app can't be accessed right now. Please try again later. Client request encountered an internal server error."
For applications with more than 2 valid secrets (CWAP_AuthSecret), which secret is used for authentication, and how can we confirm this?
When a CWAP_AuthSecret is set to expire within 90 days, a new client secret is automatically created and marked as active. This is why you may see two valid client secrets. The system will use the first client secret until it expires, after which it will automatically switch to the newly created client secret.
Please refer to the FAQ document below for more information:
What happens if I delete CWAP_AuthSecret (the client secret) in the app registration?
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Thanks,
Raja Pothuraju.
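
An added example, not part of the answer above and not Microsoft's tooling: a read-only audit that applies the lifecycle rules described in the answer to the passwordCredentials array of a Microsoft Graph application object, so expired CWAP_AuthSecret entries are reported but never queued for deletion. The function name, result keys, sample key IDs and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

CWAP_NAME = "CWAP_AuthSecret"          # display name quoted in the answer
ROTATION_WINDOW = timedelta(days=90)   # successor appears ~90 days before expiry

def _ts(value):
    # Graph timestamps are ISO 8601 UTC strings ending in "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_cwap_secrets(password_credentials, now):
    """Classify secrets for reporting; nothing here deletes or modifies them."""
    cwap = [c for c in password_credentials if c.get("displayName") == CWAP_NAME]
    other = [c for c in password_credentials if c.get("displayName") != CWAP_NAME]
    valid = sorted(
        (c for c in cwap if _ts(c["startDateTime"]) <= now < _ts(c["endDateTime"])),
        key=lambda c: _ts(c["startDateTime"]))
    in_use = valid[0] if valid else None  # per the answer: first secret is used until it expires
    findings = []
    if in_use is None:
        findings.append("no valid CWAP_AuthSecret: pre-authentication expected to fail")
    elif len(valid) == 1 and _ts(in_use["endDateTime"]) - now <= ROTATION_WINDOW:
        findings.append("inside 90-day window with no successor secret")
    if len(cwap) > 3:
        findings.append("more than three CWAP_AuthSecret entries (answer says three are kept)")
    return {
        "in_use": in_use["keyId"] if in_use else None,
        "standby": [c["keyId"] for c in valid[1:]],
        # Reported only: the answer warns that deleting a CWAP_AuthSecret breaks pre-auth.
        "expired_cwap_keep": [c["keyId"] for c in cwap if _ts(c["endDateTime"]) <= now],
        "expired_other": [c["keyId"] for c in other if _ts(c["endDateTime"]) <= now],
        "findings": findings,
    }

# Constructed sample data (key IDs and dates are made up for illustration).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE = [
    {"displayName": CWAP_NAME, "keyId": "key-old",
     "startDateTime": "2022-11-01T00:00:00Z", "endDateTime": "2023-11-01T00:00:00Z"},
    {"displayName": CWAP_NAME, "keyId": "key-current",
     "startDateTime": "2024-03-01T00:00:00Z", "endDateTime": "2025-03-01T00:00:00Z"},
    {"displayName": CWAP_NAME, "keyId": "key-next",
     "startDateTime": "2024-12-05T00:00:00Z", "endDateTime": "2025-12-05T00:00:00Z"},
    {"displayName": "ci-deploy", "keyId": "key-other",
     "startDateTime": "2023-06-01T00:00:00Z", "endDateTime": "2024-06-01T00:00:00Z"},
]

if __name__ == "__main__":
    for field, value in audit_cwap_secrets(SAMPLE, NOW).items():
        print(f"{field}: {value}")
```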