Azure Tenant-wide application authentication method using Client Secret management

EnterpriseArchitect 5,851 Reputation points
2025-04-29T06:02:33.6066667+00:00

What will be the risks or possible attack paths when the Enterprise Application uses Client Secret?

https://entra.microsoft.com/#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview

https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM

Can the Developer access the Data or use the same application when moving to a different Azure tenant using the same Client Secret?


Accepted answer
  Sakshi Devkante 4,220 Reputation points Microsoft External Staff Moderator
    2025-04-29T15:29:02.83+00:00

    Hello EnterpriseArchitect

    If the client secret is stored insecurely (e.g., in code repositories, config files without encryption), it can be leaked:

    Developers or attackers with access to the code or storage medium can extract the secret.

    Once leaked, it can be used to impersonate the application and access resources (APIs, data) as the app.
    If the same client secret is used across environments (e.g., dev/prod/other tenants), it increases the blast radius:

    Compromise in one environment can affect others.

    Moving code to another Azure tenant with the same secret could enable unauthorized access if permissions are misconfigured.

    - Developers with access to the client secret can use it:
      - To authenticate as the application.
      - To access any resource the app has permission to, including sensitive APIs and data.
    - Client secrets that are weak (short, predictable) can be brute-forced.
    - Long-lived or never-rotated secrets are dangerous if compromised.

    And to address your concern: No, not directly. A Client Secret is scoped to a specific App Registration in a specific Azure tenant.

    If a developer moves the application code to a different tenant, the original Client ID and Secret won’t work there unless they:

    Recreate the App Registration in the new tenant with the same Client ID and secret (manually or via scripts).

    Or, worse, if the secret is reused intentionally across tenants, it becomes a security anti-pattern.

    If a developer has the secret and code, they could register the same app in their own tenant and use the secret to impersonate the app, especially in poorly configured APIs or services that don’t verify the tenant ID (issuer).

    Go through the articles below:
    Configure Microsoft Entra for increased security
    What does Microsoft recommend for Client Secrets?
    Microsoft identity platform best practices and recommendations
    Public client and confidential client applications
    Public vs. confidential clients and how to avoid common security pitfalls in identity

    I hope this clarifies things.

    If you feel this clarified your question, please remember to "Accept Answer", so that others in the community facing similar issues can easily find this post.

    1 person found this answer helpful.
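As an added example (not part of the question or the answer above), here is the kind of tenant check the answer refers to when it mentions APIs that do not verify the tenant ID (issuer). The tenant IDs and audience are constructed placeholders, and the function assumes the token's signature has already been verified by a JWT library against the tenant's signing keys; it only enforces issuer/tenant, audience and expiry.

```python
import re
import time

# Allow-list of tenant IDs whose tokens this API accepts (constructed placeholder GUID).
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
# The API's own application ID URI as registered in its home tenant (constructed placeholder).
EXPECTED_AUDIENCE = "api://22222222-2222-2222-2222-222222222222"

# Issuer formats of Microsoft Entra v2.0 and v1.0 access tokens; the issuing tenant ID is embedded.
_ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/(?P<v2>[0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/(?P<v1>[0-9a-f-]{36})/)$"
)

def authorize_claims(claims, now=None):
    """Return (ok, reason) for claims whose signature was ALREADY verified upstream.
    Only issuer/tenant, audience and expiry are enforced here."""
    now = time.time() if now is None else now
    m = _ISSUER_RE.match(claims.get("iss", ""))
    if not m:
        return False, "issuer is not a Microsoft Entra issuer"
    issuer_tenant = m.group("v2") or m.group("v1")
    if claims.get("tid") != issuer_tenant:
        return False, "tid claim does not match tenant in issuer"
    if issuer_tenant not in ALLOWED_TENANTS:
        return False, f"tenant {issuer_tenant} not allowed"
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

# Constructed sample claims. The second set is what an API would receive if the same app
# registration had been re-created in a different tenant and tokens were minted there.
HOME_TENANT_CLAIMS = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "aud": EXPECTED_AUDIENCE,
    "exp": 4102444800,  # 2100-01-01T00:00:00Z, so the sample does not expire
}
FOREIGN_TENANT_CLAIMS = dict(HOME_TENANT_CLAIMS, **{
    "iss": "https://login.microsoftonline.com/44444444-4444-4444-4444-444444444444/v2.0",
    "tid": "44444444-4444-4444-4444-444444444444",
})

if __name__ == "__main__":
    print(authorize_claims(HOME_TENANT_CLAIMS))     # (True, 'ok')
    print(authorize_claims(FOREIGN_TENANT_CLAIMS))  # (False, 'tenant 44444444-... not allowed')
```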

0 additional answers