Automate Azure App registration client secret rotation

Rafael Valente 26 Reputation points
2021-10-08T16:06:05.427+00:00

Hello.
I'm integrating Azure Key Vault with Outsystems to automate secret rotation with two set of authentication credentials.
While i was doing the configuration in Azure portal, i needed to create an App in the App registration screen and then generate a client secret to use its value.
The client secret needs a description and a duration. Therefore, all of the automation is kind of invalidated because someone will need to maintain the client secret per application.
My question is, like Key Vault secrets, is there a way to automate application client secrets rotation?

138981-image.png

Thank you.
Best regards,
Rafael Valente

Microsoft Entra
{count} vote

7 answers

Sort by: Most helpful
  1. Marilee Turscak-MSFT 36,246 Reputation points Microsoft Employee
    2021-10-08T16:57:52.407+00:00

    While I don't believe we have an out-of-the-box solution to rotate these, one approach would be to use a Managed Service Identity and add the app service's service principal to your Key Vault. Since the applications authenticate directly to Azure AD Protected APIs, you don't need to store a client ID or client secret anymore.

    References:
    How to secure Azure client Id and Secret without using App Settings of App Service
    How to store and rotate Azure AD Application secret using AKV

    Let me know if this helps at all.

    0 comments No comments

  2. Rafael Valente 26 Reputation points
    2021-10-11T14:57:48.46+00:00

    Hello @Marilee Turscak-MSFT .

    The first link refers to a solution that i cannot follow since it is suggested to use Managed Identities instead of maintaining the Client Secret.
    In the OutSystems implementation, the Client Secret is mandatory to request an access token to then fetch whatever data we need.
    The second link shows a rather complex implementation (in my opinion) using Azure DevOps which makes this potential solution a no go for me.
    Do you know if the Azure Key Vault API has some some methos that returns the valid client secret for a given application?

    0 comments No comments

  3. Vishal Gupta 1 Reputation point
    2022-09-08T13:48:03.533+00:00

    Hi @Rafael Valente ,

    Any progress you made on this subject, looking to learn from your solution/approach.

    Regards
    Vishal Gupta

    0 comments No comments

  4. Rafael Valente 26 Reputation points
    2022-09-12T09:20:06.417+00:00

    Hello @Vishal Gupta !

    After speaking with some people, the solution was indeed to manage the application secret manually.
    Therefore, there is an expiration date for each application secret and then it is manually updated in Azure and then changed in the OutSystems side.

    Regards,
    Rafael

    0 comments No comments

  5. Riaz Ansary 16 Reputation points
    2023-09-23T06:27:31.7933333+00:00

    You can Fully Automate this via PowerShell Scripts and/or logic app that runs daily and when it catches a secret expiring within x number of days it will remove the old one and create a new one and push it to the vault.

    I just did that in our organization.