Azure Directory Application Secret

ID

azure_ad_app_secret

Severity

high

Vendor

Microsoft Azure

Family

Generic Secret

Description

Azure application secrets (client secrets) are confidential credentials that an application registered in Azure Active Directory (Microsoft Entra ID) presents, together with its application (client) ID and tenant ID, to obtain OAuth 2.0 access tokens for Azure resources, Microsoft Graph or other services. Anyone holding the secret can act with every permission granted to the application.

Security

Application secrets are randomly generated, password-like strings. They can be created in the Azure portal, through the Microsoft Graph API, with PowerShell or with the Azure CLI (az), and their values are shown only once, at creation time.

Every application secret has an expiry date (the portal allows a lifetime of up to 24 months, and Microsoft recommends 6 months or less), and a secret can be deleted at any time, which immediately stops new tokens from being issued with it.

Microsoft recommends certificate credentials, or a managed identity where the code runs in Azure, instead of client secrets for authentication.

Examples

TENANT_ID=cade2532-fe0c-45e1-b350-40dcfa59dc17
AD_APP_SECRET=lW78Q~Eew2Chae0ozaiT_iNgap8Phoh5Eeshu7oo

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires revoking or renewing the secret in the target system(s). Go to your Azure [App Registrations](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade), click the application entry, then click "Certificates & secrets" in the left menu. Click the "Client secrets" tab, then click "Delete" (trash-bin icon at the right). If the application is still in use, create a new secret before deleting the leaked one so the application keeps working. The same can be done from the Azure CLI with `az ad app credential delete`. Deleting a secret prevents new tokens from being issued with it, but access tokens already obtained remain valid until they expire (usually about an hour).

  2. Remove the Active Directory application secret from the source code or committed configuration file. Pass the secret through environment variables, local files excluded from version control, or a secret vault such as Azure Key Vault instead of hardcoding the value, or replace the secret entirely with a managed identity or certificate credential, as documented in How to Prevent Hard-Coded Secrets.

  3. Check the access logs to ensure that the secret was not used by unintended actors during the compromised period, that is, from the first commit that contained the secret until it was revoked. In Microsoft Entra ID, the sign-in logs include a "Service principal sign-ins" view that records the application, source IP address, target resource and outcome of every token request; the Azure Activity Log shows what the application then did with the resulting tokens. Sign-ins from unexpected IP addresses, or failed attempts continuing after the secret was deleted, indicate that someone else holds the secret.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.
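The following triage script is an added example, not code from the original page or from Microsoft. It walks step 3 above over a constructed set of service principal sign-in records and flags the ones worth a look: sign-ins from the leaked application inside the compromise window that come from outside the networks the application is expected to use, and any attempts (successful or failed) after the secret was deleted. The record layout is assumed to resemble the Microsoft Graph `servicePrincipalSignIn` resource (fields `appId`, `servicePrincipalCredentialKeyId`, `ipAddress`, `resourceDisplayName`, `status.errorCode`); the application ID, key ID, time window, trusted networks (TEST-NET addresses) and all log lines are constructed for the example. Error code 7000215 is the AADSTS code returned for an invalid client secret.

```python
"""Triage Entra service principal sign-in records after a client-secret leak.

Added example (not from the original page). Record fields are assumed to
follow the Microsoft Graph servicePrincipalSignIn resource; all identifiers,
addresses and log lines below are constructed.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Hypothetical identifiers of the leaked registration and of the leaked secret.
LEAKED_APP_ID = "00000000-0000-4000-8000-000000000001"
LEAKED_KEY_ID = "11111111-1111-4111-8111-111111111111"

# Compromise window: first commit containing the secret -> deletion of the secret.
COMPROMISE_START = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
COMPROMISE_END = datetime(2024, 3, 4, 17, 30, tzinfo=timezone.utc)

# Egress ranges from which this application legitimately authenticates (TEST-NET-3).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export: one JSON object per line.
SAMPLE_LOG = r"""
{"createdDateTime":"2024-02-28T10:00:00Z","appId":"00000000-0000-4000-8000-000000000001","servicePrincipalCredentialKeyId":"11111111-1111-4111-8111-111111111111","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2024-03-02T08:15:00Z","appId":"00000000-0000-4000-8000-000000000001","servicePrincipalCredentialKeyId":"11111111-1111-4111-8111-111111111111","ipAddress":"203.0.113.10","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2024-03-02T23:41:00Z","appId":"00000000-0000-4000-8000-000000000001","servicePrincipalCredentialKeyId":"11111111-1111-4111-8111-111111111111","ipAddress":"198.51.100.23","resourceDisplayName":"Azure Key Vault","status":{"errorCode":0}}
{"createdDateTime":"2024-03-03T01:02:00Z","appId":"00000000-0000-4000-8000-000000000001","servicePrincipalCredentialKeyId":"22222222-2222-4222-8222-222222222222","ipAddress":"203.0.113.11","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2024-03-03T01:02:00Z","appId":"33333333-3333-4333-8333-333333333333","ipAddress":"198.51.100.23","resourceDisplayName":"Microsoft Graph","status":{"errorCode":0}}
{"createdDateTime":"2024-03-05T06:20:00Z","appId":"00000000-0000-4000-8000-000000000001","servicePrincipalCredentialKeyId":"11111111-1111-4111-8111-111111111111","ipAddress":"198.51.100.23","resourceDisplayName":"Azure Key Vault","status":{"errorCode":7000215}}
"""


def parse_time(value):
    """Parse the ISO 8601 timestamps used in the log into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_trusted(ip):
    """True if the source address falls inside one of the expected egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def classify(rec):
    """Return a reason string if the sign-in deserves investigation, else None."""
    if rec.get("appId") != LEAKED_APP_ID:
        return None
    key_id = rec.get("servicePrincipalCredentialKeyId")
    if key_id and key_id != LEAKED_KEY_ID:
        return None  # another credential of the same app; not the leaked one
    when = parse_time(rec["createdDateTime"])
    if when < COMPROMISE_START:
        return None  # before the secret was ever committed
    ip = rec.get("ipAddress", "")
    outcome = "succeeded" if rec.get("status", {}).get("errorCode", 0) == 0 else "failed"
    if when > COMPROMISE_END:
        # Secret already deleted: whoever still tries it holds the leaked value.
        return "attempt after revocation ({}) from {}".format(outcome, ip)
    if not is_trusted(ip):
        return "sign-in {} from untrusted {}".format(outcome, ip)
    return None


def triage(log_text):
    """Return (timestamp, resource, reason) for every record that needs a look."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["createdDateTime"], rec.get("resourceDisplayName", "?"), reason))
    return findings


if __name__ == "__main__":
    for when, resource, reason in triage(SAMPLE_LOG):
        print(when, resource, reason)
```

On the sample data the script reports the successful Key Vault token request from 198.51.100.23 during the window and the failed attempt from the same address after the secret was deleted; the sign-ins from the trusted range, the sign-in with a different credential of the same application and the sign-in of another application are left alone. The post-revocation failure is the more useful finding: it confirms that a third party holds the secret and gives you an address to pivot on.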
