How to proactively rotate or automate the secrets rotation for the Enterprise Application and Application Registration?

EnterpriseArchitect 6,061 Reputation points
2025-07-07T14:06:19.3133333+00:00

We have a few thousand (3000+) Azure Enterprise Applications and Application Registrations that are still using Client secrets.

These are the steps that my SysAdmin must do regularly, one day before or when certain Applications are broken / not running (reactive):

  1. In Azure Portal, open the Certificates & secrets (https://portal.azure.com/#blade/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/Credentials/appId/085843e2-a223-44d4-b6f6-dddb56493cab) page of app registration nwo_deploy
  2. Click Client secrets, and then click New client secret
  3. Enter secret details, making sure that the expiration time meets policy requirements. When finished, click Add
  4. Copy the secret value and update your application with the new credentials
  5. Before deleting the old secret, update and verify that your software is properly running with the new secret
  6. Delete the old secret

What is the best practice to avoid performing these manual steps every 180 days or so for thousands of Azure App Registrations in my Azure tenant?

Because most applications do not support SSL Certificates.

https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation-dual?tabs=azurepowershell#use-existing-rotation-function-for-multiple-storage-accounts

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

Accepted answer

Swaroop Kolli 240 Reputation points Microsoft External Staff Moderator
2025-07-09T10:34:38.8566667+00:00

    Hello @EnterpriseArchitect,

    Thank you for posting your query on Microsoft Q & A Forum.

    As per my understanding, you wanted to know the best practice to avoid performing manual rotation of the client secret values.

    Unfortunately, we cannot automatically renew a client secret for an app registration, and an admin should manually create a secret before expiration and update it in the application server.

    The document you are referring to for rotating the secret is for internal function apps and storage accounts, which can be directly linked to a key vault. This would rotate the client secrets, but these are for internal resources like VMs, function apps, etc.

    We can link the app registration with Key Vault, which would automatically renew the secret, but updating this in the application server would again be manual work.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query, please do let us know by commenting on this.

    1 person found this answer helpful.
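The manual steps in the question (add a new secret, switch the consumer to it, verify, then delete the old one) and the answer's point that Key Vault can hold a renewed value while the consuming server still has to be updated, as an added example that is not part of either post and not a Microsoft tool. It plans and applies rotation over records shaped like the Microsoft Graph `GET /applications` resource and uses the real Graph `addPassword` / `removePassword` actions, but the Graph call and the Key Vault write are injected callables (`graph_post`, `store_secret`) so it runs offline; the application records, key ids, thresholds and the `NOW` timestamp are constructed for the example, and an authenticated requester with `Application.ReadWrite.All` is assumed for a real run.

```python
"""Added example: plan and apply client-secret rotation for Entra app registrations.
Not from the Q&A post or from Microsoft. Graph and Key Vault access are injected
so the logic runs offline; SAMPLE_APPS are constructed records in the shape of
GET /applications?$select=id,displayName,passwordCredentials."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

GRAPH = "https://graph.microsoft.com/v1.0"  # real Graph base URL


@dataclass
class Action:
    app_object_id: str          # Graph object id of the application (not the appId)
    kind: str                   # "add", "remove" or "none"
    key_id: str | None = None   # keyId of the credential to remove
    reason: str = ""


def parse_ts(value: str) -> datetime:
    """Graph returns ISO-8601 timestamps with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_rotation(app: dict, now: datetime, rotate_before_days: int = 30,
                  grace_days: int = 7) -> list[Action]:
    """Decide what one app needs: add a secret when the newest one is inside the
    rotation window; remove secrets that have expired, or that were superseded by
    a newer one at least grace_days ago (the window in which the consuming
    application is switched to the new value and verified before the old one goes)."""
    creds = app.get("passwordCredentials") or []
    if not creds:
        return [Action(app["id"], "none", reason="no client secrets")]
    actions: list[Action] = []
    newest = max(creds, key=lambda c: parse_ts(c["endDateTime"]))
    newest_end = parse_ts(newest["endDateTime"])
    if newest_end - now <= timedelta(days=rotate_before_days):
        actions.append(Action(app["id"], "add",
                              reason=f"newest secret expires {newest_end.date()}"))
    superseded_since = now - parse_ts(newest["startDateTime"])
    for cred in creds:
        if cred is newest:
            continue
        if parse_ts(cred["endDateTime"]) <= now:
            actions.append(Action(app["id"], "remove", cred["keyId"], "expired"))
        elif superseded_since >= timedelta(days=grace_days):
            actions.append(Action(app["id"], "remove", cred["keyId"],
                                  "superseded, grace period over"))
    return actions or [Action(app["id"], "none", reason="healthy")]


def kv_secret_name(display_name: str) -> str:
    """Key Vault secret names allow only letters, digits and hyphens."""
    return re.sub(r"[^0-9A-Za-z-]", "-", display_name) + "-client-secret"


def apply_actions(app: dict, actions: list[Action], now: datetime,
                  graph_post: Callable[[str, dict], dict],
                  store_secret: Callable[[str, str, datetime], None],
                  lifetime_days: int = 180) -> list[str]:
    """Execute the plan. graph_post(url, body) must POST with a bearer token holding
    Application.ReadWrite.All (assumed); store_secret(name, value, expires) writes the
    new value to Key Vault so consumers that read it from there pick it up. Consumers
    that embed the secret in their own config still need the manual update step."""
    log: list[str] = []
    for action in actions:
        if action.kind == "add":
            body = {"passwordCredential": {
                "displayName": f"rotated-{now:%Y-%m-%d}",
                "endDateTime": (now + timedelta(days=lifetime_days)).isoformat()}}
            cred = graph_post(f"{GRAPH}/applications/{app['id']}/addPassword", body)
            # secretText is returned only by addPassword, never by GET: store it at once.
            store_secret(kv_secret_name(app["displayName"]), cred["secretText"],
                         parse_ts(cred["endDateTime"]))
            log.append(f"{app['displayName']}: added {cred['keyId']} ({action.reason})")
        elif action.kind == "remove":
            graph_post(f"{GRAPH}/applications/{app['id']}/removePassword",
                       {"keyId": action.key_id})
            log.append(f"{app['displayName']}: removed {action.key_id} ({action.reason})")
    return log


# Constructed sample data (whole-second timestamps; keyIds and names are made up).
SAMPLE_APPS = [
    {"id": "obj-1", "displayName": "nwo_deploy", "passwordCredentials": [
        {"keyId": "k1", "startDateTime": "2025-01-21T00:00:00Z", "endDateTime": "2025-07-20T00:00:00Z"}]},
    {"id": "obj-2", "displayName": "billing-api", "passwordCredentials": [
        {"keyId": "k2", "startDateTime": "2024-12-01T00:00:00Z", "endDateTime": "2025-06-01T00:00:00Z"},
        {"keyId": "k3", "startDateTime": "2025-07-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"}]},
    {"id": "obj-3", "displayName": "reporting", "passwordCredentials": [
        {"keyId": "k4", "startDateTime": "2025-03-01T00:00:00Z", "endDateTime": "2025-09-01T00:00:00Z"},
        {"keyId": "k5", "startDateTime": "2025-06-20T00:00:00Z", "endDateTime": "2025-12-17T00:00:00Z"}]},
    {"id": "obj-4", "displayName": "legacy", "passwordCredentials": []},
]
NOW = datetime(2025, 7, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        for a in plan_rotation(app, NOW):
            print(app["displayName"], a.kind, a.key_id or "-", a.reason)
```

Run as a scheduled job, the planner is what turns the reactive "one day before it breaks" routine into a window: `rotate_before_days` adds the replacement early, `grace_days` keeps the old secret alive while consumers are switched and verified, and only then is it removed. The part the answer calls manual is `store_secret`: an application that reads its secret from Key Vault at start-up follows the rotation, one that has the value baked into its own configuration does not, and that is the population to track separately.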
