Client secrets are blocked by a tenant-wide policy. Contact your tenant administrator for more information.

Question

Client secrets are blocked by a tenant-wide policy. Contact your tenant administrator for more information.

Oliver Geissler 5

We are unable to create a client secret for an app registration.

Error: Client secrets are blocked by a tenant-wide policy. Contact your tenant administrator for more information.
Where can it be configured?

Thx for help
Oliver

VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator

2026-03-03T19:15:16.9866667+00:00
Hello Oliver Geissler,

This error is expected behavior when client secrets are disabled by a tenant‑wide security policy in Microsoft Entra ID.

Where this is configured

The setting is controlled at the tenant level here:

Microsoft Entra admin center Microsoft Entra ID → Security → Authentication methods → Policies → App management

There you’ll find the option:

“Block client secrets” (or similar wording)

If this is enabled, no app registration in the tenant can create new client secrets (existing secrets may also be impacted depending on policy state).

Microsoft recommends blocking client secrets to:

Reduce credential leakage risk

Enforce stronger authentication (certificates or managed identities)

Align with Zero Trust and secure app modernization practices

Ask a Global Administrator / Security Administrator to review or change this policy, or

Switch the app to a certificate-based credential (recommended), or

Use Managed Identity if the app runs in Azure.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-app-management-policies?tabs=portal

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-enforce-secret-standards?pivots=ms-powershell#confirm-the-policy-is-applied
VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator

2026-03-05T11:34:02.49+00:00

Oliver Geissler I’m following up on my previous comment as I haven’t received a response. Please let me know if you need any additional information or assistance from my side.

1 answer

Your answer

VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator

2026-03-03T19:15:16.9866667+00:00

Hello Oliver Geissler,

This error is expected behavior when client secrets are disabled by a tenant‑wide security policy in Microsoft Entra ID.

Where this is configured

The setting is controlled at the tenant level here:

Microsoft Entra admin center Microsoft Entra ID → Security → Authentication methods → Policies → App management

There you’ll find the option:

“Block client secrets” (or similar wording)

If this is enabled, no app registration in the tenant can create new client secrets (existing secrets may also be impacted depending on policy state).

Microsoft recommends blocking client secrets to:

Reduce credential leakage risk

Enforce stronger authentication (certificates or managed identities)

Align with Zero Trust and secure app modernization practices

Ask a Global Administrator / Security Administrator to review or change this policy, or

Switch the app to a certificate-based credential (recommended), or

Use Managed Identity if the app runs in Azure.

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-app-management-policies?tabs=portal

https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-enforce-secret-standards?pivots=ms-powershell#confirm-the-policy-is-applied
VEMULA SRISAI 9,265 Reputation points Microsoft External Staff Moderator

2026-03-05T11:34:02.49+00:00

Oliver Geissler I’m following up on my previous comment as I haven’t received a response. Please let me know if you need any additional information or assistance from my side.

Answer 1

The error is caused by a tenant-wide application management policy in Microsoft Entra ID that blocks adding client secrets (password credentials) to applications.

This setting is configured in the Microsoft Entra admin center under app management policies, or via Microsoft Graph:

An admin with one of these roles must make the change:
- Security Administrator and Cloud App Administrator or Application Administrator, or
- Global Administrator.
The relevant restriction is passwordAddition (and typically also symmetricKeyAddition) in the tenant-wide default app management policy. When configured to block, the portal shows “Client secrets are blocked by a tenant-wide policy”.
To adjust this, the admin can either:
- Use the Microsoft Entra admin center (App management policy UX) to change the Block password addition setting, which controls passwordAddition and symmetricKeyAddition, or
- Use Microsoft Graph (beta) to update the defaultAppManagementPolicy so that passwordAddition (and, if desired, symmetricKeyAddition) no longer block new secrets.
After updating the policy, confirm it is applied by:
- Reading the default app management policy again and verifying the updated restrictions, and/or
- Trying to create a new application secret; the operation should now succeed if the restriction has been relaxed.

If the policy must remain strict tenant-wide, a custom app management policy can be created and assigned to specific applications to exempt them from the restriction.

References:

Share via

Client secrets are blocked by a tenant-wide policy. Contact your tenant administrator for more information.

1 answer

Your answer