App secret (application secret) Azure AD - Azure AD App Secrets

Copper Contributor

Hello everyone,


Please , I want to know what is a "Secret App", by default what is the secret app lifetime ?

What is the lifespan of App Secret ? is it recommended to use short-lived app secrets or use certificate authentication ???


How do you find secret apps? commentscanner to find Secret App?


9 Replies
best response confirmed by ayoub92635 (Copper Contributor)

There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. We recommend using a certificate, but you can also create an application secret.


Option 2: Create a new application secret

If you choose not to use a certificate, you can create a new application secret.

  1. Search for and select Azure Active Directory.
  2. Select App registrations and select your application from the list.
  3. Select Certificates & secrets.
  4. Select Client secrets, and then Select New client secret.
  5. Provide a description of the secret, and a duration.
  6. Select Add.

Once you've saved the client secret, the value of the client secret is displayed. Copy this value because you won't be able to retrieve the key later. You'll provide the key value with the application ID to sign in as the application. Store the key value where your application can retrieve it.



Please click Mark as Best Response & Like if my post helped you to solve your issue. This will help others to find the correct solution easily.

Many thanks for your reply ! Is there a specific recommendation for The secret app lifetime (duration : 1 month ...example)??

what is the benefit of using manger identity azure for the secret app ?


How do you scan for secret apps? how to find secret apps by scan?

Why it is recommend using a certificate, (authentication with certificate) ? and non app secret
A "Secret App" or "App Secret" usually refers to a confidential piece of information used to authenticate an application in a system like Azure Active Directory. When you register an application in Azure AD, you can create a secret for the app, which is used as a shared secret between the application and the authentication service. The application uses the secret to request access tokens and authenticate itself.
By default, the lifetime of an App Secret in Azure AD is 2 years for multi-tenant apps and 1 year for single-tenant apps. However, you can configure the expiration period when you create the secret, with options for 6 months, 1 year, or 2 years.

The lifespan of an App Secret in Azure AD depends on the configuration you choose when creating the secret. You have the option to set the expiration period for 6 months, 1 year, or 2 years. Once the secret reaches its expiration date, it becomes invalid, and you must create a new secret to continue using the application.
When deciding between using short-lived App Secrets and certificate authentication, it's generally recommended to use certificate-based authentication for the following reasons:
1- Certificate-based authentication is considered more secure since private keys are usually stored more securely and are harder to compromise.
2- Certificates have a built-in expiration mechanism, which enforces a rotation policy and reduces the risk of long-lived secrets.
However, in some cases, using App Secrets might be easier to implement, especially for smaller projects or when certificate-based authentication is not supported. If you choose to use App Secrets, it's a good practice to use shorter lifespans and rotate them regularly to minimize the risk of compromise.

To find app secrets in Azure Active Directory, you can use the Azure Portal or PowerShell. However, please note that for security reasons, you cannot retrieve the value of an existing app secret. You can only view the secret when it is created, after which you need to store it securely. If you lose the app secret value, you will have to create a new one.
Azure Portal:
- Navigate to the Azure portal (
- Sign in with your credentials
- Click on "Azure Active Directory" in the left-hand menu
- Click on "App registrations"
- Select the application for which you want to view the app secrets
- Click on "Certificates & secrets" in the left-hand menu
- Under "Client secrets," you can see the existing secrets, their expiration dates, and descriptions,
but not the secret values
If you are looking for potential secrets or sensitive information in code repositories or comments, you can use tools like "truffleHog" or "git-secrets" to scan the git history for sensitive data. These tools can help identify hard-coded credentials or secrets accidentally committed to the repository. However, they will not directly find app secrets within Azure Active Directory.
Thank you for your feedback, how can we put an alert when someone can install a secret app ?
Hi @ayoub92635, yes, an alert can be configured in Azure Monitor to notify you when a new application secret is created in Azure Active Directory. Monitor allows you to create custom alerts based on activity logs, which include events related to the creation of new application secrets.
See how to do it:
1- Click on Monitor in the left-hand menu
2- In the Monitor pane, click on Alerts
3- Click on the + New alert rule button
4- In the Scope section, click on Select resource and choose your desired subscription and Azure Active Directory tenant
5- In the Condition section, click on Add to define a new condition
6- In the Signal type dropdown, choose Activity Log
7- In the Activity Log - Event search box, type Add service principal credentials and select it
8- Set the Threshold value to 1 (to trigger an alert for every instance of the event)
9- Click on Done to add the condition
10- In the Actions section, click on Create a new action group or select an existing action group to specify the alert's recipients and notification methods (email, SMS, or push notification)
11- Set the Alert rule details by providing a name, description, and severity for the alert
12- Click on Create alert rule to save the new alert.

Once the alert is set up, you'll be notified when a new App Secret is created in your Azure Active Directory tenant based on the notification methods defined in your action group.
Many thanks ! For the "Unsecure Account" you sent me recommendations to apply, I want to know how to be notified to receive alerts when an "unsecure account" is created, knowing that I only have Microsoft Defender to view the alerts. 
An alert created when "unsecure account " is created please