Kata 3: Review Entra Service Principal credentials

This kata shows how to review your Entra Service Principal credentials. You will learn how to determine which credentials exist, which are nearing expiration, and which may need rotation.

You can reduce the impact of a compromised credential by rotating credentials frequently, which shortens the window in which a leaked credential remains usable. You can also avoid operational incidents by identifying credentials that are nearing expiration and rotating them proactively, before an application loses access.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports (kata 0).

Go to the Credentials worksheet.

Review OAuth2 Client Secrets

Now let’s review Service Principal OAuth2 Client Secrets (sometimes called app passwords):

Figure 1. Review Service Principal Client Secrets

The Credentials worksheet reports what OAuth2 client secret credentials each service principal has. A service principal can have zero to many (hundreds!) of client secrets. k9 reports important details about each secret:

  • Credential Name – the name given to the credential (not unique)
  • Client Secret ID – the credential’s unique identifier generated by Entra
  • Client Secret Starts – the time when the credential becomes valid
  • Client Secret Expires – the time when the credential expires
  • Client Secret Expires In (Days) – the number of days until the credential expires, calculated at the time when the report was generated. Will be less than or equal to zero once the credential has expired.

To find OAuth2 client secrets that are about to expire, you can filter by the Client Secret Expires In (Days) column, e.g. less than or equal to 14 days:

Figure 2. Identify expiring OAuth2 client secrets

We can see that sp-azure-poc's client-secret-4 credential expires in 7 days and needs to be rotated and/or deleted: rotate it if the application still uses it, delete it if it does not.

Review Certificate Keys

Now let’s review Service Principal Certificate Keys. Scroll the Certificate Key columns into view:

  • Certificate Key ID – the credential’s unique identifier generated by Entra
  • Certificate Key Starts – the time when the credential becomes valid
  • Certificate Key Expires – the time when the credential expires
  • Certificate Key Expires In (Days) – the number of days until the credential expires, calculated at the time when the report was generated. Will be less than or equal to zero once the credential has expired.

Now filter the Certificate Key Expires In (Days) column to less than or equal to 14 to see the keys expiring within the next two weeks:

Figure 3. Identify expiring certificate key secrets

We can see that sp-azure-poc has a key named 'this is my cert.pem' that expires in 12 days and needs to be rotated and/or deleted.

Review Questions

Ask these questions during your review:

Q. Does this principal need multiple credentials?

A redundant credential must be secured just as carefully as the primary credential, and every extra credential is one more that can leak. Generally an application only needs a second active credential during rotation: create the new credential, switch the application to it, then delete the old one.
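The two filters above (client secrets and certificate keys with Expires In (Days) less than or equal to 14) and the multiple-credentials review question, worked through in code. This is an added Python example, not part of the k9 kata or the k9 product. It runs over constructed rows that mirror the columns of the Credentials worksheet; the service principal names, credential names, credential IDs and the report generation time are all made up for the example. It recomputes the Expires In (Days) column, applies the 14-day filter (keeping already-expired rows, since those still need to be deleted), and lists principals holding more than one active credential.

```python
import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed report generation time: the worksheet's "Expires In (Days)" values are
# computed relative to this instant, so the example does the same.
REPORT_GENERATED_AT = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Credential:
    """One row of the Credentials worksheet, covering both credential kinds."""
    service_principal: str
    kind: str            # "OAuth2 Client Secret" or "Certificate Key"
    name: str            # Credential Name (not unique; a certificate key carries its file name)
    credential_id: str   # Client Secret ID / Certificate Key ID (unique, generated by Entra)
    starts: datetime     # Client Secret Starts / Certificate Key Starts
    expires: datetime    # Client Secret Expires / Certificate Key Expires


def _t(days: int) -> datetime:
    """Offset from the report time, in days (helper for the constructed rows)."""
    return REPORT_GENERATED_AT + timedelta(days=days)


# Constructed sample rows. Service principal names, credential names and IDs are made up.
SAMPLE = [
    Credential("sp-azure-poc", "OAuth2 Client Secret", "client-secret-4",
               "00000000-0000-4000-8000-000000000001", _t(-358), _t(7)),
    Credential("sp-azure-poc", "Certificate Key", "this is my cert.pem",
               "00000000-0000-4000-8000-000000000002", _t(-353), _t(12)),
    Credential("sp-azure-poc", "OAuth2 Client Secret", "client-secret-5",
               "00000000-0000-4000-8000-000000000003", _t(-2), _t(363)),
    Credential("sp-billing-export", "OAuth2 Client Secret", "primary",
               "00000000-0000-4000-8000-000000000004", _t(-368), _t(-3)),
    Credential("sp-billing-export", "OAuth2 Client Secret", "rotated-2024",
               "00000000-0000-4000-8000-000000000005", _t(-5), _t(200)),
    Credential("sp-ci-deploy", "Certificate Key", "deploy-cert",
               "00000000-0000-4000-8000-000000000006", _t(-275), _t(90)),
]


def expires_in_days(cred: Credential, as_of: datetime = REPORT_GENERATED_AT) -> int:
    """Recompute the "Expires In (Days)" column.

    Rounded up, so a credential with a few hours left still shows 1 and the
    value is <= 0 exactly when the credential has expired, as the worksheet documents.
    """
    return math.ceil((cred.expires - as_of).total_seconds() / 86400)


def expiring_within(creds, days: int = 14, as_of: datetime = REPORT_GENERATED_AT):
    """Equivalent of filtering "Expires In (Days)" <= days on the worksheet.

    Already-expired credentials (<= 0) are included: they still need to be deleted.
    Results are sorted so the most urgent rows come first.
    """
    hits = [c for c in creds if expires_in_days(c, as_of) <= days]
    return sorted(hits, key=lambda c: expires_in_days(c, as_of))


def is_active(cred: Credential, as_of: datetime = REPORT_GENERATED_AT) -> bool:
    """A credential is usable from Starts (inclusive) until Expires (exclusive)."""
    return cred.starts <= as_of < cred.expires


def principals_with_multiple_active(creds, as_of: datetime = REPORT_GENERATED_AT):
    """Review question: which principals hold more than one active credential?

    Returns {service principal: active credential count} for counts above one.
    """
    counts = Counter(c.service_principal for c in creds if is_active(c, as_of))
    return {sp: n for sp, n in counts.items() if n > 1}


if __name__ == "__main__":
    print("Credentials expiring within 14 days (or already expired):")
    for c in expiring_within(SAMPLE, 14):
        print(f"  {c.service_principal:18} {c.kind:21} {c.name!r:22} "
              f"expires in {expires_in_days(c):>3} days")
    print("Principals with more than one active credential:")
    for sp, n in principals_with_multiple_active(SAMPLE).items():
        print(f"  {sp}: {n}")
```

Run it directly to print both lists. In a real review, build the Credential list from the exported Credentials worksheet (for example saved as CSV) instead of SAMPLE, and set REPORT_GENERATED_AT to the report's generation time so the recomputed days agree with the worksheet's Expires In (Days) column. Note that an expired secret has zero or negative days left and is still listed by the 14-day filter, which is the behaviour you want: an expired credential that is never deleted keeps cluttering the review.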

Summary

Once you have completed this kata, you should be able to review Entra service principal credentials and identify:

  • All long-lived service principal credentials in the tenant
  • OAuth2 client secrets and certificate keys that should be rotated

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.