The maximum expiration time of client secret in azure ad application registration is modified to 2 years
2022-07-04 04:00:00 【Justin-Liu】
When our application is used as a confidential client, credentials are an important part of the application registration. We can add certificates and/or client secrets (strings, also known as passwordCredentials) as the credentials of an application registered as a confidential client. An OAuth client authenticates to the authorization server with its application credentials; the secret is known only to the OAuth client and the authorization server.
Why was the never-expire option for secrets removed?
In fact, Microsoft already removed the Never Expire option from Azure AD application registration in April 2021. The decision was based mainly on the following reasons:
- Long-lived client secrets are a security risk. They offer the convenience of a credential that never expires, but such unmonitored credentials can be exposed without anyone noticing and then abused by malicious actors.
- Choosing a client secret that never expires actually created a secret valid for 99 years from the date of creation. It gave the impression of an unlimited lifetime, but the validity period was set to 99 years.
- The user experience for client secrets was also inconsistent, because the Expires column in the list showed the Never label.
- Mixed representations led to a mismatch between the API response and the UI: data returned through the API carried a real expiration date for the client secret, expressed as a date value 99 years out.
- Multiple applications often share the same long-lived secret; if that client secret is compromised, every application using it is at risk. Unless they monitor actively, developers may never realize that another application in their tenant was breached, because their own application never stops working.
- Microsoft strongly recommends rotating all client secrets every six months to keep applications and processes secure. There are far too many cases of secrets being kept in insecure storage locations.

Why do existing permanent secrets no longer show Never as the expiration date?
For existing long-lived secrets, the UI now shows the exact expiration date (format: MM/DD/YYYY) instead of Never, to increase transparency. Although the portal offered a Never option, secrets created with it were given a 99-year term from the date of creation. A client secret previously created with the value Never is therefore set to expire 99 years after its creation date, and the UI now shows that exact date (for example 2119/01/02) rather than the keyword Never. This also keeps the UI consistent with the data returned by Microsoft Graph for the application. Until the expected expiration date, however, this does not affect the use of these client secrets. As a best practice, Microsoft strongly recommends that customers avoid using client secrets with distant expiration timestamps in production environments.
What does Microsoft recommend for client secrets?
Microsoft strongly recommends using an x509 certificate issued by a trusted certificate authority as the only credential type your application uses to obtain tokens. Monitor your production pipeline to ensure that no credentials of any type are committed to the code repository. If you are using Azure, Microsoft strongly recommends using managed identity (Managed Identity), so that the application's credentials are managed automatically. For details, see the managed identity documentation.
If you must use a client secret, Microsoft recommends setting the secret expiration to 6 months. When working with application credentials, also consider these other recommendations. Microsoft also provides Credential Scanner, a static analysis tool you can use to detect credentials (and other sensitive content) in source code and build output.
The plan for client secrets is to make the API consistent with the portal experience, that is, to allow a maximum lifetime of two years. Microsoft will announce these changes through channels such as Azure AD breaking changes and the Azure monthly roadmap. For now, if you want a longer-lived secret, you can use the Microsoft Graph API or a PowerShell cmdlet to set a secret valid for more than two years. This option will be removed later to better protect all applications in Azure AD; at that point, all new secrets will be limited to a maximum lifetime of two years.
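The two points above (a 6-month recommended lifetime, and a two-year maximum that the Graph API and PowerShell can currently exceed) are easy to enforce in a script. The following is an added example, not code from the original post or from Microsoft: it builds the request body for the Microsoft Graph addPassword action with a 6-month validity window, and audits a constructed passwordCredentials list (shaped like the Graph application object) for secrets whose lifetime exceeds two years, that are about to expire, or that have already expired. No Graph call is made; the helper names and the sample application are assumptions.

```python
"""Client-secret lifetime checks for Azure AD app registrations.

Added example (not from the original post). Runs offline on a constructed
passwordCredentials list; the function names are assumptions.
"""
from datetime import datetime, timedelta, timezone

MAX_ALLOWED_LIFETIME = timedelta(days=2 * 365)   # portal maximum: two years
RECOMMENDED_LIFETIME = timedelta(days=182)        # Microsoft's recommendation: about six months
EXPIRY_WARNING_WINDOW = timedelta(days=30)        # rotate before the secret lapses


def _to_graph_time(dt):
    """Format a datetime the way Graph emits it, e.g. 2022-07-04T00:00:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _from_graph_time(text):
    """Parse a Graph timestamp; older Pythons reject the trailing 'Z'."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def build_add_password_body(display_name, now, lifetime=RECOMMENDED_LIFETIME):
    """Body for POST /applications/{id}/addPassword.

    Graph generates the secret value itself; the caller supplies only the
    display name and the validity window. Refuse anything beyond two years so
    the script cannot recreate the old 99-year 'Never' behaviour.
    """
    if lifetime > MAX_ALLOWED_LIFETIME:
        raise ValueError("client secret lifetime must not exceed two years")
    return {
        "passwordCredential": {
            "displayName": display_name,
            "startDateTime": _to_graph_time(now),
            "endDateTime": _to_graph_time(now + lifetime),
        }
    }


def audit_password_credentials(app_display_name, password_credentials, now):
    """Return (label, finding) pairs for secrets that need attention."""
    findings = []
    for cred in password_credentials:
        start = _from_graph_time(cred["startDateTime"])
        end = _from_graph_time(cred["endDateTime"])
        label = f'{app_display_name}/{cred.get("displayName") or cred["keyId"]}'
        if end - start > MAX_ALLOWED_LIFETIME:
            findings.append((label, "lifetime exceeds two years; replace with a short-lived secret"))
        if end <= now:
            findings.append((label, "already expired; remove the stale credential"))
        elif end - now <= EXPIRY_WARNING_WINDOW:
            findings.append((label, f"expires in {(end - now).days} days; rotate now"))
    return findings


# Constructed sample: one app registration with four secrets, evaluated at a
# fixed 'now' so the result is deterministic. keyId values are placeholders.
NOW = datetime(2022, 7, 4, tzinfo=timezone.utc)
SAMPLE_APP = {
    "displayName": "contoso-api",
    "passwordCredentials": [
        {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "legacy-never",
         "startDateTime": "2020-01-02T00:00:00Z", "endDateTime": "2119-01-02T00:00:00Z"},
        {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "rotated-2022-06",
         "startDateTime": "2022-06-04T00:00:00Z", "endDateTime": "2022-12-03T00:00:00Z"},
        {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": "rotated-2022-01",
         "startDateTime": "2022-01-15T00:00:00Z", "endDateTime": "2022-07-14T00:00:00Z"},
        {"keyId": "00000000-0000-0000-0000-000000000004", "displayName": "old-2021",
         "startDateTime": "2021-01-01T00:00:00Z", "endDateTime": "2021-07-01T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    for label, finding in audit_password_credentials(
            SAMPLE_APP["displayName"], SAMPLE_APP["passwordCredentials"], NOW):
        print(f"{label}: {finding}")
    print(build_add_password_body("rotated-2022-07", NOW))
```

Against a real tenant the same audit function can be fed the passwordCredentials array from GET /applications (or from Get-AzureADApplicationPasswordCredential) for each registration; the 99-year lifetime of a secret that used to show Never is what the first check catches.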
Resources
- application: addPassword – Microsoft Graph beta | Microsoft Docs
- New-AzureADApplicationPasswordCredential (AzureAD) | Microsoft Docs