Azure Service principal

Glenn Maxwell 13,721 Reputation points
2026-05-02T07:36:50.6866667+00:00

Hi All,

I have been given a few service principals and was informed that they are using password credentials (client secrets). To review them, I logged in to Microsoft Graph Explorer and ran the following request:

GET https://graph.microsoft.com/v1.0/servicePrincipals/9f2c7a41-3d5e-4b71-a8f4-2d91e6c5b123

(Where 9f2c7a41-3d5e-4b71-a8f4-2d91e6c5b123 is the Service Principal Object ID.)

In the output, I can see the passwordCredentials section with multiple entries containing:

  • Display names
  • Start and end dates
  • Key IDs

  "passwordCredentials": [
    {
      "displayName": "AppSecret01",
      "endDateTime": "2027-07-16T00:18:40Z",
      "keyId": "b1d4c2f8-6e39-4c12-a7a2-5f83d2e4c901"
    },
    {
      "displayName": "AppSecret02",
      "endDateTime": "2026-07-16T00:10:08Z",
      "keyId": "d4f7a921-8b55-4c7f-b1e6-2a90cd14ef77"
    },
    {
      "displayName": null,
      "endDateTime": "2020-06-10T17:16:52Z",
      "keyId": "7a52d910-c8b4-4d77-93ef-1bc90a65de34"
    }
  ]

  1. Does the presence of passwordCredentials confirm that this service principal is authenticating with client secrets? Is there a security concern with this, as I don't see the client secret in text format?
  2. Is there any concern with seeing multiple secrets listed, including one expired secret?
  3. If I remove one of these secrets, could it impact any applications currently using it?
  4. Is the correct method to remove a secret:

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/removePassword

With request body:

{
"keyId": "b1d4c2f8-6e39-4c12-a7a2-5f83d2e4c901"
}
  5. If three keyId values are listed, do I need to run the removePassword request separately for each key I want to delete?
  6. Are any special request headers required in Microsoft Graph Explorer, or are default headers sufficient?

1 answer

Q&A Assist
2026-05-02T07:37:05.51+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.
    1. The presence of passwordCredentials on a service principal confirms that password-based credentials (client secrets) are configured for that service principal. The actual secret values are never exposed via Microsoft Graph; only metadata such as displayName, keyId, and validity period is returned. The security concern is not that the secret is visible in clear text (it is not), but that any valid, unexpired client secret can be used to authenticate as this service principal wherever it is configured (code, scripts, pipelines, etc.).
    2. Multiple entries in passwordCredentials are normal. Common reasons:
      • Credential rollover (old and new secrets co-exist for a period).
      • Different apps/scripts using different secrets.
      Expired secrets remaining in the list are not an immediate security risk because they can no longer be used to authenticate. However, leaving unused or expired credentials in place is not recommended; Entra recommendations explicitly advise removing unused credentials from apps and service principals.
    3. Removing a secret will immediately break any application, script, or automation that still uses that specific client secret. Before removing a credential:
      • Identify where that keyId/secret is used.
      • Add and deploy a replacement credential (new secret or certificate) to all dependent workloads.
      • After confirming they work with the new credential, remove the old one.
    4. Yes, the documented method to remove a password credential from a service principal is:
         POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/removePassword
      
      with a body containing the keyId of the password credential to remove, for example:
         {
           "keyId": "b1d4c2f8-6e39-4c12-a7a2-5f83d2e4c901"
         }
      
      The API supports addressing the service principal by id or by appId.
    5. Yes. removePassword removes a single password credential per call. If three keyId values are listed and all three should be deleted, call removePassword once for each keyId to be removed.
    6. In Graph Explorer, the key requirements are:
      • HTTP method: POST.
      • URL: /v1.0/servicePrincipals/{id}/removePassword (or by appId).
      • Headers:
        • Authorization: Bearer {token} – Graph Explorer sets this automatically after sign-in.
        • Content-Type: application/json.
      The calling identity must have one of the required permissions, such as Application.ReadWrite.All, Directory.ReadWrite.All, or Application.ReadWrite.OwnedBy, and an appropriate Entra role (for example, Application Administrator, Cloud Application Administrator, or owner of the application). No additional custom headers are required beyond standard Graph auth and content-type headers.

    For better security, consider migrating from client secrets to certificate-based authentication and storing credentials in Azure Key Vault.

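As an added example (not part of the question or the Q&A Assist answer), the triage-then-remove procedure the answer describes, in Python: it classifies each passwordCredentials entry relative to a chosen "now", and builds one removePassword request per keyId, but only for expired secrets, since a live secret must first be replaced and verified in every dependent workload. It works offline against a constructed copy of the JSON shown in the question; the bearer token is a placeholder and the requests are not sent.

```python
import json
from datetime import datetime, timedelta
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample: the object id and passwordCredentials quoted in the question.
SAMPLE_SP = json.loads("""{
  "id": "9f2c7a41-3d5e-4b71-a8f4-2d91e6c5b123",
  "passwordCredentials": [
    {"displayName": "AppSecret01", "endDateTime": "2027-07-16T00:18:40Z",
     "keyId": "b1d4c2f8-6e39-4c12-a7a2-5f83d2e4c901"},
    {"displayName": "AppSecret02", "endDateTime": "2026-07-16T00:10:08Z",
     "keyId": "d4f7a921-8b55-4c7f-b1e6-2a90cd14ef77"},
    {"displayName": null, "endDateTime": "2020-06-10T17:16:52Z",
     "keyId": "7a52d910-c8b4-4d77-93ef-1bc90a65de34"}
  ]
}""")

def parse_graph_time(value):
    # Graph returns ISO 8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

# The time the question was posted, used as "now" for the sample data.
QUESTION_TIME = parse_graph_time("2026-05-02T07:36:50Z")

def triage_credentials(sp, now, expiring_within=timedelta(days=90)):
    """Map each keyId to 'expired', 'expiring' or 'valid' relative to now."""
    states = {}
    for cred in sp.get("passwordCredentials", []):
        end = parse_graph_time(cred["endDateTime"])
        if end <= now:
            states[cred["keyId"]] = "expired"
        elif end - now <= expiring_within:
            states[cred["keyId"]] = "expiring"   # plan a rollover soon
        else:
            states[cred["keyId"]] = "valid"
    return states

def build_remove_password_request(sp_id, key_id, token):
    """One removePassword call per keyId, exactly as the answer describes."""
    return {
        "method": "POST",
        "url": f"{GRAPH}/servicePrincipals/{sp_id}/removePassword",
        "headers": {"Authorization": f"Bearer {token}",
                    "Content-Type": "application/json"},
        "body": json.dumps({"keyId": key_id}),
    }

def plan_cleanup(sp, now, token):
    """Requests for expired secrets only; live ones need replace + verify first."""
    return [build_remove_password_request(sp["id"], k, token)
            for k, s in triage_credentials(sp, now).items() if s == "expired"]
```

Run the planned requests with any HTTP client after confirming the list; the "expiring" entries are the ones to schedule a rollover for before they lapse.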
