# Remove Service Principal Secret
Go to Automation: (Add Job Template URL here)
## Description
Removes (revokes) a client secret from an Entra ID Application / Service Principal by specifying its SecretID (Key ID). Useful for credential rotation workflows where an old secret must be explicitly deleted.
## Credentials

Retrieved from PasswordState depending on tenant:

- Production: `Sys_Azure_AppRegs_PR`
- Onderwijs: `Sys_Azure_OND_Admin`
## Inputs

| Variable | Description |
|---|---|
| `AppDisplayName` | Display name of the App Registration (used to resolve the AppId). |
| `AppID` | Explicit AppId (optional; the play still resolves the application by display name first). |
| `SecretID` | The key/secret identifier (GUID) to remove. |
| `SecretType` | Informational; not directly used in the removal logic (expected `Secret`). |
| `onderwijs` | `yes` to switch to the onderwijs tenant/subscription. |
| `task` | External task reference (not used directly). |
## Operation Flow

- Switches tenant/subscription if `onderwijs == 'yes'`.
- Retrieves operational credentials from PasswordState.
- Looks up the App Registration by `AppDisplayName`.
- Resolves the Service Principal.
- Executes `azure_rm_adpassword` with `state: absent` using `key_id: SecretID`.
## Outputs

| Output | Description |
|---|---|
| `remove_sp_secret` | Result dict from the removal module (`changed` flag, etc.). |
## Preconditions

- `SecretID` must be valid for the application; otherwise the module returns a failure.
- Provide a non-empty `AppID` and `SecretID` for the final removal task to run (the current condition checks that both are defined and non-empty).
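The operation flow and preconditions above, as an added example play that is not this job's own playbook. It assumes a current `azure.azcollection` release (parameter names `app_display_name`, `app_id`, `key_id`, `state`), that Azure authentication is already supplied through the environment (the PasswordState retrieval and tenant-switch steps are omitted), and uses constructed example values.

```yaml
# Added example, not the job's own play. Credentials are assumed to come from
# the environment (AZURE_CLIENT_ID / AZURE_SECRET / AZURE_TENANT etc.).
- name: Remove a Service Principal client secret by key id
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed example inputs; AppID left empty to exercise display-name resolution.
    AppDisplayName: "Sys_Azure_MyBusinessAPI_PR"
    AppID: ""
    SecretID: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  tasks:
    - name: Look up the App Registration by display name
      azure.azcollection.azure_rm_adapplication_info:
        app_display_name: "{{ AppDisplayName }}"
      register: app_info

    # Display names are not unique; refusing to continue on 0 or >1 matches
    # prevents revoking a secret on the wrong application.
    - name: Require exactly one matching application
      ansible.builtin.assert:
        that:
          - app_info.applications | length == 1
        fail_msg: "Expected one application named {{ AppDisplayName }}, found {{ app_info.applications | length }}"

    - name: Resolve the AppId (lookup result first, explicit AppID input as fallback)
      ansible.builtin.set_fact:
        resolved_app_id: "{{ app_info.applications[0].app_id if app_info.applications | length > 0 else AppID }}"

    - name: Confirm the Service Principal exists for this AppId
      azure.azcollection.azure_rm_adserviceprincipal_info:
        app_id: "{{ resolved_app_id }}"
      register: sp_info
      failed_when: sp_info.service_principals | length == 0

    # Mirrors the documented precondition: both values must be defined and non-empty.
    - name: Revoke the secret identified by key id
      azure.azcollection.azure_rm_adpassword:
        app_id: "{{ resolved_app_id }}"
        key_id: "{{ SecretID }}"
        state: absent
      register: remove_sp_secret
      when:
        - resolved_app_id is defined and resolved_app_id | length > 0
        - SecretID is defined and SecretID | length > 0

    - name: Show the removal result (the changed flag, etc.)
      ansible.builtin.debug:
        var: remove_sp_secret
```

If `SecretID` does not belong to the application the removal module fails, as the preconditions state, so the play stops there rather than reporting a no-op.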
## Dependencies / Modules

| Component | Purpose |
|---|---|
| `azure.azcollection.azure_rm_adapplication_info` | Resolve the application. |
| `azure.azcollection.azure_rm_adserviceprincipal_info` | Validate SP existence. |
| `azure.azcollection.azure_rm_adpassword` | Remove the credential. |
| `d09.passwordstate.passwordstate_password_fact` | Retrieve credentials. |
## Example Invocation

```yaml
AppDisplayName: Sys_Azure_MyBusinessAPI_PR
AppID: 11111111-2222-3333-4444-555555555555
SecretID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
onderwijs: 'no'
```
## Notes
- The play currently does not update or remove PasswordState entries referencing the deleted secret; consider a follow-up cleanup procedure if needed.
- Confirm secret GUID via Azure Portal, Graph, or prior module output before removal.