microsoftgraph · linkhp · May 6, 2025 · Jun 23, 2025 · Jun 23, 2025 · Jun 23, 2025
@@ -0,0 +1,31 @@
+# Remove all password and certificate credentials on a service principal
+
+> **Note**: Minimum Bicep version required to deploy this quickstart template is [v0.32.4](https://github.com/Azure/bicep/releases/tag/v0.32.4).
+
+This Bicep template enables Infrastructure-as-Code (IaC) removal of Microsoft Entra ID service principal credentials (certificates and passwords) in alignment with secure automation practices.
+
+## Scenario: Why Remove Credentials?
+There are several reasons to remove credentials from a service principal.
+- Credential Rotation: As part of regular security hygiene, credentials should be rotated. Removing the old credential ensures it cannot be reused.
+- Decommissioning or Role Change: If a service principal is no longer in use or its role has changed, removing unused credentials reduces the attack surface.
+- Security Incident Response: If a credential is suspected to be compromised, it should be removed immediately to prevent unauthorized access.
+
+## What Happens When You Remove a Credential?
+Removing a credential deletes the associated authentication method from the service principal object in Microsoft Entra ID. This renders the credential unusable for future authentication attempts. If no credentials remain, the service principal will be unable to authenticate until a new one is provisioned.
+
+## Recommended Authentication Alternatives
+- Certificates stored in Azure Key Vault: Use Key Vault references in deployment pipelines to inject certificates securely.
+- Managed Identity (MSI): For services running in Azure, MSI provides a secure, secretless authentication.
+- Federated Identity Credentials (FIC): Enables secure, passwordless authentication for CI/CD systems.
+
+## Best Practices
+- Avoid hardcoding secrets or certificates in templates.
+- Use Key Vault references in automation pipelines to inject secrets securely.
+- Ensure at least one valid credential remains before removing others to avoid service disruption.
+
+## How to Deploy
+You can deploy the template with the following Azure CLI command (replace `<resource-group>` and `<app-id-of-service-principal>` with the necessary values for your deployment):
+
+```sh
+az deployment group create --resource-group <resource-group> --template-file main.bicep --parameters applicationId=<app-id-of-service-principal>
+```
@@ -0,0 +1,9 @@
+{
+    "experimentalFeaturesEnabled": {
+        "extensibility": true
+    },
+    // specify an alias for the version of the v1.0 dynamic types package you want to use
+    "extensions": {
+      "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.2.0-preview"
+    }
+}
@@ -0,0 +1,10 @@
+extension microsoftGraphV1
+
+@description('Application Id of the service principal')
+param applicationId string
+
+resource removeSPCreds 'Microsoft.Graph/servicePrincipals@v1.0' = {
+  appId: applicationId
+  keyCredentials: []
+  passwordCredentials: []
+}
@@ -0,0 +1,12 @@
+{
+    "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
+    "type": "QuickStart",
+    "itemDisplayName": "Remove all password and certificate credentials on a service principal",
+    "description": "This template removes all credentials (password and certificates) on a service principal",
+    "summary": "This template removes all credentials (password and certificates) on a service principal",
+    "githubUsername": "linkhp",
+    "docOwner": "dkershaw10",
+    "dateUpdated": "2025-05-06",
+    "validationType": "Manual",
+    "languages": ["bicep"]
+  }