From db9d151fd4b24a720b4a13260207e775c788eeb1 Mon Sep 17 00:00:00 2001 From: linkhp <15203472+linkhp@users.noreply.github.com> Date: Tue, 6 May 2025 13:51:34 -0700 Subject: [PATCH 1/4] Added bicepconfig, main, metadata, and README --- .../remove-serviceprincipal-credentials/README.md | 11 +++++++++++ .../bicepconfig.json | 9 +++++++++ .../remove-serviceprincipal-credentials/main.bicep | 10 ++++++++++ .../metadata.json | 12 ++++++++++++ 4 files changed, 42 insertions(+) create mode 100644 quickstart-templates/remove-serviceprincipal-credentials/README.md create mode 100644 quickstart-templates/remove-serviceprincipal-credentials/bicepconfig.json create mode 100644 quickstart-templates/remove-serviceprincipal-credentials/main.bicep create mode 100644 quickstart-templates/remove-serviceprincipal-credentials/metadata.json diff --git a/quickstart-templates/remove-serviceprincipal-credentials/README.md b/quickstart-templates/remove-serviceprincipal-credentials/README.md new file mode 100644 index 0000000..29d9f53 --- /dev/null +++ b/quickstart-templates/remove-serviceprincipal-credentials/README.md @@ -0,0 +1,11 @@ +# Remove key and certificate credentials on a service principal + +> **Note**: Minimum Bicep version required to deploy this quickstart template is [v0.32.4](https://github.com/Azure/bicep/releases/tag/v0.32.4). + +This template allows you to remove credentials on a service principal. + +You can deploy the template with the following Azure CLI command (replace `` and `` with the necessary values for your deployment): + +```sh +az deployment group create --resource-group --template-file main.bicep --parameters applicationId= +``` diff --git a/quickstart-templates/remove-serviceprincipal-credentials/bicepconfig.json b/quickstart-templates/remove-serviceprincipal-credentials/bicepconfig.json new file mode 100644 index 0000000..36370e0 --- /dev/null +++ b/quickstart-templates/remove-serviceprincipal-credentials/bicepconfig.json 
@@ -0,0 +1,9 @@
+{
+ "experimentalFeaturesEnabled": {
+ "extensibility": true
+ },
+ // specify an alias for the version of the v1.0 dynamic types package you want to use
+ "extensions": {
+ "microsoftGraphV1": "br:mcr.microsoft.com/bicep/extensions/microsoftgraph/v1.0:0.2.0-preview"
+ }
+}
\ No newline at end of file
diff --git a/quickstart-templates/remove-serviceprincipal-credentials/main.bicep b/quickstart-templates/remove-serviceprincipal-credentials/main.bicep
new file mode 100644
index 0000000..b77c928
--- /dev/null
+++ b/quickstart-templates/remove-serviceprincipal-credentials/main.bicep
@@ -0,0 +1,10 @@
+extension microsoftGraphV1
+
+@description('Application Id of the service principal')
+param applicationId string
+
+resource removeSPCreds 'Microsoft.Graph/servicePrincipals@v1.0' = {
+ appId: applicationId
+ keyCredentials: []
+ passwordCredentials: []
+}
diff --git a/quickstart-templates/remove-serviceprincipal-credentials/metadata.json b/quickstart-templates/remove-serviceprincipal-credentials/metadata.json
new file mode 100644
index 0000000..acbbc57
--- /dev/null
+++ b/quickstart-templates/remove-serviceprincipal-credentials/metadata.json
@@ -0,0 +1,12 @@
+{
+ "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#",
+ "type": "QuickStart",
+ "itemDisplayName": "Remove key and certificate credentials on a service principal",
+ "description": "This template removes credentials (password and certificates) on a service principal",
+ "summary": "This template removes credentials (password and certificates) on a service principal",
+ "githubUsername": "linkhp",
+ "docOwner": "dkershaw10",
+ "dateUpdated": "2025-05-06",
+ "validationType": "Manual",
+ "languages": ["bicep"]
+ }
\ No newline at end of file
From 799326d3656670cb86da4efe7d7cb53f4abecbc4 Mon Sep 17 00:00:00 2001
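Review bot: `param applicationId string` in main.bicep accepts any string, and the `removeSPCreds` resource then unconditionally sets `keyCredentials: []` and `passwordCredentials: []` on whatever principal that value resolves to, so an empty or mistyped value is not rejected by the template itself before a destructive write; constrain it with `@minLength(36)` and `@maxLength(36)` directly above the `param` line and reword the description so it is unambiguous that this is the application's appId (client ID), not the service principal object ID, e.g. `@description('appId (client ID) of the application whose service principal will have ALL key and password credentials removed')`. Graph extension resources in Bicep are declared with create-or-update semantics as far as I understand, so it is worth confirming what happens when no service principal with that appId exists in the tenant — if the extension creates one instead of failing, a typo silently leaves the intended credentials in place while the deployment reports success — and stating that outcome in the README next to the deploy command. Note also that the "ensure at least one valid credential remains" guidance added later in this series cannot be satisfied by this resource as written, since it always clears both arrays; the README should say the template is an all-or-nothing revocation intended for decommissioning or incident response.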
From: linkhp <15203472+linkhp@users.noreply.github.com> Date: Sun, 22 Jun 2025 17:22:53 -0700 Subject: [PATCH 2/4] Commit dkershaw10's suggested changes Co-authored-by: Dan Kershaw [MSFT] --- .../remove-serviceprincipal-credentials/metadata.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/quickstart-templates/remove-serviceprincipal-credentials/metadata.json b/quickstart-templates/remove-serviceprincipal-credentials/metadata.json index acbbc57..8e13ca1 100644 --- a/quickstart-templates/remove-serviceprincipal-credentials/metadata.json +++ b/quickstart-templates/remove-serviceprincipal-credentials/metadata.json @@ -1,9 +1,9 @@ { "$schema": "https://aka.ms/azure-quickstart-templates-metadata-schema#", "type": "QuickStart", - "itemDisplayName": "Remove key and certificate credentials on a service principal", - "description": "This template removes credentials (password and certificates) on a service principal", - "summary": "This template removes credentials (password and certificates) on a service principal", + "itemDisplayName": "Remove all password and certificate credentials on a service principal", + "description": "This template removes all credentials (password and certificates) on a service principal", + "summary": "This template removes all credentials (password and certificates) on a service principal", "githubUsername": "linkhp", "docOwner": "dkershaw10", "dateUpdated": "2025-05-06", From f903dce55444580a80c942e9a883580a071815eb Mon Sep 17 00:00:00 2001 From: linkhp <15203472+linkhp@users.noreply.github.com> Date: Sun, 22 Jun 2025 17:35:36 -0700 Subject: [PATCH 3/4] updated readme based on comments --- .../README.md | 27 +++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/quickstart-templates/remove-serviceprincipal-credentials/README.md b/quickstart-templates/remove-serviceprincipal-credentials/README.md index 29d9f53..cbe8f57 100644 
--- a/quickstart-templates/remove-serviceprincipal-credentials/README.md +++ b/quickstart-templates/remove-serviceprincipal-credentials/README.md 
@@ -1,9 +1,32 @@ -# Remove key and certificate credentials on a service principal +# Remove all password and certificate credentials on a service principal > **Note**: Minimum Bicep version required to deploy this quickstart template is [v0.32.4](https://github.com/Azure/bicep/releases/tag/v0.32.4). -This template allows you to remove credentials on a service principal. +This Bicep template enables Infrastructure-as-Code (IaC) removal of Microsoft Entra ID service principal credentials (certificates and passwords) in alignment with secure automation practices. +## Scenario: Removing Credentials from a Service Principal +There are several reasons you might want to remove credentials from a service principal. +- Credential Rotation: As part of regular security hygiene, credentials (certificates or secrets) should be rotated. Removing the old credential ensures it cannot be reused. +- Decommissioning or Role Change: If a service principal is no longer in use or its role has changed, removing unused credentials reduces the attack surface. +- Security Incident Response: If a credential is suspected to be compromised, it should be removed immediately to prevent unauthorized access. + +## What it Means to Remove a Credential +Removing a credential (certificate or password) from a service principal means deleting the associated authentication method from the service principal object in Microsoft Entra ID. This renders the credential unusable for future authentication attempts. + +## How Service Principals Authenticate +After removing credential(s) and if no credentials remain, it will be unable to authenticate until a new one is provisioned. + +**Recommended authentication methods include:** +- Certificates stored in Azure Key Vault: Use Key Vault references in deployment pipelines to inject certificates securely. +- Managed Identity (MSI): For services running in Azure, MSI provides a secure, secretless authentication mechanism. 
+- Federated Identity Credentials (FIC): FIC enables secure, passwordless authentication. + +## Best Practices +- Avoid hardcoding secrets or certificates in templates. +- Use Key Vault references in automation pipelines to inject secrets securely. +- Validate that at least one valid credential remains before removing others to avoid service disruption. + +## How to Deploy You can deploy the template with the following Azure CLI command (replace `` and `` with the necessary values for your deployment): ```sh From 16cbb81cb527e45010178645b1483d85b0721fa7 Mon Sep 17 00:00:00 2001 From: linkhp <15203472+linkhp@users.noreply.github.com> Date: Sun, 22 Jun 2025 17:40:15 -0700 Subject: [PATCH 4/4] refined readme --- .../README.md | 21 ++++++++----------- 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/quickstart-templates/remove-serviceprincipal-credentials/README.md b/quickstart-templates/remove-serviceprincipal-credentials/README.md index cbe8f57..890f130 100644 --- a/quickstart-templates/remove-serviceprincipal-credentials/README.md +++ b/quickstart-templates/remove-serviceprincipal-credentials/README.md 
@@ -4,27 +4,24 @@ This Bicep template enables Infrastructure-as-Code (IaC) removal of Microsoft Entra ID service principal credentials (certificates and passwords) in alignment with secure automation practices. -## Scenario: Removing Credentials from a Service Principal -There are several reasons you might want to remove credentials from a service principal. -- Credential Rotation: As part of regular security hygiene, credentials (certificates or secrets) should be rotated. Removing the old credential ensures it cannot be reused. +## Scenario: Why Remove Credentials? +There are several reasons to remove credentials from a service principal. +- Credential Rotation: As part of regular security hygiene, credentials should be rotated. Removing the old credential ensures it cannot be reused. - Decommissioning or Role Change: If a service principal is no longer in use or its role has changed, removing unused credentials reduces the attack surface. - Security Incident Response: If a credential is suspected to be compromised, it should be removed immediately to prevent unauthorized access. -## What it Means to Remove a Credential -Removing a credential (certificate or password) from a service principal means deleting the associated authentication method from the service principal object in Microsoft Entra ID. This renders the credential unusable for future authentication attempts. +## What Happens When You Remove a Credential? +Removing a credential deletes the associated authentication method from the service principal object in Microsoft Entra ID. This renders the credential unusable for future authentication attempts. If no credentials remain, the service principal will be unable to authenticate until a new one is provisioned. -## How Service Principals Authenticate -After removing credential(s) and if no credentials remain, it will be unable to authenticate until a new one is provisioned. 
- -**Recommended authentication methods include:** +## Recommended Authentication Alternatives - Certificates stored in Azure Key Vault: Use Key Vault references in deployment pipelines to inject certificates securely. -- Managed Identity (MSI): For services running in Azure, MSI provides a secure, secretless authentication mechanism. -- Federated Identity Credentials (FIC): FIC enables secure, passwordless authentication. +- Managed Identity (MSI): For services running in Azure, MSI provides a secure, secretless authentication. +- Federated Identity Credentials (FIC): Enables secure, passwordless authentication for CI/CD systems. ## Best Practices - Avoid hardcoding secrets or certificates in templates. - Use Key Vault references in automation pipelines to inject secrets securely. -- Validate that at least one valid credential remains before removing others to avoid service disruption. +- Ensure at least one valid credential remains before removing others to avoid service disruption. ## How to Deploy You can deploy the template with the following Azure CLI command (replace `` and `` with the necessary values for your deployment):