Azure Credential & Secret Detection
Azure credentials come in many formats: client secrets, storage account keys, SAS tokens, and connection strings. Because Azure is tied to the corporate identity plane (Microsoft Entra ID, formerly Azure AD), a leaked Azure credential often grants access to the directory itself rather than to a single service, enabling lateral movement across the entire organization.
Azure Credential Landscape
Azure uses multiple credential types: Entra ID (Azure AD) client secrets (app registration passwords), storage account access keys (88-character base64 strings ending in `==`), SAS tokens (URL query strings carrying `sv=` and `sig=` parameters), connection strings for Azure SQL, Cosmos DB, Service Bus, and Event Hubs, and managed identity tokens. Each requires its own detection pattern, and the same key material can appear either bare or embedded inside a connection string, so a scanner has to handle both forms without double-reporting.
Enterprise Impact
A leaked AWS or GCP key is bounded by the IAM policy attached to that key. A leaked Entra ID credential is bounded by the app registration's permissions, and those are frequently granted at tenant scope: user accounts, groups, applications, and cross-tenant relationships. An app registration holding the `Mail.Read` application permission (as opposed to the delegated permission, which covers only the signed-in user) can read every mailbox in the tenant with nothing but its client secret.
Precogs AI Azure Detection
Precogs AI detects Azure credentials in all formats: client secrets (40-character strings in the current Entra ID format), storage keys (88-character base64 ending in `==`), SAS tokens (`sv=` and `sig=` parameters), connection strings for all Azure services, managed identity endpoint calls, and certificate-based authentication credentials (PFX/PEM private keys) embedded in code and config files.
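The format-specific matching described above, as an added example that is not Precogs AI's own rule set: a small Python scanner whose regexes are reconstructed from the public credential formats and run over constructed sample `.env` lines. The storage key, Service Bus key and SAS signature lengths follow from the key sizes (64, 32 and 32 bytes respectively); the client secret pattern is an observed heuristic, since Microsoft does not document that format, and every credential in the sample is constructed. Connection-string patterns run first so that a key sitting inside one is reported once, not twice.

```python
"""Format-specific Azure credential scanner over constructed sample lines.
Added example: regexes reconstructed from public credential formats, not
Precogs AI's own rules; every credential below is constructed.
"""
import base64
import re
import urllib.parse
from dataclasses import dataclass

# Storage and Cosmos DB account keys: 64 random bytes -> 88 base64 chars ending "==".
FAKE_STORAGE_KEY = base64.b64encode(bytes(range(64))).decode()
# Service Bus / Event Hubs shared access keys: 32 bytes -> 44 base64 chars ending "=".
FAKE_SB_KEY = base64.b64encode(bytes(range(32))).decode()
# SAS "sig=": URL-encoded HMAC-SHA256 (44 base64 chars, so "=" becomes "%3D").
FAKE_SIG = urllib.parse.quote(base64.b64encode(bytes(range(32, 64))).decode(), safe="")
# Entra ID client secrets are undocumented, but current ones are 40 characters with a
# digit followed by "Q~" at offset 3; this one follows that shape and is constructed.
FAKE_CLIENT_SECRET = "abc8Q~Zx.Tq-uV_9kLpWs2nHf4yRt7MbDcE1gJ0a"

SAMPLE = "\n".join([
    "# constructed .env, not real credentials",
    "AZURE_TENANT_ID=11111111-2222-3333-4444-555555555555",
    "AZURE_CLIENT_ID=66666666-7777-8888-9999-000000000000",
    f"AZURE_CLIENT_SECRET={FAKE_CLIENT_SECRET}",
    f"STORAGE_CONN=DefaultEndpointsProtocol=https;AccountName=hrsync;AccountKey={FAKE_STORAGE_KEY};EndpointSuffix=core.windows.net",
    f"EXPORT_URL=https://hrsync.blob.core.windows.net/exports?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2030-01-01T00:00:00Z&spr=https&sig={FAKE_SIG}",
    f"SB_CONN=Endpoint=sb://hrsync.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey={FAKE_SB_KEY}",
    "SQL_CONN=Server=tcp:hrsync.database.windows.net,1433;Initial Catalog=hr;User ID=svc;Password=Winter2024!;Encrypt=True",
    f"COSMOS_KEY={FAKE_STORAGE_KEY}",
    "LOG_LEVEL=info",
])


def _has_sv(line: str) -> bool:
    """SAS tokens always carry the service version; require it alongside sig=."""
    return re.search(r"(?:^|[?&])sv=\d{4}-\d{2}-\d{2}", line) is not None


# Most specific first: a bare key that sits inside an already-matched connection
# string is suppressed so each secret is reported exactly once.
PATTERNS = [
    ("azure-storage-connection-string",
     re.compile(r"DefaultEndpointsProtocol=https?;AccountName=[\w-]+;AccountKey=[A-Za-z0-9+/]{86}=="), None),
    ("cosmos-db-connection-string",
     re.compile(r"AccountEndpoint=https://[\w.-]+\.documents\.azure\.com[^;]*;AccountKey=[A-Za-z0-9+/]{86}=="), None),
    ("service-bus-or-event-hubs-connection-string",
     re.compile(r"Endpoint=sb://[\w.-]+\.servicebus\.windows\.net/;SharedAccessKeyName=[^;]+;SharedAccessKey=[A-Za-z0-9+/]{43}="), None),
    ("azure-sql-connection-string",
     re.compile(r"Server=tcp:[\w.-]+\.database\.windows\.net[^;]*;.*?Password=[^;]+", re.IGNORECASE), None),
    ("azure-storage-sas-token",
     re.compile(r"(?:^|[?&])sig=[A-Za-z0-9%]{40,}"), _has_sv),
    ("azure-ad-client-secret",
     re.compile(r"(?<![A-Za-z0-9_~.])[A-Za-z0-9_~.]{3}\dQ~[A-Za-z0-9_~.\-]{31,34}(?![A-Za-z0-9_~.\-])"), None),
    ("azure-storage-or-cosmos-account-key",
     re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{86}==(?![A-Za-z0-9+/=])"), None),
]


@dataclass
class Finding:
    line: int
    kind: str
    preview: str  # redacted; the full secret never leaves scan_text


def _redact(secret: str) -> str:
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kept = []  # (start, end, kind) of matches accepted on this line
        for kind, pattern, extra in PATTERNS:
            if extra is not None and not extra(line):
                continue
            for m in pattern.finditer(line):
                if any(m.start() < end and start < m.end() for start, end, _ in kept):
                    continue  # overlaps a more specific match already kept
                kept.append((m.start(), m.end(), kind))
        for start, end, kind in sorted(kept):
            findings.append(Finding(lineno, kind, _redact(line[start:end])))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.preview}")
```

Run against the sample it reports six findings (lines 4 to 9) and nothing for the tenant ID, client ID or log level, which is the point: GUIDs are identifiers, not secrets, and a scanner that flags them trains people to ignore it. The client secret regex is the one rule here to treat as a heuristic; pair it with an entropy check for secrets that predate the current format.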
Attack Scenario: The Enterprise Graph Takeover
An enterprise creates an internal HR application that needs to sync employee calendars. They create an Azure app registration and grant it the `Calendars.ReadWrite` application permission, which, as an application (not delegated) permission, covers every mailbox in the tenant.
The backend API stores the client secret in a plaintext `.env` file.
A junior developer copies the `.env` file into the Docker image during the build (a `COPY .env .` in the Dockerfile) instead of injecting the variables at runtime.
The image is pushed to a public Docker Hub registry.
An attacker pulls the image, extracts the `.env` file from its layers, and retrieves the tenant ID, client ID, and client secret.
The attacker bypasses the application entirely and requests a Microsoft Graph token directly from `login.microsoftonline.com` using the OAuth 2.0 client credentials flow; no user, MFA prompt, or application code is in the path.
The attacker now has read and write access to the calendars, meetings, and meeting descriptions of every employee in the enterprise. The application's own logs never see it; the only trace is a service principal sign-in in the Entra ID sign-in logs.
Real-World Code Examples
Hardcoded Azure App Registration Secrets (CWE-798)
Entra ID (formerly Azure AD) relies heavily on app registrations and service principals for service-to-service authentication. These use a tenant ID, a client ID, and a client secret (effectively a password) to acquire OAuth tokens. Developers frequently hardcode the client secret directly into the codebase or `.env` files. Since app registrations often hold broad Microsoft Graph application permissions (such as reading all corporate mailboxes or SharePoint drives), a leaked secret is a direct path to enterprise-wide data exfiltration, and it works from any network unless Conditional Access for workload identities blocks it.
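The two sides of the problem in working code, as an added example that is not the page's or any vendor's code, covering both the attack scenario above and the CWE-798 pattern: the "before" half hardcodes a constructed client secret and builds the client-credentials request the attacker replays against `login.microsoftonline.com`; the "after" half obtains the same Graph token from a managed identity via the Azure Instance Metadata Service, so there is no secret to leak. The tenant ID, client ID and secret are constructed. The IMDS endpoint shown is the VM form; App Service and Functions expose the same flow through the `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` environment variables, which the Azure SDK's `DefaultAzureCredential` handles for you.

```python
"""CWE-798 before/after for the HR calendar-sync scenario. Added example, not the
page's or any vendor's code; tenant ID, client ID and secret are constructed.
"""
import json
import urllib.parse
import urllib.request

TENANT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
CLIENT_ID = "66666666-7777-8888-9999-000000000000"  # constructed

# ---- BEFORE (vulnerable): the secret lives in code or a COPY'd .env. -------------
# Whoever reads the file replays this request from anywhere; the app is never involved.
CLIENT_SECRET = "abc8Q~Zx.Tq-uV_9kLpWs2nHf4yRt7MbDcE1gJ0a"  # constructed, CWE-798

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all consented application permissions


def build_client_credentials_request(tenant_id: str, client_id: str, client_secret: str):
    """OAuth 2.0 client-credentials request: exactly what the attacker sends with the
    leaked .env. No user, MFA or application code sits in this path."""
    url = TOKEN_URL.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()
    return url, body


def token_from_leaked_secret() -> str:
    url, body = build_client_credentials_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


# ---- AFTER (hardened): managed identity, so no secret exists to leak. ------------
# The token comes from the Instance Metadata Service, which only answers from inside
# the VM the identity is assigned to; the Metadata header defeats SSRF-style relays.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_managed_identity_request(resource: str = "https://graph.microsoft.com/",
                                   user_assigned_client_id=None):
    params = {"api-version": "2018-02-01", "resource": resource}
    if user_assigned_client_id:  # omit for a system-assigned identity
        params["client_id"] = user_assigned_client_id
    return IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params), {"Metadata": "true"}


def token_from_managed_identity() -> str:
    url, headers = build_managed_identity_request()
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.load(resp)["access_token"]


def list_calendar_events(access_token: str, user_principal_name: str):
    """The Graph call is identical either way; only where the token came from differs."""
    url = (f"https://graph.microsoft.com/v1.0/users/{urllib.parse.quote(user_principal_name)}"
           "/events?$select=subject,start,end")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    # On an Azure VM with a managed identity this path needs no secret at all.
    token = token_from_managed_identity()
    print(len(list_calendar_events(token, "alice@example.com")), "events")
```

Note what the hardened half removes: there is no `client_secret` parameter anywhere, so a copied `.env` or a leaked image layer contains nothing that mints tokens. The attacker's only remaining route is code execution on the host itself, which is a far higher bar than reading a file.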
Detection & Prevention Checklist
- ✓ Move Azure-hosted workloads (App Services, VMs, Functions) to system-assigned or user-assigned managed identities, so there is no client secret to leak in the first place
- ✓ Scan repositories for the current Entra ID client secret format (Microsoft does not document it, but secrets issued today are 40 characters with a digit followed by `Q~` at offset 3, which open-source scanner rules key on), and keep an entropy-based fallback for secrets that predate it
- ✓ Enforce Conditional Access for workload identities (a licensed Entra feature) with location-based policies, so a service principal can obtain tokens only from known corporate egress IPs or the specific Azure resources that host it; a secret replayed from an attacker's network is then refused at token issuance. Allow-listing whole Azure datacenter ranges also admits anyone else with an Azure subscription, so prefer the egress addresses of the actual hosting resources
- ✓ Regularly review Entra ID app registrations for overly permissive Microsoft Graph application permissions (e.g. `Mail.Read` or `Files.ReadWrite.All` granted as application rather than delegated permissions), since application permissions are tenant-wide and need only the secret to exercise
- ✓ Set short lifetimes (e.g. 90 days maximum) on all manually generated client secrets, and enforce the cap tenant-wide with an Entra ID application management policy rather than relying on developers to pick the shorter option
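The two review items above (risky Graph application permissions and secret lifetimes), as an added example rather than anything from the page: an offline script that consumes the JSON produced by `az ad app list --all -o json` and flags registrations that request a risky Graph application permission (`type == "Role"`; delegated `Scope` entries are ignored because they are bounded by a signed-in user) or hold a client secret with more than a 90-day lifetime. Microsoft Graph's application ID is the real well-known value; the role GUIDs in `RISKY_GRAPH_APP_ROLES` and the sample registrations are constructed placeholders, and the comment says where the real role IDs come from.

```python
"""Offline review of Entra ID app registrations for tenant-wide Graph application
permissions and long-lived client secrets. Added example: it reads the JSON shape
of `az ad app list --all -o json`; the sample apps and the role GUIDs in
RISKY_GRAPH_APP_ROLES are constructed placeholders, not Microsoft's real IDs.
"""
import json
import sys
from datetime import datetime, timedelta

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's real, well-known appId

# Application permissions to flag. For a real tenant, fill this from
#   az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles
# (each appRole carries its real `id` and `value`); the GUIDs here are constructed.
RISKY_GRAPH_APP_ROLES = {
    "00000000-0000-0000-0000-00000000aa01": "Mail.Read",
    "00000000-0000-0000-0000-00000000aa02": "Files.ReadWrite.All",
    "00000000-0000-0000-0000-00000000aa03": "Calendars.ReadWrite",
}
MAX_SECRET_LIFETIME = timedelta(days=90)


def _parse_time(value: str) -> datetime:
    # az emits ISO 8601 ending in "Z" or "+00:00"; normalise for fromisoformat on Python < 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_app_registrations(apps):
    """Return (displayName, issue, detail) for each finding, in input order."""
    issues = []
    for app in apps:
        name = app["displayName"]
        for rra in app.get("requiredResourceAccess", []):
            if rra.get("resourceAppId") != GRAPH_APP_ID:
                continue
            for access in rra.get("resourceAccess", []):
                # "Scope" is delegated (bounded by the signed-in user); "Role" is an
                # application permission: tenant-wide and usable with just the client secret.
                if access.get("type") == "Role" and access.get("id") in RISKY_GRAPH_APP_ROLES:
                    issues.append((name, "risky-application-permission",
                                   RISKY_GRAPH_APP_ROLES[access["id"]]))
        for cred in app.get("passwordCredentials", []):
            lifetime = _parse_time(cred["endDateTime"]) - _parse_time(cred["startDateTime"])
            if lifetime > MAX_SECRET_LIFETIME:
                label = cred.get("displayName") or cred.get("keyId")
                issues.append((name, "long-lived-secret", f"{label}: {lifetime.days}-day lifetime"))
    return issues


# Constructed sample shaped like `az ad app list -o json` output.
SAMPLE_APPS = [
    {
        "displayName": "hr-calendar-sync",
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [
                {"id": "00000000-0000-0000-0000-00000000aa03", "type": "Role"},   # Calendars.ReadWrite (app)
                {"id": "00000000-0000-0000-0000-00000000bb01", "type": "Scope"},  # delegated, not flagged
            ],
        }],
        "passwordCredentials": [
            {"keyId": "k1", "displayName": "prod",
             "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
        ],
    },
    {
        "displayName": "intranet-sso",
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": "00000000-0000-0000-0000-00000000bb02", "type": "Scope"}],
        }],
        "passwordCredentials": [
            {"keyId": "k2", "displayName": "rotated",
             "startDateTime": "2025-01-01T00:00:00Z", "endDateTime": "2025-03-31T00:00:00Z"},
        ],
    },
]


if __name__ == "__main__":
    # Usage: az ad app list --all -o json | python review_apps.py   (no stdin: uses the sample)
    apps = SAMPLE_APPS if sys.stdin.isatty() else json.load(sys.stdin)
    for name, issue, detail in review_app_registrations(apps):
        print(f"{name}: {issue}: {detail}")
```

Permissions requested in `requiredResourceAccess` are not necessarily consented; treat a hit here as the list of registrations to check in the portal's API permissions blade for an admin grant, which is where the tenant-wide exposure actually materialises.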
How Precogs AI Protects You
Precogs AI detects all Azure credential types — AD client secrets, storage keys, SAS tokens, connection strings, and certificate credentials — across source code, configs, Docker, and CI/CD pipelines.
How do you detect Azure credentials in code?
Precogs AI detects Azure AD client secrets, storage account keys, SAS tokens, and connection strings across source code, config files, Docker images, and CI/CD pipelines using format-specific pattern matching.
Scan for Azure Credential and Secret Exposure
Precogs AI automatically detects exposed Azure credentials and secrets and generates AutoFix PRs.