# Creating an Azure Client Secret

Creating a **client secret** for your Azure App Registration is a key step when setting up an application to authenticate using **OAuth 2.0** or to communicate service-to-service. Here’s a step-by-step guide on how to **explicitly create a client secret** in Azure:

#### **Step-by-Step Guide to Create a Client Secret in Azure**

1. **Go to the Azure Portal**
   * Open the [Azure Portal](https://portal.azure.com/).
   * Sign in with your administrator or developer account.
2. **Navigate to Azure Active Directory**
   * In the left-hand menu, select **Azure Active Directory**.
3. **Select App Registrations**
   * Click on **App registrations** in the Azure Active Directory menu.
   * From the list, select the **app registration** for which you want to create a client secret.
   * Alternatively, if you haven’t created an app registration yet, click on **New registration** to create one. See also [Prerequisites](https://docs.alemba.com/asm/asm-hermes/setup-and-configure-asm/setting-up-your-system/setup-email/setting-up-incoming-and-outgoing-email/configuring-exchange-web-services-ews/prerequisites).
4. **Open the Certificates & Secrets Section**
   * On the left-hand menu of your selected app registration, click on **Certificates & secrets**.
5. **Create a New Client Secret**
   * Under the **Client secrets** section, click the **+ New client secret** button.
6. **Add a Description and Expiration Period**

   * **Description**: Provide a meaningful description for the client secret (e.g., `Service Client Secret` or `ASM EWS API Secret`).
   * **Expires**: Choose the expiration period for the secret:
     * **6 months**
     * **12 months**
     * **24 months**
     * **Never**

   Select an expiration period based on your security policies and the application’s requirements. Note that you’ll need to update the secret before it expires to ensure continuity of service.
7. **Click the Add Button**
   * After filling in the description and expiration period, click **Add** to create the client secret.
8. **Copy the Value of the Client Secret**
   * **Immediately after creation**, you’ll see the client secret listed in the **Value** column.
   * **Important**: **Copy the value** of the client secret **immediately**, as it will be hidden once you leave the page. This value will serve as your `client_secret` in your application code or configuration.
   * The copied secret value should look something like:

     ```
     kzklxypV3ExL~yz9kU3EXAMPLEjE6TQ30
     ```
9. **Store the Client Secret Securely**
   * Store the client secret securely, as you would with any sensitive information. Consider using a **Key Vault**, **secure environment variables**, or **configuration management tools** to keep the secret safe.
   * You will need this `client_secret` along with the **Application (client) ID** and **Tenant ID** to authenticate your app.

#### **Where Is the Client Secret Used?**

The `client_secret` is used in conjunction with the **Application (client) ID** and **Tenant ID** to obtain an **access token** from Azure AD for authenticating your application. It is typically used in scenarios like:

1. **Service-to-service authentication** for APIs.
2. **Daemon applications** that access APIs in the background.
3. **Authorization Code Flow** in web applications that need to authenticate with Azure AD.

#### **Managing and Rotating Client Secrets**

* **Regular Rotation**: For security, periodically rotate client secrets and update them in your application, so that a leaked credential stays usable for as short a time as possible.
* **Monitoring Expiration**: Keep track of the secret’s expiration date and ensure a new secret is created before the current one expires to avoid service interruptions.
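
To support the expiration monitoring described above, here is an added example (not part of the original guide or the product's own code) that classifies an app registration's client secrets by expiry. It assumes the metadata carries the `keyId`, `displayName`, `startDateTime` and `endDateTime` fields of Microsoft Graph `passwordCredentials` entries with UTC `Z` timestamps; the sample data, thresholds and function names are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Microsoft Graph passwordCredentials entries.
# Listing credentials returns metadata only, never the secret value.
SAMPLE_CREDENTIALS = json.loads("""[
  {"keyId": "00000000-0000-0000-0000-000000000001", "displayName": "ASM EWS API Secret",
   "startDateTime": "2024-12-10T00:00:00Z", "endDateTime": "2025-06-10T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000002", "displayName": "Service Client Secret",
   "startDateTime": "2024-05-01T00:00:00Z", "endDateTime": "2025-05-01T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000003", "displayName": null,
   "startDateTime": "2020-01-01T00:00:00Z", "endDateTime": "2299-12-31T00:00:00Z"},
  {"keyId": "00000000-0000-0000-0000-000000000004", "displayName": "rotated",
   "startDateTime": "2025-03-01T09:30:00.1234567Z", "endDateTime": "2025-09-01T09:30:00.1234567Z"}
]""")


def parse_utc(value):
    """Parse a UTC 'Z' timestamp; fractions longer than 6 digits are truncated."""
    base, _, frac = value.rstrip("Z").partition(".")
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return parsed.replace(microsecond=int(frac[:6].ljust(6, "0"))) if frac else parsed


def audit_secrets(credentials, now, warn_days=30, max_lifetime_days=731):
    """Return (label, status, days_left) per secret.

    warn_days is a hypothetical policy value; max_lifetime_days is 24 months
    (the longest fixed period listed in this guide) plus a possible leap day.
    """
    findings = []
    for cred in credentials:
        start, end = parse_utc(cred["startDateTime"]), parse_utc(cred["endDateTime"])
        label = cred.get("displayName") or cred["keyId"]  # unnamed secrets fall back to keyId
        if end <= now:
            status = "expired"      # authentication with this secret already fails
        elif end - now <= timedelta(days=warn_days):
            status = "expiring"     # create the replacement secret now
        elif end - start > timedelta(days=max_lifetime_days):
            status = "long-lived"   # e.g. a far-future end date standing in for "Never"
        else:
            status = "ok"
        findings.append((label, status, (end - now).days))
    return findings


if __name__ == "__main__":
    for label, status, days_left in audit_secrets(SAMPLE_CREDENTIALS, datetime.now(timezone.utc)):
        print(f"{status:<10} {days_left:>7}d  {label}")
```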

#### **Deleting or Replacing an Existing Client Secret**

If you need to remove or replace a client secret:

1. Go to the **Certificates & secrets** section of your app registration.
2. Under **Client secrets**, find the secret you want to delete.
3. Click **Delete** (trash can icon) next to the secret value.
4. Add a new client secret if needed by following the same steps.
