Secret sprawl is an organization’s worst nightmare. The same password stored in different places is (potentially) a huge security risk that should be prevented at all costs. Service principals are authenticated using a password or a certificate. Usually, passwords are secured safely in a secret manager and are only accessible to a few users. Azure allows us to store secrets in Key Vault. Preferably, we would like to use Privileged Identity Management (PIM) to control who has access and for how long. Even though PIM is great for access control, it doesn’t prevent secret sprawl. Rotating the service principal password is crucial for keeping your infrastructure safe.
In this article, I explain how you can rotate your service principal's password by using PIM and Azure Automation.
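To make the rotation step concrete, here is an added example of a rotation routine written in Az PowerShell; it is not code from the article, and it assumes the Az.Resources (Graph-based, version 5 or later) and Az.KeyVault modules are installed, that the session is already authenticated (for example with `Connect-AzAccount -Identity` inside an Automation runbook), and that the parameter values are placeholders you supply. The order matters: the new password is written to Key Vault before any old credential is removed, so a failed Key Vault write never leaves consumers without a working secret.

```powershell
# Added example (not from the article): rotate a service principal's password
# with Az PowerShell and store the new secret in Key Vault.
# Assumptions: Az.Resources 5+ and Az.KeyVault are installed, the session is
# already authenticated, and the parameter values below are placeholders.
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,  # placeholder: object id of the SP
    [Parameter(Mandatory)] [string] $KeyVaultName,              # placeholder: Key Vault name
    [Parameter(Mandatory)] [string] $SecretName,                # placeholder: secret name in the vault
    [int] $ValidityDays = 30                                    # how long the new password stays valid
)

$ErrorActionPreference = 'Stop'

# 1. Create a new password credential on the service principal. The plaintext
#    is returned exactly once, in the SecretText property of the result.
$endDate = (Get-Date).AddDays($ValidityDays)
$newCred = New-AzADSpCredential -ObjectId $ServicePrincipalObjectId -EndDate $endDate

# 2. Persist the new password in Key Vault BEFORE removing the old one, so a
#    failed write cannot leave callers without any valid secret. The Key Vault
#    expiry mirrors the credential expiry, which makes stale secrets visible.
$secure = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $SecretName `
    -SecretValue $secure -Expires $endDate | Out-Null

# 3. Remove every other password credential so the previous secret stops
#    working. Only the credential we just created (matched by KeyId) survives.
Get-AzADSpCredential -ObjectId $ServicePrincipalObjectId |
    Where-Object { $_.KeyId -ne $newCred.KeyId } |
    ForEach-Object {
        Remove-AzADSpCredential -ObjectId $ServicePrincipalObjectId -KeyId $_.KeyId
    }

# 4. Drop the plaintext from memory as soon as it is no longer needed; the
#    only remaining copy should be the one in Key Vault.
$newCred = $null
$secure  = $null

Write-Output "Rotated secret '$SecretName' for service principal $ServicePrincipalObjectId; new credential expires $endDate"
```

The identity running this routine needs write access to the service principal's credentials (ownership of the application or an equivalent Microsoft Graph application permission) and a Key Vault role that allows setting secrets; keeping those rights on a single automation identity, rather than handing them to people, is what removes the need for humans to ever see the password and is where PIM comes in for the few cases where a person does need to intervene.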