Azure DevOps Improves OAuth Client Secret Security: Secrets Now Shown Only Once
Angel Wong announces an important change to how Azure DevOps handles OAuth client secrets, introducing a ‘show-once’ system to improve security and retiring the existing secret retrieval API.
Author: Angel Wong
Azure DevOps is updating its OAuth client secret management to strengthen security and align with industry best practices. Beginning September 2, 2025, any newly generated OAuth client secrets will be displayed only once—at the time of creation. After that moment, client secrets cannot be retrieved again through the UI or API.
Key Changes
- Client Secrets Visibility:
  - New client secrets will be shown only once at creation.
  - Secrets will not be accessible later through either the UI or API.
- API Retirement:
  - The Get Registration Secret API will be deprecated and removed.
  - Users must update workflows and remove any dependency on this API.
- Secret Rotation and Storage:
  - If access to a secret is lost, rotation must be performed with the new secret rotation APIs, which support overlapping secrets to minimize downtime.
  - Use secure storage solutions like Azure Key Vault or other secrets management vaults to safely store secrets at time of creation.
Action Items for Developers and DevOps Teams
- Review all usage of client secrets and ensure that the new ‘show-once’ policy is understood by your team.
- Remove use of the retired Get Registration Secret API from secret rotation scripts or workflows this month.
- Refactor authentication or integration flows to use the new overlapping secret rotation APIs.
- Store secrets in a secure and compliant manner immediately upon creation.
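The following is an added example, not Azure DevOps code or its API: a small Python model of a show-once secret store with overlapping rotation, showing why a lost secret can only be replaced and why the old secret keeps working until it is retired. The class and function names, the two-secret limit, the salted-hash storage and the dict standing in for a vault are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class OAuthRegistration:
    """Toy model (assumption, not the real service): show-once secrets."""

    MAX_ACTIVE = 2  # assumed limit: the current secret plus one overlapping successor

    def __init__(self):
        self._active = {}  # secret_id -> (salt, digest); plaintext is never kept

    def create_secret(self):
        """Return (secret_id, plaintext); the plaintext cannot be read back later."""
        if len(self._active) >= self.MAX_ACTIVE:
            raise RuntimeError("retire an old secret before creating another")
        secret_id = secrets.token_hex(4)
        plaintext = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(16)
        self._active[secret_id] = (salt, self._digest(salt, plaintext))
        return secret_id, plaintext

    def verify(self, presented):
        """Accept any active secret, so old and new both work during the overlap."""
        ok = False
        for salt, digest in self._active.values():
            ok |= hmac.compare_digest(digest, self._digest(salt, presented))
        return ok

    def retire(self, secret_id):
        del self._active[secret_id]

    @staticmethod
    def _digest(salt, plaintext):
        return hashlib.sha256(salt + plaintext.encode()).digest()


def rotate(registration, vault, old_id):
    """Rotation order: create, store immediately, confirm, then retire the old one."""
    new_id, plaintext = registration.create_secret()
    vault["oauth-client-secret"] = plaintext  # stand-in for a real vault write
    if not registration.verify(plaintext):    # confirm before cutting over
        raise RuntimeError("new secret not accepted; keep the old one active")
    registration.retire(old_id)               # the old secret stops working here
    return new_id
```

In a real workflow the vault write would go to Azure Key Vault or another secrets manager, and the old secret would be retired only after every client has picked up the new value.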
Security Impact
- Aligns Azure DevOps with industry standards and Microsoft’s Secure First Initiative.
- Reduces accidental exposure and misuse of secrets.
- Encourages robust secret management and secure development practices.
Resources
If you need assistance updating workflows or have questions, reach out to the Azure DevOps Identity team.
This post appeared first on “Microsoft DevBlog”.