Azure DevOps OAuth Client Secrets Displayed Only Once for Improved Security
Angel Wong details an upcoming Azure DevOps security update requiring OAuth client secrets to be saved securely at creation, since they will no longer be retrievable after that point. This move highlights major changes to secret handling and API workflows for developers and DevOps professionals.
Azure DevOps is introducing an important security enhancement for OAuth client secrets to align with industry best practices and strengthen the platform’s overall security.
Key Change Summary
- Starting September 2, 2025, OAuth client secrets generated in Azure DevOps will be displayed only once at the moment of creation.
- After initial creation, secrets will not be retrievable via the web UI or API.
- DevOps teams must securely store secrets upon creation using trusted solutions like Azure Key Vault.
API Deprecation and Secret Rotation Workflow
- The Get Registration Secret API is being deprecated and removed. Retrieval of existing secrets will no longer be possible.
- Workflows relying on this API for secret rotation must be updated before the change takes effect.
- Developers are advised to use the new secret rotation APIs, which support overlapping secrets to ensure continuity and avoid downtime during secret updates.
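The two behaviours the announcement describes, a secret whose plaintext is handed out exactly once and a rotation that keeps the old and new secret valid side by side, are modelled below as an added example. This is illustrative code written for this summary, not the Azure DevOps API and not the new rotation endpoints (which this page does not name); the `ClientRegistration` class, its method names, the seven-day overlap and the client id `app-123` are all assumptions. The server side keeps only a SHA-256 digest, so there is nothing to retrieve later; the one plaintext returned by `create_secret` is the copy the caller must put into a vault such as Azure Key Vault.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Hypothetical model, NOT the Azure DevOps API. It shows (1) a secret returned
# once at creation with only a hash kept server-side, and (2) rotation with an
# overlap window during which both the old and the new secret are accepted.


def _digest(plaintext: str) -> bytes:
    return hashlib.sha256(plaintext.encode("utf-8")).digest()


@dataclass
class SecretRecord:
    secret_id: str
    digest: bytes                          # hash only; plaintext is never stored
    expires_at: Optional[datetime] = None  # set once the secret is scheduled for retirement


@dataclass
class ClientRegistration:
    client_id: str
    _records: Dict[str, SecretRecord] = field(default_factory=dict)

    def create_secret(self) -> Tuple[str, str]:
        """Issue a new secret. Returns (secret_id, plaintext). The plaintext is
        the only copy that will ever exist outside this call: store it in a vault."""
        plaintext = secrets.token_urlsafe(32)
        secret_id = secrets.token_hex(8)
        self._records[secret_id] = SecretRecord(secret_id, _digest(plaintext))
        return secret_id, plaintext

    def get_secret(self, secret_id: str) -> str:
        """Stand-in for the removed retrieval path: there is no way back to plaintext."""
        raise PermissionError("client secrets are shown once at creation and cannot be retrieved")

    def verify(self, candidate: str, now: Optional[datetime] = None) -> bool:
        """Accept the candidate if it matches any secret that has not yet expired."""
        now = now or datetime.now(timezone.utc)
        digest = _digest(candidate)
        for rec in self._records.values():
            if rec.expires_at is not None and now >= rec.expires_at:
                continue
            if hmac.compare_digest(rec.digest, digest):
                return True
        return False

    def rotate(self, overlap: timedelta, now: Optional[datetime] = None) -> Tuple[str, str]:
        """Start a rotation: issue a new secret and give every existing secret an
        expiry `overlap` from now, so consumers can be migrated without downtime."""
        now = now or datetime.now(timezone.utc)
        deadline = now + overlap
        for rec in self._records.values():
            if rec.expires_at is None or rec.expires_at > deadline:
                rec.expires_at = deadline
        return self.create_secret()

    def revoke(self, secret_id: str) -> None:
        """Retire a secret early, e.g. once all consumers have switched over."""
        self._records.pop(secret_id, None)

    def active_secret_ids(self, now: Optional[datetime] = None) -> List[str]:
        now = now or datetime.now(timezone.utc)
        return [sid for sid, rec in self._records.items()
                if rec.expires_at is None or now < rec.expires_at]


def rotation_walkthrough() -> Dict[str, bool]:
    """Constructed walkthrough of a zero-downtime rotation with a 7-day overlap."""
    reg = ClientRegistration("app-123")                 # constructed client id
    t0 = datetime(2025, 9, 2, tzinfo=timezone.utc)      # date taken from the announcement
    old_id, old_plain = reg.create_secret()             # store old_plain in the vault now
    results: Dict[str, bool] = {}
    results["old_valid_before_rotation"] = reg.verify(old_plain, now=t0)
    new_id, new_plain = reg.rotate(timedelta(days=7), now=t0)   # store new_plain in the vault
    day1, day8 = t0 + timedelta(days=1), t0 + timedelta(days=8)
    results["both_valid_during_overlap"] = reg.verify(old_plain, now=day1) and reg.verify(new_plain, now=day1)
    results["old_rejected_after_overlap"] = not reg.verify(old_plain, now=day8)
    results["new_valid_after_overlap"] = reg.verify(new_plain, now=day8)
    results["only_new_active_after_overlap"] = reg.active_secret_ids(now=day8) == [new_id]
    try:
        reg.get_secret(old_id)
        results["retrieval_blocked"] = False
    except PermissionError:
        results["retrieval_blocked"] = True
    results["garbage_rejected"] = not reg.verify("not-a-secret", now=t0)
    return results


if __name__ == "__main__":
    for check, ok in rotation_walkthrough().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The point of the overlap is in `rotate`: the new secret is created only after the old one has been given an expiry, so a consumer that has not yet picked up the new value from the vault keeps working until the window closes, and `revoke` lets an operator close it early once every consumer has switched.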
Recommended Actions
- Remove usage of the Get Registration Secret API in all workflows as soon as possible.
- Adopt a secure secret storage practice (e.g., Azure Key Vault) if not already in place.
- Update secret rotation processes to use official APIs supporting overlapping secrets.
- Review the Azure DevOps OAuth documentation for the latest best practices.
Security Impact
- This change reduces the risk of accidental exposure of sensitive credentials.
- It reflects a ‘Secure First’ approach to identity protection across the Azure DevOps ecosystem.
- Developers and administrators are encouraged to update their systems and reach out to the Azure DevOps Identity team if questions or challenges arise.
References
- Azure DevOps Blog: Azure DevOps OAuth Client Secrets Now Shown Only Once
- Microsoft Secure Future Initiative
For any further queries or needed assistance, DevOps professionals are advised to contact the Azure DevOps Identity team.
This post appeared first on “Microsoft DevBlog”.