Refreshing the App Secrets for Automation Scripts
This article walks through refreshing the Application Secrets used by the Soteria automation accounts to access various tenants to run reports and similar tasks. These secrets are set to expire once a year at the end of May, and a Help Desk ticket is scheduled to be sent out at the beginning of May as a reminder.
The applications registered in each tenant are given a set list of permissions, and anyone or anything holding the secret may use it to gain access to the environment. It is imperative that we keep these rotating on a regular basis so as to remain secure.
Verifying the Secrets to Update
- Login to portal.azure.com for Soteria.
- Search for/navigate to Automation Accounts.
- Find the aa-reports-* Automation Account(s).
  - At the time of writing this, there is only a single account, aa-reports-accounts, but we expect more to be created later on.
- Click into each Automation Account and navigate to Variables.
- Under Variables, you'll see various tenant names and their corresponding App Secret variable.
- For each of the tenant names, you'll have to update the App Secret. See the Updating the App Secret section for next steps.
Updating the App Secret
These steps should be followed for every tenant noted above.
- Login to portal.azure.com for the given tenant.
- Ensure you have Global Administrator OR Application Administrator permissions active.
- Navigate to Azure Active Directory then App Registrations
- Ensure All Applications is selected, then search for and find Soteria - Automation Accounts
- Select the Application and navigate to Certificates & Secrets
- Take note of when the secrets are expiring.
- Select New Client Secret to begin making a new secret.
- Enter a description/name for the secret, set the expiration to 12 months, and press Add at the bottom.
- This will generate a new secret for the application with a new Value.
- IMPORTANT! Make sure you record this Value in Bitwarden! Once you leave this page, you'll never be able to see the value again.
- Please add the Value to Bitwarden as a Secure Note and ensure you've checked the box for Master password re-prompt.
- With the value saved, you may now proceed with updating the variables.
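The "take note of when the secrets are expiring" step is easy to miss across several tenants. The following PowerShell is an added example, not part of the original runbook: it turns a list of credentials into an expiry report that flags anything already expired or due within a warning window. It assumes the Graph-based Az.Resources module, whose Get-AzADAppCredential output carries DisplayName, KeyId and EndDateTime properties; the sample input below is constructed so the function can be tried without an Azure session.

```powershell
# Added example (not from the original runbook): audit client-secret expiry for
# the "Soteria - Automation Accounts" app registration before rotating.
# Assumes Graph-based Az.Resources (Get-AzADAppCredential objects expose
# DisplayName, KeyId, EndDateTime).

function Get-SecretExpiryReport {
    param(
        [Parameter(Mandatory)] [object[]] $Credentials,  # objects with DisplayName, KeyId, EndDateTime
        [int] $WarnDays = 30,                            # flag secrets expiring within this many days
        [datetime] $Now = (Get-Date)
    )
    foreach ($cred in $Credentials) {
        $daysLeft = [int][math]::Floor(($cred.EndDateTime - $Now).TotalDays)
        $status = if ($daysLeft -lt 0)            { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'ROTATE-NOW' }
                  else                             { 'OK' }
        [pscustomobject]@{
            DisplayName   = $cred.DisplayName
            KeyId         = $cred.KeyId
            EndDateTime   = $cred.EndDateTime
            DaysRemaining = $daysLeft
            Status        = $status
        }
    }
}

# Constructed sample input (placeholder KeyIds) so this runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'reports-2023'; KeyId = '00000000-0000-0000-0000-000000000001'; EndDateTime = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ DisplayName = 'reports-2024'; KeyId = '00000000-0000-0000-0000-000000000002'; EndDateTime = (Get-Date).AddDays(20) }
    [pscustomobject]@{ DisplayName = 'reports-2025'; KeyId = '00000000-0000-0000-0000-000000000003'; EndDateTime = (Get-Date).AddDays(300) }
)
Get-SecretExpiryReport -Credentials $sample | Format-Table -AutoSize

# Against a real tenant (after Connect-AzAccount -TenantId '<tenant id>'), replace $sample with:
#   Get-AzADAppCredential -ApplicationId '<application (client) id of Soteria - Automation Accounts>'
```

Run it once per tenant before opening the portal; anything reported as ROTATE-NOW or EXPIRED is a secret to replace, and an EXPIRED entry for a tenant whose reports still run is a sign a script is using a credential this runbook does not track.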
Updating the Variables
Each script is written in such a way that these variables are all you need to update in order for the new secrets to work properly.
- Login to portal.azure.com for Soteria.
- Search for/navigate to Automation Accounts.
- Find the aa-reports-* Automation Account(s).
  - At the time of writing this, there is only a single account, aa-reports-accounts, but we expect more to be created later on.
- Click into each Automation Account and navigate to Variables.
- Under Variables, you'll see various tenant names and their corresponding App Secret variable.
- For each App Secret variable, select it, choose Edit Value, and ensure Encrypted remains YES.
- Save your changes and move to the next tenant/secret.
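The same rotation can be scripted so the new Value never passes through a clipboard or a log on its way into the Automation Account variable. The PowerShell below is an added example, not the team's own tooling: it assumes the Graph-based Az.Resources module (where New-AzADAppCredential returns the secret in SecretText) and Az.Automation are installed, that you are signed in to the target tenant with Application Administrator rights and to the Soteria subscription for the Automation Account, and every parameter value shown is a placeholder. The function name Invoke-AppSecretRotation is hypothetical.

```powershell
# Added example (not from the original runbook): rotate one tenant's client
# secret and store it in the encrypted Automation Account variable.
# Assumes Az.Resources (Graph-based) and Az.Automation, an active Connect-AzAccount
# session, and placeholder parameter values supplied by the operator.

function Invoke-AppSecretRotation {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,          # application (client) id of "Soteria - Automation Accounts"
        [Parameter(Mandatory)] [string] $ResourceGroupName,      # resource group of the aa-reports-* account
        [Parameter(Mandatory)] [string] $AutomationAccountName,  # e.g. aa-reports-accounts
        [Parameter(Mandatory)] [string] $VariableName,           # the tenant's App Secret variable
        [int] $ValidMonths = 12                                  # matches the 12-month expiry in the runbook
    )

    # Guard: the variable must already exist and be encrypted. Refuse to go on
    # rather than silently create or overwrite a plaintext variable.
    $var = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $VariableName -ErrorAction Stop
    if (-not $var.Encrypted) {
        throw "Variable '$VariableName' is not encrypted; set Encrypted = Yes in the portal before rotating."
    }

    # Create the new client secret on the app registration.
    $start   = Get-Date
    $newCred = New-AzADAppCredential -ApplicationId $ApplicationId `
        -StartDate $start -EndDate $start.AddMonths($ValidMonths) -ErrorAction Stop

    # Write the value straight into the encrypted variable; never Write-Host or log it.
    Set-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $VariableName `
        -Value $newCred.SecretText -Encrypted $true -ErrorAction Stop | Out-Null

    # Verify the stored variable is still encrypted after the update.
    $check = Get-AzAutomationVariable -ResourceGroupName $ResourceGroupName `
        -AutomationAccountName $AutomationAccountName -Name $VariableName
    if (-not $check.Encrypted) {
        throw "Variable '$VariableName' lost its Encrypted flag; re-check it in the portal."
    }

    # Return metadata plus the secret as a SecureString, so the operator can copy
    # it into Bitwarden (Secure Note, master password re-prompt) exactly once.
    [pscustomobject]@{
        Variable = $VariableName
        KeyId    = $newCred.KeyId
        EndDate  = $newCred.EndDateTime
        Secret   = (ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force)
    }
}

# Usage (placeholders): one call per tenant listed under Variables.
# $r = Invoke-AppSecretRotation -ApplicationId '<client id>' -ResourceGroupName '<rg>' `
#          -AutomationAccountName 'aa-reports-accounts' -VariableName '<TenantName AppSecret>'
# $r | Select-Object Variable, KeyId, EndDate    # safe to paste into the ticket
```

The previous secret stays valid until its own end date, so the old and new values overlap; that is what lets the report scripts keep running while each tenant's variable is updated. Record the KeyId and EndDate from the returned object in the Help Desk ticket, and unwrap the Secret field only while pasting it into the Bitwarden Secure Note.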