APP-09: Enforce Certificate Credentials for Applications

Frequently asked questions about implementing and managing the APP-09 security control in Microsoft 365 and Entra ID.

Q
What is APP-09 (Enforce Certificate Credentials for Applications)?
A

APP-09 is a security control that requires applications in Entra ID to authenticate with certificate credentials instead of client secrets. Client secrets are permitted only during a certificate migration period; once migration is complete, no application may rely solely on client secrets for authentication. Microsoft's Baseline Security Mode now blocks password-based credentials on applications, so this control aligns your tenant with that default.

Related controls: APP-09
Q
Why is Enforce Certificate Credentials for Applications important for Microsoft 365 security?
A

Client secrets are frequently compromised through accidental commits to source code, exposure in application logs, phishing attacks targeting developers, or insecure sharing via email and chat. Certificate credentials eliminate these risks by using cryptographic key pairs where the private key remains secured on your infrastructure and never needs to be transmitted or shared. Microsoft's Baseline Security Mode now blocks password-based credentials on applications.

Related controls: APP-09
Q
How do I implement APP-09 in my tenant?
A

APP-09 requires manual implementation. Review the applications that use client secrets and migrate them to certificate-based authentication. It cannot be auto-remediated, because removing active secrets would break the applications that still use them.
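As an added example (not part of this FAQ and not TrueConfig's or Microsoft's own tooling), the following Microsoft Graph PowerShell script performs the review step: it lists every app registration that still holds an unexpired client secret and separates those that already have a certificate attached (migration in progress) from those that rely solely on secrets. A second function attaches a public certificate (.cer) to an application so the secret can later be retired; the private key stays on the workload's host and is never uploaded. It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller can consent to Application.Read.All (and Application.ReadWrite.All for the attach step). The function names Get-App09Findings and Add-App09Certificate are hypothetical, chosen for this example.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example for APP-09 (not the page's own code). Assumes the
# Microsoft.Graph PowerShell SDK and delegated Application.Read.All.

function Get-App09Findings {
    [CmdletBinding()]
    param(
        # Hypothetical switch: also count credentials that have already expired.
        [switch]$IncludeExpired
    )

    $now  = Get-Date
    $apps = Get-MgApplication -All -Property "Id,AppId,DisplayName,PasswordCredentials,KeyCredentials"

    foreach ($app in $apps) {
        $secrets = @($app.PasswordCredentials)
        $certs   = @($app.KeyCredentials)
        if (-not $IncludeExpired) {
            $secrets = @($secrets | Where-Object { $_.EndDateTime -gt $now })
            $certs   = @($certs   | Where-Object { $_.EndDateTime -gt $now })
        }
        # Certificate-only (or no credentials at all) is compliant; nothing to report.
        if ($secrets.Count -eq 0) { continue }

        [pscustomobject]@{
            DisplayName          = $app.DisplayName
            AppId                = $app.AppId
            ObjectId             = $app.Id
            ActiveSecrets        = $secrets.Count
            ActiveCerts          = $certs.Count
            # A secret alongside a certificate is tolerated only during migration;
            # a secret with no certificate is exactly what APP-09 is meant to eliminate.
            Status               = if ($certs.Count -gt 0) { 'MigrationInProgress' } else { 'SecretOnly' }
            EarliestSecretExpiry = ($secrets | Measure-Object -Property EndDateTime -Minimum).Minimum
        }
    }
}

function Add-App09Certificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ApplicationObjectId,
        # Path to the PUBLIC certificate (.cer). The private key remains on the
        # workload's infrastructure and is never sent to Entra ID.
        [Parameter(Mandatory)][string]$CerPath
    )

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
    $app  = Get-MgApplication -ApplicationId $ApplicationObjectId -Property "KeyCredentials"

    # Update-MgApplication replaces the whole keyCredentials collection, so carry
    # existing entries forward or certificates already in use would be removed.
    # (Assumption: Graph returns the Key bytes for existing entries; if it does
    # not in your tenant, rebuild them from certificates in your own store.)
    $existing = @($app.KeyCredentials | ForEach-Object {
        @{
            KeyId = $_.KeyId; Type = $_.Type; Usage = $_.Usage; Key = $_.Key
            StartDateTime = $_.StartDateTime; EndDateTime = $_.EndDateTime
            DisplayName = $_.DisplayName
        }
    })
    $new = @{
        Type          = 'AsymmetricX509Cert'
        Usage         = 'Verify'
        Key           = $cert.GetRawCertData()
        StartDateTime = $cert.NotBefore
        EndDateTime   = $cert.NotAfter
        DisplayName   = "APP-09 migration $($cert.Thumbprint)"
    }

    Update-MgApplication -ApplicationId $ApplicationObjectId -KeyCredentials ($existing + $new)
}

# Usage: audit first, attach certificates, re-point the workload, then retire
# each secret with Remove-MgApplicationPassword -ApplicationId <id> -KeyId <keyId>
# once Get-App09Findings shows the app has an active certificate.
Connect-MgGraph -Scopes "Application.Read.All"
Get-App09Findings | Sort-Object Status, DisplayName | Format-Table -AutoSize
```

Run the audit on a schedule and treat any SecretOnly row as an open finding; MigrationInProgress rows should carry a target date for secret removal, since an application that keeps both credential types indefinitely still has the exposure the control is meant to close.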

Related controls: APP-09
Q
What license do I need for APP-09?
A

This control can be implemented with any Microsoft 365 subscription, including free Azure AD.

Related controls: APP-09
Q
Which security baseline includes APP-09?
A

APP-09 is included in the TrueConfig Recommended Secure baseline (Level 1). This is the foundation level suitable for most organizations.

Related controls: APP-09
