Azure AD Credentials Found Exposed in Public Configuration File

A recent cybersecurity investigation revealed a critical vulnerability tied to Azure Active Directory (Azure AD), highlighting once again the dangers of cloud misconfigurations.

Exposed Secrets in appsettings.json

Resecurity’s HUNTER Team identified that sensitive application credentials — specifically the ClientId and ClientSecret — were mistakenly left inside a publicly accessible appsettings.json file.

These secrets allow direct authentication against Microsoft’s OAuth 2.0 endpoints, meaning attackers could impersonate the compromised application and gain entry to valuable Microsoft 365 resources.

Depending on the level of permissions granted, adversaries could:

  • Access files, emails, and data from SharePoint, OneDrive, or Exchange Online
  • Enumerate users, groups, and roles in Azure AD
  • Exploit the Microsoft Graph API to escalate privileges or maintain persistence
  • Deploy malicious applications within the organization’s tenant

Because the file was publicly exposed, both automated scanners and advanced threat actors could easily harvest these credentials.

How Misconfigurations Lead to Leaks

The root cause, according to researchers, lies in poor cloud security practices. Developers often hardcode sensitive information directly into configuration files such as appsettings.json. The risk arises when these files are mistakenly deployed to production environments without proper restrictions.

Common contributing factors include:

  • Misconfigured servers that expose static files
  • Weak deployment pipelines lacking security safeguards
  • Absence of secrets management tools like Azure Key Vault
  • Minimal code review and insufficient security testing
  • Relying on obscurity instead of real protection mechanisms

In ASP.NET Core applications, appsettings.json is a key configuration file that usually stores database connections, API keys, and service credentials. When Azure AD values like ClientId, TenantId, and ClientSecret are included, the file becomes not only a roadmap for how the app runs but also a potential blueprint for attackers.

Lessons and Mitigation

Resecurity emphasized that leaving Azure AD secrets exposed is far from a simple mistake — it represents a direct attack vector.

“Exposing appsettings.json with Azure AD secrets is not just a misconfiguration; it’s handing adversaries the keys to the cloud,” the HUNTER Team explained.

To mitigate risks, organizations should immediately:

  • Restrict public access to configuration files
  • Eliminate hardcoded secrets and migrate to secure key vaults
  • Rotate any compromised credentials
  • Apply least-privilege principles when granting permissions
  • Continuously monitor for abnormal use of credentials
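
The check below is an added example, not code from Resecurity or the original article: a pre-deployment scan that walks an appsettings.json file and reports which configuration keys hold literal secrets, without echoing the values. The key-name fragments other than ClientSecret, the placeholder conventions, and the sample file contents are assumptions constructed for illustration.

```python
import json
import re

# "ClientSecret" is the key named in the article; the other name fragments are assumed additions.
SECRET_NAME = re.compile(r"secret|password|passwd|pwd|api[_-]?key|token", re.I)
# Credentials embedded in a value, e.g. a database or storage connection string.
EMBEDDED = re.compile(r"(?:password|pwd|accountkey|sharedaccesskey)\s*=\s*[^;\s]+", re.I)
# Assumed placeholder conventions: empty string, ${VAR}, or #{VAR}# filled in at deploy time.
PLACEHOLDER = re.compile(r"^\s*$|^\$\{[^}]+\}$|^#\{[^}]+\}#$")


def find_hardcoded_secrets(text):
    """Return sorted (config_path, reason) pairs; secret values are never returned."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [str(key)])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, path + [str(index)])
        elif isinstance(node, str) and not PLACEHOLDER.match(node):
            name = path[-1] if path else ""
            if SECRET_NAME.search(name):
                findings.append((":".join(path), "literal value under secret-like key"))
            elif EMBEDDED.search(node):
                findings.append((":".join(path), "credential embedded in value"))

    walk(json.loads(text), [])
    return sorted(findings)


# Constructed sample; every value below is fake.
SAMPLE = """{
  "AzureAd": {
    "TenantId": "00000000-0000-0000-0000-000000000000",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "ClientSecret": "constructed-not-a-real-secret"
  },
  "ConnectionStrings": {
    "Default": "Server=db.example.internal;User Id=app;Password=constructed"
  },
  "Payments": { "ApiKey": "${PAYMENTS_API_KEY}" }
}"""

if __name__ == "__main__":
    for config_path, reason in find_hardcoded_secrets(SAMPLE):
        print(f"{config_path}: {reason}")
```

A non-empty result can be used to fail the pipeline step before the file is published; any secret it finds in a file that was already deployed still needs to be rotated.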

This incident serves as a reminder that in cloud environments, security is only as strong as the weakest exposed file.

Source: https://www.infosecurity-magazine.com/news/azure-ad-credentials-exposed