𝗣𝗿𝗼𝘁𝗲𝗰𝘁 𝗔𝘇𝘂𝗿𝗲 𝗦𝗲𝗰𝗿𝗲𝘁𝘀

“One leaked secret can cost you millions. Are your Azure PowerShell scripts silently exposing them?”

When you use Azure PowerShell, you may see secrets like passwords, tokens, or keys in command outputs or logs.

These can show up by mistake—especially during automation in GitHub Actions or Azure DevOps.

This is risky. Exposed secrets can let attackers in. It’s important to keep secrets safe.

Recent versions of Azure PowerShell (v12.0.0 and later) show you a warning if they spot a secret in output.

This helps you catch risks early. You can turn this warning off using:

Update-AzConfig -DisplaySecretsWarning $false

Or set an environment variable:

Set-Item -Path Env:\AZURE_CLIENTS_SHOW_SECRETS_WARNING -Value $false

Also, Azure has changed how it returns access tokens.

It now uses a SecureString instead of a plain String. This makes your tokens less likely to be exposed.

You can still convert a SecureString to plain text if you must—but that is not recommended.

How are you protecting secrets in your Azure PowerShell scripts? Do you rely on built-in warnings, SecureString, or integrate services like Azure Key Vault?