Security at Certy
To monitor your Azure tenant, you hand Certy a credential from your production environment. That deserves a straight answer about exactly what we can access, what we store, and how you stay in control. This page is that answer — no badges, no buzzwords, just specifics.
Least-privilege access
Certy authenticates to your tenant with an app registration you create yourself, in your own directory. Certy never has an identity in your Azure AD — you see and consent to the exact permission in the Azure portal before anything is shared.
The one permission
-
Application.Read.All— a Microsoft Graph application permission that is read-only. It can list app registrations and enterprise apps and read their credential metadata. It cannot create, modify, or delete anything in your tenant.
This is the narrowest access Microsoft offers for this job.
Key Vault (optional)
If you connect Key Vaults, the same app registration needs the
Key Vault Certificate User role (or a legacy access policy with certificate
List and Get) — read-only access to certificate metadata,
and only in the vaults you assign it to.
Setting up? The step-by-step walkthrough is in the docs.
What we see — and what we never see
We see (metadata only)
- Application and enterprise-app display names
- Credential IDs and their display names
- Start and expiry dates
- Certificate thumbprints
- Key Vault certificate names and expiry dates
We never see
- Client secret values — the Graph API never returns them, to anyone
- Private keys or certificate contents
- Key Vault secret or key values
- Your users, groups, mail, files, or sign-in data
Application.Read.All simply has no access to those things, and Graph has
no endpoint that returns a secret's value after creation.
Encryption & credential handling
- The one credential you do give Certy — your app registration's client secret — is encrypted with AES-256-GCM before it touches the database.
- The encryption key lives only in the server environment, never in the database — so database backups contain only the encrypted form.
- The secret is decrypted only in memory, at check time, solely to request a Microsoft Graph access token.
- Also encrypted at rest: your SMTP password (if you configure email alerts) and two-factor authentication secrets.
- All traffic runs over HTTPS.
Revoke access any time
You own the app registration, so cutting Certy off never involves asking us. The 30-second version:
- Azure portal → App registrations → select the app you created for Certy.
- Certificates & secrets → delete the client secret (or delete the whole app registration).
- Done. Certy's access ends immediately.
Deleting a tenant inside Certy also deletes the stored, encrypted credential along with it.
Your account
- Two-factor authentication (TOTP) is mandatory for every password account — it cannot be turned off.
- Passwords are hashed with bcrypt; we never store them.
- Changing or resetting your password immediately invalidates every existing session.
- Login and signup endpoints are rate-limited.
Why this page exists
I built Certy after watching a production integration go down because a client secret expired silently — no warning from Azure, just an outage and a very long afternoon. The whole product is designed around reading the minimum possible and storing less.
Questions about anything on this page? Email [email protected] — you'll get an answer from the person who wrote the code.