Security at Certy

To monitor your Azure tenant, you hand Certy a credential from your production environment. That deserves a straight answer about exactly what we can access, what we store, and how you stay in control. This page is that answer — no badges, no buzzwords, just specifics.

Least-privilege access

Certy authenticates to your tenant with an app registration you create yourself, in your own directory. Certy never has an identity in your Azure AD — you see and consent to the exact permission in the Azure portal before anything is shared.

The one permission

This is the narrowest access Microsoft offers for this job.

Key Vault (optional)

If you connect Key Vaults, the same app registration needs the Key Vault Certificate User role (or a legacy access policy with certificate List and Get) — read-only access to certificate metadata, and only in the vaults you assign it to.

Setting up? The step-by-step walkthrough is in the docs.

What we see — and what we never see

We see (metadata only)

  • Application and enterprise-app display names
  • Credential IDs and their display names
  • Start and expiry dates
  • Certificate thumbprints
  • Key Vault certificate names and expiry dates

We never see

  • Client secret values — the Graph API never returns them, to anyone
  • Private keys or certificate contents
  • Key Vault secret or key values
  • Your users, groups, mail, files, or sign-in data
ℹ️ The right column isn't a promise about our behavior — it's enforced by Microsoft's permission model. Application.Read.All simply has no access to those things, and Graph has no endpoint that returns a secret's value after creation.

Encryption & credential handling

Revoke access any time

You own the app registration, so cutting Certy off never involves asking us. The 30-second version:

  1. Azure portal → App registrations → select the app you created for Certy.
  2. Certificates & secrets → delete the client secret (or delete the whole app registration).
  3. Done. Certy's access ends immediately.

Deleting a tenant inside Certy also deletes the stored, encrypted credential along with it.

Your account

Why this page exists

I built Certy after watching a production integration go down because a client secret expired silently — no warning from Azure, just an outage and a very long afternoon. The whole product is designed around reading the minimum possible and storing less.

Questions about anything on this page? Email [email protected] — you'll get an answer from the person who wrote the code.