As I understand it, the idea is that Azure allows the registration of multiple applications (client ids), each with multiple secrets.
I (think that I) get the part about multiple application registrations, since each app would get fine-grained access control.
The question then is why would it be possible to create multiple (client) secrets for the same application (client) id?
Don't all the secrets provide the exact same access (since they are all bound to the same application/client id)?
Why would someone need even a second (client) secret?
Correct, all secrets have the same access as they are similar to passwords for a user.
The point is that secrets expire, and having more than one allows you to rotate them.
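The rotation mentioned in the answer above, sketched as an added example that is not part of the original answer: it classifies the secrets of one application by validity window and picks the next rotation step. The field names `keyId`, `startDateTime` and `endDateTime` are assumed to match the credential listing for the app registration; the sample values, the 30-day warning window and the action names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: three secrets on ONE app registration (same client id).
SAMPLE = [
    {"keyId": "k-old", "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
    {"keyId": "k-current", "startDateTime": "2023-12-15T00:00:00Z", "endDateTime": "2024-06-15T00:00:00Z"},
    {"keyId": "k-next", "startDateTime": "2024-05-25T00:00:00Z", "endDateTime": "2025-05-25T00:00:00Z"},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

def parse(ts):
    # ISO 8601 UTC timestamp with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def rotation_plan(creds, now, warn_days=30):
    """Sort secrets by lifecycle state and pick the next rotation step."""
    horizon = now + timedelta(days=warn_days)
    plan = {"expired": [], "expiring": [], "healthy": [], "pending": []}
    for c in creds:
        start, end = parse(c["startDateTime"]), parse(c["endDateTime"])
        if end <= now:
            state = "expired"      # no longer accepted; safe to delete
        elif start > now:
            state = "pending"      # created but not valid yet
        elif end <= horizon:
            state = "expiring"     # still works, but not for long
        else:
            state = "healthy"
        plan[state].append(c["keyId"])
    if plan["healthy"]:
        # A successor is already valid: move clients to it, let the old one lapse.
        plan["action"] = "switch_clients" if plan["expiring"] else "none"
    elif plan["expiring"]:
        # Only the old secret works: add a second one while it is still valid.
        plan["action"] = "add_secret"
    else:
        plan["action"] = "outage"  # nothing usable right now
    return plan

if __name__ == "__main__":
    print(rotation_plan(SAMPLE, NOW))      # overlap exists
    print(rotation_plan(SAMPLE[:2], NOW))  # no successor yet
```

The overlap between `k-current` and `k-next` is the window in which clients can be moved to the new secret without downtime, which is only possible because one client id can hold more than one secret.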