diff --git a/.changeset/itchy-words-crash.md b/.changeset/itchy-words-crash.md
new file mode 100644
index 0000000000..a37ea74477
--- /dev/null
+++ b/.changeset/itchy-words-crash.md
@@ -0,0 +1,5 @@
+---
+'@backstage/integration': patch
+---
+
+Fixed Azure integration config schema visibility annotations to use per-field `@visibility secret` instead of `@deepVisibility secret` on parent objects, so that non-secret fields like `clientId`, `tenantId`, `organizations`, and `managedIdentityClientId` are no longer incorrectly marked as secret.
diff --git a/packages/integration/config.d.ts b/packages/integration/config.d.ts
index add237a6b9..0ebcd54dc6 100644
--- a/packages/integration/config.d.ts
+++ b/packages/integration/config.d.ts
@@ -54,13 +54,14 @@ export interface Config {
        * If no organization matches the first credential without an organization is used.
        *
        * If no credentials are specified at all, either a default credential (for Azure DevOps) or anonymous access (for Azure DevOps Server) is used.
-       * @deepVisibility secret
        */
       credentials?: {
         organizations?: string[];
         clientId?: string;
+        /** @visibility secret */
         clientSecret?: string;
         tenantId?: string;
+        /** @visibility secret */
         personalAccessToken?: string;
         managedIdentityClientId?: string;
       }[];
@@ -111,7 +112,6 @@ export interface Config {
       endpoint?: string;
       /**
        * Optional credential to use for Azure Active Directory authentication.
-       * @deepVisibility secret
        */
       aadCredential?: {
         /**
@@ -126,6 +126,7 @@ export interface Config {
 
         /**
          * The client secret for the Azure AD application.
+         * @visibility secret
          */
         clientSecret: string;
       };