diff --git a/internal/services/containerapps/container_app_resource.go b/internal/services/containerapps/container_app_resource.go
index 66985fbaa3ce..8159e489b447 100644
--- a/internal/services/containerapps/container_app_resource.go
+++ b/internal/services/containerapps/container_app_resource.go
@@ -497,6 +497,15 @@ func (r ContainerAppResource) CustomizeDiff() sdk.ResourceFunc {
 					}
 				}
 			}
+
+			for _, s := range app.Secrets {
+				if s.KeyVaultSecretId != "" && s.Identity == "" {
+					return fmt.Errorf("secret %s must supply identity for key vault secret id", s.Name)
+				}
+				if s.KeyVaultSecretId == "" && s.Identity != "" {
+					return fmt.Errorf("secret %s must supply key vault secret id when specifying identity", s.Name)
+				}
+			}
 			return nil
 		},
 	}
diff --git a/internal/services/containerapps/helpers/container_apps.go b/internal/services/containerapps/helpers/container_apps.go
index 810b661bf89e..07ea4c97d88a 100644
--- a/internal/services/containerapps/helpers/container_apps.go
+++ b/internal/services/containerapps/helpers/container_apps.go
@@ -2631,16 +2631,6 @@ func SecretsDataSourceSchema() *pluginsdk.Schema {
 	}
 }
 
-func validateContainerSecret(s Secret) error {
-	if s.KeyVaultSecretId != "" && s.Identity == "" {
-		return fmt.Errorf("must supply identity for key vault secret id")
-	}
-	if s.KeyVaultSecretId == "" && s.Identity != "" {
-		return fmt.Errorf("must supply key vault secret id when specifying identity")
-	}
-	return nil
-}
-
 func ExpandContainerSecrets(input []Secret) (*[]containerapps.Secret, error) {
 	if len(input) == 0 {
 		return nil, nil
@@ -2649,9 +2639,6 @@ func ExpandContainerSecrets(input []Secret) (*[]containerapps.Secret, error) {
 	result := make([]containerapps.Secret, 0)
 
 	for _, v := range input {
-		if err := validateContainerSecret(v); err != nil {
-			return nil, err
-		}
 		result = append(result, containerapps.Secret{
 			Identity:    pointer.To(v.Identity),
 			KeyVaultUrl: pointer.To(v.KeyVaultSecretId),