I'm looking for insights on how to effectively manage Entra app registrations and the lifecycle of secret or certificate credentials across multiple tenants. As our number of tenants and integrations continues to grow, I've encountered a bunch of challenges:
- App registrations have been created for various vendor integrations or projects.
- Service principals are linked to automation scripts or legacy systems.
- Secrets and certificates seem to expire unexpectedly, causing issues.
- There's often no clear owner when something breaks down.
- Some integrations are in place, but we're not sure if they're still being used.
Managing this in a single tenant is one thing, but when we're dealing with multiple tenants, it gets complicated.
Currently, I've seen a few approaches:
- Utilizing PowerShell or Graph scripts to keep an eye on expiration dates.
- Setting up scheduled reports or email alerts.
- Pushing data into monitoring tools like PRTG or NOC boards.
- Keeping documentation or a configuration management database (CMDB).
- Reacting to problems only after they occur.
It seems like each team ends up developing their own version of solutions, and I'm keen to learn how others are tackling this on a larger scale, particularly in a Managed Service Provider (MSP) context.
So, I'm curious about a few specific points:
- Are you tracking app registrations and service principals in a centralized manner across tenants?
- How do you manage ownership when the original creator leaves the team?
- Do you proactively rotate credentials, or do you mostly respond to expiration notifications?
- Have you discovered any methods that go beyond just scripts and monitoring?
I want to figure out what can be sustainably managed over the long haul versus what's just passable.
1 Answer
As a Platform Engineer, we set up an automation that runs daily checks and notifies a Slack channel when a secret or certificate is about to expire in less than 7 days. This helps us quickly renew the cert or secret in Azure Key Vault. It's a good start, but I've found ownership to be a tricky issue. Sometimes, the person who owns the integration isn't around anymore, so the alerts can get ignored until something breaks. How do you deal with ownership when that happens?

That's a solid setup honestly. Alerts and automation are great, but if the original owner is absent, those notifications can just linger. Finding solutions for keeping track of who’s responsible is key. Have you encountered this often?
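The daily check described in the answer above, combined with the ownership gap the whole thread keeps returning to, as an added example that is not code from either poster. It walks a Graph-shaped `GET /applications` result per tenant, flags secrets and certificates that are expired or expire within 7 days, and separately flags registrations that have no owners, since those are the alerts that go unread. The tenant data and owner map are constructed sample input; in practice they come from `GET /applications` and `GET /applications/{id}/owners` in each tenant.

```python
from datetime import datetime, timezone

# Constructed sample shaped like a Graph GET /applications response per tenant,
# plus a constructed map from application id to the owners returned by
# GET /applications/{id}/owners (empty list = nobody owns it).
SAMPLE_TENANTS = {
    "contoso.example": {
        "apps": [
            {"id": "app-1", "displayName": "Vendor-SFTP-Sync",
             "passwordCredentials": [{"keyId": "pw-1", "endDateTime": "2024-06-05T00:00:00Z"}],
             "keyCredentials": []},
            {"id": "app-2", "displayName": "Legacy-Billing",
             "passwordCredentials": [{"keyId": "pw-2", "endDateTime": "2024-05-20T00:00:00Z"}],
             "keyCredentials": [{"keyId": "cert-1", "endDateTime": "2025-01-01T00:00:00Z"}]},
        ],
        "owners": {"app-1": ["alice@contoso.example"], "app-2": []},
    },
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample

def parse_graph_time(value: str) -> datetime:
    # Graph returns ISO 8601 with a trailing Z; make it timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_credential_risks(tenants, now, threshold_days=7):
    """One finding per expired or soon-expiring credential, plus one per unowned app."""
    findings = []
    for tenant, data in tenants.items():
        for app in data["apps"]:
            owners = data["owners"].get(app["id"], [])
            if not owners:
                findings.append({"tenant": tenant, "app": app["displayName"],
                                 "issue": "no-owner", "days_left": None, "owners": []})
            creds = [("secret", c) for c in app.get("passwordCredentials", [])]
            creds += [("certificate", c) for c in app.get("keyCredentials", [])]
            for kind, cred in creds:
                days_left = (parse_graph_time(cred["endDateTime"]) - now).days
                if days_left < 0:
                    issue = f"{kind}-expired"
                elif days_left < threshold_days:
                    issue = f"{kind}-expiring"
                else:
                    continue  # healthy credential, nothing to report
                findings.append({"tenant": tenant, "app": app["displayName"],
                                 "issue": issue, "days_left": days_left,
                                 "owners": owners, "keyId": cred["keyId"]})
    return findings

def demo():
    return find_credential_risks(SAMPLE_TENANTS, SAMPLE_NOW)

if __name__ == "__main__":
    for finding in demo():
        print(finding)  # feed these to Slack, a CMDB, or a monitoring board
```

Each finding carries the tenant, app, owners and days left, so a no-owner finding can be routed to a fallback team instead of silently expiring.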