How to Monitor Expiring Azure/Entra App Secrets and Certificates Effectively?

Asked By CuriousCoder88 On

I've noticed this issue becoming more common lately regarding managing expiring app secrets and certificates within Azure/Entra. We have many old app registrations or enterprise apps running for various purposes, such as vendor integrations, automation scripts, internal tools, and SAML SSO integrations. The problem arises when these secrets or certificates expire without anyone realizing it, leading to service interruptions. It's a challenge to track these within larger tenants since secrets are often spread out across different app registrations and service principals. I'm curious about how other teams are handling this situation operationally. Are folks scripting against the Graph API to monitor expiration dates, using alerting or monitoring tools, keeping documentation of integrations, rotating secrets upon failure, or perhaps using an asset inventory or CMDB for tracking? What seems to be the most common practice?

5 Answers

Answered By CalendarWizard97 On

I run a script that collects expiration dates and I put those dates into a calendar to keep on top of them. Even though Microsoft does alert about impending expirations, having my own calendar reminders helps us be proactive and manage change effectively.

DataDrivenDev -

That sounds like a solid plan! How many apps are you tracking this way? Just curious if it gets overwhelming.

Answered By CloudScripter42 On

One effective method I've found is using the Microsoft Graph API to feed expiration data into a monitoring board. For smaller teams, simply tracking the expiration dates can be enough; if a secret or cert is within three months of expiring, we put it on our board. Most of our ownership goes to service accounts, so I don’t track those as closely.

MicroTechGuru23 -

That sounds practical! For smaller setups, monitoring those dates seems like a good balance.

Answered By ScheduledNotifier03 On

I have a PowerShell script that I run via a scheduled task every week. It compiles a list of all apps along with their secret or cert expiry dates and emails that to our team. We also have some similar setups using Azure Automation, which is neat.

AzureEnthusiast99 -

Could you possibly share your script? I'm always looking for ways to improve my own processes!

Answered By RunbookRunner60 On

I set up an Azure Runbook that checks all subscriptions for any expiring secrets and certs within 30 days. It even pulls in those that expired recently and emails our IT team for follow-up. This runs weekly, and I find it very effective.

TrackItTeam -

That sounds efficient! How many apps are you managing with that runbook? Do you face issues with apps lacking a clear owner?

Answered By PowerShellPro01 On

I created a custom PowerShell script that automatically emails the owner of a secret or certificate if it's about to expire within 30 days. If no owner is designated, the Entra Admins get notified instead. It's surprising that there are no built-in alerts for this from Microsoft, though it turns out they do send notifications around 60 days prior, which I hadn't realized before!

ScriptSavvy56 -

Wait, there are built-in alerts? That's good to know! I'll keep an eye out for those emails.
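The weekly PowerShell reports described by ScheduledNotifier03 and PowerShellPro01 above, written out as an added example (not any poster's own script): it lists app registration secrets and certificates expiring within 30 days or expired in the last week, resolves each app's owners through Microsoft Graph, and flags ownerless apps so admins can be notified instead. It assumes the Microsoft.Graph.Applications module and Application.Read.All permission; the parameter names and the report layout are this example's own.

```powershell
# Added example: weekly expiry report for app registration secrets and certificates.
# Assumes Microsoft.Graph.Applications is installed and the signed-in identity
# holds Application.Read.All (hypothetical parameter names chosen for this example).
param(
    [int]$DaysAhead = 30,   # look-ahead window, the 30-day threshold used in the answers
    [int]$DaysBack  = 7     # also report credentials that expired during the last week
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

$now    = Get-Date
$until  = $now.AddDays($DaysAhead)
$since  = $now.AddDays(-$DaysBack)
$report = New-Object 'System.Collections.Generic.List[object]'

$apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials
foreach ($app in $apps) {
    # Merge secrets and certificates into one list, tagging each entry with its kind.
    $creds  = @()
    $creds += $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }
    $creds += $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } }

    # Keep only credentials whose end date falls inside [now - DaysBack, now + DaysAhead].
    $due = $creds | Where-Object {
        $_.Cred.EndDateTime -and $_.Cred.EndDateTime -ge $since -and $_.Cred.EndDateTime -le $until
    }
    if (-not $due) { continue }   # skip the owner lookup when nothing is due for this app

    # Resolve owner UPNs once per app; an empty list is the "notify Entra admins" case.
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All |
              ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
              Where-Object { $_ }
    if (-not $owners) { $owners = @('<no owner: notify Entra admins>') }

    foreach ($d in $due) {
        $report.Add([pscustomobject]@{
            App      = $app.DisplayName
            AppId    = $app.AppId
            Kind     = $d.Kind
            Name     = $d.Cred.DisplayName
            KeyId    = $d.Cred.KeyId
            Expires  = $d.Cred.EndDateTime
            DaysLeft = [math]::Floor(($d.Cred.EndDateTime - $now).TotalDays)   # negative = already expired
            Owners   = ($owners -join '; ')
        })
    }
}

# Soonest expiry first; pipe this to Export-Csv or a mail cmdlet for the weekly e-mail.
$report | Sort-Object Expires | Format-Table -AutoSize
```

SAML signing certificates for enterprise apps live on the service principal rather than the app registration, so the same loop would need to run over Get-MgServicePrincipal as well to cover the SSO integrations mentioned in the question.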
