Automating Entra ID App Registration Secret Renewal with Azure Runbook

Subhash Kumar Mahato 225 Reputation points
2024-08-27T16:57:51.41+00:00

I have a scenario where I want to renew the Entra ID App registration secret value every 365 days and store it in Azure Key Vault. To achieve this, I have deployed a Key Vault to store the Entra ID App registration details as a secret. Additionally, I have developed a PowerShell script that renews the Entra ID App registration secret value and updates it in Azure Key Vault. In this process, I am using one app registration to authenticate to Entra ID and Azure Key Vault and update the secret value in both Entra App registration and Azure Key Vault.

The script works fine when executed manually from any device. However, I want to automate the script using an Azure Runbook.

I need some assistance with Azure Runbook, and I have the following queries:

  1. How can I securely store and pass the Entra ID App registration Client ID and Client Secret values into the script for authentication in an Azure Runbook?
  2. How can I allow the Runbook's IP address in the Key Vault so that only that Runbook can access the Key Vault?

Your suggestions would be greatly appreciated.

Thank you in advance.

Tags: Azure Key Vault, Azure Automation, Microsoft Entra ID

1 answer

  1. Thangaraj Lakshmanan 185 Reputation points
    2024-08-28T14:37:00.9333333+00:00

    Hello, good day!

    To automate your PowerShell script using an Azure Runbook and securely store and pass the Azure App registration Client ID and Client Secret values, follow these steps:


    1. Securely Storing and Passing Client ID and Client Secret

    a. Store Secrets in Azure Key Vault:

    Store your Client ID and Client Secret in Azure Key Vault as secrets.

    You can do this via the Azure portal, PowerShell, or CLI.


    b. Configure Azure Automation to Access Key Vault:

    Create a System-Assigned Managed Identity for your Azure Automation account.

    Go to your Azure Automation account in the Azure portal.

    Under "Account Settings," select "Identity."

    Enable the "System assigned" managed identity.

    Grant Access to the Managed Identity:

    In the Azure Key Vault where your secrets are stored, go to "Access policies."

    Add an access policy that grants "Get" permission to the managed identity of your Azure Automation account.


    Retrieve Secrets in Runbook:

    In your PowerShell script within the Runbook, retrieve the secrets from the Key Vault using the managed identity.

    # Authenticate to Azure as the Automation account's system-assigned managed identity
    Connect-AzAccount -Identity | Out-Null

    # Key Vault and secret to read (placeholders)
    $vaultName  = "your-key-vault-name"
    $secretName = "your-secret-name"

    # Retrieve a secret value from Key Vault; returns $null on failure
    Function Get-ClientSecretFromKeyVault
    {
        param (
            [Parameter(Mandatory = $true)]
            [string]$VaultName,
            [Parameter(Mandatory = $true)]
            [string]$SecretName
        )
        try
        {
            # -AsPlainText returns the value as a string instead of a SecureString.
            # -ErrorAction Stop is needed so a failed lookup actually reaches the catch block.
            $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -ErrorAction Stop -WarningAction SilentlyContinue
            return $secret
        }
        catch
        {
            Write-Error "Failed to retrieve the client secret from Key Vault. Details: $_"
            return $null
        }
    }

    $clientSecret = Get-ClientSecretFromKeyVault -VaultName $vaultName -SecretName $secretName
    if (-not $clientSecret) { throw "No secret value retrieved from '$vaultName/$secretName'; stopping." }

    # Use the retrieved client secret in your script. Do not write the value itself to the job
    # output: Automation job streams are stored and are readable by anyone with access to the account.
    Write-Output "Retrieved secret '$secretName' from vault '$vaultName' ($($clientSecret.Length) characters)."
    
    
    2. Restrict Key Vault Access to the Runbook's IP Address

    Azure Runbooks run in a dynamic IP environment where IP addresses can change, so it’s not recommended to restrict access to a single IP address. However, you can restrict access to the Azure Virtual Network if your Runbook is running in a virtual network.

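The answer above lists the setup steps (enable the managed identity, grant it Key Vault access, run in a VNet for network restriction) as portal clicks. The following one-time setup script is an added example by the editor, not code from the answer or from Microsoft; it does the same steps with the Az and Microsoft.Graph PowerShell modules and adds two things a practitioner will need for the asker's scenario: the runbook must *write* the renewed value, so it needs Set as well as Get on the vault (here the Key Vault Secrets Officer RBAC role), and it needs a Microsoft Graph application permission to add a password to the app registration (here Application.ReadWrite.OwnedBy plus ownership of the target app, which is narrower than Application.ReadWrite.All). Every resource name, object id and subnet id below is a placeholder; the subnet is assumed to host a Hybrid Runbook Worker and to have the Microsoft.KeyVault service endpoint enabled.

```powershell
# Added one-time setup example, not the original answer's code. Run interactively as an
# administrator before the runbook is scheduled. Requires the Az.Accounts, Az.Automation,
# Az.KeyVault, Az.Resources and Microsoft.Graph.Applications modules. All names and ids
# below are placeholders (assumptions).
param(
    [string]$ResourceGroup     = "rg-automation",
    [string]$AutomationAccount = "aa-secret-rotation",
    [string]$RunbookName       = "Rotate-AppSecret",       # runbook that performs the rotation
    [string]$HybridWorkerGroup = "hrw-group",              # hybrid worker group inside the VNet
    [string]$VaultName         = "your-key-vault-name",
    [string]$TargetAppObjectId = "00000000-0000-0000-0000-000000000000",  # object id of the app registration
    [string]$WorkerSubnetId    = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>"
)
$ErrorActionPreference = "Stop"
Connect-AzAccount | Out-Null
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All", "Application.ReadWrite.All" | Out-Null

# 1. Turn on the system-assigned managed identity and capture its object id
#    (assumed to be exposed as Identity.PrincipalId on the returned account object).
$aa = Set-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationAccount -AssignSystemIdentity
$miObjectId = $aa.Identity.PrincipalId

# 2. Key Vault: the runbook writes the renewed value, so Get alone is not enough.
#    On an RBAC-mode vault grant Key Vault Secrets Officer, scoped to this vault only.
$kv = Get-AzKeyVault -VaultName $VaultName
New-AzRoleAssignment -ObjectId $miObjectId -RoleDefinitionName "Key Vault Secrets Officer" `
    -Scope $kv.ResourceId | Out-Null

# 3. Microsoft Graph: Application.ReadWrite.OwnedBy lets the identity manage only apps it owns,
#    so grant that app role on the Graph service principal and make the identity an owner of
#    the target app registration.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq "Application.ReadWrite.OwnedBy" }
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miObjectId -PrincipalId $miObjectId `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
New-MgApplicationOwnerByRef -ApplicationId $TargetAppObjectId `
    -OdataId "https://graph.microsoft.com/v1.0/directoryObjects/$miObjectId"

# 4. Network: the Azure sandbox has no fixed egress IP, so run the runbook on a Hybrid Runbook
#    Worker in a subnet with the Microsoft.KeyVault service endpoint, set the vault firewall to
#    deny by default, and allow only that subnet.
Update-AzKeyVaultNetworkRuleSet -VaultName $VaultName -DefaultAction Deny -Bypass None `
    -VirtualNetworkResourceId $WorkerSubnetId

# 5. Schedule the rotation runbook on the hybrid worker group. Rotating every 11 months with a
#    365-day secret lifetime leaves about a month in which both values are valid.
$schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
    -Name "rotate-app-secret" -StartTime (Get-Date).AddDays(1) -MonthInterval 11
Register-AzAutomationScheduledRunbook -ResourceGroupName $ResourceGroup -AutomationAccountName $AutomationAccount `
    -RunbookName $RunbookName -ScheduleName $schedule.Name -RunOn $HybridWorkerGroup | Out-Null
```

If the vault still uses access policies rather than RBAC, replace step 2 with Set-AzKeyVaultAccessPolicy -ObjectId $miObjectId -PermissionsToSecrets Get,Set. Step 4 makes the vault unreachable from the default Azure sandbox, so the rotation runbook must be scheduled with -RunOn, as in step 5.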
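The answer's snippet only reads a secret back out of Key Vault. For the asker's actual goal (renew the app registration secret on a schedule and store the new value), the runbook below is an added example by the editor, not code from the answer. Its main point is that once the Automation account has a managed identity, no client ID or client secret needs to be stored or passed in at all: the identity signs in with Connect-AzAccount -Identity, takes a Microsoft Graph token, asks Graph to generate a new password credential on the app, writes it to Key Vault with a matching expiry, and removes credentials that have already expired. It assumes the identity holds the Graph app role Application.ReadWrite.OwnedBy and owns the target app (or holds Application.ReadWrite.All), and has Get and Set on the vault. The object id, vault name and secret name are placeholders; the Graph endpoints used are the documented /applications/{id}/addPassword and /removePassword actions.

```powershell
# Added example runbook, not the original answer's code. Rotates an app registration's
# client secret using only the Automation account's managed identity. Assumptions: the
# identity has Application.ReadWrite.OwnedBy on Microsoft Graph and owns the target app
# (or has Application.ReadWrite.All), and has Get/Set on the vault. Ids and names are placeholders.
param(
    # Object id of the app registration (Overview blade), not its application (client) id
    [string]$AppObjectId  = "00000000-0000-0000-0000-000000000000",
    [string]$VaultName    = "your-key-vault-name",
    [string]$SecretName   = "your-secret-name",
    [int]   $ValidityDays = 365
)
$ErrorActionPreference = "Stop"

# 1. Sign in as the managed identity: no client id or client secret is stored or passed in.
Connect-AzAccount -Identity | Out-Null

# 2. Obtain a Microsoft Graph token for that identity. Recent Az.Accounts releases return
#    the token as a SecureString, older ones as a plain string; accept both.
$tokenObj = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
$token = if ($tokenObj.Token -is [System.Security.SecureString]) {
    [System.Net.NetworkCredential]::new("", $tokenObj.Token).Password
} else { $tokenObj.Token }
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$appUri  = "https://graph.microsoft.com/v1.0/applications/$AppObjectId"

# 3. Ask Graph to add a new password credential. Graph generates the value; secretText is
#    returned only in this response and can never be read back later.
$endDate = (Get-Date).ToUniversalTime().AddDays($ValidityDays).ToString("o")
$body = @{
    passwordCredential = @{
        displayName = "runbook-rotated-$(Get-Date -Format yyyyMMdd)"
        endDateTime = $endDate
    }
} | ConvertTo-Json
$newCred  = Invoke-RestMethod -Method Post -Uri "$appUri/addPassword" -Headers $headers -Body $body
$newKeyId = $newCred.keyId

# 4. Store the value in Key Vault with the same expiry (so Key Vault can alert on it),
#    then drop the plaintext from memory. The value is never written to the job output.
$secure = ConvertTo-SecureString -String $newCred.secretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires ([datetime]$newCred.endDateTime) -ContentType "Entra app client secret" | Out-Null
Remove-Variable newCred, secure, body

# 5. Clean up: remove credentials that have already expired. The new one and any still-valid
#    predecessor are kept, so consumers have time to pick up the new value from Key Vault.
$app = Invoke-RestMethod -Method Get -Uri ($appUri + '?$select=passwordCredentials') -Headers $headers
$now = [datetime]::UtcNow
foreach ($cred in $app.passwordCredentials) {
    $expires = ([datetime]$cred.endDateTime).ToUniversalTime()
    if ($cred.keyId -ne $newKeyId -and $expires -lt $now) {
        Invoke-RestMethod -Method Post -Uri "$appUri/removePassword" -Headers $headers `
            -Body (@{ keyId = $cred.keyId } | ConvertTo-Json) | Out-Null
        Write-Output "Removed expired credential $($cred.keyId)"
    }
}
Remove-Variable token, headers
Write-Output "Rotated secret for app $AppObjectId; new credential $newKeyId expires $endDate"
```

Services that consume the secret should read it from Key Vault at start-up or on a 401, rather than caching it indefinitely; with that in place the overlap left by step 5 makes the rotation non-disruptive. If the runbook is executed on a Hybrid Runbook Worker whose VM also has its own managed identity, check which identity Connect-AzAccount -Identity picks up before granting permissions.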
