Share via

Azure App registration Client secret expiration

Jorge Lopez 51 Reputation points
2024-01-09T13:11:00.91+00:00

I'm using Azure AD B2C to handle the authentication in some Azure Functions. I've been using the client secret approach (as explain in the documentation) to configure the Azure App.

However the client secret has a expiration date (maximum of 2 years, even if is recommended to refresh them more frequently), after which the app will stop working if you have not renewed it. So you have to be aware that before they expire you have to renew them manually.

There is any "permanent" solution that don't involve this manual process? I didn't find any reference on how to use certificates, or automate the rotation of the client secrets

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2024-01-09T23:48:23.09+00:00

    Hi @Jorge Lopez ,

    You are correct that currently the out-of-box process requires some manual work and there isn't an automatic rotation feature available yet in the platform itself, but there are several options available for automating the rotation of client secrets.

    One option is to use Power Automate to notify of upcoming client secret expiration, as detailed in this article with accompanying Github samples:

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-power-automate-to-notify-of-upcoming-azure-ad-app-client/ba-p/2406145

    Alternatively, you can use a PowerShell script or logic app that runs daily. When it catches a secret expiring within x number of days it will remove the old one and create a new one and push it to the vault. Here is a Logic Apps example: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-azure-logic-apps-to-notify-of-pending-aad-application-client/ba-p/3014603?fbclid=IwAR3ECopMRsitagEStKLC_yvAmFX4a1Ispn_a8ZFitapPquq9OZcZvQgKVOQ

    Another option would be to use an Azure Automation account to send logs to a Log Analytics workspace. Then you could set up Azure Monitor alerts to run queries for expiration warnings and errors.

    To request an ability rotate secrets from the platform itself, you can leave feedback in the feedback portal. I have shared this feedback as well with the product team. https://feedback.azure.com/

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching the same question.

    4 people found this answer helpful.
  2. lakshminarayana pothina 5 Reputation points
    2024-04-19T17:27:58.39+00:00

    How ever there is no direct way to get it rotate secrect, here is the script to get app registration about to expires within 15 days (you can change the time limit).
    you can add this script in the pipeline or any automation runbook to send a mail communication.

    it will prompt the application name and expiry date.

    $application = Get-AzureADApplication
$application | Export-Csv -Path "C:/AzureADApplications.csv" -NoTypeInformation
$applications = Import-Csv -Path "C:/AzureADApplications.csv"
foreach ($app in $applications) {
    $appId = $app.AppId
    $appDetails = Get-AzureADApplication -Filter "AppId eq '$appId'"
    if ($appDetails) {
        $expiryDate = $appDetails.PasswordCredentials.EndDate
        $app | Add-Member -MemberType NoteProperty -Name "AppIdExpiryDate" -Value $expiryDate
    } else {
        Write-Warning "Application with AppId '$appId' not found."
    }
}
$applications | Export-Csv -Path "C:/AzureADApplications1.csv" -NoTypeInformation
$csvData = Import-Csv -Path "C:/AzureADApplications1.csv"
foreach ($row in $csvData) {
    if ($null -eq $row."AppIdExpiryDate") {
        continue
    }
    $expiryDate = $row."AppIdExpiryDate"
    try {
        $expiryDateTime = [datetime]::Parse($expiryDate)
    } catch {
        continue
    }
    $daysUntilExpiry = ($expiryDateTime - (Get-Date)).Days
    if ($daysUntilExpiry -le 15 -and $daysUntilExpiry -gt 0) {
        Write-Host "Application Name: $($row.DisplayName)"
        Write-Host "Expiry Date: $($row.'AppIdExpiryDate')"
    }
}
    1 person found this answer helpful.
    0 comments
  3. Oguz Kaan Akyalcin 1 Reputation point
    2025-04-03T09:20:46.8566667+00:00

    https://wiseservices.co.uk/post/a3a10db6-02b5-4162-9773-cc3e2c618a47

    you can find a way in the article with automation account in azure

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.