This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 6%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDD%3C/text%3E%3C/svg%3E)
I think this is a topic i have already seen a few times, but due to some changes i hope its appropriate to ask again.
In our Azure we have applications / app registrations which have a client secret which will expire.
As far as i know, there is no standard functionality from Azure to get notified about this. I only find out a secret is expired if:
Looking around the web i found multiple scripts which can be executed either in powershell or a automation runbook. Examples include:
https://github.com/demiliani/PowershellCloudScripts/blob/master/AzureADCheckSecretsToExpire.ps1
While personally i couldnt get these to run due to permissions issues, i stumbled upon this announcement:
If i understand correctly, even if i get the scripts to work, some modules used will be deprecated in a while.
My question is: Is there any new way to get notified here or a best practice? Or do we still need to write / run a script ourselves, though not with Azure AD powershell comands but with MS Graph powershell?
If someone has a working script, feel free to share it!
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Hello James,
i wasnt able to check Vasils script yet or change it to my specific needs, though it looks promising. To avoid having an open question: Shall i just close the question?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 76%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOK%3C/text%3E%3C/svg%3E)
you may consider creating an account automation on Azure with a PowerShell script and scheduling it to receive email notifications
Here is the step-by-step guide
https://wiseservices.co.uk/post/a3a10db6-02b5-4162-9773-cc3e2c618a47
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 87%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Take a look at this: Recommendation to renew expiring application credentials - Microsoft Entra ID | Microsoft Learn
I had an email a few weeks ago telling me that I had an application credential expiring. When you click the link in the email it takes you to a page on the Azure portal which lists the resource name and ID.
For info I've got E5 licences.
Hi Robin,
while i was using a custom logic app that mails me expiring secrets etc (though i dont know where i have it from, cant find the source anymore) i think that is the "most native" solution there is, even if its in preview.
I did not get a mail but this might be due to a setup from our side. Thanks a lot!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 28.999999999999996%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)
If your organization is using Privileged Identity Management (PIM), the recipients must be elevated to the role indicated in order to receive the email notification. If no one is actively assigned to the role, no emails are sent. For this reason, we recommend checking the recommendations regularly to ensure that you are aware of any new recommendations.
Anyone have way around this? We use PIM.
There is no built-in alerting feature for this, though it's a common ask and Microsoft will likely offer something in the future. For the time being, you will have to create your own solution based on either the Graph API or the Graph SDK for PowerShell. There is no going around permissions though, all such solutions will need Application.Read.All at the minimum.
Here's a sample script you can use for the reporting part: https://www.michev.info/blog/post/5940/reporting-on-entra-id-application-registrations
Feel free to modify it to best suit your needs, i.e. add the alerting part.
Hello Vasil,
didnt have time to get the script running / modify it to my needs yet but it looksl ike exactly what i need. Thanks a lot!