How to get alerts for expiration of client secrets?

Dvorak, David 70 Reputation points
2024-02-22T11:45:11.2833333+00:00

I think this is a topic I have already seen a few times, but due to some changes I hope it's appropriate to ask again.

In our Azure we have applications / app registrations which have a client secret which will expire.


As far as I know, there is no standard functionality from Azure to get notified about this. I only find out a secret has expired if:

  1. The application doesn't work anymore and users complain
  2. I manually and regularly check what will expire next, create myself reminders etc.

Looking around the web I found multiple scripts which can be executed either in PowerShell or in an Automation runbook. Examples include:

https://github.com/kevinferretti/misc-scripts/blob/1433c4086fce47c8410bb221cefe38826587974d/CheckForExpiredClientSecrets.ps1

https://github.com/demiliani/PowershellCloudScripts/blob/master/AzureADCheckSecretsToExpire.ps1

While personally I couldn't get these to run due to permission issues, I stumbled upon this announcement:

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/important-azure-ad-graph-retirement-and-powershell-module/ba-p/3848270

If I understand correctly, even if I get the scripts to work, some of the modules used will be deprecated in a while.

My question is: Is there any new way to get notified here, or a best practice? Or do we still need to write / run a script ourselves, though not with Azure AD PowerShell commands but with Microsoft Graph PowerShell?

If someone has a working script, feel free to share it!

Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. RobinCM 91 Reputation points
    2024-10-25T17:32:57.8433333+00:00

    Take a look at this: Recommendation to renew expiring application credentials - Microsoft Entra ID | Microsoft Learn

    I had an email a few weeks ago telling me that I had an application credential expiring. When you click the link in the email it takes you to a page on the Azure portal which lists the resource name and ID.

    For info I've got E5 licences.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
    2024-02-22T17:18:39.6966667+00:00

    There is no built-in alerting feature for this, though it's a common ask and Microsoft will likely offer something in the future. For the time being, you will have to create your own solution based on either the Graph API or the Graph SDK for PowerShell. There is no going around permissions though, all such solutions will need Application.Read.All at the minimum.

    Here's a sample script you can use for the reporting part: https://www.michev.info/blog/post/5940/reporting-on-entra-id-application-registrations

    Feel free to modify it to best suit your needs, i.e. add the alerting part.
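Below is an added example of the "write it yourself with the Graph PowerShell SDK" approach that both the question and this answer point to; it is not the script linked above and not from the original question or answers. It enumerates every app registration, flags client secrets (password credentials) and certificates (key credentials) that have expired or expire within a threshold, prints a table, and optionally e-mails the findings. Assumptions: the Microsoft.Graph.Applications module (and Microsoft.Graph.Users.Actions for the mail step) is installed, the signed-in identity holds Application.Read.All (plus Mail.Send only if you use the e-mail step), and the parameter names $DaysAhead, $NotifyFrom and $NotifyTo are illustrative choices, not anything the page specifies.

```powershell
<#
  Added example (not from the original post or either answer).
  Reports expiring/expired credentials on Entra ID app registrations via the
  Microsoft Graph PowerShell SDK. Assumes Application.Read.All is granted;
  the optional e-mail step additionally assumes Mail.Send.
  $DaysAhead / $NotifyFrom / $NotifyTo are example parameter names.
#>
param(
    [int]$DaysAhead = 30,            # alert window in days
    [string]$NotifyFrom = '',        # mailbox to send from, e.g. alerts@contoso.com (assumed); empty = no mail
    [string]$NotifyTo   = ''         # recipient of the report (assumed)
)

Import-Module Microsoft.Graph.Applications
$scopes = @('Application.Read.All')          # minimum permission, as the answer above notes
$sendMail = [bool]($NotifyFrom -and $NotifyTo)
if ($sendMail) {
    Import-Module Microsoft.Graph.Users.Actions
    $scopes += 'Mail.Send'
}
# In an Automation runbook you would use Connect-MgGraph -Identity instead of interactive sign-in.
Connect-MgGraph -Scopes $scopes -NoWelcome

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays($DaysAhead)
$findings = [System.Collections.Generic.List[object]]::new()

# Build a finding object for one credential, or return nothing if it is outside the window.
function ConvertTo-Finding {
    param($App, [string]$Type, $Cred)
    if (-not $Cred.EndDateTime) { return }                       # no expiry recorded
    $end = ([datetime]$Cred.EndDateTime).ToUniversalTime()
    if ($end -gt $cutoff) { return }                             # still valid beyond the window
    $status = if ($end -lt $now) { 'EXPIRED' } else { 'Expiring' }
    [pscustomobject]@{
        Application = $App.DisplayName
        AppId       = $App.AppId
        ObjectId    = $App.Id
        Type        = $Type
        Name        = $Cred.DisplayName
        KeyId       = $Cred.KeyId                                # only metadata; secret values are never readable
        Status      = $status
        DaysLeft    = [int][math]::Floor(($end - $now).TotalDays)
        Expires     = $end
    }
}

# -All pages through every app registration; -Property keeps the response small.
$apps = Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials
foreach ($app in $apps) {
    foreach ($p in $app.PasswordCredentials) {                   # client secrets
        $f = ConvertTo-Finding -App $app -Type 'Secret' -Cred $p
        if ($f) { $findings.Add($f) }
    }
    foreach ($k in $app.KeyCredentials) {                        # certificates
        $f = ConvertTo-Finding -App $app -Type 'Certificate' -Cred $k
        if ($f) { $findings.Add($f) }
    }
}

$findings = @($findings | Sort-Object Expires)
$findings | Format-Table Application, Type, Name, Status, DaysLeft, Expires -AutoSize

# Alerting part: one plain-text mail listing everything that matched.
if ($sendMail -and $findings.Count -gt 0) {
    $lines = foreach ($f in $findings) {
        "{0} [{1}] {2} '{3}' {4} {5:u} (KeyId {6})" -f $f.Application, $f.AppId, $f.Type, $f.Name, $f.Status, $f.Expires, $f.KeyId
    }
    Send-MgUserMail -UserId $NotifyFrom -BodyParameter @{
        message = @{
            subject      = "Entra ID: $($findings.Count) app credential(s) expiring within $DaysAhead days"
            body         = @{ contentType = 'Text'; content = ($lines -join "`n") }
            toRecipients = @(@{ emailAddress = @{ address = $NotifyTo } })
        }
        saveToSentItems = $false
    }
}

Disconnect-MgGraph | Out-Null
```

Run it interactively as `.\Check-AppCredentialExpiry.ps1 -DaysAhead 45` to get just the table, or add `-NotifyFrom`/`-NotifyTo` to send the report; scheduling it from an Automation runbook with a managed identity that has been granted Application.Read.All (and Mail.Send if mailing) turns it into the recurring alert the question asks for. Two caveats worth knowing: the script sees only credential metadata (KeyId, display name, dates), never the secret value itself, and it covers app registrations only, so credentials attached directly to service principals (Get-MgServicePrincipal) would need the same loop run over those objects.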

