Azure App registration Client secret expiration

Jorge Lopez 31 Reputation points
2024-01-09T13:11:00.91+00:00

I'm using Azure AD B2C to handle the authentication in some Azure Functions. I've been using the client secret approach (as explained in the documentation) to configure the Azure App.

However, the client secret has an expiration date (maximum of 2 years, even though it is recommended to refresh them more frequently), after which the app will stop working if you have not renewed it. So you have to be aware that before they expire you have to renew them manually.

Is there any "permanent" solution that doesn't involve this manual process? I didn't find any reference on how to use certificates, or how to automate the rotation of the client secrets.

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

2 answers

Sort by: Most helpful
  1. lakshminarayana pothina 5 Reputation points
    2024-04-19T17:27:58.39+00:00

    However, there is no direct way to rotate the secret. Here is a script to get the app registrations whose secrets are about to expire within 15 days (you can change the time limit).
    You can add this script to a pipeline or any automation runbook to send a mail communication.

    It will print the application name and expiry date.

    # Requires the AzureAD module and an existing session (Connect-AzureAD).
    # Note: the AzureAD module is deprecated by Microsoft; the Microsoft Graph
    # PowerShell equivalent is Get-MgApplication, which exposes PasswordCredentials
    # with an EndDateTime property instead of EndDate.
    $DaysAhead = 15            # change the time limit here
    $now       = Get-Date
    $expiring  = @()

    # Without -All $true only the first 100 applications are returned.
    $applications = Get-AzureADApplication -All $true

    foreach ($app in $applications) {
        # An app registration can hold several secrets; check every one of them
        # instead of reading PasswordCredentials.EndDate, which is an array when
        # more than one secret exists.
        foreach ($cred in $app.PasswordCredentials) {
            if ($null -eq $cred.EndDate) { continue }
            $daysUntilExpiry = ($cred.EndDate - $now).Days
            if ($daysUntilExpiry -le $DaysAhead -and $daysUntilExpiry -gt 0) {
                Write-Host "Application Name: $($app.DisplayName)"
                Write-Host "Expiry Date: $($cred.EndDate)"
                $expiring += [pscustomobject]@{
                    DisplayName     = $app.DisplayName
                    AppId           = $app.AppId
                    KeyId           = $cred.KeyId
                    AppIdExpiryDate = $cred.EndDate
                    DaysUntilExpiry = $daysUntilExpiry
                }
            }
        }
    }

    # Export the result for the pipeline or runbook that sends the notification.
    $expiring | Export-Csv -Path "C:/AzureADApplications.csv" -NoTypeInformation

    1 person found this answer helpful.

  2. Marilee Turscak-MSFT 33,951 Reputation points Microsoft Employee
    2024-01-09T23:48:23.09+00:00

    Hi @Jorge Lopez ,

    You are correct that currently the out-of-box process requires some manual work and there isn't an automatic rotation feature available yet in the platform itself, but there are several options available for automating the rotation of client secrets.

    One option is to use Power Automate to notify of upcoming client secret expiration, as detailed in this article with accompanying Github samples:

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-power-automate-to-notify-of-upcoming-azure-ad-app-client/ba-p/2406145

    Alternatively, you can use a PowerShell script or logic app that runs daily. When it catches a secret expiring within x number of days it will remove the old one and create a new one and push it to the vault. Here is a Logic Apps example: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-azure-logic-apps-to-notify-of-pending-aad-application-client/ba-p/3014603?fbclid=IwAR3ECopMRsitagEStKLC_yvAmFX4a1Ispn_a8ZFitapPquq9OZcZvQgKVOQ

    Another option would be to use an Azure Automation account to send logs to a Log Analytics workspace. Then you could set up Azure Monitor alerts to run queries for expiration warnings and errors.

    To request the ability to rotate secrets from the platform itself, you can leave feedback in the feedback portal. I have shared this feedback as well with the product team. https://feedback.azure.com/

    If the information helped you, please Accept the answer. This will help us and improve searchability for others in the community who may be researching the same question.
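The rotate-and-push-to-vault procedure described in the second answer, combined with the expiry check from the first, as an added example that is not part of either answer and not Microsoft's own sample code. It uses the Microsoft Graph PowerShell SDK (Add-MgApplicationPassword / Remove-MgApplicationPassword) rather than the deprecated AzureAD module, and Az.KeyVault to publish the new value. The object id, vault name, secret name and the two day counts in the param block are assumed placeholders; an identity with Application.ReadWrite.All on Graph and set/list/delete secret permissions on the vault is also assumed.

```powershell
# Added example (not from the answers above): rotate an app registration's client secret
# when it is about to expire and publish the new value to Azure Key Vault.
# Assumed placeholders: $AppObjectId, $VaultName, $SecretName, $RotateWithinDays, $NewSecretLifetimeDays.
param(
    [string]$AppObjectId           = '00000000-0000-0000-0000-000000000000', # object id of the registration (not the app/client id), assumed
    [string]$VaultName             = 'kv-example',                            # assumed vault name
    [string]$SecretName            = 'b2c-client-secret',                     # assumed secret name
    [int]   $RotateWithinDays      = 30,   # rotate once the newest secret expires within this window
    [int]   $NewSecretLifetimeDays = 180   # lifetime of the replacement; well under the 2-year maximum
)

Import-Module Microsoft.Graph.Applications
Import-Module Az.KeyVault

# Interactive sign-in for a workstation run. In an Automation runbook use the managed
# identity instead: Connect-MgGraph -Identity and Connect-AzAccount -Identity.
Connect-MgGraph -Scopes 'Application.ReadWrite.All' -NoWelcome
Connect-AzAccount | Out-Null

$now = [DateTime]::UtcNow
$app = Get-MgApplication -ApplicationId $AppObjectId -Property Id,AppId,DisplayName,PasswordCredentials

# The secret that expires last is the one consumers should currently be using.
$newest = $app.PasswordCredentials | Sort-Object EndDateTime -Descending | Select-Object -First 1

if ($newest -and ($newest.EndDateTime - $now).TotalDays -gt $RotateWithinDays) {
    Write-Host "$($app.DisplayName): newest secret valid until $($newest.EndDateTime), nothing to do."
    return
}

# 1. Create the replacement FIRST. The plaintext is returned only by this call,
#    so capture it here and never write it to logs or console output.
$newCred = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    displayName = "rotated $($now.ToString('yyyy-MM-dd'))"
    endDateTime = $now.AddDays($NewSecretLifetimeDays)
}

# 2. Publish it to Key Vault with the same expiry, so the vault's own expiry
#    monitoring covers it, and tag the version with the Graph KeyId for traceability.
$secure = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force
$stored = Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires $newCred.EndDateTime -Tag @{ appId = $app.AppId; keyId = $newCred.KeyId }
$newCred.SecretText = $null   # drop the plaintext from this session once it is stored
Write-Host "Stored new version $($stored.Version) of $VaultName/$SecretName (KeyId $($newCred.KeyId))."

# 3. Only now remove credentials that have ALREADY passed their end date. The outgoing
#    secret, while still valid, is deliberately kept so running consumers have an overlap
#    window in which to pick up the new version; deleting it immediately would break them.
#    A later scheduled run removes it once it has expired.
foreach ($cred in $app.PasswordCredentials) {
    if ($cred.EndDateTime -lt $now) {
        Remove-MgApplicationPassword -ApplicationId $app.Id -KeyId $cred.KeyId
        Write-Host "Removed expired secret $($cred.KeyId) (ended $($cred.EndDateTime))."
    }
}
```

Run it daily from an Automation runbook or pipeline, as the answer suggests. For the Azure Functions in the question, reference the vault secret from an app setting without a version (`@Microsoft.KeyVault(VaultName=kv-example;SecretName=b2c-client-secret)`) so the function resolves the latest version on its own; Microsoft documents that versionless references are re-resolved within 24 hours, so keep $RotateWithinDays comfortably larger than that and never delete the outgoing secret in the same run that created its replacement.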