How to get alerts for expiration of client secrets?

Dvorak, David 5 Reputation points
2024-02-22T11:45:11.2833333+00:00

I think this is a topic I have already seen a few times, but due to some changes I hope it's appropriate to ask again.

In our Azure we have applications / app registrations which have a client secret which will expire.


As far as I know, there is no standard functionality from Azure to get notified about this. I only find out a secret is expired if:

  1. The application doesn't work anymore and users complain
  2. I manually and regularly check what will expire next, create myself reminders, etc.

Looking around the web I found multiple scripts which can be executed either in PowerShell or in an Automation runbook. Examples include:

https://github.com/kevinferretti/misc-scripts/blob/1433c4086fce47c8410bb221cefe38826587974d/CheckForExpiredClientSecrets.ps1

https://github.com/demiliani/PowershellCloudScripts/blob/master/AzureADCheckSecretsToExpire.ps1

While personally I couldn't get these to run due to permissions issues, I stumbled upon this announcement:

https://techcommunity.microsoft.com/t5/microsoft-entra-blog/important-azure-ad-graph-retirement-and-powershell-module/ba-p/3848270

If I understand correctly, even if I get the scripts to work, some modules used will be deprecated in a while.

My question is: Is there any new way to get notified here, or a best practice? Or do we still need to write / run a script ourselves, though not with Azure AD PowerShell commands but with MS Graph PowerShell?

If someone has a working script, feel free to share it!


1 answer

  1. Vasil Michev 97,386 Reputation points MVP
    2024-02-22T17:18:39.6966667+00:00

    There is no built-in alerting feature for this, though it's a common ask and Microsoft will likely offer something in the future. For the time being, you will have to create your own solution based on either the Graph API or the Graph SDK for PowerShell. There is no going around permissions, though: all such solutions will need Application.Read.All at the minimum.

    Here's a sample script you can use for the reporting part: https://www.michev.info/blog/post/5940/reporting-on-entra-id-application-registrations

    Feel free to modify it to best suit your needs, i.e. add the alerting part.
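As an added illustration of the approach the answer describes (it is example code, not the asker's scripts, the linked blog post's script, or anything from Microsoft), the following Microsoft Graph PowerShell SDK script lists every app registration credential that is already expired or expires within a configurable window. It assumes the Microsoft.Graph.Applications module is installed and that the signed-in identity holds Application.Read.All, the minimum permission the answer names; the `$DaysAhead` parameter and the output columns are this example's own choices.

```powershell
# Added example: report client secrets and certificates on app registrations that are
# expired or expiring soon, using Get-MgApplication from the Microsoft Graph PowerShell SDK
# (not the deprecated Azure AD module). Requires Application.Read.All.
param(
    [int]$DaysAhead = 30   # assumption: warn on credentials expiring within this many days
)

# Interactive sign-in. In an Automation runbook you would use the account's managed
# identity instead: Connect-MgGraph -Identity (after granting it Application.Read.All).
Connect-MgGraph -Scopes "Application.Read.All"

$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)
$report = [System.Collections.Generic.List[object]]::new()

# -All pages through every app registration; -Property restricts the fields fetched.
$apps = Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials

foreach ($app in $apps) {
    # Client secrets live in PasswordCredentials, certificates in KeyCredentials;
    # both expose EndDateTime, so they are checked with the same logic.
    $credentialSets = @{
        Secret      = $app.PasswordCredentials
        Certificate = $app.KeyCredentials
    }

    foreach ($type in $credentialSets.Keys) {
        foreach ($cred in $credentialSets[$type]) {
            if ($null -eq $cred.EndDateTime) { continue }   # skip malformed entries
            $end = [datetime]$cred.EndDateTime
            if ($end -gt $cutoff) { continue }                # still valid beyond the window

            $daysLeft = [int][math]::Floor(($end - $now).TotalDays)
            $report.Add([pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                Type        = $type
                KeyId       = $cred.KeyId
                Expires     = $end.ToString('u')
                Status      = if ($end -lt $now) { 'EXPIRED' } else { "expires in $daysLeft days" }
            })
        }
    }
}

# Reporting part only: sort so the most urgent items come first. To add the alerting
# part, feed $report into e-mail, a Teams/webhook call, or a Log Analytics ingestion.
$report | Sort-Object Expires | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Run it on a schedule (Task Scheduler or an Automation runbook) so that an empty report becomes the normal case and a non-empty one is the signal to rotate the credential before users notice an outage.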