Azure Enterprise App/App Registration tracking

Pawlak, Owen - (BOS) 0 Reputation points
2024-08-12T13:13:13.46+00:00

I am looking for an efficient way of tracking Enterprise Apps and App Registrations. More specifically, tracking when App certificates or secrets expire. What ways does your organization use to track their Azure Applications?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

3 answers

  1. Sina Salam 22,031 Reputation points Volunteer Moderator
    2024-08-12T22:37:18.8966667+00:00

    Hello Pawlak, Owen - (BOS),

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are looking for an efficient way of tracking Enterprise Apps and App Registrations. Specifically, tracking when App certificates or secrets expire.

    Keeping track of the expiration dates for app certificates and secrets in Azure is an important aspect when it comes to ensuring your enterprise applications stay secure and running, but you cannot really achieve this either inside or outside of the portal. There are many different ways and tools you can employ to manage your Azure App Registrations, as well as to track the certificates and secrets associated with them:

    • Azure AD Access Reviews and Conditional Access.
    • Certificates and Secrets Management in the Azure portal.
    • Azure CLI and PowerShell are my favorite tools, using the Azure AD PowerShell modules to automate the tracking process, like this example:
        # Requires the AzureAD module and an existing session (Connect-AzureAD).
        # Enumerate every app registration in the tenant.
        $apps = Get-AzureADApplication
        foreach ($app in $apps) {
            # Only password (secret) credentials are checked here; certificates are
            # returned separately by Get-AzureADApplicationKeyCredential.
            $secrets = Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
            foreach ($secret in $secrets) {
                # Report any secret that expires within the next 30 days (or already has).
                if ($secret.EndDate -lt (Get-Date).AddDays(30)) {
                    Write-Output "$($app.DisplayName) secret expires on $($secret.EndDate)"
                }
            }
        }
      
    • Set up alerts in Azure Monitor to notify you when a certificate or secret is nearing its expiration.
    • Using custom Azure Policies to audit the expiration dates of certificates and secrets.
    • You can create a custom solution using Azure Functions or Logic Apps to periodically check the expiration dates of certificates and secrets and send notifications or create tickets for remediation like other enterprises.
    • I have seen a friend using third-party tools like CloudBolt, AppDynamics, or CloudHealth.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Best Regards,

    Sina Salam


  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.



  3. Navya 20,180 Reputation points Microsoft External Staff Moderator
    2024-08-19T06:02:53.94+00:00

    Hi @Pawlak, Owen - (BOS)

    Thank you for posting this in Microsoft Q&A.

    I understand that you are looking for an effective method to monitor Enterprise Apps and App Registrations, particularly to track the expiration of App certificates and secrets.

    You can utilize PowerShell or Power Automate to set up notifications for expiring secrets or certificates.

    1. Export all of your app registrations or Enterprise applications with secrets and certificates via PowerShell script.

    2. You can use Power Automate to notify of upcoming client secret expiration, as detailed in this article:

    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-power-automate-to-notify-of-upcoming-azure-ad-app-client/ba-p/2406145

    3. Alternatively, you can use a logic app that runs daily. Here is a Logic Apps example: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/use-azure-logic-apps-to-notify-of-pending-aad-application-client/ba-p/3014603?fbclid=IwAR3ECopMRsitagEStKLC_yvAmFX4a1Ispn_a8ZFitapPquq9OZcZvQgKVOQ

    4. Another option would be to use an Azure Automation account to send logs to a Log Analytics workspace. Then you could set up Azure Monitor alerts to run queries for expiration warnings and errors.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
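The following is an added example, not code from either answer above or from Microsoft. It covers both the AzureAD snippet in the first answer (which checks only secrets on app registrations) and steps 1 and 4 of this answer (export via PowerShell, run from an Azure Automation account): it inventories secrets and certificates on app registrations and on enterprise applications (service principals) with the Microsoft Graph PowerShell SDK, which has succeeded the AzureAD module, flags expired and soon-to-expire credentials, and optionally exports the report to CSV. It assumes the Microsoft.Graph.Applications module is installed and that the caller (an interactive user, or the Automation account's managed identity when -UseManagedIdentity is set) holds the Application.Read.All permission; the parameter names and the 30-day default are the example's own choices.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example: inventory expiring credentials on app registrations and
# enterprise applications via Microsoft Graph. Assumes Application.Read.All.
param(
    [int]$WarnDays = 30,           # flag credentials that expire within this many days
    [switch]$UseManagedIdentity,   # set when running as an Azure Automation runbook
    [string]$CsvPath               # optional path for a CSV export of the full report
)

if ($UseManagedIdentity) {
    Connect-MgGraph -Identity -NoWelcome
} else {
    Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome
}

# Graph returns EndDateTime in UTC, so compare against UTC, not local time.
$now    = [DateTime]::UtcNow
$cutoff = $now.AddDays($WarnDays)
$report = New-Object System.Collections.Generic.List[object]

function Add-CredentialRows {
    param($Object, [string]$ObjectType)
    # Secrets (PasswordCredentials) and certificates (KeyCredentials) are both
    # inspected; Graph never returns secret values, only metadata such as KeyId.
    $all = @()
    foreach ($c in $Object.PasswordCredentials) { $all += [pscustomobject]@{ Kind = 'Secret';      Cred = $c } }
    foreach ($c in $Object.KeyCredentials)      { $all += [pscustomobject]@{ Kind = 'Certificate'; Cred = $c } }
    foreach ($entry in $all) {
        $end = $entry.Cred.EndDateTime
        if ($null -eq $end) { continue }
        $daysLeft = [math]::Floor(($end - $now).TotalDays)
        $state = if ($end -lt $now) { 'Expired' } elseif ($end -lt $cutoff) { 'ExpiringSoon' } else { 'OK' }
        $report.Add([pscustomobject]@{
            ObjectType  = $ObjectType
            DisplayName = $Object.DisplayName
            AppId       = $Object.AppId
            CredType    = $entry.Kind
            KeyId       = $entry.Cred.KeyId
            EndDateTime = $end
            DaysLeft    = $daysLeft
            State       = $state
        })
    }
}

# App registrations.
Get-MgApplication -All -Property DisplayName,AppId,PasswordCredentials,KeyCredentials |
    ForEach-Object { Add-CredentialRows -Object $_ -ObjectType 'AppRegistration' }

# Enterprise applications (service principals) carry their own credentials,
# e.g. SAML signing certificates, so they are inventoried separately.
Get-MgServicePrincipal -All -Property DisplayName,AppId,PasswordCredentials,KeyCredentials |
    ForEach-Object { Add-CredentialRows -Object $_ -ObjectType 'EnterpriseApp' }

if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }

# One line per problem credential, expired first. As a runbook this is the job
# output that can be forwarded to Log Analytics and queried by an alert rule.
$report | Where-Object State -ne 'OK' | Sort-Object DaysLeft | ForEach-Object {
    Write-Output ('{0} [{1}] {2} ''{3}'' ({4}) KeyId {5}: {6} day(s) left, ends {7:u}' -f `
        $_.State, $_.ObjectType, $_.CredType, $_.DisplayName, $_.AppId, $_.KeyId, $_.DaysLeft, $_.EndDateTime)
}

Disconnect-MgGraph | Out-Null
```

Run it interactively as `.\Get-ExpiringAppCredentials.ps1 -WarnDays 45 -CsvPath .\app-creds.csv`, or import it as a PowerShell runbook and schedule it daily with `-UseManagedIdentity`. The report contains only credential metadata (KeyId, type, expiry), never secret material, so it is safe to ship to a workspace or ticketing system; checking service principals as well as app registrations matters because a SAML certificate on an enterprise app expires independently of anything on the corresponding app registration.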

