Reputation: 1591
I have many applications registered in an Azure AD tenant, and many of them have client secret keys issued for 1 or 2 years. Is there a way to get an alert before expiry, as expired keys will cause an outage?
Upvotes: 6
Views: 15776
Reputation: 126
I created a "simple" one-line Azure PowerShell command to show all principals that have expired or will expire in the next 30 days. Using that as a data feed for an email (like Send-MailMessage) or other alerting tool may be fairly straightforward.
Get-AzureADApplication -All:$true | Select-Object AppId, displayName -ExpandProperty PasswordCredentials | Where-Object EndDate -lt (Get-Date).AddDays(30) | Sort-Object EndDate | Format-Table AppId, DisplayName, EndDate
Note: If you have multiple secrets on a principal, each one shows up as its own line in the output. If you want to see all your principals and their secret expirations, just remove the Where-Object clause in the middle.
Upvotes: 1
Reputation: 10646
At this time, there is no out of the box mechanism for alerting when client secrets are expiring.
You can vote for this ask in the Azure AD Feedback Entry: Need email alert option when keys are about to expire
Alternatively, you can build your own alerting mechanism by polling the Graph (currently the Azure AD Graph and eventually the Microsoft Graph once /servicePrincipals is in /v1.0/ in there).
Query /servicePrincipals and filter on PasswordCredentials.EndDate and KeyCredentials.EndDate.
You'll need to do your filtering client side since Graph doesn't support filtering on these values yet.
Azure AD Graph has been deprecated.
Query Microsoft Graph's /servicePrincipals and filter on the EndDate property of the PasswordCredentials object.
Upvotes: 1
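An added example, not code from any of the answers on this page, of the client-side filtering this answer describes: it walks a Microsoft Graph /servicePrincipals response (a constructed sample, assuming the v1.0 shape where each passwordCredentials and keyCredentials entry carries an endDateTime string) and reports every secret or certificate that has already expired or expires within 30 days, which is the data an alert would be raised on.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape Microsoft Graph v1.0 returns for
# GET /servicePrincipals?$select=appId,displayName,passwordCredentials,keyCredentials
# (values are made up; a real run would also page through @odata.nextLink).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "billing-api",
   "passwordCredentials": [
     {"keyId": "aaaa", "displayName": "prod", "endDateTime": "2024-06-10T00:00:00Z"},
     {"keyId": "bbbb", "displayName": "old", "endDateTime": "2024-05-01T00:00:00.1234567Z"}],
   "keyCredentials": [
     {"keyId": "cccc", "displayName": "signing-cert", "endDateTime": "2025-01-01T00:00:00Z"}]},
  {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "reporting-job",
   "passwordCredentials": [], "keyCredentials": []}
]}
""")
SAMPLE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # fixed clock for the sample
_FRACTION = re.compile(r"\.(\d+)")

def parse_graph_datetime(value):
    """Parse Graph's ISO 8601 timestamps; they are UTC and may carry 7 fractional digits."""
    value = _FRACTION.sub(lambda m: "." + m.group(1)[:6], value)  # fromisoformat wants <= 6
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    # Defensive: an offset-less value is treated as UTC rather than local time
    return (parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)).astimezone(timezone.utc)

def expiring_credentials(principals, now, within_days=30):
    """Client-side filter: every secret or certificate, on any principal, that has
    already expired or expires within `within_days`, soonest first."""
    cutoff = now + timedelta(days=within_days)
    hits = []
    for sp in principals:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in sp.get(kind) or []:
                end = parse_graph_datetime(cred["endDateTime"])
                if end < cutoff:
                    hits.append({"appId": sp["appId"], "displayName": sp.get("displayName"),
                                 "kind": "secret" if kind == "passwordCredentials" else "certificate",
                                 "keyId": cred["keyId"], "endDateTime": end,
                                 "expired": end < now, "daysLeft": (end - now).days})
    return sorted(hits, key=lambda h: h["endDateTime"])

if __name__ == "__main__":
    for h in expiring_credentials(SAMPLE_RESPONSE["value"], SAMPLE_NOW):
        state = "EXPIRED" if h["expired"] else f"{h['daysLeft']} days left"
        print(f"{h['displayName']} {h['kind']} {h['keyId']}: {h['endDateTime']:%Y-%m-%d} ({state})")
```

Feeding the returned list into whatever sends your alerts (mail, ticket, monitoring webhook) is the remaining step; already-expired entries are flagged separately so an outage in progress stands out from an upcoming one.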
Reputation: 14649
We can also query the application to get the end date of the secret key. Here is a code sample using the client credentials flow via the Azure Graph client for your reference. Please ensure that you have granted the app the Directory.Read.All permission to this API when using the client credentials flow.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;      // Azure AD Graph client library
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // ADAL

// Azure AD Graph endpoint (now deprecated)
var graphResourceId = "https://graph.windows.net";
var appId = "";          // application (client) ID of the app running this code
var appObjectId = "";    // object ID of the application whose secrets are inspected
var secret = "";         // client secret of the calling app
var clientCredential = new ClientCredential(appId, secret);
var tenantId = "xxx.onmicrosoft.com";

// Acquire an app-only access token with the client credentials flow
AuthenticationContext authContext = new AuthenticationContext($"https://login.microsoftonline.com/{tenantId}");
var accessToken = authContext.AcquireTokenAsync(graphResourceId, clientCredential).Result.AccessToken;

// Build the Graph client rooted at the tenant, handing it the token on each request
Uri servicePointUri = new Uri(graphResourceId);
Uri serviceRoot = new Uri(servicePointUri, tenantId);
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot, async () => await Task.FromResult(accessToken));

// Fetch the application by object ID and print the expiry of each of its secrets
var app = activeDirectoryClient.Applications.GetByObjectId(appObjectId).ExecuteAsync().Result;
foreach (var passwordCredential in app.PasswordCredentials)
{
    Console.WriteLine($"KeyID:{passwordCredential.KeyId}\r\nEndDate:{passwordCredential.EndDate}\r\n");
}
Upvotes: 5