Azure : Using Logic Apps to Monitor Azure App Registration Expiration

When we switched to OAuth2 authentication, we had to create an Azure AD App Registration whose client secret has an expiration date. A client secret can be valid for at most 24 months; for security reasons we cannot create one that never expires. Unfortunately, Azure currently provides no native way to notify us when a client secret expires, and an expired secret can cause a lot of damage to the business process.

There are ways to get a reminder, such as the PowerShell script by Stefano Demiliani. However, I prefer the Logic App solution by Russ Rimmerman.

I made a slight modification to the Logic App solution, and here is the link to my GitHub repository. This logic app runs once a day, checks the expiry date of every App Registration listed in the storage account table, and sends a reminder email.

Besides the logic app, we also need to use three other resources:
– Key Vault with Managed Identity to store the App Registration Client Id, Client Secret, and Client TenantId.
– Storage Account to store Azure AD App Registration that we want to monitor.
– Office365 connection to send reminder email.

I am not going to say much about these three resources, but the ARM template needs all three of them and their API Connections. Make sure these three connections exist before deploying the template.

To use the Logic App, we first need an App Registration that has the Microsoft Graph permission Application.Read.All. This is used to read the secret expiration dates. Here I am using a different App Registration than the one used for Business Central OAuth.

We will put the App Registration Client Id, Client Secret, and Client TenantId inside the Key Vault.

Inside the Storage Account, create a table called AppRegistrationMonitoring.

Fill in all the Azure AD App Registrations that we want to monitor. The PartitionKey is the Application (client) ID; the RowKey can hold additional information.

Let’s deploy the template. In the Azure Marketplace, create a “Template deployment (deploy using custom templates)” resource.

Click “Build your own template in the editor”, paste the contents of armTemplate.json, and proceed to create and deploy the logic app. Make sure to change the email address.

Because we are using Managed Identity, don’t forget to add the new logic app to the Key Vault access policy. We can then test-run the logic app.

We only get an email if a client secret expires within 30 days. Any client secret expiring within 5 days is shown in red. Both thresholds can be configured in the Logic App parameters.

The logic app works for both secrets and certificates.
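To make the check the Logic App performs concrete, here is an added example in plain Python; it is not the blog's template or Russ Rimmerman's Logic App. It assumes the Microsoft Graph v1.0 `applications` resource shape (`passwordCredentials` for secrets, `keyCredentials` for certificates, each with an `endDateTime`), mirrors the 30-day and 5-day thresholds from the Logic App parameters, and takes the list of monitored client IDs the way the AppRegistrationMonitoring table supplies them. The applications and the "now" timestamp are constructed sample data, so it runs offline; the Graph URL builder only composes the request and does not call Graph.

```python
"""Secret/certificate expiry check for monitored App Registrations (added example)."""
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH_APPS = "https://graph.microsoft.com/v1.0/applications"  # real Graph endpoint
WARN_DAYS = 30      # blog: email is sent when a credential expires within 30 days
CRITICAL_DAYS = 5   # blog: credentials expiring within 5 days are shown in red


def graph_request_urls(app_ids):
    """One Graph URL per monitored app (PartitionKey values from the storage table).

    Requires a token for an App Registration holding Application.Read.All,
    as the blog describes; calling Graph is left to the caller.
    """
    select = "appId,displayName,passwordCredentials,keyCredentials"
    return [f"{GRAPH_APPS}?$filter={quote(f'appId eq {a!r}')}&$select={select}"
            for a in app_ids]


def parse_graph_time(value):
    """Graph timestamps look like 2024-06-30T12:00:00Z or with 7-digit fractions."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_credentials(applications, monitored_app_ids, now=None):
    """Return credentials of monitored apps that are expired or expire within WARN_DAYS.

    Severity: 'expired' (already past), 'critical' (<= CRITICAL_DAYS), 'warning'.
    Apps whose appId is not in the monitoring table are ignored, as in the blog.
    """
    now = now or datetime.now(timezone.utc)
    monitored = set(monitored_app_ids)
    findings = []
    for app in applications:
        if app["appId"] not in monitored:
            continue
        creds = [("secret", c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c) for c in app.get("keyCredentials", [])]
        for kind, cred in creds:
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left > WARN_DAYS:
                continue
            severity = ("expired" if days_left < 0
                        else "critical" if days_left <= CRITICAL_DAYS
                        else "warning")
            findings.append({"app": app["displayName"], "appId": app["appId"],
                             "kind": kind, "name": cred.get("displayName", ""),
                             "days_left": days_left, "severity": severity})
    findings.sort(key=lambda f: f["days_left"])  # most urgent first
    return findings


def render_email_rows(findings):
    """HTML table rows for the reminder mail; expired/critical rows are red."""
    rows = []
    for f in findings:
        style = ' style="color:red"' if f["severity"] != "warning" else ""
        rows.append(f"<tr{style}><td>{f['app']}</td><td>{f['kind']}</td>"
                    f"<td>{f['name']}</td><td>{f['days_left']}</td></tr>")
    return "\n".join(rows)


# Constructed sample data (not real tenants or app IDs).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
MONITORED_APP_IDS = ["11111111-1111-1111-1111-111111111111",
                     "33333333-3333-3333-3333-333333333333"]
SAMPLE_APPLICATIONS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "BC OAuth",
     "passwordCredentials": [
         {"displayName": "prod", "endDateTime": "2024-06-04T00:00:00Z"},   # 3 days
         {"displayName": "next", "endDateTime": "2025-01-01T00:00:00Z"}],  # fine
     "keyCredentials": [
         {"displayName": "signing", "endDateTime": "2024-06-25T00:00:00.1234567Z"}]},  # 24 days
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Not monitored",
     "passwordCredentials": [{"displayName": "x", "endDateTime": "2024-06-02T00:00:00Z"}]},
    {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "Legacy integration",
     "passwordCredentials": [{"displayName": "old", "endDateTime": "2024-05-20T00:00:00Z"}]},
]

if __name__ == "__main__":
    for f in check_credentials(SAMPLE_APPLICATIONS, MONITORED_APP_IDS, now=SAMPLE_NOW):
        print(f"{f['severity']:8} {f['days_left']:4}d  {f['app']} / {f['kind']} {f['name']}")
```

Running it lists the legacy app's already-expired secret first, then the Business Central secret at 3 days (red), then the certificate at 24 days; the unmonitored app is skipped even though its secret is about to expire, which is exactly why the storage table must be kept complete.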

thatnavguy

Experienced NZ-based NAV Developer and Consultant with 15+ years of experience leading multiple IT projects, performing business analysis, and developing, implementing, and upgrading Dynamics NAV and Business Central. Passionate about delivering solutions that focus on a user-friendly interface while keeping a high standard of compliance with the requirements.

6 Responses

  1. Lovely Joy Orola says:

    Hi @TheNavGuy,

    Can you help me to send the expired application secrets to its application owner only? And can we separate the expired and nearly-expired secrets?

  2. Omar Amer says:

    I can’t get this script to work. The original one from Russ works, but not this one. I continuously get an error about resources not found for the API Connections. Is there something I missed?

    • Allen says:

      You need to pre-create those API connections. I can't figure that part out either. That is a prerequisite step to get the script working.

  3. Allen says:

    The most important part of this blog is how to create those API connections without having to pre-deploy a basic logic app beforehand?

  4. Erik Wold says:

    Anyone know how to get past the error when deploying the API connection to table storage? The Resource ‘Microsoft.Web/connections/azuretables’ under resource group was not found.
