
Azure : Using Logic Apps to Monitor Azure App Registration Expiration

By TeddyH

When we switched to OAuth2 authentication, we needed to create an Azure AD App Registration whose client secret carries an expiration date. The client secret expiration can only be set to a maximum of 24 months; for security reasons we cannot create a client secret that never expires. Unfortunately, Azure currently does not natively notify us when a client secret is about to expire, and an expired secret can break every business process that depends on it.

There are ways to get a reminder, such as the PowerShell script by Stefano Demiliani. However, I prefer the Logic App solution by Russ Rimmerman.

I made a slight modification to the Logic App solution; here is the link to my GitHub repository. This logic app runs once every day, checks the expiry date of each App Registration listed in a storage account table, and sends a reminder email.

Besides the logic app, we also need three other resources:
– Key Vault, accessed through the logic app's Managed Identity, to store the monitoring App Registration's Client Id, Client Secret, and Tenant Id.
– Storage Account to store the list of Azure AD App Registrations that we want to monitor.
– Office365 connection to send the reminder email.

I will not go into much detail about these three resources, but the ARM Template requires all three of them and their API Connections.

To use the Logic App, we first need an App Registration that has the Microsoft Graph Application.Read.All permission (an application permission, so it needs admin consent). This is what the logic app uses to read the secret and certificate expiration dates. Here I am using a different App Registration from the one used for Business Central OAuth. Note that this monitoring App Registration has a client secret of its own that will expire too, so add it to the monitoring table as well.

We will put the monitoring App Registration's Client Id, Client Secret, and Tenant Id inside the Key Vault as secrets.

Inside the Storage Account, create a table called AppRegistrationMonitoring.

Fill in all the Azure AD App Registrations that we want to monitor. The PartitionKey is the Application (client) Id. The RowKey can hold additional information, such as a description of what the registration is used for.

Let’s deploy the template. In the Azure portal, create a resource using “Template deployment (deploy using custom templates)” from the Marketplace.

Click “Build your own template in the editor”, paste in the armTemplate.json content, and proceed to create and deploy the logic app. Make sure to change the email address.

Because we are using Managed Identity, don’t forget to add the new logic app to the Key Vault access policy (it needs Get permission on secrets). We can then do a test run of the logic app.


We will get the email only if a client secret expires within 30 days. Any client secret expiring within 5 days is shown in red. Both thresholds are configurable in the Logic App parameters.

The logic app works for both client secrets and certificates.
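To make the check concrete, here is an added example (my own code, not the author's Logic App or the ARM template) that models offline, in Python, what the logic app does on each run: take the rows of the AppRegistrationMonitoring table, look each PartitionKey up in the Microsoft Graph /applications response, and classify every secret and certificate against the 30-day and 5-day thresholds. The Graph request URL and the response field names (passwordCredentials, keyCredentials, endDateTime) are real; the app ids, names and dates are constructed sample data, and the current time is pinned so the output is reproducible. It goes slightly beyond the post by also reporting table rows that match no application, so a typo in the table is not silently ignored.

```python
"""Offline model of the expiry check described in the post.

Added example, not the author's Logic App or Russ Rimmerman's template.
The Graph response shape (passwordCredentials / keyCredentials with an
ISO 8601 endDateTime) is real; all ids, names and dates below are constructed.
"""
import re
from datetime import datetime, timezone

# Same thresholds as the post's Logic App parameters: mail at 30 days, red at 5.
WARN_DAYS = 30
CRITICAL_DAYS = 5
GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def graph_request_url(app_id: str) -> str:
    """Request the monitor would send (bearer token with Application.Read.All)
    to look up one App Registration by its client id."""
    return (f"{GRAPH_BASE}/applications?$filter=appId eq '{app_id}'"
            "&$select=appId,displayName,passwordCredentials,keyCredentials")


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's UTC timestamps. They may carry seven fractional digits,
    which strptime does not accept, so truncate to microseconds."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", value)
    if not m:
        raise ValueError(f"unexpected Graph timestamp: {value!r}")
    base, frac = m.groups()
    micros = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micros, tzinfo=timezone.utc)


def check_credentials(applications, monitored_rows, now,
                      warn_days=WARN_DAYS, critical_days=CRITICAL_DAYS):
    """Cross-reference the AppRegistrationMonitoring table with Graph data.

    One finding per secret or certificate that is expired or expires within
    warn_days ("critical" inside critical_days). A PartitionKey that matches
    no application yields a "missing" finding instead of being skipped.
    """
    by_app_id = {app["appId"]: app for app in applications}
    findings = []
    for row in monitored_rows:
        app_id = row["PartitionKey"]
        app = by_app_id.get(app_id)
        if app is None:
            findings.append({"appId": app_id, "note": row.get("RowKey", ""),
                             "kind": None, "name": None, "days_left": None,
                             "level": "missing"})
            continue
        creds = [("secret", c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c) for c in app.get("keyCredentials", [])]
        for kind, cred in creds:
            # timedelta.days floors, so an already-expired credential is negative
            days_left = (parse_graph_time(cred["endDateTime"]) - now).days
            if days_left < 0:
                level = "expired"
            elif days_left <= critical_days:
                level = "critical"
            elif days_left <= warn_days:
                level = "warning"
            else:
                continue  # healthy; nothing to report
            findings.append({"appId": app_id, "note": row.get("RowKey", ""),
                             "kind": kind,
                             "name": cred.get("displayName") or cred.get("keyId"),
                             "days_left": days_left, "level": level})
    return findings


def render_html(findings):
    """Table body for the reminder mail; expired and critical rows in red."""
    rows = []
    for f in findings:
        style = ' style="color:red"' if f["level"] in ("expired", "critical") else ""
        days = "" if f["days_left"] is None else f["days_left"]
        rows.append(f"<tr{style}><td>{f['appId']}</td><td>{f['note']}</td>"
                    f"<td>{f['kind'] or ''}</td><td>{f['name'] or ''}</td>"
                    f"<td>{f['level']}</td><td>{days}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


# --- constructed sample input (shape real, contents made up) -----------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned for a reproducible run
SAMPLE_APPLICATIONS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "BC OAuth (prod)",
     "passwordCredentials": [
         {"keyId": "aaaa", "displayName": "prod-secret", "endDateTime": "2024-06-04T00:00:00Z"},
         {"keyId": "bbbb", "displayName": "rotated", "endDateTime": "2026-06-01T00:00:00Z"}],
     "keyCredentials": [
         {"keyId": "cccc", "displayName": "CN=bc-prod", "type": "AsymmetricX509Cert",
          "usage": "Verify", "endDateTime": "2024-06-20T12:30:00.1234567Z"}]},
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Reporting",
     "passwordCredentials": [
         {"keyId": "dddd", "displayName": None, "endDateTime": "2024-05-30T00:00:00Z"}],
     "keyCredentials": []},
]
SAMPLE_TABLE = [  # rows of the AppRegistrationMonitoring table
    {"PartitionKey": "11111111-1111-1111-1111-111111111111", "RowKey": "Business Central production"},
    {"PartitionKey": "22222222-2222-2222-2222-222222222222", "RowKey": "Power BI reporting"},
    {"PartitionKey": "33333333-3333-3333-3333-333333333333", "RowKey": "typo in table"},
]


def run_sample():
    return check_credentials(SAMPLE_APPLICATIONS, SAMPLE_TABLE, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['level']:8} {f['appId']}  {f['kind'] or '-':11} "
              f"{f['name'] or '-'}  {f['days_left']}")
```

Against the sample, the prod secret (3 days) is critical, the certificate (19 days) is a warning, the reporting secret is already expired, and the third row is reported as missing; the "rotated" secret two years out is not reported at all, which is exactly when no mail should be sent. If you wire this to the real Graph endpoint, obtain the token with the Key Vault-stored client credentials and pass the JSON `value` array as `applications`.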

The post Azure : Using Logic Apps to Monitor Azure App Registration Expiration appeared first on That NAV Guy.

