Do you keep track of expiring app registration secrets and certificates?

Last updated by Chris Schultz [SSW] about 1 year ago.See history

In Azure AD, App Registrations are used to establish a trust relationship between your app and the Microsoft identity platform. This allows you to give your app access to various resources, such as Graph API.

App Registrations use secrets or certificates for authentication. It is important to keep track of the expiry date of these authentication methods, so you can update them before things break.

Use a PowerShell script to check expiry dates

An easy way to do this is to run a PowerShell script that checks the expiry date of all app registration secrets or certificates. This requires the AzureAD module; the cmdlets used are:




There's an example of a working script here:

To extend the example above, you can run the script on a schedule using Task Scheduler or an Azure Automation Runbook, and send an email with Send-MailMessage.

Note: To run this on a schedule, you should create an app registration to authenticate the script. The app registration will need the role Cloud Application Administrator.

Use a Logic App to check expiry dates

If you prefer working with Logic Apps, there's an example of how it can be done here:

You will also need an App Registration to authenticate your Logic App. Notifications can then be sent to email or a Teams channel.

app reg email
Figure: Example email, listing app registration secrets that are expiring soon

We open source. Powered by GitHub