Monitoring Azure AD Client Secret Expiration

How many times have you had your automations break because the client secrets have expired?

If your business runs on Microsoft 365, chances are that you know what we’re talking about!

One of the most frequent questions that we get from our customers, at the moment, is: “Is there any way we can monitor the client secrets’ expiration?” The answer is simple: “Yes!”.

There are several ways you can do this and you can even take it one step further. If implemented correctly, you can have your client secrets renewed and your automations updated automatically with little human intervention. The only reason why I say “little”, instead of “none” it’s because client secrets expiration happens for one reason; it’s because accesses should be reviewed periodically. Under no circumstances you should avoid or skip this step!! It’s in your best interested to review your application’s accesses regularly if you want to keep your business safe.
Let’s take the simplest scenario and assume that you are using Power Automate or Logic Apps. If you want to prevent your production from ever breaking the first thing to do is to avoid the most common mistake: hard-code your client secrets in your HTTP calls. Instead, you should retrieve them directly from Azure Key Vault. By introducing Key Vault in the process, you’ll be making sure that you automations will always run using the latest client secret.

To accomplish this, this is what you need:
Step 1: Use Graph API to retrieve any upcoming expiration.
Step 2: This is where you want to add an approval process and make sure someone reviews and agrees to the renewal of your client secret.
Step 3: Use Graph API to create a new secret and delete the expiring one.
Step 4: Use Key Vault’s REST API to update the secret with the new value.

This process works flawlessly. It has it’s quirks but it will guarantee the continuity of your processes and save you a lot of time in terms of maintenance.

While we’re at it, this is the perfect opportunity to talk about strengthening your security and auditing. All changes done to App Registrations (client secrets) will, eventually, turn up in the audit logs. You can access the logs using the Office Management API, all you have to do is monitor them. Now, there are several different ways of doing this; at Spex, we’ve chosen to integrate Splunk and implement Observability which allows us to keep track of:

  • what changed
  • when it changed
  • who changed it
  • what’s the impact

If you’d like more details, on the subject, feel free to reach out.