SPEX · Connect & Share

20 December 2022 · By Mario Almeida

Monitoring Azure AD Client Secret Expiration

How many times have you had your automations break because the client secrets have expired? If your business runs on Microsoft 365, chances are that you know what we're talking about.

  • Azure AD
  • App Registrations
  • Identity
  • Security
  • Monitoring

One of the most frequent questions we get from our customers is: “Is there any way we can monitor the client secrets’ expiration?” The answer is simple: yes.

There are several ways to do this, and you can take it one step further. If implemented correctly, you can have your client secrets renewed and your automations updated automatically with little human intervention. The only reason we say “little” instead of “none” is that client secrets expire for a reason: access should be reviewed periodically. A rotation that nobody approves simply turns an expiring secret into a permanent one, so under no circumstances should you skip that review. It’s in your best interest to review your application accesses regularly if you want to keep your business safe.

The simplest scenario: Power Automate or Logic Apps

If you want to prevent your production from ever breaking, the first thing to do is avoid the most common mistake: hard-coding your client secrets in your HTTP actions. Instead, retrieve them from Azure Key Vault at run time. By introducing Key Vault in the process, you make sure your automations always run with the latest client secret. Two details matter here: whatever identity reads the vault (a Logic App’s managed identity, or the connection behind the Power Automate Key Vault connector) should be granted only “get” on secrets, and the Key Vault and HTTP actions should have secure inputs and outputs enabled, otherwise the secret value ends up in the run history for anyone with access to the flow.

To accomplish this, here’s what you need:

  1. Use Graph API to retrieve any upcoming expiration: list the applications with their passwordCredentials and compare each endDateTime with your warning window.
  2. Add an approval process so someone reviews and agrees to the renewal.
  3. Use Graph API to create a new secret (addPassword). Its value (secretText) is returned only in that one response, so handle it with secure outputs.
  4. Use Key Vault’s REST API to update the secret with the new value, and only then remove the expiring one with Graph (removePassword). Removing it before Key Vault is updated leaves a window in which every consumer of the old value fails.

Mind the permissions this gives the rotation identity: Application.ReadWrite.All lets it add credentials to any application in the tenant, which is a privilege-escalation path if that identity is ever compromised. Prefer Application.ReadWrite.OwnedBy with the identity set as owner of the apps it rotates, and grant it only “set” on the vault’s secrets.
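The four steps above as an added example in plain Python rather than flow actions. This is not SPEX’s code and not Microsoft’s SDK: it calls the real Graph and Key Vault REST endpoints through a single `send(method, url, body)` callable that you would back with an authenticated HTTP client, and a constructed `FakeAzure` stands in for both services so the script runs offline. The application and key ids, the vault name `contoso-kv`, the approver, the Key Vault secret-naming rule and the “rotation requires a recorded approver” check are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
KV_API_VERSION = "7.4"


def parse_graph_time(value):
    """Graph timestamps end in 'Z' and may carry 7 fractional digits; datetime wants 6."""
    base, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    if frac:
        stamp += timedelta(microseconds=int(frac[:6].ljust(6, "0")))
    return stamp.replace(tzinfo=timezone.utc)


def find_expiring_secrets(send, now, within_days=30):
    """Step 1: page through /applications and return every client secret that expires
    within `within_days` (already-expired ones included, flagged)."""
    url = f"{GRAPH}/applications?$select=id,displayName,passwordCredentials"
    horizon = now + timedelta(days=within_days)
    found = []
    while url:                                   # follow @odata.nextLink to the last page
        page = send("GET", url, None)
        for app in page.get("value", []):
            for cred in app.get("passwordCredentials", []):
                end = parse_graph_time(cred["endDateTime"])
                if end <= horizon:
                    found.append({"appObjectId": app["id"], "appName": app["displayName"],
                                  "keyId": cred["keyId"], "endDateTime": end,
                                  "expired": end <= now})
        url = page.get("@odata.nextLink")
    return found


def kv_secret_name(app_name):
    """Key Vault secret names allow only letters, digits and dashes (max 127 chars)."""
    return re.sub(r"[^0-9A-Za-z-]+", "-", app_name).strip("-")[:127]


def rotate_secret(send, vault, finding, now, approver, lifetime_days=180):
    """Steps 2-4 in the order that never leaves consumers without a valid secret:
    approve, create, store in Key Vault, and only then remove the old credential."""
    if not approver:                             # Step 2: no recorded approval, no rotation
        raise PermissionError("rotation requires a recorded approver")
    app_url = f"{GRAPH}/applications/{finding['appObjectId']}"
    expires = now + timedelta(days=lifetime_days)
    # Step 3a: addPassword is the only call that returns secretText. Never log `new`.
    new = send("POST", f"{app_url}/addPassword", {"passwordCredential": {
        "displayName": f"rotated {now:%Y-%m-%d}, approved by {approver}",
        "endDateTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}})
    # Step 4: the automations read Key Vault, so the new value must be there
    # before the old credential disappears.
    name = kv_secret_name(finding["appName"])
    send("PUT", f"https://{vault}.vault.azure.net/secrets/{name}?api-version={KV_API_VERSION}",
         {"value": new["secretText"], "contentType": "aad-client-secret",
          "attributes": {"exp": int(expires.timestamp())}})
    # Step 3b: retire the expiring credential only now.
    send("POST", f"{app_url}/removePassword", {"keyId": finding["keyId"]})
    return {"keyId": new["keyId"], "keyVaultSecret": name}


# --- constructed stand-in for Graph + Key Vault so the example runs offline ---
NOW = datetime(2022, 12, 20, tzinfo=timezone.utc)
SAMPLE_APPS = [
    {"id": "11111111-1111-1111-1111-111111111111", "displayName": "Billing sync (prod)",
     "passwordCredentials": [
         {"keyId": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "2022",
          "endDateTime": "2022-12-30T10:15:00.1234567Z"},       # expires in 10 days
         {"keyId": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "2023",
          "endDateTime": "2023-10-01T00:00:00Z"}]},             # fine
    {"id": "22222222-2222-2222-2222-222222222222", "displayName": "HR export",
     "passwordCredentials": [
         {"keyId": "bbbbbbbb-0000-0000-0000-000000000001", "displayName": "old",
          "endDateTime": "2022-11-01T00:00:00Z"}]},             # already expired
]


class FakeAzure:
    """Serves SAMPLE_APPS as two Graph pages, answers addPassword, and records every call."""
    def __init__(self, apps):
        self.pages = [apps[:1], apps[1:]]
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url.split("?")[0]))
        if method == "GET":
            idx = 1 if "skiptoken" in url else 0
            page = {"value": self.pages[idx]}
            if idx == 0:
                page["@odata.nextLink"] = f"{GRAPH}/applications?$skiptoken=constructed"
            return page
        if url.endswith("/addPassword"):
            return {"keyId": "cccccccc-0000-0000-0000-000000000001",
                    "secretText": "constructed-secret-value", **body["passwordCredential"]}
        return {}                                # Key Vault PUT / removePassword bodies unused


if __name__ == "__main__":
    azure = FakeAzure(SAMPLE_APPS)
    for item in find_expiring_secrets(azure, NOW, within_days=30):
        state = "EXPIRED" if item["expired"] else f"expires {item['endDateTime']:%Y-%m-%d}"
        print(f"{item['appName']}: {item['keyId']} {state}")
        print("  rotated ->", rotate_secret(azure, "contoso-kv", item, NOW, approver="alice@contoso.com"))
```

The ordering inside `rotate_secret` is the point: Key Vault receives the new value before `removePassword` is called, so an automation that reads the vault on every run never sees a gap, and the approver is written into the credential’s displayName so the audit log shows who agreed to the renewal. In a real deployment `send` would attach a bearer token for the Graph resource on Graph calls and for the Key Vault resource on vault calls; the two are different audiences.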

This process works well in practice. It has its quirks, but it keeps your processes running and saves a lot of maintenance time.

Strengthening security and auditing

All changes to App Registrations (including client secrets) eventually show up in the Azure AD audit log: adding or removing a secret is recorded as the activity “Update application – Certificates and secrets management”, with the actor, the application and the before/after list of credentials. You can read these records through the Office 365 Management Activity API (AzureActiveDirectory workload) or through Microsoft Graph (auditLogs/directoryAudits). All you have to do is monitor them, and in particular alert on a secret added by anyone other than your rotation identity: adding a credential to an existing application is a well-known way for an attacker to keep access to a tenant after the initial compromise.

There are several ways to consume those logs. Whichever you pick, with proper observability in place you keep track of:

  • What changed
  • When it changed
  • Who changed it
  • What’s the impact
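An added detection example, not from the post and not a client for the Office 365 Management Activity API itself: it runs over a few constructed audit records shaped like the API’s AzureActiveDirectory events and reports the four items above for every credential that was added or removed. The record fields it relies on (Operation, UserId, ObjectId, ResultStatus, and a ModifiedProperties entry named KeyDescription whose values are JSON-encoded lists of `[KeyIdentifier=…,KeyType=…,KeyUsage=…,DisplayName=…]` strings) follow what these events look like in the unified audit log, but verify them against your own tenant’s records; the users, ids, application and the `trusted_actors` allow-list are invented for the example.

```python
import json
import re

# Encoding of the KeyDescription modified property: a JSON list of strings, one per
# credential currently on the application (assumed shape, see the lead-in).
KEY_RE = re.compile(
    r"KeyIdentifier=(?P<id>[0-9a-fA-F-]+),KeyType=(?P<type>\w+),"
    r"KeyUsage=(?P<usage>\w+),DisplayName=(?P<name>[^\]]*)")


def key_description(creds):
    """Constructed helper: encode (keyId, displayName) pairs the way the audit log does."""
    return json.dumps([f"[KeyIdentifier={kid},KeyType=Password,KeyUsage=Verify,DisplayName={name}]"
                       for kid, name in creds])


def parse_key_description(value):
    """Decode a KeyDescription Old/NewValue into {keyId: {type, usage, name}}."""
    if not value:                                # first credential ever: OldValue is empty
        return {}
    out = {}
    for entry in json.loads(value):
        match = KEY_RE.search(entry)
        if match:
            out[match["id"]] = {"type": match["type"], "usage": match["usage"], "name": match["name"]}
    return out


def severity(change, actor, trusted_actors):
    if change == "added":
        # A secret minted outside the rotation process is the thing to investigate.
        return "info" if actor in trusted_actors else "high"
    return "medium"                              # a removal breaks whatever still uses the credential


def credential_changes(records, trusted_actors=()):
    """What / when / who / impact for every client secret added or removed."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "AzureActiveDirectory" or rec.get("ResultStatus") != "Success":
            continue
        if "certificates and secrets management" not in rec.get("Operation", "").lower():
            continue
        for prop in rec.get("ModifiedProperties", []):
            if prop.get("Name") != "KeyDescription":
                continue
            old = parse_key_description(prop.get("OldValue"))
            new = parse_key_description(prop.get("NewValue"))
            for change, keys, source in (("added", sorted(new.keys() - old.keys()), new),
                                         ("removed", sorted(old.keys() - new.keys()), old)):
                for kid in keys:
                    findings.append({
                        "when": rec["CreationTime"],            # when it changed
                        "who": rec.get("UserId"),               # who changed it
                        "app": rec.get("ObjectId"),             # what changed (application)
                        "change": change, "keyId": kid,
                        "keyName": source[kid]["name"], "keyType": source[kid]["type"],
                        "severity": severity(change, rec.get("UserId"), trusted_actors),  # impact
                    })
    return findings


# --- constructed sample records (values invented; shape modelled on the API) ---
APP = "11111111-1111-1111-1111-111111111111"
OLD_KEY = "aaaaaaaa-0000-0000-0000-000000000001"
NEW_KEY = "cccccccc-0000-0000-0000-000000000001"
OPERATION = "Update application – Certificates and secrets management."
SAMPLE_RECORDS = [
    {   # a human adds a second secret to the billing app
        "CreationTime": "2022-12-20T09:30:12", "Workload": "AzureActiveDirectory",
        "Operation": OPERATION, "ResultStatus": "Success", "UserId": "alice@contoso.com",
        "ObjectId": APP, "ModifiedProperties": [{"Name": "KeyDescription",
            "OldValue": key_description([(OLD_KEY, "2022")]),
            "NewValue": key_description([(OLD_KEY, "2022"), (NEW_KEY, "rotated 2022-12-20")])}]},
    {   # the rotation automation retires the old one an hour later
        "CreationTime": "2022-12-20T10:31:40", "Workload": "AzureActiveDirectory",
        "Operation": OPERATION, "ResultStatus": "Success", "UserId": "secret-rotation-sp@contoso.com",
        "ObjectId": APP, "ModifiedProperties": [{"Name": "KeyDescription",
            "OldValue": key_description([(OLD_KEY, "2022"), (NEW_KEY, "rotated 2022-12-20")]),
            "NewValue": key_description([(NEW_KEY, "rotated 2022-12-20")])}]},
    {   # unrelated workload, must be ignored
        "CreationTime": "2022-12-20T10:35:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
        "ResultStatus": "Success", "UserId": "bob@contoso.com", "ObjectId": "bob@contoso.com"},
]


if __name__ == "__main__":
    for f in credential_changes(SAMPLE_RECORDS, trusted_actors={"secret-rotation-sp@contoso.com"}):
        print(f"[{f['severity']}] {f['when']} {f['who']} {f['change']} "
              f"{f['keyType']} '{f['keyName']}' ({f['keyId']}) on app {f['app']}")
```

The allow-list is what turns a log into a control: the rotation identity adding and removing secrets is expected and lands as “info”, while the same addition made by a user account is raised as “high”, because that is exactly what a misuse of the rotation permissions, or an attacker persisting in the tenant, would look like. Removals are kept at “medium” so that an unplanned deletion is noticed before the first automation breaks.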

If you’d like more details on the subject, feel free to reach out.