Blog Post

Core Infrastructure and Security Blog
11 MIN READ

Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations

Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Nov 29, 2021

Managing the expiration dates of client secrets and certificates for Azure Active Directory (AAD) applications can be challenging, especially for organizations with numerous applications. To address this, leveraging Azure Logic Apps offers an automated solution to proactively monitor and notify administrators and application owners of impending expirations. This approach enhances security and ensures uninterrupted application functionality by providing timely alerts for necessary credential updates.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclai...
RussRimmerman_0-1638198579862.png
Updated Jan 29, 2025
Version 5.0
RussRimmerman
cloudcyberluke's avatar
cloudcyberluke
Copper Contributor
Dec 02, 2021

Thankyou Russ_Rimmerman for putting the Logic App version of this up! Really appreciate this much needed notification.

 

I got it working this morning but had to adjust a couple of settings - just sharing my experience;

 

1. I had to change the keyvault to use RBAC instead of the default vault access policy. My account had access using the vault access policy method, but it didn't work. Once I switched to RBAC and granted the 'Key Vault Secrets User' role, the logic app could read the keyvault entries.

 

2. The logic app kept failing because the 'To' field was empty in the email to app owners. This was because the app registration could not read the user account properties to get the email address. I had gone with Application.Read.All initially, so I added Directory.Read.All and this solved that issue.

 

Thanks