Blog Post

Core Infrastructure and Security Blog
11 MIN READ

Use Azure Logic Apps to Notify of Pending AAD Application Client Secrets and Certificate Expirations

Russ_Rimmerman's avatar
Russ_Rimmerman
Icon for Microsoft rankMicrosoft
Nov 29, 2021

Managing the expiration dates of client secrets and certificates for Azure Active Directory (AAD) applications can be challenging, especially for organizations with numerous applications. To address this, leveraging Azure Logic Apps offers an automated solution to proactively monitor and notify administrators and application owners of impending expirations. This approach enhances security and ensures uninterrupted application functionality by providing timely alerts for necessary credential updates.

Disclaimer The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclai...
RussRimmerman_0-1638198579862.png
Updated Jan 29, 2025
Version 5.0
RussRimmerman
Raka74's avatar
Raka74
Copper Contributor
Feb 15, 2023

Russ_Rimmerman Vitalii_Kopach MasumAhmed 

 

Regarding the CWAP_AuthSecret / App Proxy applications filter:

 

I've got this working now - maybe for others looking to filter out app Proxy apps a short description:

 

1. Initialize a variable as String for tags:

 

 

2. In the 'Initialize NextLink' step add tags to the query:

 

 

 

3. In the 'Until' loop modify the Parse JSON step so it includes 'tags':   ( use this - https://jsoneditoronline.org/)

 

 

4. In the Foreach - apps loop set the 'tags' variable like so:

 

5. In the For each PasswordCred on the left side (where it found expiring secrets) 'edit the In case of No Owner' condition , set it to 'Or'  and ad a line to check for the presence of the 'tags' item (we used the text PROXY in the tag of Appproxy applications):

 

If there's no owner defined or there's PROXY in the tags it will go left (thus not sending the 'owner' mail)

 

6. Make another condition below this containing 'tags contains PROXY' - and drag the 'Append to String variable' to the 'False' Box:

 This will make sure that if there's PROXY in the tag the app will also not be added to the (string variable) overview mail at the end of the logic app.

 

Now the only thing left to do is to tag all App Proxy apps from the app registrations / manifest screen: