Forum Discussion

terruahmad
Microsoft
Nov 06, 2024
Solved

Entra App Registration - Policy to Restrict Client Secret Expiration to 6 Months Globally.

A customer is looking to restrict app registration client secrets to 6 months globally. Is there a way to accomplish this using Azure Policy, for example, or any other form?

Thanks.


4 Replies

  • Mks_1973
    Iron Contributor

    Currently, you can't enforce a client secret expiration policy directly via Azure Policy for App Registrations. Instead, use automation (PowerShell, Azure Automation, Logic Apps) to periodically check and enforce the 6-month expiration limit, and set up alerts for monitoring new secrets.


    Although Conditional Access and PIM don't directly control client secret expiration, they can limit access to sensitive resources and ensure that only privileged users can create and manage app registrations.

    You can use an Azure Function or Logic App scheduled to run periodically to check the expiration dates of all app registration secrets and send alerts or automatically expire/reset them if they exceed the 6-month limit.


    Use PowerShell scripts or the Microsoft Graph API to audit and modify client secrets.

    powershell:

    # Connect to Azure AD with the AzureAD module (the cmdlets below only need this session,
    # so a separate Connect-AzAccount is not required)
    Connect-AzureAD

    # Define the maximum age in days (6 months ~ 180 days)
    $maxSecretAgeDays = 180

    # Get all applications in Azure AD (-All $true avoids the default page limit,
    # which would otherwise silently skip applications in larger tenants)
    $applications = Get-AzureADApplication -All $true

    foreach ($app in $applications) {
        # Get all client secrets (password credentials) for each application
        $secrets = Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId

        foreach ($secret in $secrets) {
            # Calculate secret age from its start date (a TimeSpan)
            $secretAgeDays = (Get-Date) - $secret.StartDate

            # Check if the secret is older than the defined policy
            if ($secretAgeDays.TotalDays -gt $maxSecretAgeDays) {
                Write-Output "App $($app.DisplayName) has a secret (KeyId $($secret.KeyId)) older than $maxSecretAgeDays days."

                # Optionally, you could remove the secret (rotate it first so dependent workloads keep working)
                # Remove-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -KeyId $secret.KeyId
            }
        }
    }


    Use Azure Monitor and the Microsoft Graph API to set up custom alerts when app registration secrets are created with expiration dates beyond the 6-month limit.

    Enable Azure AD Identity Protection to monitor risky app registrations and require privileged users to review them periodically.
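As an added example (not code from this thread, from Mks_1973, or from Microsoft), the same audit written against the Microsoft Graph PowerShell SDK that the reply mentions: it checks each secret's configured lifetime (EndDateTime minus StartDateTime) against the 6-month limit instead of only its age, flags secrets that are expired or expiring soon, and removes non-compliant ones only when an explicit -Remove switch is given. The 183-day limit, the 30-day warning window and the -Remove switch are illustrative assumptions; the caller is assumed to have Application.Read.All (or Application.ReadWrite.All for removal).

```powershell
# Added example, not code from the thread: audit every app registration's client
# secrets with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications).
# Assumed: the module is installed; the caller holds Application.Read.All, or
# Application.ReadWrite.All when -Remove is used. The limits are illustrative.
param(
    [int]$MaxLifetimeDays = 183,   # 6 months
    [int]$WarnBeforeDays  = 30,    # report secrets expiring within this window
    [switch]$Remove                # delete secrets whose lifetime exceeds the policy
)

$scope = if ($Remove) { 'Application.ReadWrite.All' } else { 'Application.Read.All' }
Connect-MgGraph -Scopes $scope -NoWelcome

$now = (Get-Date).ToUniversalTime()
$findings = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials) {
    foreach ($cred in $app.PasswordCredentials) {
        # Lifetime is what the policy restricts; checking age alone misses a freshly created 2-year secret.
        $lifetime = ($cred.EndDateTime - $cred.StartDateTime).TotalDays
        $daysLeft = ($cred.EndDateTime - $now).TotalDays
        $status = if ($lifetime -gt $MaxLifetimeDays)    { 'LifetimeExceedsPolicy' }
                  elseif ($daysLeft -lt 0)               { 'Expired' }
                  elseif ($daysLeft -le $WarnBeforeDays) { 'ExpiringSoon' }
                  else                                   { 'Compliant' }
        [pscustomobject]@{
            App          = $app.DisplayName
            ObjectId     = $app.Id
            KeyId        = $cred.KeyId
            SecretName   = $cred.DisplayName
            LifetimeDays = [math]::Round($lifetime)
            DaysLeft     = [math]::Round($daysLeft)
            Status       = $status
        }
    }
}

# Report everything that needs attention, grouped by status and soonest expiry first.
$findings | Where-Object Status -ne 'Compliant' |
    Sort-Object Status, DaysLeft |
    Format-Table App, SecretName, LifetimeDays, DaysLeft, Status -AutoSize

if ($Remove) {
    # Removing a secret a workload still uses causes an outage: rotate first,
    # then run with -Remove once the replacement secret is in place.
    foreach ($f in $findings | Where-Object Status -eq 'LifetimeExceedsPolicy') {
        Write-Warning "Removing secret $($f.KeyId) ($($f.SecretName)) from $($f.App)"
        Remove-MgApplicationPassword -ApplicationId $f.ObjectId -KeyId $f.KeyId
    }
}
```

Run it without -Remove first and feed the table into your alerting; the same loop can be scheduled in Azure Automation or an Azure Function as the reply suggests.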


    • terruahmad
      Microsoft

      Mks_1973, I shared this information with my customer, and he will try it out.

      Thanks.
