We ran into this issue recently, where the Azure DevOps pipeline Service Principal's secret expired without any indication that this date was nearing. I would have assumed that critical components such as this would give some alert a week or so in advance, in order to update them in a timely manner. The update process was also terribly confusing, and obfuscated by the preview 'View' for Service Connections, which no longer allowed editing of the password. When we were alerted the passphrase expired, we were sent to a wizard to add a new password. However, this does not change the password it uses only passwords that are 'available', so the process did not fix anything. I believe this process has some opportunity for improvement, pushing some of the management responsibilities back into Azure where they make the most sense. (tracking them uniquely from a particular user's calendar is not an ideal solution for an enterprise product.)

Jonathan_Rudolph I worked with a customer where we wrote an Azure Automation Runbook to check the expiration of Service Principals and Certificates weekly and would send an email two weeks before the expiration so the change request could be reviewed by the orgs change control board.

Hi Jasonls,Could you pls help me with that runbook script?ThanksRajiv

Jonathan_Rudolph that's a good point, but there are alert for that matter (at least yet). Our Ops team created a shared calendar to track that sort of events (more about that here: https://www.quadrotech-it.com/blog/create-a-company-shared-calendar-in-office-365/) so we're tracking the SSL certificates and SPs expiration, and some other things. We plan the operations like this well in advance and had no issues with that so far.

Jonathan_Rudolph Agreed, this would be very useful feature. The applicability extends to Application registrations in the Azure AD also.

Greetings JasonMay you please help with the runbook script?

Service Principal Secrets Expiration should create an alert (Process needs improvement)

aammirmirza
Copper Contributor
Feb 22, 2023
Use the Powershell Module.

Install-Module -Name AzAppRegistrationExpiry

+----------------+----------------------------------------------------------+
| Expiry | E.g : Get-ExpiringSPN -TimeFrameInDays 30 -expiry |
+----------------+----------------------------------------------------------+
| InvalidExpiry | E.g : Get-ExpiringSPN -TimeFrameInDays 30 -InvalidExpiry |
+----------------+----------------------------------------------------------+
jasonls
Copper Contributor
Oct 08, 2020
Jonathan_Rudolph

I worked with a customer where we wrote an Azure Automation Runbook to check the expiration of Service Principals and Certificates weekly and would send an email two weeks before the expiration so the change request could be reviewed by the orgs change control board.
- Lovely2402
  Copper Contributor
  Feb 15, 2023
  Hello jasonls,
  
  Can I ask a help for the runbook?
- Jayben
  Copper Contributor
  May 13, 2022
  Hi Jasonls,
  
  Can you please help me with that runbook script?
  
  TYIA
- Neha625
  Copper Contributor
  Sep 27, 2021
  jasonls : Kindly help with the runbook script
subhankars
Copper Contributor
Oct 04, 2020
Jonathan_Rudolph Agreed, this would be very useful feature. The applicability extends to Application registrations in the Azure AD also.
Command0r
Iron Contributor
Sep 25, 2020
Jonathan_Rudolph that's a good point, but there are alert for that matter (at least yet). Our Ops team created a shared calendar to track that sort of events (more about that here: https://www.quadrotech-it.com/blog/create-a-company-shared-calendar-in-office-365/) so we're tracking the SSL certificates and SPs expiration, and some other things. We plan the operations like this well in advance and had no issues with that so far.

Forum Discussion

Service Principal Secrets Expiration should create an alert (Process needs improvement)

Share

Resources