09-22-2020 06:25 AM
09-22-2020 06:25 AM
We ran into this issue recently, where the Azure DevOps pipeline Service Principal's secret expired without any indication that this date was nearing. I would have assumed that critical components such as this would give some alert a week or so in advance, in order to update them in a timely manner.
The update process was also terribly confusing, and obfuscated by the preview 'View' for Service Connections, which no longer allowed editing of the password. When we were alerted the passphrase expired, we were sent to a wizard to add a new password. However, this does not change the password it uses only passwords that are 'available', so the process did not fix anything.
I believe this process has some opportunity for improvement, pushing some of the management responsibilities back into Azure where they make the most sense. (tracking them uniquely from a particular user's calendar is not an ideal solution for an enterprise product.)
09-25-2020 02:24 PM - edited 09-25-2020 02:25 PM
@Jonathan_Rudolph that's a good point, but there are alert for that matter (at least yet). Our Ops team created a shared calendar to track that sort of events (more about that here: https://www.quadrotech-it.com/blog/create-a-company-shared-calendar-in-office-365/) so we're tracking the SSL certificates and SPs expiration, and some other things. We plan the operations like this well in advance and had no issues with that so far.
10-04-2020 11:26 AM
@Jonathan_Rudolph Agreed, this would be very useful feature. The applicability extends to Application registrations in the Azure AD also.
10-08-2020 06:16 AM
I worked with a customer where we wrote an Azure Automation Runbook to check the expiration of Service Principals and Certificates weekly and would send an email two weeks before the expiration so the change request could be reviewed by the orgs change control board.