Service Principal Secrets Expiration should create an alert (Process needs improvement)


We ran into this issue recently, where the Azure DevOps pipeline Service Principal's secret expired without any indication that this date was nearing. I would have assumed that critical components such as this would give some alert a week or so in advance, in order to update them in a timely manner.

The update process was also terribly confusing, and obfuscated by the preview 'View' for Service Connections, which no longer allowed editing of the password. When we were alerted that the passphrase had expired, we were sent to a wizard to add a new password. However, this does not change the password it uses, only the passwords that are 'available', so the process did not fix anything.
I believe this process has some opportunity for improvement, pushing some of the management responsibilities back into Azure where they make the most sense. (Tracking them uniquely from a particular user's calendar is not an ideal solution for an enterprise product.)

3 Replies

@Jonathan_Rudolph that's a good point, but there are no alerts for that (at least not yet). Our Ops team created a shared calendar to track that sort of event (more about that here: https://www.quadrotech-it.com/blog/create-a-company-shared-calendar-in-office-365/), so we're tracking the SSL certificate and SP expirations, and some other things. We plan operations like this well in advance and have had no issues with that so far.


@Jonathan_Rudolph Agreed, this would be a very useful feature. The applicability extends to Application registrations in Azure AD also.

@Jonathan_Rudolph

I worked with a customer where we wrote an Azure Automation Runbook to check the expiration of Service Principals and Certificates weekly, and it would send an email two weeks before the expiration so the change request could be reviewed by the org's change control board.