App Registration Expiration Monitoring and Notifications

Published 01-11-2021 12:01 AM 4,132 Views

 

 


Problem Statement 

Azure services do not have a native feature to report on expiring App registrations. Without a solution in place to monitor and notify on expiration of these SPNs, solutions ranging from custom apps and DevOps CI/CD pipelines to orchestration engines like Azure Automation and Logic Apps can and will cease to function without notice.

  • Purpose of this solution: To provide an automated mechanism for calculating the expiration dates, ingesting them into Log Analytics, and automatically notifying resources when expiration is within threshold.
  • Requisites: This solution consists of:
      • 1 Runbook consisting of the PowerShell script in this document.
      • 2 Automation Variables containing the Log Analytics Workspace ID and the Log Analytics Primary Key.
      • 1 SPN in the monitored cloud environment with the Global Reader role.

Solution Overview 

The solution is designed to be cross-tenant and requires an App Registration/SPN in the desired environment with Global Reader rights. Using Azure Automation (AA) and AA resources such as Variables and Credentials, our runbook pulls an array of SPNs from the environment and calculates the time until expiration, then uses our custom function to send the data to a Log Analytics Workspace. Finally, Azure Monitor alerts can be triggered based on a Kusto query to notify resources that there are SPNs within the threshold for expiration.
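The flow described above, as an added sketch that is not the runbook from the linked repo: it computes days to expiration for constructed credential records and signs a request for the Log Analytics HTTP Data Collector API. It assumes the custom function uses that API with the workspace ID and primary key; the Log-Type name, variable names and sample records are hypothetical.

```powershell
# Added example, not the author's runbook. Records, names and Log-Type are constructed.
$now  = [datetime]::UtcNow
$apps = @(   # shaped like credential metadata read from the directory; no secret values
    [pscustomobject]@{ DisplayName = 'ci-pipeline-spn';    AppId = '00000000-0000-0000-0000-000000000001'; EndDate = $now.AddDays(12)  }
    [pscustomobject]@{ DisplayName = 'logicapp-connector'; AppId = '00000000-0000-0000-0000-000000000002'; EndDate = $now.AddDays(200) }
    [pscustomobject]@{ DisplayName = 'legacy-app';         AppId = '00000000-0000-0000-0000-000000000003'; EndDate = $now.AddDays(-3)  }
)

# One record per credential; a negative DaysToExpiration means it has already expired.
$records = foreach ($a in $apps) {
    [pscustomobject]@{
        DisplayName      = $a.DisplayName
        ApplicationId    = $a.AppId
        EndDate          = $a.EndDate.ToString('o')
        DaysToExpiration = [int][math]::Floor(($a.EndDate - $now).TotalDays)
        Status           = $(if ($a.EndDate -lt $now) { 'Expired' } else { 'Valid' })
    }
}

function Send-LogAnalyticsData {
    param([string]$WorkspaceId, [string]$SharedKey, [string]$Json, [string]$LogType)
    $body   = [Text.Encoding]::UTF8.GetBytes($Json)
    $date   = [datetime]::UtcNow.ToString('r')          # RFC 1123, required for x-ms-date
    # The signature covers method, body length, content type, date and resource path.
    $toSign = "POST`n$($body.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = [Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($SharedKey))
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $headers = @{
        'Authorization' = "SharedKey ${WorkspaceId}:$sig"
        'Log-Type'      = $LogType
        'x-ms-date'     = $date
    }
    $uri = "https://$WorkspaceId.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Headers $headers -Body $body
}

# Local check of what an alert with a 30-day threshold would match.
$records | Where-Object { $_.DaysToExpiration -le 30 } | Format-Table DisplayName, DaysToExpiration, Status

# In the runbook the two values come from Automation Variables (variable names are hypothetical):
# $id  = Get-AutomationVariable -Name 'LogAnalyticsWorkspaceId'
# $key = Get-AutomationVariable -Name 'LogAnalyticsPrimaryKey'
# Send-LogAnalyticsData -WorkspaceId $id -SharedKey $key -LogType 'AppRegistrationExpiration' `
#     -Json (ConvertTo-Json -InputObject @($records))
# Alert query on the resulting custom table:
# AppRegistrationExpiration_CL | where DaysToExpiration_d <= 30
```

The primary key allows writes to the workspace, so it belongs in an encrypted Automation Variable; the records carry only credential metadata, never secret values.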

 

Where can I get this solution? 

The solution is documented in detail on my GitHub repo and available for consumption immediately. 
https://github.com/Cj-Scott/Get-AppRegistrationExpiration 

8 Comments
Occasional Visitor
OK
Occasional Visitor

Hi Christopher,

you've linked to web.archive.org in your link to your github repo.

 

Cheers

Raffael

Frequent Visitor

This looks like an awesome solution and exactly what we need ... trying it out now!

 
 

 

 

Microsoft
Frequent Visitor

Nice @Russ Rimmerman in some ways your solution is better ... I like the email formatting at the end!

 

Currently running with the solution described above but may end up using both solutions ... the solution above can be used to generate a ServiceNow ticket when an App Registration is due to expire exactly 30 days from now. The Power Automate solution can be used to generate a tidy "Report" ... great stuff guys!

 

Occasional Visitor

Hi all,

 

Is this working with multiple Subscriptions on the tenant?

 

KR,

 

Noâm

 

Microsoft

@Skywalker The Power Automate solution could also be used to generate a ServiceNow ticket when an app registration is due 30 days from now as well - Power Automate has a ServiceNow connector.

@nono7390 Yes it should work across multiple subscriptions. It can also work across multiple tenants and environments but would require multiple runbooks and SPNs with the required permissions.

Version history
Last update:
‎May 28 2021 07:34 AM