Azure / Azure Governance – Getting notification before expiration of Azure app client secret keys

fig : Power Automate - All flow actions for "notifying admins for Azure app's client secret keys expiration"

Hi All,

Greetings for the day!!!

In one of my previous articles we discussed best practices for certificates and client secret keys of applications in Azure Active Directory – https://knowledge-junction.in/2022/09/09/best-practices-azure-security-best-practices-for-certificates-and-client-secret-keys-of-applications-in-azure-active-directory/

Today we continue on the same topic, Azure app client secret keys.

Use case / Background

  • In one of our Python applications we use the Microsoft Graph API to query SharePoint Online. For authentication we use our Azure app ID (client ID) and secret (client secret).
  • Suddenly our application stopped working and we started getting an “Unauthorized” exception:

Error:Token request failed., InnerMessage:System.Net.WebException: The remote server returned an error: (401) Unauthorized.”

  • Our application is critical and we cannot afford more downtime
  • The exception occurred because our Azure app's client secret key had expired
  • Here we found we were lacking governance – our developers must be informed a few days before a client secret expires

Also, Microsoft has removed the “Never expire” option for client secret keys of Azure applications

fig : Azure AD - "Never expire" option removed from the "Expires" drop-down while adding new client secret

Getting notification before expiration of Azure app client secret keys

  • There is a Graph API endpoint – https://graph.microsoft.com/v1.0/applications – that returns all applications in the tenant together with their credentials and the respective start and end dates
  • Let's have a look at it in Graph Explorer
fig : Microsoft Graph Explorer - Executing query to get all Azure apps from tenant and respective credentials - to know the expiring credentials
  • If we look at the response in the above fig, we notice the “endDateTime” parameter of the “passwordCredentials” property of each Azure app
  • Since we have the list of all Azure apps and their password credentials with “startDateTime” and “endDateTime”, we can compare “endDateTime” with “Today” (or with today plus whatever lead time we want before being notified)
  • We can call the same Graph API from Power Automate and check the condition on “endDateTime” as shown in the above fig

Power Automate

  • To call the Graph API from our flow we use the “HTTP” action “Invoke an HTTP request”, as shown below
fig : Power Automate - Calling GRAPH API to get all Azure Apps from our tenant - using "HTTP" action - Invoke an HTTP request
  • We get a JSON response – the list of all our Azure apps with their respective properties
fig : Power Automate - Json response of an action "Invoke an HTTP request" - calling Microsoft Graph API for getting all Azure Apps in our tenant
  • Since the response is JSON, we need to parse it to get the respective details – the “endDateTime” parameter of the app's “passwordCredentials” property
  • We use the “Parse JSON” action to parse the JSON
fig : Power Automate - "Parse JSON" action to parse the response of "Invoke an HTTP request" action
  • Following is the complete schema of the “Parse JSON” action (the leading “@” of “@odata.context” appears doubled because Power Automate escapes a literal “@” in string values as “@@”)

{
    "type": "object",
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "id": {
                        "type": "string"
                    },
                    "appId": {
                        "type": "string"
                    },
                    "displayName": {
                        "type": "string"
                    },
                    "passwordCredentials": {
                        "type": "array"
                    }
                },
                "required": [
                    "id",
                    "appId",
                    "displayName",
                    "passwordCredentials"
                ]
            }
        }
    }
}

  • The input and output of the “Parse JSON” action look as follows
  • Input to the “Parse JSON” action
fig : Power Automate - Input from action "Invoke an HTTP request" to "Parse JSON" action
  • And the output is
fig : Power Automate – Output from action “Parse JSON” action
  • With the parsed result ready, we use an “Apply to each” action to go through each Azure app and verify its “endDateTime” property
fig : Power Automate - "Apply to each" action - for traversing through response of "Parse JSON" action
  • In this way we can verify the “endDateTime” of each app and send a notification to the admin, or post a message to the respective Teams channel
  • We can also schedule the flow so the notifications are sent automatically

Complete Flow

fig : Power Automate - All flow actions for "notifying admins for Azure app's client secret keys expiration"
  • Since the flow is long, it is divided into multiple snaps
fig : Power Automate - Flow actions for "notifying admins for Azure app's client secret keys expiration"
fig : Power Automate - Flow actions for "notifying admins for Azure app's client secret keys expiration"
  • Here we use the “DateTime” functions to compare against our Azure app's “endDateTime”
  • We have a separate article on “addDays()” of DateTime; please have a look for more details – Small Tricks and Tips : Power Automate – using addDays()
  • Based on the result of the condition we either send an email or post a message to the Teams channel of the respective admin
fig : Power Automate – Flow actions for “notifying admins for Azure app’s client secret keys expiration”
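The same check the flow performs in "Apply to each" and the DateTime condition (read every app returned by GET https://graph.microsoft.com/v1.0/applications, look at each credential's "endDateTime", compare it with today plus a lead time) can be expressed as a stand-alone script, which is handy for a scheduled job or a quick audit from the command line. The code below is an added example written for this article; it is not part of the original post or of the flow shown in the screenshots. The Graph response is a constructed sample with made-up app IDs that imitates only the fields used here, and `get_json` is a hypothetical caller-supplied function standing in for an authenticated GET (the account or app used must be allowed to list applications in the tenant). It goes slightly beyond the flow in two ways: it follows "@odata.nextLink" so that tenants with more than one page of apps are fully covered, and it inspects "keyCredentials" (certificates) alongside "passwordCredentials" (secrets), since both expire.

```python
"""Flag Azure AD application credentials (secrets and certificates) that expire soon."""
import re
from datetime import datetime, timedelta, timezone

GRAPH_APPLICATIONS_URL = "https://graph.microsoft.com/v1.0/applications"

_FRACTION = re.compile(r"\.(\d{1,7})")


def parse_graph_datetime(value):
    """Parse Graph's ISO-8601 UTC timestamps. They may carry up to 7 fractional
    digits and a trailing 'Z', both of which datetime.fromisoformat() rejects on
    Python versions before 3.11, so normalise them first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    value = _FRACTION.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), value, count=1)
    dt = datetime.fromisoformat(value)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def fetch_all_applications(get_json, url=GRAPH_APPLICATIONS_URL):
    """Collect every application across pages. Graph returns one page at a time
    and points at the rest via '@odata.nextLink'; stopping after the first page
    would silently skip apps. `get_json(url)` is a hypothetical helper that
    performs the authenticated GET and returns the decoded JSON body."""
    apps = []
    while url:
        page = get_json(url)
        apps.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return apps


def expiring_credentials(apps, today, days_ahead=30):
    """Return one record per credential whose endDateTime falls on or before
    today + days_ahead. Already-expired credentials are included with a negative
    daysLeft so they surface at the top of the list instead of being missed."""
    horizon = today + timedelta(days=days_ahead)
    findings = []
    for app in apps:
        for kind in ("passwordCredentials", "keyCredentials"):
            for cred in app.get(kind) or []:
                end = parse_graph_datetime(cred["endDateTime"])
                if end <= horizon:
                    findings.append({
                        "displayName": app.get("displayName"),
                        "appId": app.get("appId"),
                        "credentialType": "secret" if kind == "passwordCredentials" else "certificate",
                        "keyId": cred.get("keyId"),
                        "endDateTime": end.isoformat(),
                        "daysLeft": (end - today).days,
                    })
    findings.sort(key=lambda f: f["daysLeft"])
    return findings


# Fixed "now" so the example is reproducible (constructed, not a real run).
TODAY = datetime(2022, 10, 1, tzinfo=timezone.utc)

# Constructed two-page sample mimicking the shape of GET /v1.0/applications.
_PAGE2 = GRAPH_APPLICATIONS_URL + "?$skiptoken=page2"
SAMPLE_PAGES = {
    GRAPH_APPLICATIONS_URL: {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications",
        "@odata.nextLink": _PAGE2,
        "value": [
            {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "SharePoint Reader",
             "passwordCredentials": [{"keyId": "aaaa0001", "startDateTime": "2022-04-01T00:00:00Z",
                                      "endDateTime": "2022-10-15T08:30:00.1234567Z"}],
             "keyCredentials": []},
            {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "Reporting Job",
             "passwordCredentials": [{"keyId": "bbbb0002", "startDateTime": "2021-09-28T00:00:00Z",
                                      "endDateTime": "2022-09-28T00:00:00Z"}],  # already expired
             "keyCredentials": []},
        ],
    },
    _PAGE2: {
        "value": [
            {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "Long-lived App",
             "passwordCredentials": [{"keyId": "cccc0003", "startDateTime": "2022-09-01T00:00:00Z",
                                      "endDateTime": "2024-09-01T00:00:00Z"}],
             "keyCredentials": [{"keyId": "dddd0004", "startDateTime": "2021-10-20T00:00:00Z",
                                 "endDateTime": "2022-10-20T00:00:00Z"}]},
            {"appId": "44444444-4444-4444-4444-444444444444", "displayName": "No Credentials",
             "passwordCredentials": [], "keyCredentials": []},
        ],
    },
}


def run_check(days_ahead=30):
    """Run the audit against the constructed sample and return the findings."""
    apps = fetch_all_applications(SAMPLE_PAGES.__getitem__)
    return expiring_credentials(apps, TODAY, days_ahead)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['daysLeft']:>4}d  {f['credentialType']:<11} {f['displayName']} "
              f"({f['appId']}) ends {f['endDateTime']}")
```

With the sample data and a 30-day lead time the script reports three credentials: the already-expired "Reporting Job" secret (-3 days), the "SharePoint Reader" secret (14 days) and the "Long-lived App" certificate (19 days); the 2024 secret and the app with no credentials are not reported. The records are plain dictionaries so the same output can feed an email, a Teams message or a ticketing system, which mirrors the notification step of the flow.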

Thanks for reading !! If it's worth at least reading once, kindly please like and share !!! SHARING IS CARING 🙂

Enjoy the beautiful life !! Have a FUN !! HAVE A SAFE LIFE !! TAKE CARE 🙂

Prasham Sabadra

LIFE IS VERY BEAUTIFUL :) ENJOY THE WHOLE JOURNEY :) Founder of Knowledge Junction and live-beautiful-life.com, Author, Learner, Passionate Techie, avid reader. Certified Professional Workshop Facilitator / Public Speaker. Scrum Foundation Professional certified. Motivational, Behavioral, Technical speaker. Speaks in various events including SharePoint Saturdays, Boot camps, Colleges / Schools, local chapter. Can reach me for Microsoft 365, Azure, DevOps, SharePoint, Teams, Power Platform, JavaScript.
