Azure / Azure Governance – Getting notification before expiration of Azure app client secret keys

Hi All,
Greetings for the day!!!
In one of my previous articles we discussed best practices for certificates and client secret keys of applications in Azure Active Directory – https://knowledge-junction.in/2022/09/09/best-practices-azure-security-best-practices-for-certificates-and-client-secret-keys-of-applications-in-azure-active-directory/
Today we continue on the same topic, this time on Azure app client secret keys and how to be warned before they expire.
Use case / Background
- In one of our Python applications we use the Microsoft Graph API to query SharePoint Online. For authentication we use our Azure app's Application (client) ID and a client secret.
- Suddenly the application stopped working and we started getting an "Unauthorized" exception:
“Error:Token request failed., InnerMessage:System.Net.WebException: The remote server returned an error: (401) Unauthorized.”
- The application is critical and we cannot afford more downtime.
- The exception occurred because our Azure app's client secret had expired: the token endpoint rejects an expired secret, so the app could not obtain an access token at all and every Graph call failed.
- Here we found we were lacking governance: our developers must be informed a few days before a client secret expires.
- Also, Microsoft has removed the "Never" expiry option for client secrets in the Azure portal (the portal allows at most 24 months), so every secret created there will expire eventually and must be tracked.

Getting notification before expiration of Azure app client secret keys
- There is a Graph API, https://graph.microsoft.com/v1.0/applications, that returns all application registrations in the tenant with details including their credentials and the respective start and end dates. Calling it with application permissions requires at least Application.Read.All. The response never contains the secret value itself (Graph returns "secretText" only once, when the secret is created), so reading this list does not expose any secrets.
- Let's have a look in Graph Explorer –

- If we notice the response in the above fig, each app has a "passwordCredentials" property, an array with one entry per client secret, and each entry carries a "startDateTime" and an "endDateTime" parameter. (Certificates are listed the same way under "keyCredentials".)
- Since we have the list of all Azure apps and their password credentials with "startDateTime" and "endDateTime", we can compare "endDateTime" with "Today" or with whatever number of days before expiry we want the notification.
- Two practical points: the response is paged (100 applications per page by default), so a tenant with more apps must follow "@odata.nextLink" until it is absent, and adding "?$select=id,appId,displayName,passwordCredentials" to the URL keeps the response small. The same Graph API can be used in Power Automate, checking the condition on "endDateTime" as shown in the above fig.
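Because the application in the use case is itself written in Python, here is the same check done in code rather than in Power Automate. This is an added example, not code from the original post. It follows "@odata.nextLink" across pages, reads "endDateTime" from every "passwordCredentials" entry and reports secrets that are already expired (negative days left) or expire within a chosen window. The Graph call is injected as a function so the block runs offline against the constructed sample pages (fake GUIDs, fake dates); requests_fetch() shows the real call and assumes a bearer token obtained by the client-credentials flow for an app granted Application.Read.All.

```python
"""Report Azure AD app client secrets that are expired or expiring soon.

Added example, not code from the original post. Walks the paged response of
GET https://graph.microsoft.com/v1.0/applications (following @odata.nextLink)
and checks passwordCredentials[].endDateTime of every app registration.
The HTTP call is injected as fetch_page(url) -> dict so the logic runs offline
against the constructed SAMPLE_PAGES below; requests_fetch() shows the real
call and assumes a bearer token for an app granted Application.Read.All.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterable, Iterator, List, Optional

GRAPH_APPS_URL = ("https://graph.microsoft.com/v1.0/applications"
                  "?$select=id,appId,displayName,passwordCredentials")


def iter_applications(fetch_page: Callable[[str], dict],
                      url: str = GRAPH_APPS_URL) -> Iterator[dict]:
    """Yield every application across all pages (Graph pages at 100 by default)."""
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page -> loop ends


def parse_graph_datetime(value: str) -> datetime:
    """Graph dates are ISO 8601 UTC with a 'Z' suffix and 0 to 7 fractional digits."""
    value = value.rstrip("Z")
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"  # fromisoformat: max 6 digits
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def expiring_secrets(apps: Iterable[dict], days: int,
                     now: Optional[datetime] = None) -> List[dict]:
    """One finding per secret ending within `days` days; daysLeft < 0 = expired."""
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=days)
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials") or []:  # apps may have none
            end = parse_graph_datetime(cred["endDateTime"])
            if end <= cutoff:
                findings.append({"displayName": app.get("displayName"),
                                 "appId": app.get("appId"),
                                 "keyId": cred.get("keyId"),
                                 "secretName": cred.get("displayName"),
                                 "endDateTime": cred["endDateTime"],
                                 "daysLeft": (end - now).days})
    return sorted(findings, key=lambda f: f["daysLeft"])  # most urgent first


def requests_fetch(token: str) -> Callable[[str], dict]:
    """Real fetch_page on the requests library (imported lazily so the offline
    demo does not need it). A 401 from raise_for_status() is the use-case symptom."""
    import requests

    def fetch(url: str) -> dict:
        resp = requests.get(url, headers={"Authorization": f"Bearer {token}"},
                            timeout=30)
        resp.raise_for_status()
        return resp.json()
    return fetch


# --- Constructed sample data (fake GUIDs), two pages joined by a nextLink ---
def _app(n: int, name: str, key_id: str, start: str, end: str) -> dict:
    return {"id": f"a{n}", "appId": f"00000000-0000-0000-0000-00000000000{n}",
            "displayName": name, "passwordCredentials": [
                {"keyId": key_id, "displayName": "secret",
                 "startDateTime": start, "endDateTime": end}]}


PAGE2_URL = GRAPH_APPS_URL + "&$skiptoken=page2"
SAMPLE_PAGES = {
    GRAPH_APPS_URL: {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications",
        "@odata.nextLink": PAGE2_URL,
        "value": [_app(1, "SharePoint Reader", "k1",
                       "2022-01-01T00:00:00Z", "2022-12-31T00:00:00Z"),
                  _app(2, "Legacy Sync", "k2",
                       "2021-12-01T00:00:00Z", "2022-12-01T00:00:00Z")]},
    PAGE2_URL: {
        "value": [_app(3, "Healthy App", "k3",
                       "2022-07-01T00:00:00.1234567Z", "2024-06-30T00:00:00.1234567Z"),
                  {"id": "a4", "appId": "00000000-0000-0000-0000-000000000004",
                   "displayName": "No Secrets", "passwordCredentials": []}]},
}
DEMO_NOW = datetime(2022, 12, 15, tzinfo=timezone.utc)  # fixed clock for the demo


def demo(days: int = 30) -> List[dict]:
    """Offline run: Legacy Sync expired 14 days ago, SharePoint Reader has 16 days left."""
    apps = iter_applications(lambda url: SAMPLE_PAGES[url])
    return expiring_secrets(apps, days=days, now=DEMO_NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['displayName']} secret {f['keyId']}: daysLeft={f['daysLeft']}")
```

Run on a schedule with `expiring_secrets(iter_applications(requests_fetch(token)), days=30)` and hand the findings to whatever notifies the admin (mail, Teams webhook). The fetch function is injected so the expiry logic is testable without a tenant, and the negative daysLeft makes the "already expired, app is returning 401" case stand out at the top of the list rather than being silently skipped.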
Power Automate
- To call the Graph API from our flow we use the HTTP action "Invoke an HTTP request" as

- We get a JSON response: the list of all our Azure apps with their respective properties

- As we have a JSON response, we need to parse it to get the details we want: the "endDateTime" parameter of each entry in the app's "passwordCredentials" property
- We will use the "Parse JSON" action to parse our JSON
- Following is the complete schema of the "Parse JSON" action. Note that "@odata.context" is written as "@@odata.context" because a leading "@" must be escaped in Power Automate, and that the items of "passwordCredentials" are described so that "endDateTime" is available as dynamic content:
{
    "type": "object",
    "properties": {
        "@@odata.context": {
            "type": "string"
        },
        "value": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "id": {
                        "type": "string"
                    },
                    "appId": {
                        "type": "string"
                    },
                    "displayName": {
                        "type": "string"
                    },
                    "passwordCredentials": {
                        "type": "array",
                        "items": {
                            "type": "object",
                            "properties": {
                                "keyId": {
                                    "type": "string"
                                },
                                "startDateTime": {
                                    "type": "string"
                                },
                                "endDateTime": {
                                    "type": "string"
                                }
                            }
                        }
                    }
                },
                "required": [
                    "id",
                    "appId",
                    "displayName",
                    "passwordCredentials"
                ]
            }
        }
    }
}
- We see the result of the "Parse JSON" action as follows
- Input to the "Parse JSON" action
- And the output
- With the parsed result ready we use the "Apply to each" action to go through each Azure app and, inside it, a second "Apply to each" over the app's "passwordCredentials" (an app can have several secrets), verifying the "endDateTime" property of each one

- In this way we verify the "endDateTime" of every secret of every app and send a notification to the admin, or post a message in the respective Teams channel
- We can also schedule the flow (a "Recurrence" trigger running daily, for example) so the notification is automatic
Complete Flow

- Since the flow is long, it is split across multiple screenshots


- Here we use the DateTime functions to compare with the Azure app's "endDateTime": the condition checks whether "endDateTime" is less than addDays(utcNow(), 30), so a secret that expires within the next 30 days, or has already expired, matches
- We have a separate article on "addDays()" of DateTime, please have a look for more details – Small Tricks and Tips : Power Automate – using addDays()
- Based on the result of the condition we either send an email or post a message to the Teams channel of the respective admin

References
- M365 / SharePoint Online – PowerShell to renew expiring client secret key for SharePoint App
- Small Tricks and Tips : Power Automate – using addDays()
- Best Practices – Azure – Security best practices for Certificates and Client secret keys of applications in Azure Active Directory
- Office 365 – Azure Active Directory – Registering/Creating new Azure App – detailed steps
Thanks for reading !! If its worth at least reading once, kindly please like and share !!! SHARING IS CARING 🙂
Enjoy the beautiful life !! Have a FUN !! HAVE A SAFE LIFE !! TAKE CARE 🙂