
In Azure, we have service principals for client apps. We want to set up an alert to our group some days before the secret expires, so that we can generate new ones and update our apps without downtime. Is there any way to get an alert? If not, how do we manage these?

2 Answers

  1. How to set up an alert for secret expiry for a service principal? If not, how to manage these?

    AFAIK, there is no way you can get an alert about secret expiry for a service principal.
    But if you want to know the expiry dates of secrets, you can follow the process below:

    • Firstly, go to the Azure Active Directory service in the Azure Portal
    • Then click on App Registrations, then click on your app

    Then follow the process shown in the screenshot.

    You can manually check which service expires by following the above process.

    Another way of managing these is that when creating these secrets you will have a field called Expires, as shown in the screenshot.

    So if we keep a maximum of 2 yrs then it will expire 2 yrs after creation. If you keep 90 days it will expire after 90 days.

    You can monitor the expiry using Logic Apps too.

  2. You can leverage the Graph API to get a list of applications with secrets that are about to expire. If you combine this with a timer-triggered Azure Function you can create an alert and/or create a new secret automatically.

    I've created an Azure Function that can act as a source of inspiration; see this repo. It contains a class that lists all secrets and certificates that are about to expire:

        using System;
        using System.Collections.Generic;
        using System.Linq;
        using System.Threading.Tasks;
        using Microsoft.Extensions.Options;
        using Microsoft.Graph;
        using Microsoft.Graph.Auth;        // ClientCredentialProvider (Microsoft.Graph.Auth package)
        using Microsoft.Identity.Client;   // ConfidentialClientApplicationBuilder (MSAL)

        // IGraphApiReader, Subject, AppRegistration, GraphServiceCredentials and
        // NotificationConfiguration are defined elsewhere in the linked repo.
        public class GraphApiReader : IGraphApiReader
        {
            private readonly GraphServiceClient _graphServiceClient;
            private readonly Func<PasswordCredential, bool> _expiringSecretsSelector;
            private readonly Func<KeyCredential, bool> _expiringCertificatesSelector;

            public GraphApiReader(
                IOptions<GraphServiceCredentials> graphServiceConfiguration,
                IOptions<NotificationConfiguration> notificationConfiguration)
            {
                if (graphServiceConfiguration == null) throw new ArgumentNullException(nameof(graphServiceConfiguration));
                if (notificationConfiguration == null) throw new ArgumentNullException(nameof(notificationConfiguration));

                // The function authenticates to Graph as its own app registration (client credentials flow).
                // That registration needs the Application.Read.All application permission to list applications.
                var confidentialClientApplication = ConfidentialClientApplicationBuilder
                    .Create(graphServiceConfiguration.Value.AppId)
                    .WithTenantId(graphServiceConfiguration.Value.TenantId)
                    .WithClientSecret(graphServiceConfiguration.Value.ClientSecret)
                    .Build();
                var authProvider = new ClientCredentialProvider(confidentialClientApplication);
                _graphServiceClient = new GraphServiceClient(authProvider);

                // A credential counts as "expiring" when its end date falls within the configured
                // threshold; credentials that have already expired match as well.
                _expiringSecretsSelector = c =>
                    c.EndDateTime <= DateTime.Now.AddDays(notificationConfiguration.Value.ExpirationThresholdInDays);

                _expiringCertificatesSelector = c =>
                    c.EndDateTime <= DateTime.Now.AddDays(notificationConfiguration.Value.ExpirationThresholdInDays);
            }

            public async Task<List<Subject>> ReadExpiringSubjectsAsync()
            {
                var subjects = new List<Subject>();

                // Only request the properties we need; this call returns the first page only.
                var initialApplicationsCollectionPage = await _graphServiceClient.Applications
                    .Request()
                    .Select(app => new
                    {
                        app.KeyCredentials,
                        app.AppId,
                        app.CreatedDateTime,
                        app.DisplayName,
                        app.PasswordCredentials
                    })
                    .GetAsync();

                // PageIterator follows @odata.nextLink for us; returning true from the callback
                // means "keep iterating", so every application in the tenant is visited.
                var iterator = PageIterator<Application>.CreatePageIterator(_graphServiceClient, initialApplicationsCollectionPage, application =>
                {
                    // Graph can return null instead of an empty list; treat both as "no credentials".
                    var secrets = application.PasswordCredentials ?? Enumerable.Empty<PasswordCredential>();
                    var certificates = application.KeyCredentials ?? Enumerable.Empty<KeyCredential>();

                    if (!secrets.Any(_expiringSecretsSelector) &&
                        !certificates.Any(_expiringCertificatesSelector))
                    {
                        return true; // nothing expiring for this app, move on to the next one
                    }

                    var appRegistration = new AppRegistration
                    {
                        AppId = application.AppId,
                        DisplayName = application.DisplayName,
                        CreatedDateTime = application.CreatedDateTime
                    };

                    // One Subject per expiring secret. Hint holds only the first few characters of the
                    // secret value, which is all Graph exposes and enough for an operator to identify it.
                    subjects.AddRange(secrets.Where(_expiringSecretsSelector).Select(cred => new Subject
                    {
                        DisplayName = cred.DisplayName,
                        Context = cred.Hint,
                        EndDateTime = cred.EndDateTime,
                        StartDateTime = cred.StartDateTime,
                        Id = cred.KeyId.GetValueOrDefault().ToString(),
                        ODataType = cred.ODataType,
                        AppRegistration = appRegistration
                    }));

                    // One Subject per expiring certificate. CustomKeyIdentifier (usually the thumbprint
                    // bytes) can be null, and Convert.ToBase64String throws on null, so guard it.
                    subjects.AddRange(certificates.Where(_expiringCertificatesSelector).Select(key => new Subject
                    {
                        DisplayName = key.DisplayName,
                        Context = key.CustomKeyIdentifier == null ? null : Convert.ToBase64String(key.CustomKeyIdentifier),
                        EndDateTime = key.EndDateTime,
                        StartDateTime = key.StartDateTime,
                        Id = key.KeyId.GetValueOrDefault().ToString(),
                        ODataType = key.ODataType,
                        AppRegistration = appRegistration
                    }));

                    return true;
                });

                await iterator.IterateAsync();

                return subjects;
            }
        }
    
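As an added example (not code from the question, the answer above, or the linked repo), here is the same check in Python over constructed Graph response pages: it follows `@odata.nextLink` pagination, tolerates a null credential list, and reports both soon-to-expire and already-expired secrets and certificates. `fake_get`, the sample app IDs, `SAMPLE_NOW` and the 30-day threshold are assumptions; a real run would replace `fake_get` with an authenticated GET.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample (not a real tenant): two response pages shaped like Microsoft Graph's answer to
# GET /v1.0/applications?$select=appId,displayName,passwordCredentials,keyCredentials
FIRST_URL = "https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials,keyCredentials"
NEXT_URL = "https://graph.microsoft.com/v1.0/applications?$skiptoken=page2"
FAKE_PAGES = {
    FIRST_URL: {"@odata.nextLink": NEXT_URL, "value": [
        {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "billing-api", "keyCredentials": [],
         "passwordCredentials": [
             {"keyId": "aaaa0001", "displayName": "prod", "endDateTime": "2024-01-20T00:00:00Z"},
             {"keyId": "aaaa0002", "displayName": "staging", "endDateTime": "2025-06-01T00:00:00Z"}]}]},
    NEXT_URL: {"value": [
        {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "reporting-job",
         "passwordCredentials": None,  # Graph may return null rather than an empty list
         "keyCredentials": [
             {"keyId": "bbbb0001", "displayName": "CN=reporting", "endDateTime": "2023-12-25T00:00:00Z"}]}]},
}
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock (assumed) so the output is reproducible

def fake_get(url):
    """Stand-in for an authenticated Graph GET (a real call needs Application.Read.All); returns the JSON body."""
    return FAKE_PAGES[url]

def parse_graph_time(value):
    # Graph uses ISO 8601 with a trailing Z; fromisoformat only accepts "+00:00" before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_expiring(first_url, get, now, threshold_days):
    """Walk every @odata.nextLink page; return credentials ending within threshold_days of now, soonest first."""
    cutoff = now + timedelta(days=threshold_days)
    found, url = [], first_url
    while url:
        body = get(url)
        for app in body.get("value", []):
            for kind in ("passwordCredentials", "keyCredentials"):
                for cred in app.get(kind) or []:  # tolerate null or missing credential lists
                    end = parse_graph_time(cred["endDateTime"])
                    if end <= cutoff:  # already-expired credentials are reported too
                        found.append({"app": app["displayName"], "appId": app["appId"], "kind": kind,
                                      "keyId": cred["keyId"], "name": cred.get("displayName"),
                                      "endDateTime": end, "expired": end <= now})
        url = body.get("@odata.nextLink")  # None on the last page ends the loop
    return sorted(found, key=lambda c: c["endDateTime"])

if __name__ == "__main__":
    for c in find_expiring(FIRST_URL, fake_get, SAMPLE_NOW, threshold_days=30):
        print(f"{c['app']:<14} {c['kind']:<19} {c['name']:<12} ends {c['endDateTime']:%Y-%m-%d} expired={c['expired']}")
```

Feeding the returned list to whatever notifies your group (mail, Teams webhook, ticket) from a timer-triggered function gives the alert the question asks for.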