Automated monitoring Azure App Registration secrets using using Logic Apps

When provisioning App Registrations, their secrets are set to a maximum of 24 months. Currently, Azure does not provide a notification platform to proactively alert you when secrets are nearing expiration, which can result in business disruption.

We are often asked by clients to implement automated monitoring and alerting platforms especially with regards to secrets expirations which have the potential to disrupt business if not caught in time.

This blog demonstrates the deployment of a Logic App to automate the monitoring of all the Registered Apps secrets and sends a proactive email or Teams notification when the secret is about to expire.

Step 1 – Provision an App Registration

Step 2 – Provision App Registration Secret

Step 3 – Configure App Registration API Permission

Step 4 – Deploy Logic App

Step 5 – Logic App Designer

Deployment Steps

Step 1 - Provision an App Registration

In this step we are going to provision a new Registered App in order to provide Microsoft Graph permissions to access a Registered App API in order to read the secrets expiration dates by creating an API connection for a Logic App connector using ARM REST API.

#(This Registered App will be created specifically for this is Logic App and will not be used for any other service).

Provision your new dedicated Registered App:
 

In Azure Portal > search for App Registration > + New registration >

Select a descriptive name,

Select the single tenant,

Register,

Step 2 - Provision App Registration Secret

Go to your new App Registration > Select Certificates & secrets,

+ New client secret >

#(Im creating a sandbox secret that will expire in < 30 days for testing later on)

Add,

Copy the secret value into notepad before you change windows!

Step 3 - Configure App Registration API Permission

Go to API permissions and add 4 RBAC roles:

+Add a permission > Microsoft APIs tab > select Microsoft Graph,

**You need to add all 4 of these permissions by following the steps below:

Select Application permissions (which does not require a signed-in user account),

Verification – your permissions list should like look the list below.

You will notice that the permissions are not yet granted for your domain,

Now click on Grant admin consent for your domain (if the option is greyed out, you may need to enable PIM),

Once granted permission, your status must all turn green / consented:

Step 4 - Deploy Logic App

Create and deploy a consumption based Logic App,

Step 5 - Logic App Designer

Go to your Logic App > open your Designer >

Select a blank logic app >

Part 1 – Adding a trigger >

Search for recurrence schedule and select >

Select the interval and frequency of how often you want the Logic App to run (I want the Logic App to check the key vaults daily),

Add optional parameters,

Part 2 – Now create 3 variables

Add an Action >

#1 – Search for initialize variable >

Create the 1st init variable > Name AppID with the value of string,

Add an Action >

Create the 3rd init variable > Name passwordCredential with the value of array,

Part 3 – Create the HTTP GET

Add an Action >

Search for HTTP >

Method = GET

URI =

https://graph.microsoft.com/v1.0/applications?$top=2&$select=id,appId,displayName,passwordCredentials

(dont edit the URL!)

Add new parameter > select Authentication

Authentication Type = Active Directory Oauth

Tenant ID = <your tenant ID>

Audience = https://graph.microsoft.com

Client ID = <your reg app ID>

Credential Type = secret

Secret = <your secret value>

Click on Save to make sure everything is configure correctly,

For verification > Run Trigger > Run

Stay in Run mode for the next step,

Part 4 – Parse JSON

To continue building the Logic app, we need to populate the body of the HTTP function,

Staying in Run mode, or

Click on Run Trigger > Run,

You should end up with this result,

Stay in Run mode > select your  HTTP function and copy the entire contents of the HTTP body and paste into a notepad,

Go back to Designer mode,

Now click on the + Add an action and choose the next operation:

Search for and Parse Json and select,

Inside your function > click on the Content bar and select body >

Now click on Use sample payload to generate schema link

Paste the HTTP body code (that you copied into your notepad) into the JSON payload screen,

Done,

Click on Save to make sure everything is configure correctly,

For verification > Run Trigger > Run

Expected output:

##This is an error section, if you don’t get this error, proceed to the next step###

If you run into errors with your Parse JSON function and get a Null error:

Go back into Designer mode,

Go to your Parse Json and copy the code into a notepad,

Now run an update on the entire notepad by replacing all the

“type”: “string”

With

 “type”: [“string”, “null”]

Copy the updated notepad contents back into the Use sample payload to generate schema link,

Done,

Run Trigger > Run again and all should work

****

Part 5 – Create a For Each Loop:

Add an Action >

Control > For Each >

select Parse JSON – value

Save before continuing!

###Staying inside your For Each Loop > you are now going to add 3 x set variables:

Add an Action >

Control > Set variable >

Select parse JSON > appID

Save before continuing!

Still inside the For Each loop:

Add an Action > Control > add a 2nd Set variable >

Select parse JSON > displayName

Save before continuing!

Still inside the For Each loop:

Add an Action > Control > add a 3rd Set variable >

Select parse JSON > passwordCredentials

Save before continuing!

End result:

###Staying inside your 1st For Each Loop > you are now going to embed a 2nd For Each Loop:

Add an Action > Control > For Each >

select Parse JSON – passwordCredentials

Save before continuing!

This next step is important! Rename this embedded loop carefully!

Rename this 2nd For Each loop to a unique name as this is going to be referenced in your condition that will be created later!

Save before continuing!

You may need to refresh the window for a refreshed view,

Click on Save to make sure everything is configure correctly,

For verification > Run Trigger > Run

Expected output:

Staying inside your new 2nd For Each passwordCredentials Loop > you are now going to embed a Condition:

Add an Action > Control > Condition >

Save before continuing!

Condition >

Select the value bar:

click on Expression and paste in

items(‘For_each_passwordCredentials’)?[‘endDateTime’]

OK

Select the centre value box and select your option:

Is less than or equal to

Select the 3rd value box and define how many days you want to be alerted on secret expirations:

addToTime(utcNow(),30,’day’)

OK

Save before continuing!

Click on Save to make sure everything is configure correctly,

For verification > Run Trigger > Run

Expected output:

Let’s create a notification event when the condition is True:

Click on the True block > + Add an action

Search mail > select Office 365 Outlook >

Search and Select Send an email (v2) icon

Click on Sign in,

Sign in with a domain system email account that doesn’t required MFA,

In the To field: enter the distribution group email address,

In the email Subject field: enter the email subject line,  and add the AppID or DisplayName from the variables section,

Populate the body of the email that your distribution group audience will receive:

My example:

Good day,

This email serves to notify that the following Registered App secret is about to expire.

Registered Application: (add the appID from the Parse JSON section)

Secret Expiration Date: (endDateTime from the Parse JSON section)

Save

Run & Trigger > Run

Once provisioned, the Logic App will take about 20/30 minutes to start sending emails.

— I hope this blog provided a clear explanation on how to configure an automated monitoring and alerting solution for your Registered App secrets —