Summary
This workflow automates the monitoring and renewal of Azure Enterprise Application credentials, including client secrets and certificates. The solution scans all registered enterprise applications for expiring or expired credentials, generates alerts for upcoming expirations, and can automatically rotate secrets and certificates to prevent service disruptions. By proactively managing credential lifecycles, the workflow eliminates unexpected authentication failures, maintains application availability, and ensures security compliance through regular credential rotation.
Usage
Prerequisites
Before using this workflow, ensure the following requirements are met:
-
Microsoft Graph API Integration: Configure with the following permissions:
Application.ReadWrite.All- To read and update application registrationsDirectory.Read.All- To read directory dataMail.Send- To send notification emails
-
Organizational Variables: Configure the following:
azure_app_expiry_warning_days: Days before expiration to trigger alerts (e.g., 30, 60, 90)azure_app_auto_renew: Enable automatic credential renewalazure_app_secret_validity_days: Validity period for new secrets (e.g., 365)azure_app_notification_recipients: Email addresses for expiration alerts
Workflow Inputs
| Parameter | Type | Required | Description |
|---|---|---|---|
tenant_id | String | No | Specific Azure AD tenant to scan |
app_ids | Array | No | Specific application IDs to check (defaults to all) |
warning_threshold_days | Number | No | Days before expiration to alert. Default: 30 |
auto_renew | Boolean | No | Automatically renew expiring credentials. Default: false |
secret_validity_days | Number | No | New secret validity in days. Default: 365 |
include_expired | Boolean | No | Include already expired credentials. Default: true |
send_notifications | Boolean | No | Send email notifications. Default: true |
Execution
Scheduled Execution (Recommended)
- Run daily or weekly to scan for expiring credentials
- Configure alerts at multiple thresholds (90, 60, 30, 7 days)
Manual Trigger
- Run on-demand for specific applications or full tenant scan
Renewal Process Flow
- Application Discovery: Enumerate all enterprise applications and app registrations
- Credential Scan: Check client secrets and certificates for expiration dates
- Threshold Evaluation: Compare expiration dates against warning thresholds
- Alert Generation: Create alerts for credentials approaching expiration
- Auto-Renewal: Generate new secrets/certificates if auto-renew is enabled
- Credential Distribution: Securely distribute new credentials to stakeholders
- Notification: Send expiration warnings or renewal confirmations
- Documentation: Log all findings and actions for audit
Returned Data
{
"success": true,
"scan_summary": {
"total_applications_scanned": 45,
"credentials_checked": 87,
"expiring_soon": 5,
"already_expired": 2,
"healthy": 80,
"auto_renewed": 3
},
"expiring_credentials": [
{
"app_name": "CRM Integration",
"app_id": "app-12345",
"credential_type": "client_secret",
"credential_id": "key-67890",
"expiration_date": "2026-04-01",
"days_until_expiry": 28,
"status": "warning",
"auto_renewed": false,
"owner": "admin@company.com"
}
],
"renewed_credentials": [
{
"app_name": "Backup Service",
"app_id": "app-54321",
"old_expiration": "2026-03-10",
"new_expiration": "2027-03-10",
"credential_type": "client_secret",
"renewed_timestamp": "2026-03-04T15:30:00Z"
}
],
"notifications_sent": {
"warning_emails": 5,
"renewal_confirmations": 3,
"recipients": ["it-admin@company.com", "security@company.com"]
}
}
Changelog
2026-03-04
- Initial version of the document