Notify Microsoft Entra ID Application Secret Expiry

Introduction

Microsoft Entra ID is a cloud-based identity and access management service. It offers features like single sign-on (SSO), multifactor authentication, and automated user provisioning to enhance organizational security. 

In my last blog, I used the Microsoft Graph API to read a Microsoft Entra ID application. Now we extend that code to read each application's client secret expiry date, so that the application owner can be notified before the secret expires and the application stops authenticating.

Send alert on Microsoft Entra ID application secret expiry

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Graph;
    // The caller needs the Application.Read.All Graph permission to list applications
    public async Task<List<Models.Application>> GetAppsWithExpiringSecretsAsync(int windowDays = 7)
    {
        // endDateTime comes back as a UTC DateTimeOffset, so compare in UTC rather than local time
        DateTimeOffset cutoff = DateTimeOffset.UtcNow.AddDays(windowDays);
        var appList = new List<Models.Application>();
        // Owners is null unless it is expanded in the request
        var page = await _graphServiceClient.Applications.Request()
            .Expand("owners")
            .GetAsync();
        while (page != null) // walk every page, not only the first one
        {
            foreach (var app in page.CurrentPage)
            {
                // PasswordCredentials can be null for apps that use certificates or have no credential
                var isToBeExpired = (app.PasswordCredentials ?? Enumerable.Empty<PasswordCredential>())
                    .Any(e => e.EndDateTime.HasValue && e.EndDateTime.Value <= cutoff);
                // Owners are DirectoryObjects; ToString() would only give the type name
                var owner = app.Owners?.FirstOrDefault();
                appList.Add(new Models.Application
                {
                    Id = app.Id,
                    ApplicationId = app.AppId,
                    ApplicationName = app.DisplayName,
                    SecretToBeExpired = isToBeExpired,
                    Owner = (owner as User)?.UserPrincipalName ?? owner?.Id
                });
                if (isToBeExpired)
                {
                    //send email to owner
                }
            }
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
        return appList;
    }

The method above reads each application's client secrets (passwordCredentials) and flags the application when any secret's endDateTime falls within the next 7 days; sending the email is left to a separate function that notifies the owner. Two caveats: the comparison is against the cutoff only, so a secret that has already expired is flagged as well, which usually means the application is broken or abandoned and the secret should be removed rather than renewed; and an application without an owner has nobody to notify, so such results need to be escalated to a team instead of silently skipped. Azure Key Vault does not rotate a Microsoft Entra application secret by itself; it stores the secret and can alert on the expiry date recorded in the vault, so that date has to be kept in step with the one in the app registration. If the application does not use Key Vault, or you want an independent check against the directory, this approach works. Where possible, prefer a certificate credential or a managed identity so that there is no long-lived secret to expire at all.
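To show the check itself end to end, here is an added example in Python (not the page's C# code and not from any Microsoft SDK) that runs offline over a constructed two-page response shaped like the JSON Graph returns for GET /applications with passwordCredentials, keyCredentials and expanded owners; the field names follow Graph, while the ids, names, dates and the $skiptoken URL are made up for the example. It goes beyond the C# above in three ways a practitioner wants: it follows @odata.nextLink so every page is checked, it also inspects keyCredentials because certificates expire too, and it separates already-expired credentials and ownerless applications, which need escalation rather than a reminder.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data: two pages shaped like the JSON Microsoft Graph returns for
# GET /v1.0/applications?$select=id,appId,displayName,passwordCredentials,keyCredentials&$expand=owners
# Field names follow Graph; every value below is made up for this example.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
NEXT_LINK = "https://graph.microsoft.com/v1.0/applications?$skiptoken=page2"  # assumed token
PAGE_1 = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "appId": "11111111-1111-1111-1111-111111111111",
            "displayName": "payments-api",
            "passwordCredentials": [
                {"keyId": "a1", "displayName": "ci-secret", "endDateTime": "2024-03-05T00:00:00Z"},
                {"keyId": "a2", "displayName": "old-secret", "endDateTime": "2023-12-31T00:00:00Z"},
            ],
            "keyCredentials": [
                {"keyId": "a3", "displayName": "CN=payments", "endDateTime": "2025-01-01T00:00:00.1234567Z"},
            ],
            "owners": [{"id": "u1", "userPrincipalName": "alice@contoso.example"}],
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "appId": "22222222-2222-2222-2222-222222222222",
            "displayName": "reporting-job",
            "passwordCredentials": None,  # defensive: treat missing/null as empty
            "keyCredentials": [],
            "owners": [],
        },
    ],
    "@odata.nextLink": NEXT_LINK,
}
PAGE_2 = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000003",
            "appId": "33333333-3333-3333-3333-333333333333",
            "displayName": "legacy-portal",
            "passwordCredentials": [{"keyId": "b1", "displayName": None, "endDateTime": "2024-03-07T12:00:00Z"}],
            "keyCredentials": [],
            "owners": [],  # nobody to notify: must be escalated instead
        },
    ],
}
PAGES = {NEXT_LINK: PAGE_2}  # stands in for an HTTP client in this offline example


def parse_graph_time(value):
    """Parse Graph's ISO 8601 UTC timestamps ('...Z', up to seven fractional digits)."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)  # Python accepts at most microseconds
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def collect_pages(first_page, fetch):
    """Follow @odata.nextLink until there is no further page; fetch(url) returns the next page."""
    page, apps = first_page, []
    while True:
        apps.extend(page.get("value", []))
        next_link = page.get("@odata.nextLink")
        if not next_link:
            return apps
        page = fetch(next_link)


def credential_findings(app, now, window_days=7):
    """Return every secret or certificate that has expired or expires within window_days."""
    cutoff = now + timedelta(days=window_days)
    findings = []
    for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
        for cred in app.get(field) or []:
            end = parse_graph_time(cred["endDateTime"])
            if end > cutoff:
                continue
            findings.append({
                "kind": kind,
                "keyId": cred.get("keyId"),
                "name": cred.get("displayName") or "(unnamed)",
                "endDateTime": end,
                "days_left": (end - now).days,  # negative once already expired
                "status": "expired" if end <= now else "expiring",
            })
    return findings


def build_report(apps, now, window_days=7):
    """One entry per application that needs attention, with who should be notified."""
    report = []
    for app in apps:
        findings = credential_findings(app, now, window_days)
        if not findings:
            continue
        owners = [o.get("userPrincipalName") or o["id"] for o in app.get("owners") or []]
        report.append({
            "appId": app["appId"],
            "displayName": app["displayName"],
            "owners": owners,
            "needs_escalation": not owners,  # no owner means the mail has nowhere to go
            "findings": findings,
        })
    return report


if __name__ == "__main__":
    for entry in build_report(collect_pages(PAGE_1, PAGES.__getitem__), NOW):
        target = ", ".join(entry["owners"]) or "NO OWNER - escalate"
        for f in entry["findings"]:
            print(f"{entry['displayName']}: {f['kind']} {f['name']} {f['status']} "
                  f"({f['days_left']} days, ends {f['endDateTime']:%Y-%m-%d}) -> {target}")
```

In a real run, fetch would be an authenticated HTTP GET against the nextLink URL (the Graph SDKs do this for you), and the report feeds whatever sends the email; the rest of the logic is unchanged.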

Summary

We have seen how to list all Microsoft Entra ID applications using the Microsoft Graph API, read each client secret and its expiry date, and send an alert to the application owner before the secret expires. We will see more about managing Entra ID applications with the Graph API in the next blog.