Solution was designed for the purpose of providing the ability to monitor and notify in the event of App Registration\Service Principal Name (SPN) secret key or certificate coming within the threshold of expiring. The solution is designed to be cross tenant and requires an App Registration\SPN in the desired environment with Global Reader rights. Utilizing Azure Automation (AA) and AA resources like Variables and Credentials our runbook pulls an array of SPN’s from the environment and calculates the time until expiration before using our custom function to send the data to a Log Analytics Workspace. Finally, Azure Monitor alerts can be triggered based on a Kusto query to notify resources that there are SPN’s within the threshold for expiration.
Azure services do not have a native feature to report on expiring App registrations. Without a solution in place to monitor and notify on expiration of these SPN’s solutions ranging from Custom Apps, and DevOps CI\CD Pipelines too orchestration engines like Azure Automation and Logic Apps, can and will cease to function without notice.
- Purpose: To provide an automated mechanism of calculating and ingesting the expiration dates into Log Analytics and automatically notify resources when expiration is within threshold.
- Requisites: This solution consists of:
- 1 Runbook consisting of the PowerShell script in this document.
- 2 Automation Variables containing the Log Analytics Workspace ID and the Log Analytics Primary Key.
- 1 SPN in the monitored cloud environment with Global Reader role.
This document will not go over creating the runbook and scheduling its execution but does provide the source code and how to setup the requisite assets.
The App Registration Monitor is a SPN or App Registration that is created in the Azure Active Directory (AAD) tenant to be monitored. The SPN must have Global Reader rights in order to query all App Registrations and their property fields.
1. From the desired AAD resource navigate to App Registrations ->New Registration -> In the Name: AppRegistrationMonitor
- Account Types: Accounts in this organizational directory only
- Redirect URL: Blank
- Click Register
2. Once the account has been created you will be redirected to the account Overview pane. Copy the value for the Application (client) ID to a notepad.
- Description: Optional
- Expires: 1 year
- Click Add
- Before navigating away Copy the Value to Notepad.
4. Navigate to Azure Active Directory -> Roles and Administrators -> Global Reader -> Add Assignments. Select the AppRegistrationMonitor account and click ok.
- Name: AppRegistrationMonitor
- Description: Optional
- User name: Paste the Application Client ID from step 2
- Password: Paste the Secret Value from Step 3
- Confirm Password: Paste the Secret Value from Step 3
- Click Create
The Log Analytics Primary key is an Azure Automation variable that can be encrypted to prevent unauthorized disclosure. To obtain the key, navigate to the Log Analytics Workspace -> Agents Management and copy the Primary Key field.
Once you have the key, return to the Azure Automation Account -> Variables -> + Add Variable.
- Name: LogAnalyticsPrimaryKey
- Description: Optional
- Type: String
- Value: Paste the key
- Encrypted: Yes
- Click Create
The Log Analytics Workspace ID is an Azure Automation variable that can be encrypted to prevent unauthorized disclosure. To obtain the key, navigate to the Log Analytics Workspace -> Agents Management and copy the WorkspaceID field.
Once you have the key, return to the Azure Automation Account -> Variables -> + Add Variable.
- Name: LogAnalyticsWorkspaceID
- Description: Optional
- Type: String
- Value: Paste the key
- Encrypted: Optional Click Create
The Tenant ID for the cloud environment that is going to be monitored is an Azure Automation variable that can be encrypted to prevent unauthorized disclosure. To obtain the key, navigate to the AppRegistrationMonitor SPN in Azure Active Directory on the Overview page you will find the Directory (tenant) ID Copy the value. Once you have the ID, return to the Azure Automation Account -> Variables -> + Add Variable.
- Name: MonitoredTenantID
- Description: Optional
- Type: String
- Value: Paste the key
- Encrypted: Optional Click Create
Navigate to your Automation Accout -> Modules Gallery Search for and select Az.Accounts. Click Import. Search for and select Az.Resources. Click Import.
Navigate to your Automation Account -> Runbooks -> Click +Create a runbook Give the runbook a name. Select "PowerShell" as Runbook type and click Create. Copy the PowerShell script from "Get-AppRegistrationExpiration.ps1" into the Runbook. Click Publish and Yes to confirm. From the Automation account Overview, click Start to run the task and confirm it completes with no errors. Within the Runbook, go to Schedules. Add/create a schedule that runs this scripts periodically.
To create the Azure monitor alert rule, navigate to Monitor -> Alerts -> New alert rule.
AppRegistrationExpiration_CL | summarize arg_max(TimeGenerated,*) by KeyId_g | where DaysToExpiration_d <= 50 //Change this value to the expiration threshold | where TimeGenerated > ago(1d) | project TimeGenerated, DisplayName_s, ApplicationId_Guid_g, Type_s, StartDate_value_t, EndDate_value_t, Status_s, DaysToExpiration_d
Note: If the kusto query presents an error that it "failed to resolve table or column expression" you may need to wait and try again later.
- Input a 0 to the threshold Value box.
- And change the evaluation to 1440 and 1440 for a daily run.
- Click Done
If you do not already have one click Create action Group and follow the prompts. Fill out the Basic and Notifications Tabs.
- Subject Line: NoReply: WARNING:: AppRegistrations Expiring
- Alert Rule Name: AppRegistrationsExpiring Notifications
- Description: Optional
- Save Alert rule to resource group: Select Log Analytics Workspace RG
- Severity: Warning Sev 1
- Enable alert rule upon creation: Checked
- Suppress alert: not checked.
- Create alert rule