Introduction
Azure AD app registration, commonly known as Service Principal, is one of the most preferred methods for communicating with Azure services using tools or scripts to update or modify them. App Registrations are an integral part of security validation, providing authentication and authorization for applications. Organizations often prefer using service accounts over user accounts to deploy code using CI/CD or any other third-party tools for integration with Azure resources. This approach ensures consistency and reliability by building configurations only once and relying on a service managed by the AAD team of the organization. By utilizing Service Principal, organizations can establish secure and efficient communication between their applications and Azure services, ensuring smooth operations and maintaining data integrity.
Why Is It Needed?
Azure services lack a built-in feature to track expiring App registrations, which can cause issues with existing integrations and authorization methods used in automation scripting, trigger-based Function Apps, and services that require interaction in Azure. Without a solution for monitoring and notifying on the expiration of these AD App registrations, DevOps CI/CD pipelines can suddenly stop functioning, causing serious disruptions. Initially, there was an option to create a secret that never expired, but this option has been removed from AD App registration settings due to security concerns, and now the expiration date can be set for a maximum of 24 months. It is crucial for organizations to implement a reliable monitoring solution to ensure the continuous operation of their Azure services and avoid any potential security risks associated with expired App registrations.
Approaches
- Using Logic Apps and Function Apps
- Using paid monitoring tools
- Using Azure automation accounts
One possible solution is to create a function app that tracks the expiry of secrets of AD App registration, and a logic app that gets triggered based on business logic and notifies based on monitoring tools. However, running multiple function apps and logic apps can be costly.
Another option is to use paid solutions like Serverless 360 monitoring, which takes care of notifying about expiration.
The third solution is to use Azure automation accounts, which can run PowerShell scripts as jobs. To receive email notifications, we can use a SendGrid account (free tier available) without any extra integration steps with other resources. In this blog, we will discuss the third solution.
Simplified Approach Using Azure Automation Accounts
To track AD application secret expiry, we will use PowerShell, automation accounts, and SendGrid for notification.
- To begin, we need to connect to Azure AD with another app registration that has Global reader permission. For authentication, we will use a self-signed X.509 certificate instead of a secret.
- Once connected, we can fetch a list of all app registrations, which will provide an array of all app registrations, including their secret expiry details. We can then compare this information with today’s date to identify which secrets are expired, going to expire soon, or still valid.
- After collecting the necessary information, we can use SendGrid PowerShell API v3 commands to send an email notification using an API Key and an HTML body.
- Once the PowerShell script is ready, we should upload it to an Azure automation runbook and test it by running it in the Test pane. The email sent will look something like this:
With this approach, we can proactively monitor and manage AD application secrets, ensuring the continuous operation of our Azure services and avoiding any potential security risks associated with expired secrets.
Conclusion
The simplest and most cost-effective approach, involving DevOps services, has been outlined above. Using this method, we can establish an Automation account job to monitor and alert the team about expiring credentials. This proactive approach allows them to renew credentials in advance, preventing potential last-minute disruptions that could impact integrated applications or pipelines.
With expertise in Azure and AWS platforms, eInfochips has led strategic cloud initiatives such as cloud-native design and development, monolithic to microservices architecture, and enterprise cloud migration. Our team consists of over 500 engineers who support Azure/AWS based projects, including more than 100 Azure/AWS certified experts. By leveraging our Cloud expertise, we have made a significant impact on our customers’ key business metrics, such as achieving a 50% reduction in TCO and TTM, monetizing on additional revenue streams, and enabling new business models.