
Monitor Your Expired Azure App Certificates

Author: Eitan Talmi

Published on: Jan 9, 2023

This article will explain how to build an automation account to monitor your Azure App Certificates and to notify you before expiration.

Prepare the Certificates

  1. Open a PowerShell window as administrator.
  2. Run the following command:
            New-SelfSignedCertificate -Subject 'CN=AzureAppCertsChecker' -KeyLength 2048 -KeyUsageProperty All -KeyAlgorithm 'RSA' -HashAlgorithm 'SHA256' -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' -NotAfter (Get-Date).AddYears(10)
        
  3. Extract the certificate from your computer using MMC.
  4. The certificate will be in the Personal store; export it twice, once with the private key (.pfx) and once without (.cer).
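Steps 3 and 4 can also be done from the same PowerShell window instead of MMC. The following is an added example, not code from the article: it assumes the certificate was created with the subject above in the current user's Personal store (the New-SelfSignedCertificate default), that the output folder C:\Certs exists, and it prompts for a PFX password of your choosing.

```powershell
# Added example (not from the article): export the self-signed certificate from PowerShell
# instead of MMC. Assumes Subject 'CN=AzureAppCertsChecker' in Cert:\CurrentUser\My and an
# existing C:\Certs folder; the PFX password is entered at the prompt.

$subject = 'CN=AzureAppCertsChecker'
$outDir  = 'C:\Certs'

# Pick the newest certificate with that subject (repeated runs of the command create several)
$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No certificate with subject $subject found in Cert:\CurrentUser\My" }

# Public part only (.cer): this is the file uploaded to the App registration
Export-Certificate -Cert $cert -FilePath (Join-Path $outDir 'AzureAppCertsChecker.cer') -Type CERT | Out-Null

# Public + private key (.pfx): this is the file uploaded to the Automation Account.
# The password protects the private key at rest; keep the .pfx out of source control.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $outDir 'AzureAppCertsChecker.pfx') -Password $pfxPassword | Out-Null

# Record the thumbprint: the runbook authenticates with it, and the portal shows it after upload
"Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"
```

Only the .cer goes to the App registration; the .pfx is needed solely by the Automation Account, so it can be deleted from the workstation once uploaded.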

Create the App

  1. Go to Azure App registrations.
  2. Click on New registration, give a name to the application, and click on Register.
  3. Click on the app you just created and click on Certificates & secrets.
  4. Click on Certificates and then on Upload certificate.
  5. Choose the certificate without the private key you exported.
  6. Click on API permissions.
  7. Click on Add a permission.
  8. Click on Microsoft Graph and on Application permissions.
  9. Search for mail and under the Mail section check all five.
  10. Search for application and check Application.Read.All.
  11. Click on Add permissions.
  12. Click on Grant admin consent for….
  13. Click on Overview and copy the Application (client) ID and Directory (tenant) ID.

Assign Roles to the App

  1. Go to Azure Roles.
  2. Click on Application Administrator.
  3. Click on Add assignments and add the app you created.

Create the Automation Account

  1. Go to Azure Automation Accounts.
  2. Click on Create and create a new account.
  3. Go to Microsoft.Graph.Authentication.
  4. Click on Azure Automation and then click on Deploy to Azure Automation to deploy it to your new account.
  5. Repeat for Microsoft.Graph.Mail, Microsoft.Graph.Users.Actions, and AzureAD.
  6. Go back to your Automation Account, click on Modules, and ensure the status of all modules is available.
  7. Click on Certificates, then on Add a certificate, and upload the certificate with the private key. Note the name you gave it.

Deploy the Code

  1. Click on Runbooks and then on Create a runbook.
  2. Type a name, select PowerShell as the runbook type, and select 5.1 as the runtime version.
  3. Click on Edit and paste the following code:
$cert = Get-AutomationCertificate -Name 'Certificate Name'
$TenantID = 'Tenant ID'
$ClientID = 'Client ID'

# Authenticate with the certificate stored in the Automation Account (no secret in the code)
Connect-AzureAD -TenantId $TenantID -ApplicationId $ClientID -CertificateThumbprint $cert.Thumbprint
Connect-MgGraph -TenantId $TenantID -ClientId $ClientID -CertificateThumbprint $cert.Thumbprint

# Credential expiration filter: report anything expiring within this many days (for example 30)
$LimitExpirationDays = 30

# Collect the password (secret) and key (certificate) credentials that expire within the range above
$SecretsToExpire = Get-AzureADApplication -All:$true | ForEach-Object {
    $app = $_
    @(
        Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
        Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
    ) | Where-Object {
        $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)
    } | ForEach-Object {
        # CustomKeyIdentifier is a byte array; decode it so the report shows the friendly name
        $id = 'Not set'
        if ($_.CustomKeyIdentifier) {
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
        }
        [PSCustomObject]@{
            App           = $app.DisplayName
            ObjectID      = $app.ObjectId
            KeyIdentifier = $id
            EndDate       = $_.EndDate
        }
    }
}

if ($SecretsToExpire.Count -ne 0) {
    # Optional HTML header (title, styles); left empty here
    $Header = @"

"@

    $results = $SecretsToExpire | Sort-Object App | ConvertTo-Html -Fragment -As Table
    $body = $results -join ' '
    $HTML = -join ($Header, $body)
    $MessageBody = @{
        ContentType = 'html'
        Content     = $HTML
    }

    Write-Output $MessageBody
    # Placeholder addresses: the sender is the mailbox the message is created in and sent from
    $recipient = @(@{ emailAddress = @{ address = 'recipient@yourdomain.com' } })
    $NewMessage = New-MgUserMessage -UserId 'sender@yourdomain.com' -Body $MessageBody -ToRecipients $recipient -Subject 'Expiring Client Certificate Secrets'
    Send-MgUserMessage -UserId 'sender@yourdomain.com' -MessageId $NewMessage.Id
}
            
        
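The same scan can be written against the Microsoft Graph modules alone, which removes the dependency on the AzureAD module and the second sign-in. The following is an added example and not the article's runbook: it assumes the Microsoft.Graph.Applications module (for Get-MgApplication) is deployed to the Automation Account alongside the modules above, and the filtering is a function over application objects so it can be run against constructed sample data without a tenant. Tenant ID, client ID and the sample application IDs are placeholders. It goes slightly beyond the article's code by reporting days remaining and by flagging credentials that have already expired.

```powershell
# Added example (not from the article): Graph-only expiry scan. Requires Microsoft.Graph.Applications
# for the live query; the function itself only needs objects with DisplayName, Id, KeyCredentials
# and PasswordCredentials, so the constructed sample below runs offline.

function Get-ExpiringAppCredential {
    param(
        [Parameter(Mandatory)] [object[]] $Applications,
        [int] $LimitExpirationDays = 30,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays($LimitExpirationDays)
    foreach ($app in $Applications) {
        # Certificates (KeyCredentials) and client secrets (PasswordCredentials) are reported together
        $creds = @()
        foreach ($k in @($app.KeyCredentials))      { $creds += [PSCustomObject]@{ Type = 'Certificate'; Cred = $k } }
        foreach ($p in @($app.PasswordCredentials)) { $creds += [PSCustomObject]@{ Type = 'Secret';      Cred = $p } }
        foreach ($c in $creds) {
            $end = [datetime]$c.Cred.EndDateTime
            if ($end -ge $cutoff) { continue }
            $name = 'Not set'
            if ($c.Cred.DisplayName) { $name = $c.Cred.DisplayName }
            [PSCustomObject]@{
                App      = $app.DisplayName
                ObjectId = $app.Id
                Type     = $c.Type
                Name     = $name
                KeyId    = $c.Cred.KeyId
                EndDate  = $end
                # Negative DaysLeft means the credential has already expired
                DaysLeft = [int]($end - $Now).TotalDays
            }
        }
    }
}

# --- Constructed sample input (not real tenant data); KeyIds are placeholders ---
$now = Get-Date
$sampleApps = @(
    [PSCustomObject]@{
        DisplayName = 'Sample App A'; Id = '00000000-0000-0000-0000-000000000001'
        KeyCredentials      = @(@{ DisplayName = 'CN=AppA';  KeyId = 'k1'; EndDateTime = $now.AddDays(10) })
        PasswordCredentials = @(@{ DisplayName = 'secret-1'; KeyId = 'p1'; EndDateTime = $now.AddDays(200) })
    },
    [PSCustomObject]@{
        DisplayName = 'Sample App B'; Id = '00000000-0000-0000-0000-000000000002'
        KeyCredentials      = @()
        PasswordCredentials = @(@{ DisplayName = $null; KeyId = 'p2'; EndDateTime = $now.AddDays(-3) })
    }
)
# Expected: App A's certificate (10 days left) and App B's secret (already expired, -3 days)
Get-ExpiringAppCredential -Applications $sampleApps -LimitExpirationDays 30 | Format-Table

# In the runbook, replace the sample with live data:
#   Connect-MgGraph -TenantId 'Tenant ID' -ClientId 'Client ID' -CertificateThumbprint $cert.Thumbprint
#   $apps = Get-MgApplication -All -Property DisplayName,Id,KeyCredentials,PasswordCredentials
#   Get-ExpiringAppCredential -Applications $apps
```

Because Application.Read.All is sufficient for Get-MgApplication, this variant works without the Application Administrator role assignment if reading is all the app needs to do.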

Saving the Runbook

  1. Replace the placeholder values with your actual certificate name, tenant ID, client ID, and sender and recipient mailbox addresses.
  2. Click on Save.
  3. Click on Test pane, then on Start, and ensure your code runs without errors.
  4. Go back to your code and click on Publish.

Add a Schedule

  1. Click on Runbooks and then on the runbook you created.
  2. Click on Link to schedule.
  3. Click on Link a schedule to your runbook.
  4. Click on Add a schedule, fill in the details, and click on Create.

Limit the Application

  1. Create a Mail-Enabled security group.
  2. In this group, add the mailboxes the app should be allowed to send email to and from.
  3. From PowerShell, connect to Exchange Online.
  4. Run the following command:
            New-ApplicationAccessPolicy -AppId <ClientID> -PolicyScopeGroupId <MailEnabledSecurityGroup> -AccessRight RestrictAccess -Description "Limit my app application emails sending"
        
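The group, the policy, and a check that the policy actually restricts the app can all be done from the same Exchange Online session. The following is an added example, not the article's command: it assumes the ExchangeOnlineManagement module, and the app ID, group name and mailbox addresses are placeholders.

```powershell
# Added example (not from the article): create the mail-enabled security group, scope the app
# to it, and verify the result. Requires ExchangeOnlineManagement; all identifiers are placeholders.

Connect-ExchangeOnline

$appId   = '<ClientID>'                 # Application (client) ID from the App registration
$group   = 'AppCertsChecker-Mailboxes'  # name of the mail-enabled security group
$members = @('sender@yourdomain.com', 'recipient@yourdomain.com')

# A mail-enabled security group is a distribution group of type Security
if (-not (Get-DistributionGroup -Identity $group -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $group -Type Security -Members $members | Out-Null
}

# Restrict the app to mailboxes in the group. Without a policy, the Mail.* application
# permissions granted earlier apply to every mailbox in the tenant.
New-ApplicationAccessPolicy -AppId $appId -PolicyScopeGroupId $group -AccessRight RestrictAccess -Description 'Limit AzureAppCertsChecker mail access to the notification group'

# Verify: expect Granted for a group member and Denied for any other mailbox.
# The policy can take a while to propagate; re-run the check if every result is still Granted.
foreach ($mailbox in @('sender@yourdomain.com', 'someone-else@yourdomain.com')) {
    $r = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $appId
    '{0,-35} {1}' -f $mailbox, $r.AccessCheckResult
}
```

Re-run the Test-ApplicationAccessPolicy loop whenever the group membership changes; it is the quickest way to confirm the app cannot read or send from mailboxes outside the intended scope.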

Following these steps will help you effectively monitor your Azure App Certificates and receive notifications before they expire.