Azure Service Principal Expiry Notification
What is Azure App Registration?
Azure App Registration is a service provided by Microsoft Azure that enables developers to register their web or mobile applications, and obtain the necessary credentials for authentication and authorization.
By registering an application in Azure, developers can access various Azure services, such as Azure Active Directory (Azure AD), Azure API Management, and Azure Functions. App registration provides a unique identifier (Application ID) and a secret key (Client Secret) that are used for authentication and authorization. These credentials are also used to manage access to Azure resources.
What is Azure Service Principal?
In Azure, a service principal is a security identity that is used by applications, services, and automation tools to access Azure resources. A service principal is an instance of an Azure Active Directory (Azure AD) application, and it is typically used to authenticate and authorize access to Azure resources without the need for human interaction.
Azure service principals are commonly used in scenarios such as:
- Automating Azure resource management: Service principals can be used to run automation scripts, tools, and other services to manage Azure resources programmatically, without requiring manual authentication or user intervention.
- Granting permissions to applications: Service principals can be assigned roles, permissions, and access policies to authorize access to specific Azure resources. This enables applications to interact with Azure resources in a secure and controlled manner.
- Integrating with external services: Service principals can be used to integrate Azure with other services or platforms that support OAuth2 authentication. This allows for seamless authentication and authorization between the services.
To create a service principal, developers must first create an Azure AD application and then configure the necessary permissions and roles. After creating a service principal, developers can obtain the necessary credentials (client ID, client secret) to authenticate and authorize access to Azure resources.
Overall, Azure service principals are an important aspect of Azure security, enabling secure access to Azure resources by automation tools, applications, and other services.
Challenges with maintaining the secrets
Expiry Alert
We ran into this issue recently, where the Azure DevOps pipeline Service Principal’s secret expired without any indication that the expiry date was nearing. I would have assumed that critical components such as this would give some alert a week or so in advance, in order to update them in a timely manner. (Agree…?)
If you are reading this, you have most likely already run into this issue, and the pipeline breakages it causes, in the past.
Solution to deal with it
A PowerShell module that extracts the soon-to-expire SPs from Azure AD and lets you configure notifications to the SP owners.
Install-Module -Name AzAppRegistrationExpiry
How it works ?
Soon expiring SP’s
Install-Module -Name AzAppRegistrationExpiry
Import-Module -Name AzAppRegistrationExpiry
Syntax:
Get-ExpiringSPN -TimeFrameInDays <NumberDaystoExpire> -expiry
Example:
$data = (Get-ExpiringSPN -TimeFrameInDays 30 -expiry)
The command above returns the details of every SP whose secret expires within the coming month, as shown in the image below.
As the image shows, the output contains all the information needed about each expiring SP, including whom to contact.
The same returned array can be used to send expiry notifications to the respective OwnerUPN.
SP’s with invalid expiry dates (Expiring in 2–10 years)
As a best practice, SP secrets should be rotated at least every 6 months; keeping them for 1 year at most can be acceptable in some scenarios involving deployments and app integrations, but anything beyond that is a big NO. To find SPs with an unexpected secret expiry date (2299, 2032, etc.), you can use the same module.
Install-Module -Name AzAppRegistrationExpiry
Import-Module -Name AzAppRegistrationExpiry
Syntax:
Get-ExpiringSPN -TimeFrameInDays <NumberDaystoExpire> -InvalidExpiry
Example:
$data = (Get-ExpiringSPN -TimeFrameInDays 600 -InvalidExpiry)
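As an added example that is not the AzAppRegistrationExpiry module's own code, the same two checks (secrets expiring within a time frame, and secrets with an unreasonably distant expiry) written directly against the Microsoft Graph PowerShell SDK, with each finding tagged with the owner UPNs so notifications can be routed per owner. It assumes the Microsoft.Graph.Applications module and a Connect-MgGraph session granted Directory.Read.All (the DirectoryReadAll prerequisite below); the function and parameter names are hypothetical.

```powershell
# Added example, not the module's code. Assumes Microsoft.Graph.Applications is installed
# and the session was opened with:  Connect-MgGraph -Scopes 'Directory.Read.All'
function Get-AppSecretExpiryReport {
    param(
        [int]$TimeFrameInDays  = 30,   # flag credentials expiring within this window
        [int]$MaxLifetimeInDays = 365  # flag credentials whose expiry lies further out than this
    )
    $now = [DateTime]::UtcNow
    $report = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials) {
        # Owner UPNs, so every finding can be sent to the people able to rotate the secret
        $owners = (Get-MgApplicationOwner -ApplicationId $app.Id -All |
            ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
            Where-Object { $_ }) -join ';'
        # Client secrets and certificates are reported the same way
        $creds = @($app.PasswordCredentials | ForEach-Object {
                    [pscustomobject]@{ Type = 'Secret';      Name = $_.DisplayName; KeyId = $_.KeyId; End = $_.EndDateTime } }) +
                 @($app.KeyCredentials      | ForEach-Object {
                    [pscustomobject]@{ Type = 'Certificate'; Name = $_.DisplayName; KeyId = $_.KeyId; End = $_.EndDateTime } })
        foreach ($c in $creds) {
            if (-not $c.End) { continue }
            $daysLeft = [int][Math]::Floor(($c.End.ToUniversalTime() - $now).TotalDays)
            $status = if ($daysLeft -lt 0)                    { 'Expired' }
                      elseif ($daysLeft -le $TimeFrameInDays)  { 'ExpiringSoon' }
                      elseif ($daysLeft -gt $MaxLifetimeInDays) { 'InvalidExpiry' }
                      else                                     { $null }
            if (-not $status) { continue }   # healthy credential, nothing to report
            [pscustomobject]@{
                AppName        = $app.DisplayName
                AppId          = $app.AppId
                CredentialType = $c.Type
                CredentialName = $c.Name
                KeyId          = $c.KeyId
                ExpiresOn      = $c.End
                DaysLeft       = $daysLeft
                Status         = $status
                OwnerUPN       = $owners
            }
        }
    }
    $report | Sort-Object DaysLeft
}

# Usage: one notification per owner for the credentials that expire soon
$data = Get-AppSecretExpiryReport -TimeFrameInDays 30 -MaxLifetimeInDays 365
$data | Where-Object Status -eq 'ExpiringSoon' | Group-Object OwnerUPN
```

Credentials with a distant expiry show up as InvalidExpiry alongside the expiring ones, so a single scheduled run (Automation Account or Function App, as listed below) covers both cases.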
PreReqs
Permission needed — Azure AD DirectoryReadAll
How can we use this module?
Local PS Console with Connect-AzAccount
Automation Account with MI permitted for DirectoryReadAll
FunctionApp with MI permitted for DirectoryReadAll