MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

No mention on how to monitor expiration date of client or certificate #115761

Closed ErnestoAzure closed 1 year ago

ErnestoAzure commented 1 year ago

This article tells me to add a certificate or a client.

In the client credentials it is clearly mentioned that you need to enter an expiration date, maximum 24 months, with a recommendation of less than 12 months. That is good.

So this is what is going to happen. I am going to enter the expiration date and forget about it. Then when the date arrives, I will have an outage :)

Can you please provide an indication of how to monitor the expiration date so it can be renewed in advance to avoid outage situations?

Certificates normally also have an expiration date, so the guidance should cover that too.


AjayBathini-MSFT commented 1 year ago

@ErnestoAzure Thanks for your feedback! We will investigate and update as appropriate.

SaibabaBalapur-MSFT commented 1 year ago

@ErnestoAzure To monitor the expiration date of client credentials or certificates, you can use Azure AD's built-in email notification feature. By default, Azure AD sends email notifications to the user who created the Enterprise Application 60, 30, and 7 days before the certificate or client credential expires. However, you can add up to 5 email addresses to the notification list, including the email address of the admin who added the application.

To add email notification addresses for certificate expiration, you can follow the steps outlined in the Azure AD documentation.

Additionally, you can use PowerShell scripts to export all app registrations with expiring secrets, certificates, and their owners for the specified apps from your directory in a CSV file. This can help you keep track of the expiration dates and take action before they expire.

You can find more information on how to export app registrations with expiring secrets and certificates through PowerShell scripts in the Azure AD documentation.

I hope this helps! Let me know if you have any further questions.
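The CSV export described in the reply above, written out as an added example (this is not code from the thread or from Microsoft's documentation). It uses the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module, PowerShell 7 for the `??` operator) and assumes the signed-in account has `Application.Read.All` and `Directory.Read.All`; the threshold, output path and column names are the example's own choices. It covers both kinds of credential the issue asks about: client secrets (`PasswordCredentials`) and certificates (`KeyCredentials`), and it also reports credentials that have already expired, since those are the ones that cause the outage.

```powershell
# Added example: list app registration secrets and certificates that expire within
# $DaysAhead days (or have already expired), with owners, and export them to CSV.
# Assumptions: Microsoft.Graph module installed, PowerShell 7+, caller granted
# Application.Read.All and Directory.Read.All. Not part of the original thread.
param(
    [int]$DaysAhead = 60,
    [string]$OutFile = ".\expiring-app-credentials.csv"
)

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$nowUtc = (Get-Date).ToUniversalTime()
$cutoff = $nowUtc.AddDays($DaysAhead)

$rows = foreach ($app in Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials) {
    # Resolve owners once per app. Users expose userPrincipalName; service principal
    # owners do not, so fall back to displayName and finally the object id.
    $owners = (Get-MgApplicationOwner -ApplicationId $app.Id -All | ForEach-Object {
        $_.AdditionalProperties['userPrincipalName'] ?? $_.AdditionalProperties['displayName'] ?? $_.Id
    }) -join ';'

    # Normalise secrets and certificates into one list so they share the same checks
    $creds = @()
    $creds += $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }
    $creds += $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } }

    foreach ($c in $creds) {
        $end = $c.Cred.EndDateTime
        if ($null -eq $end) { continue }          # no expiry recorded; nothing to monitor
        $endUtc   = $end.ToUniversalTime()
        $daysLeft = [math]::Floor(($endUtc - $nowUtc).TotalDays)

        # Keep only what needs attention: expired, or expiring on/before the cutoff
        if ($endUtc -le $cutoff) {
            [pscustomobject]@{
                Application    = $app.DisplayName
                AppId          = $app.AppId
                CredentialType = $c.Kind
                CredentialName = $c.Cred.DisplayName
                KeyId          = $c.Cred.KeyId
                ExpiresUtc     = $endUtc.ToString('u')
                DaysLeft       = $daysLeft
                Status         = if ($daysLeft -lt 0) { 'EXPIRED' } else { 'EXPIRING' }
                Owners         = $owners
            }
        }
    }
}

$rows = @($rows) | Sort-Object DaysLeft
$rows | Export-Csv -Path $OutFile -NoTypeInformation
$rows | Format-Table Application, CredentialType, DaysLeft, Status, Owners -AutoSize
Write-Host "$($rows.Count) credential(s) expire on or before $($cutoff.ToString('u')); written to $OutFile"
```

Run it on a schedule (for example from an automation account or a pipeline) and route the CSV, or just the `EXPIRED`/`EXPIRING` rows, to the owners column; that gives the advance warning for client secrets that the portal does not send on its own. Credentials with an empty owners column are worth flagging separately, since nobody will be told when they expire.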

ErnestoAzure commented 1 year ago

Let's focus on the "Add a client secret" section of https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

What do I need to configure and where for me and other colleagues to receive e-mail notifications 60, 30, and 7 days before secret expires?

I can go to Microsoft Entra admin center and find the app. I am an owner of the app (but not the creator). I can find the secret but I cannot find where to add the e-mails to receive expiry notifications.

Can you help please?

SaibabaBalapur-MSFT commented 1 year ago

@ErnestoAzure To add email addresses to receive notifications for the client secret expiration, you need to go to the Azure portal and follow these steps:

  1. Go to the Azure portal and navigate to the app registration you want to configure.
  2. Select "Certificates & secrets" from the left-hand menu.
  3. Select the client secret you want to configure.
  4. Under "Managed Expiration", you can add up to 5 email addresses to receive notifications for the client secret expiration.
  5. Once you have added the email addresses, select "Save" to save the changes.

After you have added the email addresses, Azure AD will send an email notification 60, 30, and 7 days before the client secret expires. If you need more people to be notified, you can use distribution list emails.

ErnestoAzure commented 1 year ago

Thanks for your help. I do not see "Managed Expiration"

[screenshot]

SaibabaBalapur-MSFT commented 1 year ago

@ErnestoAzure Add email notification addresses for certificate expiration. Azure AD will send an email notification 60, 30, and 7 days before the SAML certificate expires. You may add more than one email address to receive notifications. To specify the email address(es), you want the notifications to be sent to:

  1. In the SAML Signing Certificate page, go to the notification email addresses heading. By default, this heading uses only the email address of the admin who added the application.
  2. Below the final email address, type the email address that should receive the certificate's expiration notice, and then press Enter.
  3. Repeat the previous step for each email address you want to add.
  4. For each email address you want to delete, select the Delete icon (garbage can) next to the email address.
  5. Select Save.

You can add up to five email addresses to the Notification list (including the email address of the admin who added the application). If you need more people to be notified, use distribution list emails.

You'll receive the notification email from azure-noreply@microsoft.com. To avoid the email going to your spam location, add this email to your contacts.

Here Microsoft document might be helpful. https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on#:~:text=experience%20application%20outage.-,Add%20email%20notification%20addresses%20for%20certificate%20expiration,going%20to%20your%20spam%20location%2C%20add%20this%20email%20to%20your%20contacts.,-Renew%20a%20certificate

ErnestoAzure commented 1 year ago

Hi Saibaba,

Thanks for sharing the info about certificates. But the case I am really interested in is client secrets, not certificates. In the Client secrets tab I cannot see the "manage expiration" option. See the screenshot provided above.

Ernesto

SaibabaBalapur-MSFT commented 1 year ago

@ErnestoAzure I understand now. Unfortunately, the "Managed Expiration" feature is a built-in policy in Azure that allows you to set an expiration date for certificates stored in Azure Key Vault. When you enable this policy, you can specify the number of days until the certificate expires, and Azure will automatically send notifications to the email addresses you specify when the certificate is about to expire. This feature is only available for certificates and not for client secrets.

You can find more information about the "Managed Expiration" feature in the Azure documentation here: https://docs.microsoft.com/en-us/azure/key-vault/certificates/about-certificates#managed-certificate-lifecycle

I'd recommend working more closely with our support team via an Azure support request. Or you can leverage our Q&A forum by posting your issue there so our community and MVPs can further assist you in troubleshooting this issue or finding potential workarounds.

I hope this helps! Let me know if you have any other questions.

We are going to close this thread as resolved but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.