🔐 Recipe · Entra ID & Identity

Find Entra ID App Registrations With Secrets or Certificates Expiring Soon

Audit all app registrations for client secrets and certificates nearing expiration so you can coordinate renewals before outages occur

Complexity

Intermediate

Impact

prevents-outage + security-hygiene + automation-friendly + scheduled-audit

Context

Why This Matters

Every Entra ID (Azure AD) application registration that integrates with APIs, SaaS apps, or custom workloads authenticates using either a client secret (passwordCredential) or a certificate (keyCredential). When those credentials expire, the app silently stops working, causing broken integrations, failed automations, and production outages that are notoriously hard to diagnose after the fact.

Microsoft does not send proactive alerts for expiring app credentials by default. This recipe gives you a repeatable audit so you can find soon-to-expire secrets/certs across the entire tenant and coordinate renewals with the app owners in advance.

When to run it

  • Weekly, as a scheduled housekeeping task
  • Before scheduled change freezes or holidays
  • After inheriting a new tenant or taking over IT responsibilities
  • Whenever a production integration fails with an AADSTS7000222 or AADSTS700027 error

Expected Outcomes

What you will have

  • A complete list of app registrations with credentials expiring within a configurable window (default: 7 days)
  • For each app: display name, appId, object id, credential type (secret vs. certificate), credential display name, and exact expiry timestamp
  • Enough information to contact app owners and coordinate renewal before expiration
  • An auditable record you can re-run on a schedule or commit to a runbook

Risks & Considerations

Warnings & gotchas

  • Don't rotate credentials without the app owner. Replacing a secret/cert on the app registration breaks any workload still using the old credential. Always add the new one first, redeploy, then remove the old.
  • Enterprise Applications ≠ App Registrations. This audit targets /applications (app registrations). Service principals for gallery SaaS apps rarely carry secrets you manage, so focus on custom/line-of-business apps.
  • Federated credentials are not covered. Workload identity federation credentials (used by GitHub Actions, Kubernetes, etc.) don't expire the same way and use a different endpoint (/applications/{id}/federatedIdentityCredentials).
  • Permission scope: Reading passwordCredentials and keyCredentials requires Application.Read.All at minimum. The secret value is never returned, only the hint and metadata.
  • Pagination matters. Large tenants can have thousands of app registrations. Don't forget to follow @odata.nextLink or you will miss apps.
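The audit described above, as an added example that is not part of the original recipe and not Dex's own code: it walks the Microsoft Graph /applications collection page by page (following @odata.nextLink until it is absent), inspects every passwordCredential and keyCredential, and returns the fields listed under "What you will have" for each credential whose endDateTime falls inside the window. The two sample pages, the app names, the GUIDs and the $skiptoken value are constructed so the script runs offline; graph_fetch_page is an assumed real fetcher that needs a bearer token carrying Application.Read.All and the third-party requests library.

```python
"""Audit Entra ID app registrations for client secrets / certificates expiring soon.

Added example, not from the original recipe. Uses only the Graph fields the recipe
names: id, appId, displayName, passwordCredentials, keyCredentials, @odata.nextLink.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List

GRAPH_APPS_URL = (
    "https://graph.microsoft.com/v1.0/applications"
    "?$select=id,appId,displayName,passwordCredentials,keyCredentials"
)

# Fixed "now" so the offline demo is reproducible (constructed value).
AUDIT_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)

# Constructed sample Graph responses: two pages, the first carrying a nextLink.
_NEXT = "https://graph.microsoft.com/v1.0/applications?$skiptoken=CONSTRUCTED-TOKEN"
SAMPLE_PAGES: Dict[str, dict] = {
    GRAPH_APPS_URL: {
        "value": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000001", "appId": "11111111-1111-1111-1111-111111111111",
             "displayName": "Payroll Connector",
             "passwordCredentials": [{"displayName": "prod-2024", "endDateTime": "2025-03-04T00:00:00Z"}],
             "keyCredentials": [{"displayName": "CN=payroll-signing", "endDateTime": "2026-03-01T00:00:00Z"}]},
        ],
        "@odata.nextLink": _NEXT,
    },
    _NEXT: {
        "value": [
            {"id": "aaaaaaaa-0000-0000-0000-000000000002", "appId": "22222222-2222-2222-2222-222222222222",
             "displayName": "Legacy Reporting",
             "passwordCredentials": [{"displayName": "old-secret", "endDateTime": "2025-02-20T00:00:00.123Z"}],
             "keyCredentials": []},
            {"id": "aaaaaaaa-0000-0000-0000-000000000003", "appId": "33333333-3333-3333-3333-333333333333",
             "displayName": "Healthy App",
             "passwordCredentials": [],
             "keyCredentials": [{"displayName": "CN=healthy", "endDateTime": "2027-01-01T00:00:00Z"}]},
        ],
    },
}


def fake_fetch_page(url: str) -> dict:
    """Offline stand-in for a Graph GET; serves the constructed pages above."""
    return SAMPLE_PAGES[url]


def graph_fetch_page(url: str, access_token: str) -> dict:
    """Real fetcher (assumption: token has Application.Read.All; needs 'requests')."""
    import requests  # imported lazily so the offline demo does not depend on it
    resp = requests.get(url, headers={"Authorization": f"Bearer {access_token}"}, timeout=30)
    resp.raise_for_status()
    return resp.json()


def parse_graph_time(value: str) -> datetime:
    """Parse Graph's UTC timestamps (with or without fractional seconds) into aware datetimes."""
    value = value.rstrip("Z").split(".", 1)[0]
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def iter_applications(fetch_page: Callable[[str], dict], url: str = GRAPH_APPS_URL) -> Iterable[dict]:
    """Yield every app registration, following @odata.nextLink so large tenants are not truncated."""
    while url:
        page = fetch_page(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # None on the last page ends the loop


def find_expiring_credentials(fetch_page: Callable[[str], dict], days: int = 7,
                              now: datetime = None) -> List[dict]:
    """Return one row per secret/certificate that expires within `days` (already-expired ones included)."""
    now = now or datetime.now(timezone.utc)
    deadline = now + timedelta(days=days)
    hits = []
    for app in iter_applications(fetch_page):
        for kind, field in (("secret", "passwordCredentials"), ("certificate", "keyCredentials")):
            for cred in app.get(field, []):
                end = parse_graph_time(cred["endDateTime"])
                if end <= deadline:
                    hits.append({
                        "displayName": app.get("displayName"),
                        "appId": app.get("appId"),
                        "objectId": app.get("id"),
                        "credentialType": kind,
                        "credentialName": cred.get("displayName"),
                        "expires": end.isoformat(),
                        "expired": end <= now,
                    })
    hits.sort(key=lambda h: h["expires"])  # soonest (or longest-expired) first
    return hits


if __name__ == "__main__":
    for row in find_expiring_credentials(fake_fetch_page, days=7, now=AUDIT_TIME):
        flag = "EXPIRED" if row["expired"] else "expiring"
        print(f'{flag:9} {row["expires"]}  {row["credentialType"]:11} {row["displayName"]} '
              f'({row["appId"]}) credential "{row["credentialName"]}"')
```

Against a real tenant, replace the fetcher with `find_expiring_credentials(lambda u: graph_fetch_page(u, token), days=7)`; the secret value itself is never returned by Graph, so the output contains only names, ids and timestamps and is safe to paste into a runbook or ticket. The window is inclusive of credentials that have already lapsed, which is what you want when diagnosing an existing AADSTS7000222 failure.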

Required Permissions

| Permission | Why It's Needed |
|---|---|
| Application.Read.All | Required to list app registrations and read their passwordCredentials and keyCredentials metadata |
| Directory.Read.All | Useful for resolving app owners when coordinating renewals |

The fastest way to get this done is to ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit all Entra ID app registrations in our tenant and list any with client secrets or certificates expiring in the next {days} days. For each hit, include the app display name, appId, credential type, credential name, and exact expiry date, then identify the app owners so I can coordinate renewals.