๐Ÿ›ก๏ธ Recipe ยท Security & Compliance

Audit Entra ID App Registrations for Expiring Secrets/Certificates and Privileged Permissions

Identify app registrations with credentials expiring soon and flag privileged service principals that are unused or stale

Complexity: Advanced

Impact: security + compliance + identity + privileged-access + credential-management + audit

Context

Why This Matters

Entra ID (Azure AD) app registrations are a common source of security incidents and outages. Client secrets and certificates silently expire — breaking backup jobs, line-of-business integrations, and SSO — while abandoned apps with directory roles like Global Administrator provide a persistent, often forgotten attack path.

This recipe helps you perform a regular audit that answers two questions:

  • Which app registrations have client secrets or certificates expiring in the next 30 days that need rotation before they cause an outage?
  • Which apps hold privileged directory roles (Global Administrator and similar) and have not been used recently, making them candidates for removal or role reduction?

Run this monthly, or as part of quarterly access reviews, tenant hardening projects, or after an ownership change (e.g., an admin leaves the organization).

Expected Outcomes

After running this recipe you will have:

  • A full inventory of app registrations with any client secret or certificate expiring within 30 days, including the hint/thumbprint and expiry date.
  • A list of apps whose service principals are assigned the Global Administrator role (or other privileged roles you target) together with their last sign-in activity.
  • Flagged candidates for credential rotation and for role reduction or deletion.
  • A repeatable process you can schedule (for example, weekly) and feed into a ticketing system or notification channel.

Risks & Considerations

Warnings and gotchas

  • Do not delete unknown apps. Many Microsoft first-party and third-party SaaS connectors appear in app registrations or enterprise applications. Confirm ownership before removing credentials or roles.
  • Rotating a secret breaks the consumer. Coordinate with the app owner before invalidating a credential — generate the new secret, hand it over, and only remove the old one once the consumer has switched.
  • signInActivity requires AuditLog.Read.All and an Entra ID P1/P2 license. Tenants without this data should treat "unknown last sign-in" as "needs manual review," not "safe to remove."
  • Global Administrator on a service principal is almost always wrong. Apps should use the least-privileged application permission they need. If you find one, investigate how it was granted (often via admin consent on a legacy app) and look for non-human-readable names, which can be a compromise indicator.
  • Federated credentials (workload identity federation) do not expire like secrets or certs — the audit should not treat a missing endDateTime as a finding.
  • Auditing is read-only; mitigation (rotating or removing credentials) is a separate change that must follow your normal change control.
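The two checks described above, written out as an added Python example that is not part of this recipe or of Dex. It runs offline over constructed objects shaped like Microsoft Graph application and servicePrincipal results; the directoryRoles list on each service principal is an assumption standing in for role membership you would resolve separately, and the signInActivity shape is likewise assumed.

```python
from datetime import datetime, timezone
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed reference time so the run is reproducible
PRIVILEGED_ROLES = {"Global Administrator"}  # extend with other privileged directory roles you target

def _parse(ts):  # Graph returns ISO-8601 UTC timestamps with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def expiring_credentials(apps, now=NOW, window_days=30):
    # Secrets and certificates whose endDateTime falls within window_days (already-expired ones included)
    findings = []
    for app in apps:
        creds = [("secret", c.get("hint"), c) for c in app.get("passwordCredentials", [])]
        creds += [("certificate", c.get("customKeyIdentifier"), c) for c in app.get("keyCredentials", [])]
        # federatedIdentityCredentials carry no endDateTime and are deliberately not inspected
        for kind, ident, cred in creds:
            days_left = (_parse(cred["endDateTime"]) - now).days
            if days_left <= window_days:
                findings.append({"app": app["displayName"], "kind": kind, "id": ident,
                                 "endDateTime": cred["endDateTime"], "daysLeft": days_left})
    return sorted(findings, key=lambda f: f["daysLeft"])

def stale_privileged_sps(sps, now=NOW, inactive_days=90):
    # Classify service principals holding a privileged directory role by their last sign-in
    findings = []
    for sp in sps:
        roles = PRIVILEGED_ROLES & set(sp.get("directoryRoles", []))  # assumed, pre-resolved membership
        if not roles:
            continue
        last = (sp.get("signInActivity") or {}).get("lastSignInDateTime")
        # missing sign-in data (no P1/P2 or no AuditLog.Read.All) means manual review, never "safe to remove"
        status = ("needs manual review" if last is None else
                  "stale" if (now - _parse(last)).days > inactive_days else "active")
        findings.append({"app": sp["displayName"], "roles": sorted(roles), "lastSignIn": last, "status": status})
    return findings

# Constructed sample objects shaped like Graph /applications and /servicePrincipals results
APPS = [
    {"displayName": "Backup Connector",
     "passwordCredentials": [{"hint": "Qx8", "endDateTime": "2024-06-20T00:00:00Z"}],
     "keyCredentials": [{"customKeyIdentifier": "A1B2C3", "endDateTime": "2025-01-01T00:00:00Z"}]},
    {"displayName": "CI Deployer", "federatedIdentityCredentials": [{"name": "github-main"}],
     "keyCredentials": [{"customKeyIdentifier": "D4E5F6", "endDateTime": "2024-05-30T00:00:00Z"}]},
]
SPS = [
    {"displayName": "Legacy Sync", "directoryRoles": ["Global Administrator"],
     "signInActivity": {"lastSignInDateTime": "2024-01-10T08:00:00Z"}},
    {"displayName": "Old Migration Tool", "directoryRoles": ["Global Administrator"]},
]
if __name__ == "__main__":
    print(*expiring_credentials(APPS), *stale_privileged_sps(SPS), sep="\n")
```

Replace the constructed APPS and SPS with the objects returned by Graph (and the role membership you resolve) to run it against a real tenant; the "CI Deployer" entry shows an already-expired certificate still being reported while its federated credential is ignored.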

Required Permissions

Permission                     | Why It's Needed
Application.Read.All           | List all app registrations and read their passwordCredentials and keyCredentials
Directory.Read.All             | Read service principals and directory role assignments
RoleManagement.Read.Directory  | Enumerate directory role assignments to identify privileged apps
AuditLog.Read.All              | Read signInActivity on service principals to determine recent use

The fastest way to get this done — just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit our Entra ID app registrations. List any apps with client secrets or certificates expiring within the next {days:30} days, and flag any apps whose service principals hold Global Administrator (or other privileged directory roles) that haven't signed in within the last {inactive_days:90} days. Return a report I can hand to owners for rotation or cleanup.