Client Secret Expiry Monitoring in Applications Manager – Setup for Microsoft Azure and 365
Client Secret Expiry Monitoring
Overview
To proactively monitor client secret expirations, a new table called Client Secret Expiry Details has been introduced under the Management tab (formerly "Billing") in both Microsoft 365 and Microsoft Azure monitors.
This enables customers to track and address expiring secrets in advance.
This enhancement is only available in Applications Manager version 172500 and above.
Table Columns and Data Fields
| Field | Description |
|---|---|
| Client Secret ID | Unique identifier of the client secret. |
| Application Name | Name of the application the client secret belongs to. |
| Expires On | Date the client secret will expire. |
| Days to Expire | Number of days remaining until the client secret expires. |
| Status | Expired – Secret expired (up to 30 days ago). Expiring Today – Secret expires today. Expiring Soon – Secret expires within the next 90 days. |
Note: Client secrets expiring today or already expired will show "0" under Days to Expire. The Status field will indicate whether the secret is expiring today or has already expired.Data Collection - Permissions and Enablement
Default Status
By default, Client secret expiry monitoring is disabled for both Microsoft 365 and Microsoft Azure monitors. When enabled, it covers:
- Client secrets that expired in the last 10 days.
- Client secrets expiring in the next 30 days.
Required Permission
To enable Client secret expiry monitoring, customers must:
- Grant the Application.Read.All permission to the app credentials used in Applications Manager.
- Manually enable Performance Polling for data collection.
Important:
Performance Polling should be enabled only after granting the required permission.
Enabling polling before providing the correct permission may cause data collection failures. If this happens, customers may need to wait until the next polling cycle (up to 12 hours or the configured interval) to see the data.
Configuring Polling Frequency & Expiry Range
Customers can customize polling frequency and monitoring range under:
Settings → Performance Polling → Optimize Data Collection → Choose Monitor Type (Microsoft Azure/Microsoft 365)
Polling Frequency
Metric Name: Client Secret Expiry Details.
Options:
- Collect data at default intervals (12 hours) - Recommended
- Collect data at customized intervals - Specify your preferred interval
Note: Polling intervals below 12 hours may cause performance issues. If a lower interval is set, a warning alert will be displayed on the monitor page.Monitoring Range - Expired and Expiring Secrets
The Day range configuration is only available in Applications Manager version 175400 and above.
Customers can also adjust the date ranges for which secrets are monitored:
| Option | Allowed Range | Default |
|---|---|---|
| Number of days to monitor expired secrets | 1 to 30 days | 10 days |
| Number of days to monitor expiring secrets | 0 to 90 days | 30 days |
Key Takeaways
- Client secret monitoring is disabled by default. Enable it via Performance Polling after granting the required permission.
- The Application.Read.All permission is mandatory to collect data.
- Performance Polling must be enabled only after setting permissions to avoid data collection failures.
- Polling intervals below 12 hours may affect performance trigger a warning.
- Monitoring ranges are customizable from last 1-30 days for expired secrets and next 0-90 days for expiring secrets.
New to ADSelfService Plus?
Related Articles
Microsoft Azure VM - Enabling Diagnostics extension for Windows & Linux VMs
Diagnostic Extension is now considered a legacy approach and it is limited to some server distributions. It is recommended to switch to Azure Monitor Agent (AMA). From Applications Manager v171400, Azure monitor agent is supported. Refer here to know ...Microsoft Azure - FAQ
1. What happens to the Azure monitor in Applications Manager when you delete any of the supported services from the Azure portal? When a resource is deleted in Azure portal, the monitor status depends on the 'Action on Deleted Resources' option. ...Licensing of Azure cloud monitor instances in Applications Manager
Licensing for Azure Cloud Monitor instances in Applications Manager is typically based on the number of individual resources being monitored within your Azure environment. In Azure, each child monitor is considered a separate licensed instance. ...How to install .NET agent on Azure app services?
You can track the performance of your .NET and .NET Core web app's key metrics like response time, throughput, and Apdex score via the APM Insight .NET agent hosted in Azure App Services. Installing APM Insight extension via Azure portal 1. Log in to ...How to integrate Microsoft Teams with Applications Manager using Webhook?
Microsoft Teams is a personal/workplace communication and collaboration platform that helps you stay connected over chat, calls, and video meetings. Using Webhook, you can now integrate Microsoft Teams with Applications Manager and receive real-time ...
