
Azure app secret expiry email report
Runbook returning a weekly email report of expired and expiring app secrets & certificates
No app secrets or expiring credentials are used during the deployment or by the runbook
Skip to the deployment portion
Summary:
The runbook runs a PowerShell script that authenticates with the automation account's managed identity; the script then gets all the app secrets & certificates along with their expiry times.
The script formats the results into HTML and sends out an email using Azure Email Communication Services
All required resources are made for a ‘from-scratch’ deployment but can be altered
If used in a prod environment consider using a custom domain for the Email Communication Service to give the sending address a friendly name
Requirements:
Certain Bicep features are required; for simplicity, just import the included bicepconfig.json file
Experimental features & the Graph extension are required to add app roles to the managed identity within the Bicep file itself, without needing a secondary deployment script
The Microsoft Graph PowerShell module is also required locally to deploy this template
These features are still considered ‘experimental’ but are stable using the versions within the bicepconfig.json
Usage
Download and deploy the included Bicep template and associated files - note that all the files within the linked repo are required
Input all the desired params and customise the parameters of the ‘schedule’ resource
Set the desired frequency, start date (must be in the future), time zone and week days if running on a weekly schedule
For simplicity this resource can be removed and manually set up after deployment
Once deployed you will only need to edit the runbook and populate:
- $emailRecipientTo - supports an array so you can include multiple emails
- SenderAddress - address that the email will be sent from; this is output by the deployment so it can be copied and pasted from there, or copied from the Email Communication Service
- -endpoint - endpoint of the Communication Service; also output by the deployment, but it can also be found under the main Communication Service created