This article provides an overview of the AzureCredentialExpirationNotification permanent workflow. This permanent workflow identifies expired client secrets and certificates in Azure and removes them from Azure and EmpowerID. The workflow scans across all Azure tenants configured in EmpowerID to locate credentials that have passed their expiration date, preventing security or compliance issues caused by retaining obsolete credentials.

Purpose

The workflow automates the detection and cleanup of expired Azure secrets and certificates. Removing these invalid credentials from Azure and EmpowerID keeps the system clean, secure, and in sync.

Workflow Logic

  1. Cross-Tenant Credential Scan

    • The workflow retrieves client secrets and certificates from every Azure tenant configured in EmpowerID.

    • It gathers metadata for all credentials associated with each application across these tenants.

  2. Expiration Check

    • Each discovered secret or certificate's expiration date is compared with the current time.

    • Any credential found to be expired is flagged for removal.

  3. Azure Removal

    • If a credential is expired, the workflow attempts to delete it in Azure.

    • If Azure confirms the deletion, the process moves to removal in EmpowerID.

  4. Deletion in EmpowerID

    • Once the credential is deleted in Azure, the workflow removes EmpowerID’s corresponding external credential record.

    • This ensures that EmpowerID accurately reflects the current state of credentials.

  5. Notifications

    • An email notifies the application owners and the credential owners of each expired credential that was removed.

    • If multiple credentials in a single application are expired, each credential triggers a separate notification.
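
The five steps above, as an added example that is not EmpowerID's own code: a sweep over a constructed multi-tenant inventory that keeps the workflow's ordering rule (the EmpowerID record is removed only after Azure confirms its deletion) and sends one notification per credential. The credential shape and timestamp format follow what Microsoft Graph returns for `passwordCredentials` and `keyCredentials` (`keyId`, `endDateTime`); the tenants, applications, key ids, owners and the three callbacks are stand-ins, and the real Graph calls (`removePassword` / `removeKey`) are out of scope here.

```python
# Added example, not EmpowerID code. All inventory data and callbacks are constructed.
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class Credential:
    tenant_id: str
    app_id: str          # application object id
    key_id: str          # keyId of the passwordCredential / keyCredential
    kind: str            # "secret" or "certificate"
    end_date_time: str   # ISO 8601 string in the shape Graph returns for endDateTime
    owners: List[str]    # application owners plus credential owner (constructed)


@dataclass
class SweepResult:
    removed: List[Credential] = field(default_factory=list)
    failed: List[Credential] = field(default_factory=list)        # Azure refused the delete
    notifications: List[str] = field(default_factory=list)       # one entry per removed credential


def parse_graph_time(value: str) -> datetime:
    """Parse a Graph timestamp such as '2024-01-15T10:30:00.1234567Z' into an aware UTC datetime."""
    value = re.sub(r"\.(\d{6})\d+", r".\1", value)   # fromisoformat takes at most 6 fractional digits
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"                  # older Pythons do not accept a trailing 'Z'
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def is_expired(cred: Credential, now: datetime) -> bool:
    return parse_graph_time(cred.end_date_time) <= now


def sweep(inventory: Dict[str, List[Credential]],
          delete_in_azure: Callable[[Credential], bool],
          delete_in_empowerid: Callable[[Credential], None],
          notify: Callable[[Credential], str],
          now: datetime) -> SweepResult:
    result = SweepResult()
    for creds in inventory.values():                 # step 1: every configured tenant
        for cred in creds:
            if not is_expired(cred, now):            # step 2: expiration check
                continue
            if not delete_in_azure(cred):            # step 3: Azure first
                result.failed.append(cred)           # keep the local record; do not drift from Azure
                continue
            delete_in_empowerid(cred)                # step 4: only after Azure confirmed
            result.notifications.append(notify(cred))  # step 5: one mail per credential
            result.removed.append(cred)
    return result


# Constructed inventory: two tenants, one app with three credentials and one app with one.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY: Dict[str, List[Credential]] = {
    "tenant-a": [
        Credential("tenant-a", "app-1", "k-1", "secret", "2024-01-15T10:30:00.1234567Z", ["alice@example.com"]),
        Credential("tenant-a", "app-1", "k-2", "certificate", "2025-01-01T00:00:00Z", ["alice@example.com"]),
        Credential("tenant-a", "app-1", "k-3", "secret", "2024-05-31T23:59:59Z", ["alice@example.com", "bob@example.com"]),
    ],
    "tenant-b": [
        Credential("tenant-b", "app-7", "k-9", "certificate", "2023-12-31T00:00:00Z", ["carol@example.com"]),
    ],
}
LOCAL_RECORDS = {c.key_id for creds in INVENTORY.values() for c in creds}  # stand-in for EmpowerID's table
AZURE_DELETE_FAILS = {"k-9"}  # constructed: simulate Azure rejecting one removal


def fake_delete_in_azure(cred: Credential) -> bool:
    return cred.key_id not in AZURE_DELETE_FAILS


def fake_delete_in_empowerid(cred: Credential) -> None:
    LOCAL_RECORDS.discard(cred.key_id)


def fake_notify(cred: Credential) -> str:
    return (f"to {', '.join(cred.owners)}: {cred.kind} {cred.key_id} on {cred.app_id} "
            f"({cred.tenant_id}) expired {cred.end_date_time} and was removed")


def run_demo() -> SweepResult:
    return sweep(INVENTORY, fake_delete_in_azure, fake_delete_in_empowerid, fake_notify, NOW)


if __name__ == "__main__":
    outcome = run_demo()
    print("removed:", [c.key_id for c in outcome.removed])
    print("failed in Azure, kept locally:", [c.key_id for c in outcome.failed])
    print("\n".join(outcome.notifications))
```

On the constructed data the sweep removes k-1 and k-3 (two separate notifications for the same application), leaves the unexpired k-2 alone, and keeps k-9 in the local inventory because the Azure deletion failed.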

Key Considerations

  • Complete Scope
    The workflow evaluates credentials across all connected Azure tenants. If you have multiple tenants, the workflow checks each one.

  • Accuracy and Consistency
    The system maintains an accurate representation of valid credentials by deleting a credential in EmpowerID only after its removal from Azure has succeeded. If the Azure deletion fails, the EmpowerID record is left in place rather than deleted out of step with Azure.

  • Visibility
    Email notifications are sent to both application and credential owners, ensuring they know about each credential's removal.