
Azure Credential Expiration and Deletion Workflow


This article provides an overview of the AzureCredentialExpirationNotification permanent workflow. This permanent workflow identifies expired client secrets and certificates in Azure and removes them from Azure and EmpowerID. The workflow scans across all Azure tenants configured in EmpowerID to locate credentials that have passed their expiration date, preventing security or compliance issues caused by retaining obsolete credentials.

Purpose

The workflow automates the detection and cleanup of expired Azure secrets and certificates. Removing these invalid credentials from both Azure and EmpowerID (EID) keeps the two systems clean, secure, and in sync.

Workflow Logic

  1. Cross-Tenant Credential Scan

    • The workflow retrieves client secrets and certificates from every Azure tenant configured in EmpowerID.

    • It gathers metadata for all credentials associated with each application across these tenants.

  2. Expiration Check

    • Each discovered secret or certificate is evaluated against its expiration date.

    • Any credential found to be expired is flagged for removal.

  3. Azure Removal

    • If a credential is expired, the workflow attempts to delete it in Azure.

    • If Azure confirms the deletion, the process moves to removal in EmpowerID.

  4. Deletion in EmpowerID

    • Once the credential is deleted in Azure, the workflow removes EmpowerID’s corresponding external credential record.

    • This ensures that EID accurately reflects the current state of credentials.

  5. Notifications

    • An email notifies the application owners and the credential owners for each expired credential removed.

    • If multiple credentials in a single application are expired, each credential triggers a separate notification.
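The five steps above, modelled end to end as an added example. This is not EmpowerID's code: the `SimulatedAzure` and `SimulatedEmpowerID` classes, the `run_expiration_workflow` function and all tenant, application, key and owner identifiers are constructed stand-ins for the real Azure and EmpowerID integrations. The point worth seeing in code is the ordering rule in steps 3 and 4: the EID record is removed only after Azure confirms the deletion, and a failed Azure deletion leaves the EID record in place, while each expired credential on an application produces its own notification.

```python
"""Added example (not EmpowerID's code): a simulation of the
AzureCredentialExpirationNotification workflow described above.
The Azure and EmpowerID classes are hypothetical stand-ins over
constructed data; the real workflow talks to Azure and EID directly."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Credential:
    tenant_id: str
    app_id: str
    key_id: str           # identifies the secret/certificate on the application
    kind: str             # "secret" or "certificate"
    expires_at: datetime  # timezone-aware UTC
    owners: list          # credential owners to notify


@dataclass
class SimulatedAzure:
    """Stand-in for the Azure side (hypothetical, not a real API)."""
    credentials: dict                               # key_id -> Credential
    undeletable: set = field(default_factory=set)   # key_ids whose deletion fails

    def list_credentials(self, tenant_id):
        return [c for c in self.credentials.values() if c.tenant_id == tenant_id]

    def delete_credential(self, key_id):
        # Returns True only when Azure confirms the deletion.
        if key_id in self.undeletable or key_id not in self.credentials:
            return False
        del self.credentials[key_id]
        return True


@dataclass
class SimulatedEmpowerID:
    """Stand-in for EID's configured tenants and external credential records."""
    tenants: list
    external_credentials: set   # key_ids that EID currently records
    app_owners: dict            # app_id -> owner addresses

    def remove_external_credential(self, key_id):
        self.external_credentials.discard(key_id)


def run_expiration_workflow(azure, eid, now=None):
    now = now or datetime.now(timezone.utc)
    summary = {"removed": [], "azure_delete_failed": [], "notifications": []}
    for tenant_id in eid.tenants:                          # 1. cross-tenant scan
        for cred in azure.list_credentials(tenant_id):
            if cred.expires_at > now:                      # 2. expiration check
                continue
            if not azure.delete_credential(cred.key_id):   # 3. Azure removal
                # Azure did not confirm: keep the EID record so EID never
                # claims a credential is gone while it still exists in Azure.
                summary["azure_delete_failed"].append(cred.key_id)
                continue
            eid.remove_external_credential(cred.key_id)    # 4. EID removal
            summary["removed"].append(cred.key_id)
            recipients = sorted(set(eid.app_owners.get(cred.app_id, [])) | set(cred.owners))
            summary["notifications"].append({              # 5. one mail per credential
                "key_id": cred.key_id, "app_id": cred.app_id,
                "kind": cred.kind, "to": recipients})
    return summary


def build_sample():
    """Constructed sample data: two tenants; app-1 carries two expired
    credentials, app-2 a valid one, and app-3 one Azure refuses to delete."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    creds = [
        Credential("tenant-a", "app-1", "key-1", "secret", now - timedelta(days=3), ["dev1@example.test"]),
        Credential("tenant-a", "app-1", "key-2", "certificate", now - timedelta(days=1), ["dev2@example.test"]),
        Credential("tenant-a", "app-2", "key-3", "secret", now + timedelta(days=30), []),
        Credential("tenant-b", "app-3", "key-4", "secret", now - timedelta(days=10), ["ops@example.test"]),
    ]
    azure = SimulatedAzure({c.key_id: c for c in creds}, undeletable={"key-4"})
    eid = SimulatedEmpowerID(
        tenants=["tenant-a", "tenant-b"],
        external_credentials={c.key_id for c in creds},
        app_owners={"app-1": ["owner1@example.test"], "app-3": ["owner3@example.test"]},
    )
    return azure, eid, now


if __name__ == "__main__":
    azure, eid, now = build_sample()
    print(run_expiration_workflow(azure, eid, now))
```

Running the sample removes `key-1` and `key-2` from both stores and sends two separate notifications for `app-1`; `key-4` stays recorded in EID because the simulated Azure deletion was not confirmed, which is the consistency guarantee the Key Considerations section describes.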

Key Considerations

  • Complete Scope
    The workflow evaluates credentials across all connected Azure tenants. If you have multiple tenants, the workflow checks each one.

  • Accuracy and Consistency
    The system maintains an accurate representation of valid credentials by deleting the credentials in EmpowerID only after successful Azure removal.

  • Visibility
    Email notifications are sent to both application and credential owners, ensuring they are aware of each credential’s removal.
