Automating Cleanup of Expired Client Secrets and Certificates
This article provides an overview of the AzureCredentialExpirationNotification permanent workflow. This permanent workflow identifies expired client secrets and certificates in Azure and removes them from Azure and EmpowerID. The workflow scans across all Azure tenants configured in EmpowerID to locate credentials that have passed their expiration date, preventing security or compliance issues caused by retaining obsolete credentials.
Purpose
The workflow automates the detection and cleanup of expired Azure secrets and certificates. Removing these invalid credentials from Azure and EmpowerID keeps the system clean, secure, and in sync.
Workflow Logic
Cross-Tenant Credential Scan
The workflow retrieves client secrets and certificates from every Azure tenant configured in EmpowerID.
It gathers metadata for all credentials associated with each application across these tenants.
Expiration Check
Each discovered secret or certificate is evaluated against its expiration date.
Any credential found to be expired is flagged for removal.
Azure Removal
If a credential is expired, the workflow attempts to delete it in Azure.
If Azure confirms the deletion, the process moves to removal in EmpowerID.
Deletion in EmpowerID
Once the credential is deleted in Azure, the workflow removes EmpowerID’s corresponding external credential record.
This ensures that EmpowerID accurately reflects the current state of credentials.
Notifications
An email notifies the application and credential owners of each expired credential removed.
If multiple credentials in a single application are expired, each credential triggers a separate notification.
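As an added illustration of the steps above (example code, not EmpowerID's own workflow implementation), the following Python models the cross-tenant scan, the expiration check, the Azure-first deletion and the per-credential notification. The azure_delete, eid_delete and notify callbacks are hypothetical stand-ins for the real Azure and EmpowerID operations, and the credential data in run_demo is constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Credential:
    tenant: str
    app: str
    cred_id: str
    kind: str                 # "secret" or "certificate"
    expires: datetime         # timezone-aware expiration timestamp
    owners: list = field(default_factory=list)   # application/credential owners


def is_expired(cred, now):
    return cred.expires <= now   # expired once the expiration time has passed


def cleanup_expired(creds, now, azure_delete, eid_delete, notify):
    """Scan every credential (all tenants) and remove the expired ones."""
    # The EmpowerID record is removed and owners are notified only after
    # Azure confirms the deletion, so a failed Azure call leaves both in place.
    outcomes = {}
    for c in creds:
        if not is_expired(c, now):
            continue                  # still valid: leave untouched
        if not azure_delete(c):       # Azure did not confirm the deletion
            outcomes[c.cred_id] = "azure-delete-failed"
            continue
        eid_delete(c)                 # mirror the removal in EmpowerID
        notify(c.owners, c)           # one email per removed credential
        outcomes[c.cred_id] = "removed"
    return outcomes


def run_demo():
    """Constructed sample data across two tenants; returns (outcomes, eid_deleted, emails)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    utc = lambda *d: datetime(*d, tzinfo=timezone.utc)
    creds = [
        Credential("tenant-a", "app1", "s1", "secret", utc(2024, 5, 1), ["alice"]),
        Credential("tenant-a", "app1", "s2", "secret", utc(2024, 5, 15), ["alice", "app1-owner"]),
        Credential("tenant-a", "app1", "s3", "secret", utc(2025, 1, 1), ["alice"]),
        Credential("tenant-b", "app2", "c1", "certificate", utc(2024, 1, 1), ["bob"]),
    ]
    eid_deleted, emails = [], []
    azure_delete = lambda c: c.cred_id != "c1"   # simulate Azure refusing one deletion
    outcomes = cleanup_expired(creds, now, azure_delete, lambda c: eid_deleted.append(c.cred_id),
                               lambda owners, c: emails.append((tuple(owners), c.cred_id)))
    return outcomes, eid_deleted, emails
```

Two expired secrets in the same application (s1 and s2) produce two separate emails, while the certificate whose Azure deletion is not confirmed (c1) is neither removed from EmpowerID nor reported to its owner.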
Key Considerations
Complete Scope
The workflow evaluates credentials across all connected Azure tenants. If you have multiple tenants, the workflow checks each one.
Accuracy and Consistency
The system maintains an accurate representation of valid credentials by deleting the credentials in EmpowerID only after successful Azure removal.
Visibility
Email notifications are sent to application and credential owners, ensuring they know about each credential’s removal.