Hi,
Thanks for reaching out to Microsoft Q&A.
A few things can cause “SecretNearExpiry” (and other Key Vault events) to stop arriving even though the Event Grid subscription still appears in the portal.
In general, I suggest you verify each of the following:
- Check the actual subscription hooked to your Key Vault
  - In the portal (or via CLI/PowerShell), ensure that the “Microsoft.KeyVault.SecretNearExpiry” subscription really is associated with the same Key Vault and the same system topic. Sometimes we end up looking at an old or deleted subscription, or the Key Vault is pointing to a stale system topic.
  - Verify the subscription’s status is “enabled” and not in a failed or disabled state.
- Verify no advanced filters block the event
  - If you set an Advanced Filter on eventType or on any Key Vault property, make sure it doesn’t exclude “SecretNearExpiry.” A slightly wrong filter can silently discard your events.
- Confirm your expiration window is truly “near”
  - Key Vault typically treats “near expiry” as roughly 30 days or less. If you keep adjusting the expiration in a way that no longer satisfies the “near expiry” calculation, the event won’t fire.
  - Test a secret that expires much sooner (1–2 days from now?) so you can confirm the event is triggered in a tight window.
- Double-check the endpoint (Service Bus Queue)
  - Make sure the queue name hasn’t changed and that the subscription is not referencing the wrong queue. Also check whether messages might be showing up in “Dead-letter” or “Poison” subqueues.
  - If the queue or SAS credentials changed, you may have to recreate or update the subscription.
- Look at the metrics & logs for the actual subscription
  - In the Azure portal, under “Event Subscriptions” for your Key Vault --> “Metrics,” see if any “Publish Failed Events” or “Dead-Lettered Events” show up. If no events are published at all, you are likely dealing with the wrong subscription or a filter mismatch.
  - You can also query Activity Logs to see if the subscription was disabled or if a “Delete” or “Update” operation was applied.
  - If your code/ARM templates/TF references an old subscription ID that was deleted, you’ll see weird behavior or no events at all. Removing or updating that reference in your IaC, config files, etc. can help clear it up.
In short, the typical culprit is that the Key Vault’s near-expiry window doesn’t line up with your new expiration date, or there is a mismatch or filter problem on the newly created (or presumed existing) subscription. Double-check that you really do have a working subscription for “SecretNearExpiry” with an endpoint that is accepting messages, and that your secret’s expiry fits in the near-expiry threshold. Once you straighten out the correct subscription and filters, you should see near-expiry events flowing again.
Please feel free to click the 'Upvote' (Thumbs-up) button and 'Accept as Answer'. This helps the community by allowing others with similar queries to easily find the solution.
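Added example (editor's note, not part of the answer above and not Microsoft tooling): the checklist in the answer can be run as code against the JSON that `az eventgrid event-subscription show --name <sub> --source-resource-id <key-vault-id> -o json` and `az keyvault secret show --vault-name <kv> --name <secret> -o json` print. The checker below evaluates the subscription's filter block against a `Microsoft.KeyVault.SecretNearExpiry` event the way Event Grid would, compares the destination with the queue you expect, flags a missing dead-letter destination, and checks whether the secret's expiry actually falls inside the near-expiry window. Assumptions: the field names (`provisioningState`, `destination.endpointType`, `destination.resourceId`, `filter.includedEventTypes`, `filter.advancedFilters`, `deadLetterDestination`, `attributes.expires`) are the ones the az CLI prints, the event subject for a Key Vault event is the secret name, the window is 30 days, and all sample data is constructed with placeholder resource ids.

```python
"""Offline triage of a Key Vault -> Event Grid -> Service Bus queue subscription.

Hypothetical checker written for this thread (not Microsoft tooling). It reads
the JSON printed by `az eventgrid event-subscription show ... -o json` and
`az keyvault secret show ... -o json` (field names assumed) and reports the
mismatches from the checklist: unhealthy subscription, wrong queue, a filter
that silently drops SecretNearExpiry, no dead-letter destination, and an
expiry outside the near-expiry window.
"""
import json
from datetime import datetime, timedelta, timezone

EVENT_TYPE = "Microsoft.KeyVault.SecretNearExpiry"
NEAR_EXPIRY_WINDOW = timedelta(days=30)  # assumed default Key Vault window


def _string_op(flt, value):
    """Evaluate an Event Grid advanced string filter (matching is case-insensitive)."""
    op, v = flt.get("operatorType", ""), value.lower()
    vals = [x.lower() for x in flt.get("values", [])]
    ops = {
        "StringIn": v in vals,
        "StringNotIn": v not in vals,
        "StringBeginsWith": any(v.startswith(x) for x in vals),
        "StringNotBeginsWith": not any(v.startswith(x) for x in vals),
        "StringEndsWith": any(v.endswith(x) for x in vals),
        "StringNotEndsWith": not any(v.endswith(x) for x in vals),
        "StringContains": any(x in v for x in vals),
        "StringNotContains": not any(x in v for x in vals),
    }
    return ops.get(op, True)  # numeric/bool operators do not apply to eventType/subject


def event_passes_filter(sub, event_type, subject):
    """Apply the subscription's filter block to one event the way Event Grid does."""
    flt = sub.get("filter") or {}
    included = flt.get("includedEventTypes")
    if included and event_type not in included:  # empty/None means all event types
        return False
    fold = (lambda s: s) if flt.get("isSubjectCaseSensitive") else str.lower
    if flt.get("subjectBeginsWith") and not fold(subject).startswith(fold(flt["subjectBeginsWith"])):
        return False
    if flt.get("subjectEndsWith") and not fold(subject).endswith(fold(flt["subjectEndsWith"])):
        return False
    fields = {"eventtype": event_type, "subject": subject}  # subject = secret name (assumed)
    for adv in flt.get("advancedFilters") or []:
        key = adv.get("key", "").lower()
        if key in fields and not _string_op(adv, fields[key]):
            return False  # advanced filters are ANDed: one miss drops the event
    return True


def diagnose(sub, secret, expected_queue_id, now_iso=None):
    """Return a list of findings; an empty list means the checklist is clean."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    state = sub.get("provisioningState")
    if state != "Succeeded":
        findings.append(f"provisioningState is {state!r}, not 'Succeeded'")
    dest = sub.get("destination") or {}
    if dest.get("endpointType") != "ServiceBusQueue":
        findings.append(f"destination is {dest.get('endpointType')!r}, not ServiceBusQueue")
    elif dest.get("resourceId", "").lower() != expected_queue_id.lower():
        findings.append("destination points at a different queue than expected")
    if not sub.get("deadLetterDestination"):
        findings.append("no dead-letter destination; undeliverable events vanish silently")
    name = secret.get("name", "")
    if not event_passes_filter(sub, EVENT_TYPE, name):
        findings.append(f"filter drops {EVENT_TYPE} for secret {name!r}")
    expires = (secret.get("attributes") or {}).get("expires")
    if not expires:
        findings.append("secret has no expiry, so SecretNearExpiry can never fire")
    else:
        exp = datetime.fromisoformat(expires.replace("Z", "+00:00"))
        if exp <= now:
            findings.append("secret is already expired")
        elif exp - now > NEAR_EXPIRY_WINDOW:
            findings.append(f"expiry is {(exp - now).days} days out, beyond the "
                            f"{NEAR_EXPIRY_WINDOW.days}-day window")
    return findings


# Constructed sample data (placeholder ids). The "broken" subscription lists the right
# event type but its advanced filter only admits SecretExpired, so near-expiry is dropped.
EXPECTED_QUEUE_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
                     "/providers/Microsoft.ServiceBus/namespaces/ns/queues/kv-events")
BROKEN_SUBSCRIPTION = {
    "name": "kv-secret-near-expiry", "provisioningState": "Succeeded",
    "destination": {"endpointType": "ServiceBusQueue", "resourceId": EXPECTED_QUEUE_ID},
    "filter": {"includedEventTypes": [EVENT_TYPE],
               "advancedFilters": [{"operatorType": "StringIn", "key": "eventType",
                                    "values": ["Microsoft.KeyVault.SecretExpired"]}]},
    "deadLetterDestination": None,
}
FIXED_SUBSCRIPTION = {**BROKEN_SUBSCRIPTION,
                      "filter": {"includedEventTypes": [EVENT_TYPE]},
                      "deadLetterDestination": {"endpointType": "StorageBlob",
                                                "resourceId": "placeholder-storage-resource-id"}}
SECRET = {"name": "db-password", "attributes": {"expires": "2030-06-01T00:00:00+00:00"}}

if __name__ == "__main__":
    for label, sub in (("broken", BROKEN_SUBSCRIPTION), ("fixed", FIXED_SUBSCRIPTION)):
        print(label, json.dumps(diagnose(sub, SECRET, EXPECTED_QUEUE_ID,
                                         "2030-05-20T00:00:00+00:00"), indent=2))
```

To use it on a real vault, save the two `az ... -o json` outputs to files, `json.load` them, and call `diagnose(sub, secret, queue_resource_id)`. The filter evaluation is the part worth reading: `includedEventTypes` and `advancedFilters` are ANDed, so a subscription that looks correct in the portal's "Event Types" dropdown can still drop every event because of one stale advanced filter on `eventType`.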