Here is one way to accomplish this:

1. Configure the app in tenant A
   - Grant the app the necessary Microsoft Graph API permissions (e.g., Application.Read.All or Application.ReadWrite.All) for accessing application secrets. Ensure this is an Application permission.
   - Grant admin consent for these permissions in tenant A.
2. Create a client secret for the app
   - Generate a client secret for the app and securely store the secret (e.g., in an Azure Key Vault in the subscription associated with tenant B).
3. Assign the app registration to monitor application secrets
   - Use Microsoft Graph to list the secrets for applications in tenant A.
   - Example: use the endpoint GET https://graph.microsoft.com/v1.0/applications/{application-id}. This will return the passwordCredentials property, which includes expiration details.
4. Create a service principal for tenant A in tenant B
   - In tenant B, create a service principal (SP) for the app registration in tenant A:
5. Configure the Azure Automation account in the subscription associated with tenant B
   - Import the necessary modules:
     - AzureAD (if using Azure AD cmdlets).
     - Az.Accounts (if authenticating via service principal).
     - Microsoft.Graph SDK (for Graph API calls).
6. Grant permissions across tenants
   - In tenant A, create a custom role or use built-in roles (like Reader or App Administrator) and assign it to the service principal for tenant B.
7. Create an Automation runbook
   - Use the runbook to:
     - Authenticate as the service principal in tenant A.
     - Query the Microsoft Graph API for application secrets.
     - Parse and log expiration dates, or send alerts if expiration is near.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
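As an added example, not part of Marcin's answer: a runbook-style PowerShell script for step 7 that authenticates to tenant A with the app's client credentials, pages through every application's passwordCredentials via Microsoft Graph, and flags secrets that expire within a threshold. The parameter names, the 30-day default and the table output are assumptions; the tenant ID, client ID and client secret are assumed to have been retrieved (e.g. from Key Vault) before this script runs.

```powershell
# Added example (not from the original answer). Assumed parameters: tenant A's ID,
# the monitoring app's client ID and a client secret fetched from Key Vault beforehand.
param(
    [Parameter(Mandatory)] [string] $TenantId,      # tenant A
    [Parameter(Mandatory)] [string] $ClientId,      # app registration in tenant A
    [Parameter(Mandatory)] [string] $ClientSecret,  # retrieved from Key Vault before this runs
    [int] $WarnDays = 30                            # assumed alert threshold
)

# 1. App-only token for Microsoft Graph (OAuth 2.0 client credentials grant).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Page through all applications; Application.Read.All is enough for this read.
#    Graph returns only metadata (keyId, displayName, endDateTime), never the secret value.
$uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,passwordCredentials&$top=999'
$findings = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    foreach ($app in $page.value) {
        foreach ($cred in $app.passwordCredentials) {
            # Cast handles both the ISO-8601 string (PS 5.1) and the DateTime PS 7 already parsed.
            $expires  = ([DateTimeOffset]$cred.endDateTime).UtcDateTime
            $daysLeft = [math]::Floor(($expires - [DateTime]::UtcNow).TotalDays)
            if ($daysLeft -le $WarnDays) {
                $findings += [pscustomobject]@{
                    Application = $app.displayName
                    AppId       = $app.appId
                    KeyId       = $cred.keyId
                    SecretName  = $cred.displayName
                    ExpiresUtc  = $expires
                    DaysLeft    = $daysLeft   # negative means already expired
                }
            }
        }
    }
    $uri = $page.'@odata.nextLink'   # $null on the last page ends the loop
}

# 3. Report; in a real runbook this is where an alert (webhook, e-mail, ticket) would be raised.
if ($findings) { $findings | Sort-Object DaysLeft | Format-Table -AutoSize }
else { Write-Output "No application secrets expire within $WarnDays days." }
```

Secrets already past their end date show a negative DaysLeft, so the same run surfaces both upcoming and missed rotations.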