Entra ID App Registration Event Monitor Reference Guide
Entra ID App Registration Event Monitor
Checks app registrations and sends alerts when client secrets are about to expire.
Overview
The Entra ID App Registration Event Monitor checks your app registrations in Microsoft Azure and alerts if the client secrets are due to expire within a specified number of days.
Use Cases
- Keeping a list of app registrations
- Receiving notifications well before your app registrations are due to expire
Monitoring Options
This event monitor provides the following options:
Alert with [Info/Warning/Error/Critical] if Azure cannot be contacted
Use this option to alert you if the event monitor is unable to connect to Microsoft Azure. Reasons for a failure to connect include invalid security tokens and loss of external network access.
Alert with [Info/Warning/Error/Critical] when app registrations are added
Use this option to receive an alert of your choice when an app registration is added.
Alert with [Info/Warning/Error/Critical] when app registrations are removed
Use this option to receive an alert of your choice when an app registration is removed.
Alert with [Info/Warning/Error/Critical] when client secrets are expired
This option will alert you with your choice of severity when one or more client secrets are found to have expired.
Alert about client secrets that will expire in less than a specified number of days
This option lets you specify the number of days before client secret expiry that you'll receive an alert.
Don't alert about client secrets that have already expired
Check this box to exclude alerts about client secrets that have already expired.
Alert with [Info/Warning/Error/Critical] when certificates are expired
With this option enabled, any certificate that expires will send you an alert of your choosing.
Alert about certificates that will expire in less than a specified number of days
This option lets you know ahead of time when your certificates are due to expire. Enter the number of days that will trigger each alert level.
Don't alert about certificates that have already expired
Enable this option to avoid duplicate alerts about certificates that have previously expired.
Include a table of client secrets [before all/after all] event text
Check this box to add a table of client secrets to the event text generated each time the event monitor runs.
Include all the client secrets
Check the box next to this option to include a list of all client secrets in the notification generated each time the event monitor runs.
Include valid client secrets
This option lets you include valid client secrets in the text generated each time the event monitor runs.
Include expired client secrets
Check this box to include a list of all expired client secrets in the notification generated each time the event monitor runs.
Include client secrets expiring in the next 30 days
Use this checkbox to show all client secrets expiring in the next 30 days in the notification generated each time the event monitor runs.
Only check the following app registrations
This option lets you list app registrations to check. All app registrations not listed here will not be checked.
App registrations to ignore
List app registrations to ignore in this text box. The event monitor will skip monitoring these app registrations.
Client secrets to ignore
Enter a list of client secrets to ignore in this text box. The event monitor will skip monitoring these client secrets.
Certificates to ignore
Enter the description or certificate ID of certificates to ignore here.
Authentication and Security
First, you'll need to create an app registration to add to your event monitor's authentication profile. Information on how to do this can be found in our "Creating an Azure Authentication Profile" article.
Your event monitor will need Application.Read.All, Directory.Read.All, and User.Read permissions with the delegated type. Additionally, you'll need Application.Read.All permissions with the application type under Microsoft Graph.
Protocols
Data Points
This event monitor generates the following data points:
| Data Point | Description |
|---|---|
| App Registrations | Total app registration count. |
| Deleted App Registrations | Total number of deleted app registrations. |
| New App Registrations | Number of new app registrations since last event monitor run. |
Sample Output
Comments
Add a comment