Concept - Azure Key Vault Life Cycle Management - Part 01

Overview:

Azure Key Vault is a resource for storing and accessing secrets, keys and certificates. But what if a company needs to rotate these secrets, keys and certificates? Azure Key Vault can enable key rotation and auditing, but this needs to be configured and is not a default feature. For these items, some specific value attributes can be used to build a lifecycle process.

In this first part, a concept solution is provided that detects the expiration date of a secret or key and informs the IT department or the owner of that key.

 

Azure Key Vault (Preview)

This connector is available in the following products and regions:

Service      Class     Regions
Logic Apps   Standard  All Logic Apps regions except Azure Government regions and Azure China regions
Flow         Premium   All Flow regions except US Government (GCC)
PowerApps    Premium   All PowerApps regions except US Government (GCC)

Throttling Limits

Name                       Calls   Renewal Period
API Calls per connection   1000    60 seconds

 

How-to:

The flow connects to Azure Key Vault via the connector and collects the information needed to calculate the days until the expiration date that has been set on the secret.

TRIGGER

The trigger for this flow is a schedule that will run every day at midnight. Let's start building the flow:


Select 'Schedule' as the trigger and fill in the following fields:

1-2. Interval - Frequency: based on the selected frequency type, the interval can be set. In this example, a daily schedule is created by selecting the 'Day' frequency with an interval of 1.

3. Timezone - in this example the timezone UTC +01:00 is used for Belgium.

4. At these hours - the flow will be triggered at midnight, which is the 0 for this field.

ACTIONS

Following actions will be used in the flow:

  •  Connection to Azure Key Vault to get the information about the secrets in the Key Vault.
  •  Actions to calculate the days left before the expiration date.
  •  Send a notification on the number of days left.

Action - 0.2.Get Secrets

Before continuing with the flow, an app registration needs to be created in the Azure portal. Go to 'Azure Active Directory', 'App registrations', 'New registration'.

Click 'New registration'.

 


API Permissions


Register the application and create a client secret: go to 'Certificates & secrets' and create a new client secret. Store the client secret in a safe place, then continue building the flow: search for the 'Azure Key Vault' connector and select the 'List secrets' action.

Select 'Connect with service principal'


1. Enter a connection name for this connector

2. Enter the name of the Key Vault in Azure. In this example, 'Cloud02KeyVault' has been used.

3 - 4 - 5. The IDs required for these fields can be found in the App registration overview of the application created above.

When the connection with the Key Vault in Azure has been established, the connector is shown in the flow as follows:

Action - 0.3.Check Days

In this apply to each action, the number of days left before the expiration date is calculated for every secret found in the Key Vault. The input is the value output of step '0.2.Get Secrets', which contains all the information about the secrets.

Action - 0.3.1.EndTime

A Compose action that collects the secret's end time (in this example, we assume that an expiration time is always defined for each secret).

Action - 0.3.2.Today

Get the current date and time using the Date Time action.

Action - 0.3.3.TicksToday 

In the next two steps, a conversion is needed to compute the difference between the current time and the expiration time. Both values are converted to ticks (100-nanosecond intervals) so that they can be subtracted from each other.

Expression: ticks(body('0.3.2.Today'))

Action - 0.3.4.TicksEndTime

Expression: ticks(outputs('0.3.1.Endtime'))

Action - 0.3.5.DivDays

In this Compose action, a calculation is done to get the number of days between the current date and the expiration date.
Expression: div(sub(outputs('0.3.4.TicksEndTime'),outputs('0.3.3.TicksToday')),864000000000)

The result is the number of days left between the current day and the expiration time.

Action - 0.3.6.Check WARNING Lvl

In this example, a WARNING message is sent via email when the day difference is between 16 and 30 days. If it is lower than 16 days, a CRITICAL message is sent via email.
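The tick arithmetic and the severity thresholds of steps 0.3.1 to 0.3.6, as an added Python example that is not part of the original post. The secret record shape (name / endTime) and the sample values are constructed for the example; it also reports secrets that have no end time, the case the post assumes never happens.

```python
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# .NET ticks: 100 ns intervals since 0001-01-01T00:00:00Z, which is what Flow's ticks() returns.
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000  # 86400 s * 10^7 ticks/s, the divisor in 0.3.5.DivDays
CRITICAL_BELOW_DAYS = 16          # thresholds from action 0.3.6
WARNING_MAX_DAYS = 30

def ticks(moment: datetime) -> int:
    """Equivalent of ticks() for a timezone-aware datetime."""
    delta = moment.astimezone(timezone.utc) - TICKS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def days_left(end_time: datetime, today: datetime) -> int:
    """div(sub(TicksEndTime, TicksToday), 864000000000); div() truncates toward zero,
    so an expired secret gives 0 or a negative number (Python's // would floor instead)."""
    diff = ticks(end_time) - ticks(today)
    quotient = abs(diff) // TICKS_PER_DAY
    return quotient if diff >= 0 else -quotient

def severity(days: int) -> str:
    """Level that action 0.3.6 would mail; OK means more than 30 days remain."""
    if days < CRITICAL_BELOW_DAYS:
        return "CRITICAL"
    return "WARNING" if days <= WARNING_MAX_DAYS else "OK"

def check_secrets(secrets: List[dict], today: datetime) -> List[Tuple[str, Optional[int], str]]:
    """The apply-to-each loop (0.3): one (name, days left, level) row per secret.
    Secrets without an end time, which the post assumes away, are reported as NO_EXPIRY."""
    rows = []
    for secret in secrets:
        end = secret.get("endTime")  # field name is an assumption made for this example
        if end is None:
            rows.append((secret["name"], None, "NO_EXPIRY"))
            continue
        days = days_left(datetime.fromisoformat(end.replace("Z", "+00:00")), today)
        rows.append((secret["name"], days, severity(days)))
    return rows

# Constructed sample shaped like a 'List secrets' result; not real vault content.
SAMPLE_SECRETS = [
    {"name": "api-token", "endTime": "2024-01-10T00:00:00Z"},       # 9 days  -> CRITICAL
    {"name": "db-password", "endTime": "2024-01-21T00:00:00Z"},     # 20 days -> WARNING
    {"name": "smtp-password", "endTime": "2024-03-01T00:00:00Z"},   # 60 days -> OK
    {"name": "legacy-key", "endTime": "2023-12-31T12:00:00Z"},      # expired -> CRITICAL
    {"name": "orphan-secret"},                                      # no end time
]
TODAY = datetime(2024, 1, 1, tzinfo=timezone.utc)
```

Calling `check_secrets(SAMPLE_SECRETS, TODAY)` returns one row per secret; the NO_EXPIRY rows are the ones a real flow would otherwise fail on in step 0.3.1.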

The result of this concept is a kind of monitoring for the secrets in Azure Key Vault, letting you build lifecycle management for your secrets.

Upcoming parts:

  •  Adding an expiration date (Azure Automation) when none is defined.
  •  Approval process to check if a secret is still in use.

Did you like this post?! Please share it on Twitter, give some Kudos, or leave some feedback! 😁

Thanks for reading!
