Showing results for 
Search instead for 
Did you mean: 

Concept - Azure Key Vault Life Cycle Management - Part 01


Azure Key Vault is a resource for storing and accessing secrets, key and certificates. But if a company need to have a rotation for these identifications? Azure key Vault has the possibility to enable key rotation and auditing, but this needs to be configured and is not a default feature. For those identifications, some specific value items can be used to build a lifecycle process. 

In this first part, a concept solution will be provided to detect the expiration date of a secret or key and to inform the IT department or owner of this key.


azure-key-vault-icon.pngAzure Key Vault (Preview)

This connector is available in the following products and regions:

Logic AppsStandardAll Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
FlowPremiumAll Flow regions except the following:
     -   US Government (GCC)


PremiumAll PowerApps regions except the following:
     -   US Government (GCC)

Throttling Limits

NameCallsRenewal Period
API Calls per connections100060 seconds



The Flow will connect to the Azure Key Vault via the connector and collect the necessary information to calculated the expiration date that has been set on the secret.

Key Vault Flow.png


The trigger for this flow is a schedule that will run every day at midnight. Let's start building the flow:


Select 'Schedule' as a trigger and filling in the following fields:

1-2. Interval - Frequency: based on the selected frequency type, the interval can be set. In this example, a daily schedule is created by selecting the day type and with an interval of 1. 

3. Timezone - in this example the timezone UTC +01:00 is used for Belgium.

4. At these hours - the flow will be triggered at midnight, which is the 0 for this field.


Following actions will be used in the flow:

  •  Connection to Azure Key Vault to get the information about the secrets in the Key Vault.
  •  Actions to calculate the days left before the expiration date.
  •  Send a notification on the number of days left.

Action - 0.2.Get Secrets

Before continuing the flow an app registration needs to be completed in the Azure portal. Go to 'Azure Active Directory', 'App Registrations', 'New registration'

FlowKV_02_2.pngClick add new registration



API Permissions


Register the application and create a secret, go to 'Certificates & Secret'. Create a client secret. Storing the client secret in a safe place, building the flow can be continued. Searching for the 'Azure Key Vault' and selecting the 'List Secret' - action.FlowKV_02_1.png

Select 'Connect with service principal'



1. Enter a connection name for this connector

2. Enter the name of the Key Vault in Azure. In this example, 'Cloud02KeyVault' has been used.

3 - 4 - 5. The Azure ID can be found in the App registration overview for this connection:


When the connection has been established with the Key Vault in Azure, the connector will be shown as follow in the flow: 


Action - 0.3.Check Days

In this apply to each - action, the days left before the expiration date will be calculated for every secret that has been found in the key vault. The value is the result of the step '0.2.Get Secrets', that will contain all the information about the secrets.

Action - 0.3.1.EndTime

Compose action that will collect the Secret end time. (in this example, we assume that there's is always an expiration time defined for each secret).


Action - 0.3.2.Today

Getting the current time and date, by using the Date Time - action. FlowKV_04_2.png

Action - 0.3.3.TicksToday 

In the next two steps, a conversion is needed to define the difference between the current time and expiration time. This can only be accomplished by converting the time to the number of ticks. So that we can subtract both values.


Expression: ticks(body('0.3.2.Today'))

Action - 0.3.3.TicksToday 


Expression: ticks(outputs('0.3.1.Endtime'))

Action - 0.3.5.DivDays

In the compose - action, a calculation will be done to get the days between the current and expiration date.
Expression: div(sub(outputs('0.3.4.TicksEndTime'),outputs('0.3.3.TicksToday')),864000000000)

FlowKV_04_5.pngThis result will show the number of days left between the current day and expiration time. 

Action - 0.3.6.Check WARNING Lvl

In this example, a WARNING message will be sent via email when the day difference is between 16 and 30 days. Is it lower then 16 days a CRITICAL message will be sent via email. 


Result of this concept is that there is a kind of monitoring for a secret in the Azure Key Vault. Letting you build a Life Cycle Management for your secrets.

Upcoming parts:

  •  Adding an expiration date (Azure Automation), when there's no defined
  •  Approval process to check if a secret is still in use.

Did you like this post?! Please share it on Twitter, give some Kudos, or leave some feedback! 😁

Thanks for reading!


"List Secrets" step returns only 25 records. How can we overcome this issue and return all the secrets?

Meet Our Blog Authors
  • Experienced Consultant with a demonstrated history of working in the information technology and services industry. Skilled in Office 365, Azure, SharePoint Online, PowerShell, Nintex, K2, SharePoint Designer workflow automation, PowerApps, Microsoft Flow, PowerShell, Active Directory, Operating Systems, Networking, and JavaScript. Strong consulting professional with a Bachelor of Engineering (B.E.) focused in Information Technology from Mumbai University.
  • I am a Microsoft Business Applications MVP and a Senior Manager at EY. I am a technology enthusiast and problem solver. I work/speak/blog/Vlog on Microsoft technology, including Office 365, Power Apps, Power Automate, SharePoint, and Teams Etc. I am helping global clients on Power Platform adoption and empowering them with Power Platform possibilities, capabilities, and easiness. I am a leader of the Houston Power Platform User Group and Power Automate community superuser. I love traveling , exploring new places, and meeting people from different cultures.
  • MCT | SharePoint, Microsoft 365 and Power Platform Consultant | Contributor on SharePoint StackExchange, TechCommunity
  • Encodian Owner / Founder - Ex Microsoft Consulting Services - Architect / Developer - 20 years in SharePoint - PowerPlatform Fan
  • I am the Owner/Principal Architect at Don't Pa..Panic Consulting. I've been working in the information technology industry for over 30 years, and have played key roles in several enterprise SharePoint architectural design review, Intranet deployment, application development, and migration projects. I've been a Microsoft Most Valuable Professional (MVP) 12 consecutive years and am also a Microsoft Certified SharePoint Masters (MCSM) since 2013.
  • Big fan of Power Platform technologies and implemented many solutions.
  • Passionate #Programmer #SharePoint #SPFx #Office365 #MSFlow | C-sharpCorner MVP | SharePoint StackOverflow, Github, PnP contributor
  • Web site – Youtube channel -