frederikbisback

Concept - Azure Key Vault Life Cycle Management - Part 01

Overview:

Azure Key Vault is a resource for storing and accessing secrets, keys and certificates. But what if a company needs to rotate these credentials? Azure Key Vault can be configured for key rotation and auditing, but neither is enabled by default. The metadata Key Vault keeps for each item, in particular its expiration date, can be used to build a lifecycle process.

In this first part, a concept solution is presented that detects the expiration date of a secret or key and informs the IT department or the owner of that key.

 

Azure Key Vault connector (Preview)

This connector is available in the following products and regions:

Service      Class      Regions
Logic Apps   Standard   All Logic Apps regions except Azure Government regions and Azure China regions
Flow         Premium    All Flow regions except US Government (GCC)
PowerApps    Premium    All PowerApps regions except US Government (GCC)

Throttling Limits

Name                        Calls   Renewal Period
API calls per connection    1000    60 seconds

 

How-to:

The flow connects to Azure Key Vault via the connector and collects the information needed to calculate the number of days until the expiration date that has been set on each secret.


TRIGGER

The trigger for this flow is a schedule that will run every day at midnight. Let's start building the flow:


Select 'Schedule' as the trigger and fill in the following fields:

1-2. Interval - Frequency: the interval depends on the selected frequency type. In this example a daily schedule is created by selecting 'Day' with an interval of 1.

3. Timezone - in this example UTC +01:00 is used for Belgium.

4. At these hours - the flow is triggered at midnight, which is 0 in this field.

ACTIONS

Following actions will be used in the flow:

  •  Connection to Azure Key Vault to get the information about the secrets in the Key Vault.
  •  Actions to calculate the days left before the expiration date.
  •  Send a notification on the number of days left.

Action - 0.2.Get Secrets

Before continuing with the flow, an app registration needs to be created in the Azure portal. Go to 'Azure Active Directory', 'App Registrations', and click 'New registration'.

 


API Permissions

Add the API permissions for the app registration. Note that API permissions alone do not grant access to the vault contents: the service principal must also be granted access on the Key Vault itself (an access policy with the 'List' permission on secrets, or, when the vault uses Azure RBAC, a role such as Key Vault Reader). The 'List secrets' action only returns secret metadata (name, enabled flag, start and end times), not secret values, so a list-only permission is sufficient and is the least-privilege choice for this flow.

Register the application and create a client secret under 'Certificates & secrets'. Store the client secret in a safe place (its value is shown only once); it is needed to create the connection. Then continue building the flow: search for the 'Azure Key Vault' connector and select the 'List secrets' action.

Select 'Connect with service principal'


1. Enter a connection name for this connector.

2. Enter the name of the Key Vault in Azure. In this example, 'Cloud02KeyVault' has been used.

3 - 4 - 5. Enter the Client ID, Client Secret and Tenant ID. The Client ID and Tenant ID can be found on the overview page of the app registration; the Client Secret is the value created in the previous step.


When the connection to the Key Vault has been established, the 'List secrets' action appears in the flow.

Action - 0.3.Check Days

In this apply to each action, the days left before the expiration date are calculated for every secret found in the key vault. The input is the value output of step '0.2.Get Secrets', which contains the metadata of all secrets.

Action - 0.3.1.EndTime

Compose action that collects the secret's end time (validity end time). In this example it is assumed that an expiration time is always defined for each secret; a secret without one produces an empty value here, and the tick conversion below has no valid input for it.

Action - 0.3.2.Today

Get the current date and time with the 'Current time' action of the Date Time connector.

Action - 0.3.3.TicksToday

In the next two steps, both timestamps are converted to ticks (100-nanosecond intervals counted from 0001-01-01), so that the difference between the current time and the expiration time can be computed with a plain subtraction.

Expression: ticks(body('0.3.2.Today'))

Action - 0.3.4.TicksEndTime

Expression: ticks(outputs('0.3.1.EndTime'))

Action - 0.3.5.DivDays

In this compose action, the number of days between the current date and the expiration date is calculated by dividing the tick difference by the number of ticks in one day (86,400 seconds x 10,000,000 ticks per second = 864,000,000,000).

Expression: div(sub(outputs('0.3.4.TicksEndTime'),outputs('0.3.3.TicksToday')),864000000000)

The result is the whole number of days left between now and the expiration time; it is negative if the secret has already expired.

Action - 0.3.6.Check WARNING Lvl

In this example, a WARNING message is sent via email when the number of days left is between 16 and 30, and a CRITICAL message when it is lower than 16 (which also covers secrets that have already expired, since the value is then negative).
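The whole apply-to-each branch (end time, current time, ticks, division, severity) as an added, stand-alone Python example; this is not code from the original post and not the flow itself. It mirrors the tick arithmetic of the expressions above so the result of a flow run can be reproduced and checked offline. Assumptions: the 'List secrets' output exposes the end time as an ISO-8601 field named validityEndTime that may be null (the field name is an assumption), and the sample records and fixed "today" are constructed, not real vault data. It goes slightly beyond the post by also handling secrets without an expiration date and secrets that have already expired.

```python
"""Expiry check for Azure Key Vault secrets, mirroring the flow's tick arithmetic.

Added example, not code from the original post. Assumes the 'List secrets'
action returns per secret a 'name' and an ISO-8601 'validityEndTime' that may
be null when no expiration is set (field name is an assumption). The sample
records below are constructed, not real vault data.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# .NET / Power Automate ticks: 100-nanosecond intervals since 0001-01-01T00:00:00Z
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000  # 86 400 s * 10^7 ticks/s, the constant used in div()

# Thresholds from the post: 16..30 days -> WARNING, below 16 -> CRITICAL
WARNING_DAYS = 30
CRITICAL_DAYS = 16


def ticks(timestamp: str) -> int:
    """Equivalent of the ticks() expression: ISO-8601 string -> tick count."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:  # treat naive stamps as UTC, as Key Vault timestamps are
        dt = dt.replace(tzinfo=timezone.utc)
    micros = (dt - TICKS_EPOCH) // timedelta(microseconds=1)
    return micros * 10


def div_days(tick_delta: int) -> int:
    """Integer division truncating toward zero, like div() on integer operands."""
    q = abs(tick_delta) // TICKS_PER_DAY
    return -q if tick_delta < 0 else q


def days_left(validity_end: str, today: str) -> int:
    """div(sub(ticks(end), ticks(today)), 864000000000) from the flow."""
    return div_days(ticks(validity_end) - ticks(today))


def severity(days: int | None) -> str:
    """Map the day count to the level the flow would mail about."""
    if days is None:
        return "NO_EXPIRY"  # the post assumes this never happens; flag it instead
    if days < 0:
        return "EXPIRED"  # the flow's '< 16' branch also catches these (negative)
    if days < CRITICAL_DAYS:
        return "CRITICAL"
    if days <= WARNING_DAYS:
        return "WARNING"
    return "OK"


def check_secrets(secrets: list[dict], today: str) -> list[dict]:
    """The apply-to-each over the List secrets output; one report row per secret."""
    report = []
    for s in secrets:
        end = s.get("validityEndTime")
        days = days_left(end, today) if end else None
        report.append({"name": s["name"], "days_left": days, "level": severity(days)})
    return report


# Constructed sample of what the connector would return (not real vault data)
SAMPLE_SECRETS = [
    {"name": "sql-conn", "validityEndTime": "2024-01-31T00:00:00Z"},
    {"name": "api-token", "validityEndTime": "2024-01-10T12:00:00Z"},
    {"name": "smtp-pass", "validityEndTime": "2024-06-01T00:00:00Z"},
    {"name": "legacy-key", "validityEndTime": None},
    {"name": "old-cert-pw", "validityEndTime": "2023-12-20T00:00:00Z"},
]
TODAY = "2024-01-01T00:00:00Z"  # fixed instead of utcnow() so runs are reproducible

if __name__ == "__main__":
    for row in check_secrets(SAMPLE_SECRETS, TODAY):
        print(f"{row['level']:<9} {row['name']:<12} days_left={row['days_left']}")
```

The division truncates toward zero on purpose: a secret expiring in 9.5 days reports 9, the same value the flow's div() produces, so the thresholds behave identically in both places. Replace TODAY with the current UTC time and SAMPLE_SECRETS with the real connector output to use it as a check against a live flow run.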

The result of this concept is a basic form of monitoring for the secrets in Azure Key Vault, on which a life cycle management process for your secrets can be built.

Upcoming parts:

  •  Adding an expiration date (via Azure Automation) when none is defined.
  •  An approval process to check whether a secret is still in use.


Thanks for reading!

Comments

"List Secrets" step returns only 25 records. How can we overcome this issue and return all the secrets?
