Azure Arc Service Principal Expiry Monitoring

Introduction

When implementing Azure Arc at scale, service principal credentials power your automated server onboarding. These credentials have expiration dates - and when they expire, your onboarding scripts fail.

The script executes, the agent installs, but nothing gets onboarded to Azure Arc. You're left with servers that appear configured but are completely invisible to Arc management, security policies, and monitoring.

This monitoring solution provides automated service principal expiry tracking with proactive alerts, ensuring your Azure Arc onboarding remains operational.

Solution Overview

This monitoring solution checks Azure Arc service principal credential expiry and sends proactive alerts before credentials expire.

Technology Approach

• Azure Automation - Scheduled credential checks using managed identity
• Microsoft Graph API - Reads service principal credential expiry dates
• Alert Delivery - Azure Logic Apps for Teams notifications OR Microsoft Sentinel for incident tracking
• Proactive Timing - Alerts at 7 days, 3 days, and expiry events

The solution monitors Azure Arc onboarding service principal credentials and alerts your team before expiry impacts production.

Two Monitoring Approaches

Option 1: Logic Apps with Teams Notifications

Direct notification approach for operational teams:

• Azure Automation runbook checks credential expiry
• Logic App receives expiry data via HTTP trigger
• Adaptive cards posted to Microsoft Teams channel
• Team sees alerts immediately in their workflow

Option 2: Microsoft Sentinel Integration

Security operations approach for centralized monitoring:

• Azure Automation checks credentials and creates Sentinel incidents
• Incidents include full credential details and context
• Security team manages through existing Sentinel workflows
• Complete audit trail in security operations platform

Technical Requirements

Azure Environment

• Active Azure subscription with Automation Account capability
• Azure Arc service principal with credentials to monitor
• Entra ID permissions to read application registrations

For Logic Apps Approach

• Azure Logic Apps workspace
• Microsoft Teams with target channel
• Service account with Teams access (licensed, secured with Conditional Access)

For Sentinel Approach

• Microsoft Sentinel workspace configured
• Sentinel Responder permissions for incident creation

Skills Needed

• Azure Automation Account configuration
• PowerShell and Microsoft Graph API experience
• Basic Logic Apps or Sentinel familiarity

Implementation Scope

The complete solution includes four main implementation phases:

1. Azure Automation Setup - Create Automation Account with system-assigned managed identity and custom runtime environment
2. Permissions Configuration - Delegate Microsoft Graph permissions to read application credentials
3. Alert Delivery Setup - Configure either Logic Apps with Teams integration OR Sentinel incident creation
4. Monitoring Deployment - Deploy and test credential monitoring with scheduled execution

Alert Timing & Frequency

Default alert thresholds are 7 days, 3 days, and expiry - but you configure these to match your needs:

• 7 Days Before Expiry - Early warning to plan credential renewal (configurable)
• 3 Days Before Expiry - Urgent reminder to renew credentials (configurable)
• Expired Credentials - Immediate alert when onboarding is broken

Set your own check frequency (daily recommended) and customize alert thresholds to match your operational requirements.

Complete Implementation Guide

The full Azure Arc service principal monitoring solution includes:

• Azure Automation Account configuration guide
• System-assigned managed identity setup
• Microsoft Graph permissions delegation
• Logic Apps HTTP trigger and Teams integration
• Microsoft Sentinel incident creation approach
• Complete PowerShell monitoring scripts
• Adaptive card templates for Teams notifications
• Testing and validation procedures
• Troubleshooting guidance