19 Jun 2025 08:53 AM - last edited on 16 Dec 2025 01:25 PM by IzabelaRokita
Hi community,
Has anyone succeeded in pulling the expiration dates of Azure App Credentials (client-secret / certificate) directly into Dynatrace?
I’m not referring to secrets stored in Azure Key Vault (those are already covered by the Key Vault integration). I need to surface the expiry information that Azure exposes under:
Context
Dynatrace SaaS, ActiveGate 1.313
Azure Monitor integration already enabled
What I’ve tried
Azure Monitor Metrics/Logs – couldn’t find any metric or table that exposes credential expiry.
Dynatrace Extensions 2.0 – checked available extension libraries; none seem to target applications endpoints.
Custom API pull – considered building an Extension 2.0 that calls
GET https://graph.microsoft.com/v1.0/applications/{id}?$select=id,displayName,passwordCredentials
…but before investing time I’d like to know if there’s an existing solution or best practice.
Questions
Did you manage to ingest this data into Dynatrace (metric, log, or event)?
If so, which approach worked best (built-in integration, Extension 1.0/2.0, Synthetic Monitor)?
Any pitfalls around token scopes, rate limits, or schema mapping I should watch out for?
Thanks in advance for any insights or code snippets!
Best,
16 Dec 2025 01:25 PM
Hey @JeanBlanc ,
I just wanted to check in and see if you still need help with this. If so, I’d be happy to look into it for you! 😊
Please let me know what works best for you.
17 Dec 2025 03:32 PM
Hi @IzabelaRokita,
Thanks for checking back 😊
Yes — I can confirm that I’ve already implemented a fully functional solution for this use case.
I built an export based on Microsoft Graph to pull App Registration credential expiry (client secrets + certificates) and bring it into Dynatrace in a way that supports dashboards and alerting for customers.
So overall: the solution is already in production, and my customers are using it today to monitor expiration dates and get proactive alerts.
Best,
19 Feb 2026 12:10 PM
Hi @JeanBlanc,
We are looking to implement the same. Would you be able to provide further details on how you implemented this?
Thanks,
23 Feb 2026 08:47 AM
Hi @Mattw1 — happy to share the high-level approach.
Overall architecture:
A scheduled PowerShell script runs on a runner (VM/automation host).
The script queries Microsoft Graph to retrieve App Registrations / Service Principals and their credential expiration dates (secrets/certs).
It generates a status log (expired / expiring soon / valid + metadata like app name/id and expiry date).
The log is shipped into Dynatrace via Dynatrace Log Monitoring / Log ingest.
In Dynatrace, the logs are used to build a Dashboard v2 (Dynatrace Managed in this example), and optionally a log-based alert / event when thresholds are met.
Simple Diagram:
Best regards,
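
The architecture outlined in the post above, sketched as an added example (this is not JeanBlanc's script). Assumptions: the environment variable names `GRAPH_TOKEN`, `DT_ENV_URL` and `DT_LOG_TOKEN`, the 30-day warning threshold, and the log attribute names are all hypothetical; the Graph token is obtained separately with `Application.Read.All`, and the Dynatrace token carries the `logs.ingest` scope.

```powershell
# Added example: App Registration credential expiry -> Dynatrace log records (names below are assumptions).
param([int]$WarnDays = 30)

function Get-GraphApplication {            # pages through all App Registrations
    param([string]$AccessToken)
    # Single quotes keep PowerShell from expanding $select as a variable.
    $uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,passwordCredentials,keyCredentials'
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers @{ Authorization = "Bearer $AccessToken" }
        $page.value
        $uri = $page.'@odata.nextLink'     # absent on the last page, which ends the loop
    }
}
function ConvertTo-ExpiryLogRecord {       # one log record per secret / certificate
    param($Applications, [datetime]$NowUtc, [int]$WarnDays)
    foreach ($app in $Applications) {
        $creds = @()
        foreach ($c in $app.passwordCredentials) { $creds += @{ Type = 'secret'; Cred = $c } }
        foreach ($c in $app.keyCredentials)      { $creds += @{ Type = 'certificate'; Cred = $c } }
        foreach ($item in $creds) {
            $raw = $item.Cred.endDateTime  # string in Windows PowerShell 5.1, DateTime in PowerShell 7
            $end = if ($raw -is [datetime]) { $raw.ToUniversalTime() } else {
                [datetimeoffset]::Parse($raw, [cultureinfo]::InvariantCulture).UtcDateTime }
            $days = [math]::Floor(($end - $NowUtc).TotalDays)
            $status = if ($end -le $NowUtc) { 'expired' } elseif ($days -lt $WarnDays) { 'expiring_soon' } else { 'valid' }
            [ordered]@{
                content      = "App credential ${status}: $($app.displayName) ($($item.Type)) ends $($end.ToString('yyyy-MM-dd'))"
                severity     = @{ expired = 'ERROR'; expiring_soon = 'WARN'; valid = 'INFO' }[$status]
                'log.source' = 'entra-app-credential-expiry'
                'app.name'   = $app.displayName; 'app.id' = $app.appId
                'credential.type'      = $item.Type
                'credential.keyid'     = $item.Cred.keyId   # identifier only, never secret material
                'credential.status'    = $status
                'credential.days_left' = $days
            }
        }
    }
}
if ($env:GRAPH_TOKEN -and $env:DT_ENV_URL -and $env:DT_LOG_TOKEN) {
    $apps    = Get-GraphApplication -AccessToken $env:GRAPH_TOKEN
    $records = @(ConvertTo-ExpiryLogRecord -Applications $apps -NowUtc ([datetime]::UtcNow) -WarnDays $WarnDays)
    Invoke-RestMethod -Method Post -Uri "$($env:DT_ENV_URL)/api/v2/logs/ingest" -ContentType 'application/json; charset=utf-8' `
        -Headers @{ Authorization = "Api-Token $($env:DT_LOG_TOKEN)" } -Body (ConvertTo-Json @($records) -Depth 4)
} else {
    # Offline dry run on a constructed sample shaped like a Graph response (values are made up).
    $sample = @([pscustomobject]@{ appId = 'sample-app-id'; displayName = 'demo-app'; keyCredentials = @()
        passwordCredentials = @([pscustomobject]@{ keyId = 'sample-key-id'; endDateTime = '2026-01-10T00:00:00Z' }) })
    ConvertTo-ExpiryLogRecord -Applications $sample -NowUtc ([datetime]::new(2026, 1, 1, 0, 0, 0, 'Utc')) -WarnDays $WarnDays | ConvertTo-Json
}
```

With no environment variables set, the script prints the record it would send for the sample app, which here is classified `expiring_soon` with 9 days left.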
18 Dec 2025 10:24 AM
Amazing @JeanBlanc , congratulations on finding & implementing the right solution and sharing the details with our Community! Much appreciated 😊