Azure AD B2C - How To Check Certificate Expiration

Azure AD B2C allows for custom policies to have certificates uploaded to what's called a "KeySet". However, other than manually confirming the certificate's expiration date, there's really no easily apparent way to automate this.

Yet another C# example.

Solution overview

Using Azure Functions, you'll retrieve an Azure AD B2C policy certificate's expiration date using the Microsoft Graph SDK (beta), fetching the KeySet information.

Responding (the scheduled caller)

In this example, I setup a scheduled Logic App that will execute on an interval:

Store an array of policy key ids in a Logic App variable (set it to what you want or you could retrieve this list dynamically)
Execute the Function, get the result, and take conditional action
In this example, I triggered sending an SMS to be sent

You can trigger anything if you don't want a simple SMS or email to be sent. You can even cause another process to be triggered to rotate the key value in B2C.

Getting Started

BC2 configuration

Create an app registration in the B2C tenant
Give it Application Permission of TrustFrameworkKeySet.Read.All

You'll need the following "parameters" from the app registration:

Client ID of the app
Client secret
the tenant ID of the B2C tenant (format: mydomain.onmicrosoft.com)

Deploy resources

Follow these steps to get this setup and running. First, open cloud shell in Bash.

git clone --depth 1 https://github.com/kevinhillinger/azuread-b2c-cert-rotator.git 
cd azuread-b2c-cert-rotator

./scripts/deploy.sh

Resources that get deployed

In ./scripts/deploy.sh, the following gets deployed:

Resource Group
Function App (on demand, linux)
- Storage account for the function instance
- Application Insights instance for logging
- values in the FunctionApp's application settings should get set
Logic App

Running the serverless function locally

Install the Azure Functions Core Tools

cd src/Functions
func start --build

App Settings:

{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",
        "B2C_CLIENT_ID": "<client id, e.g. 845cea86-4a21-406a-b5ef-7abb75b8b5f9>",
        "B2C_CLIENT_SECRET": "<client secret>",
        "B2C_TENANT_ID": "<the b2c domain, e.g. mydomain.onmicrosoft.com>"
    }
}

Logic App - Scheduled check of a list of certificates

Using a logic app found in src/Logic, you can deploy this definition as an example of how to schedule the work to check a list of certificates.

There are placeholder values you'll need to update in the logic app definition before deploying.

Example SMS message

Sample POST to the Azure Function

POST http://localhost:7071/api/GetCertificateExpiration

{
    "policyKeyId": "B2C_1A_Certificate"
}

Example response:

{
    "expired": true,
    "hoursToExpiration": -3077,
    "value": "2020-04-26T11:07:01-04:00"
}

kevinhillinger / azuread-b2c-cert-rotator Goto Github PK

azuread-b2c-cert-rotator's Introduction

Azure AD B2C - How To Check Certificate Expiration

Solution overview

Responding (the scheduled caller)

Getting Started

BC2 configuration

Deploy resources

Resources that get deployed

Running the serverless function locally

Logic App - Scheduled check of a list of certificates

Example SMS message

Sample POST to the Azure Function

azuread-b2c-cert-rotator's People

Contributors

Stargazers

Watchers

azuread-b2c-cert-rotator's Issues

Recommend Projects

Recommend Topics

Recommend Org