
EntraID Secrets Removal → Ivanti Automation

Overview

This automation removes expired secrets and certificates from EntraID App Registrations, triggered automatically via Ivanti ITSM tasks.

When an EntraID secret or certificate expires, an Ivanti task is created to remove the credential. This playbook:

  • Authenticates to EntraID using the appropriate credentials
  • Removes secrets via Azure RM modules
  • Removes certificates via the Microsoft Graph removeKey API with certificate-based authentication
  • Updates the Ivanti task with success or failure status
  • Closes the task automatically on success or reassigns it on failure

High-Level Flow

  1. Ivanti task is created for secret/certificate removal
  2. Ansible Automation Platform triggers this playbook
  3. Playbook retrieves task details from Ivanti
  4. Authenticates to EntraID (production or onderwijs tenant)
  5. Determines removal method based on SecretType:
     • Secret: direct removal via Azure RM module
     • Certificate: certificate-based auth + removeKey API
  6. Updates Ivanti task:
     • Success: close task with resolution
     • Failure: add note and reassign to Systeemsoftware

Execution Flow

sequenceDiagram
    participant Ivanti as Ivanti ITSM
    participant AAP as Ansible Automation
    participant PWS as Passwordstate
    participant EntraID as EntraID/Azure
    participant Graph as Microsoft Graph API

    Ivanti->>AAP: Trigger removal task
    AAP->>Ivanti: Get task details
    Ivanti-->>AAP: Task info (AppID, SecretID, SecretType)

    AAP->>PWS: Get EntraID credentials
    PWS-->>AAP: Service Principal credentials

    alt SecretType == "Secret"
        AAP->>EntraID: azure_rm_adpassword (state: absent)
        EntraID-->>AAP: Secret removed
        AAP->>Ivanti: Close task (success)
    else SecretType == "Certificaat"
        AAP->>PWS: Get PKI credentials
        PWS-->>AAP: PKI system credentials
        AAP->>PWS: Get certificate entry
        PWS-->>AAP: Certificate metadata
        AAP->>PWS: Query database for PFX
        PWS-->>AAP: Document ID
        AAP->>PWS: Download PFX file
        PWS-->>AAP: Certificate PFX
        AAP->>AAP: Generate client_assertion JWT<br/>(using current certificate)
        AAP->>EntraID: Get access token<br/>(certificate auth)
        EntraID-->>AAP: Access token
        AAP->>AAP: Generate PoP token<br/>(Proof-of-Possession)
        AAP->>Graph: POST /removeKey<br/>(with PoP proof)
        Graph-->>AAP: Certificate removed (204)
        AAP->>Ivanti: Close task (success)
    end

    alt Failure
        AAP->>Ivanti: Add note with error
        AAP->>Ivanti: Reassign to Systeemsoftware
    end

Components

Ivanti ITSM

Task Creation

Automated task creation when secrets/certificates expire

Task parameters include:

  • AppDisplayName: Display name of the App Registration
  • AppID: Application (client) ID
  • SecretID: Key ID of the secret or certificate to remove
  • SecretType: "Secret", "Certificaat", or "Cert"
  • Onderwijs: "Yes" for education tenant, "No" for production

Passwordstate

Credential Storage

Multiple credential sources:

  • Production EntraID: Sys_Azure_AppRegs_PR (list 8620)
  • Onderwijs EntraID: Sys_Azure_OND_Admin (list 8620)
  • PKI credentials: sys_srvaapwin_pki (list 8620)
  • Database credentials: sys_pws_ansible_read (list 8620)
  • Certificate entries: List 6691 (EntraID ServicePrincipal Certificaten)

EntraID / Microsoft Graph

Removal Methods

Two different approaches based on credential type:

  • Secrets: Azure RM module with direct removal
  • Certificates: Graph API removeKey with certificate authentication

Tenant Configuration

Production Tenant (Default)

  • Tenant ID: c3c1e6bb-1ebf-4335-ad13-3419266a9781
  • Tenant Name: gentplus.onmicrosoft.com
  • Subscription: 9f3c9e4f-7451-44cc-80c0-258e49e49192

Onderwijs Tenant

  • Tenant ID: c32c6912-0c85-4d02-8d38-51da93512d64
  • Tenant Name: onderwijsstadgent.onmicrosoft.com
  • Subscription: 638468ab-6418-4403-8c17-5a03453d5489

Tenant is automatically selected based on Onderwijs parameter from Ivanti task.

Removal Process

Secret Removal (SecretType: "Secret")

Simple direct removal using Azure modules:

  1. Get EntraID credentials from Passwordstate
  2. Look up the App Registration by AppID
  3. Remove the secret using azure_rm_adpassword:
     • app_id: Application ID
     • key_id: Secret ID to remove
     • state: absent
  4. Mark success if removal completes

No additional authentication required - uses service principal credentials directly.

Certificate Removal (SecretType: "Certificaat" or "Cert")

Complex removal using certificate-based authentication:

  1. Retrieve certificate information
     • Get PKI credentials from Passwordstate
     • Retrieve certificate entry from Passwordstate (list 6691)
     • Query Passwordstate database for PFX document ID
     • Download current certificate PFX file
  2. Generate authentication tokens
     • Generate client_assertion JWT using the current certificate
     • Obtain access token from EntraID using certificate authentication
     • Generate Proof-of-Possession (PoP) token for the removeKey API
  3. Remove certificate
     • Call Microsoft Graph removeKey API:
       - Endpoint: POST /applications/{id}/removeKey ({id} is the application object ID, not the Application (client) ID)
       - Headers: Bearer token
       - Body: keyId of the certificate to remove + PoP proof JWT
       - Expected response: 204 No Content
  4. Verify success
     • HTTP 204 = success
     • Any other status = failure with error message

Why certificate authentication? The Graph removeKey API only accepts the request when the body carries a proof JWT signed with the private key of a certificate that is still registered and valid on the application; a bearer token on its own is not enough. This stops a caller who has merely obtained an access token from stripping certificates off an app, and it is also why the playbook needs the PFX of the current certificate (not the expired one being removed) to build the proof.
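Before the removeKey call is worth attempting, it is useful to look at the app's keyCredentials (what GET /applications/{id}?$select=keyCredentials returns) and confirm two things: the SecretID from the Ivanti task is present and really expired, and the certificate the proof will be signed with is still registered and unexpired. The following is an added example written for this page, not code from the playbook: plan_removal, thumbprint_b64 and the sample credential list are assumed names and constructed data shaped like Graph's keyCredential resource.

```python
# Added example, not part of the playbook: a pre-flight check over the app's keyCredentials
# before calling removeKey.  It confirms the target keyId exists and is expired, and that the
# certificate the proof will be signed with is still registered and unexpired, since Graph
# rejects a proof signed by a key that is not one of the app's valid certificates.
# The sample credentials below are constructed.
import base64
from datetime import datetime, timezone

def _parse(ts):  # Graph returns ISO 8601 timestamps with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def thumbprint_b64(thumbprint_hex):
    """customKeyIdentifier is base64 of the raw thumbprint bytes (normally SHA-1), not the hex string."""
    return base64.b64encode(bytes.fromhex(thumbprint_hex)).decode()

def plan_removal(key_credentials, target_key_id, proof_thumbprint_hex, now):
    """Return (ok, reason); ok=True means removeKey can be attempted with this proof certificate.
    `now` is an aware datetime or an ISO 8601 string (Ansible facts arrive as strings)."""
    now = _parse(now) if isinstance(now, str) else now
    target = next((k for k in key_credentials if k["keyId"] == target_key_id), None)
    if target is None:
        return False, f"keyId {target_key_id} is not on the app (already removed?)"
    if _parse(target["endDateTime"]) > now:
        return False, f"keyId {target_key_id} ({target.get('displayName')}) has not expired; refusing to remove"
    want = thumbprint_b64(proof_thumbprint_hex)
    # the proof must come from a *different* certificate than the one being removed
    signer = next((k for k in key_credentials
                   if k.get("customKeyIdentifier") == want and k["keyId"] != target_key_id), None)
    if signer is None:
        return False, "proof certificate is not registered on the app; removeKey would be rejected"
    if _parse(signer["endDateTime"]) <= now:
        return False, "proof certificate has expired; upload a new certificate before removing the old one"
    return True, f"remove {target_key_id}, proof signed with {signer['keyId']}"

# Constructed sample shaped like Graph's keyCredential resource: one expired, one current certificate.
SAMPLE_KEY_CREDENTIALS = [
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "CN=svc-aap-2023",
     "customKeyIdentifier": thumbprint_b64("aa" * 20), "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2023-01-01T00:00:00Z", "endDateTime": "2024-01-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "CN=svc-aap-2024",
     "customKeyIdentifier": thumbprint_b64("bb" * 20), "type": "AsymmetricX509Cert", "usage": "Verify",
     "startDateTime": "2024-01-01T00:00:00Z", "endDateTime": "2026-01-01T00:00:00Z"},
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(plan_removal(SAMPLE_KEY_CREDENTIALS, "11111111-1111-1111-1111-111111111111", "bb" * 20, NOW))
```

The "refusing to remove" branch is a policy guard rather than a Graph restriction: removeKey will happily delete an unexpired certificate, so the check protects against an Ivanti task that names the wrong SecretID.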

Error Handling

Rescue Block

Catches any errors during the removal process:

  • Sets secret_removal_success: false
  • Captures the error message in noteError

Always Block

Executes regardless of success or failure:

  1. Validate SecretType
     • Only "Secret", "Certificaat", "Cert" are supported
     • Invalid types set an appropriate error message
  2. Update success status
     • If remove_sp_secret.changed == true: mark as successful
  3. Handle failures
     • Reassign task to Systeemsoftware team
     • Add note to task with error details
  4. Handle success
     • Close task with resolution message
     • Log 1 minute time spent

Required Python Script

The playbook requires generate_jwt_token.py to create the two JWTs used in certificate removal. It is called twice with a different TOKEN_TYPE:

For the client_assertion (sent to the token endpoint to obtain the Graph access token):

  • TOKEN_TYPE: "client_assertion"
  • PFX_PATH: Path to current certificate PFX
  • PFX_PASSWORD: Certificate password
  • TENANT_ID: Azure tenant ID
  • CLIENT_ID: Application (client) ID

For the PoP token (the proof sent in the removeKey body):

  • TOKEN_TYPE: "pop"
  • PFX_PATH: Path to current certificate PFX
  • PFX_PASSWORD: Certificate password
  • TENANT_ID: Azure tenant ID
  • SUB_ID: Application object ID
  • ISS_ID: Application object ID
  • AUD: 00000002-0000-0000-c000-000000000000 (the fixed audience the removeKey proof must carry)
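What the two TOKEN_TYPE modes produce, as an added example for this page and not the project's generate_jwt_token.py: the client_assertion JWT (iss/sub = client ID, aud = the tenant's token endpoint) and the removeKey proof JWT (iss/sub = application object ID, aud = 00000002-0000-0000-c000-000000000000, exp at most 10 minutes after nbf), plus the token-endpoint form and the removeKey request they go into. To run offline it signs with a throwaway pure-Python RS256 (PKCS#1 v1.5 over SHA-256) key generated on the fly and uses a constructed stand-in for the certificate DER; a real script would load both key and certificate from the PFX (for instance with the cryptography library's pkcs12 loader). All function names, the v2.0 token endpoint and the 5- and 10-minute lifetimes are this example's assumptions.

```python
# Added example, not the project's generate_jwt_token.py: builds the client_assertion JWT for
# the Entra token endpoint and the proof JWT for Graph removeKey.  The RS256 backend is a
# throwaway pure-Python PKCS#1 v1.5/SHA-256 signer with a freshly generated key so this runs
# offline; the deployed script loads key and certificate from the PFX instead.
import base64, hashlib, json, random, secrets, time, uuid

def _is_probable_prime(n, rounds=16):            # Miller-Rabin
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_rsa_key(bits=1024):
    """(n, e, d) throwaway demo key; the deployed script uses the PFX private key instead."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256

def _emsa(data, k):  # EMSA-PKCS1-v1_5 encoding, which is what RS256 signs
    t = _DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, data):
    n, _, d = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(data, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(key, data, sig):
    n, e, _ = key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(data, k)

def _b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_jwt(key, cert_der, claims):
    """RS256 JWT; x5t = base64url(SHA-1 of the DER cert) tells Entra which keyCredential to verify with."""
    hdr = {"alg": "RS256", "typ": "JWT", "x5t": _b64url(hashlib.sha1(cert_der).digest())}
    enc = lambda o: _b64url(json.dumps(o, separators=(",", ":")).encode())
    signing_input = enc(hdr) + "." + enc(claims)
    return signing_input + "." + _b64url(rs256_sign(key, signing_input.encode()))

def verify_jwt(key, jwt):
    h, c, s = jwt.split(".")
    return rs256_verify(key, f"{h}.{c}".encode(), _b64url_decode(s))
def decode_claims(jwt):
    return json.loads(_b64url_decode(jwt.split(".")[1]))

def client_assertion(key, cert_der, tenant_id, client_id, now=None):
    now = int(now if now is not None else time.time())
    return build_jwt(key, cert_der, {"aud": f"https://login.microsoftonline.com/{tenant_id}/v2.0",
                                     "iss": client_id, "sub": client_id, "jti": str(uuid.uuid4()),
                                     "nbf": now, "exp": now + 300})

REMOVEKEY_AUD = "00000002-0000-0000-c000-000000000000"   # fixed audience Graph requires in the proof

def removekey_proof(key, cert_der, app_object_id, now=None):
    now = int(now if now is not None else time.time())
    # iss/sub carry the application OBJECT id (not the client id); exp may be at most nbf + 10 min
    return build_jwt(key, cert_der, {"aud": REMOVEKEY_AUD, "iss": app_object_id,
                                     "sub": app_object_id, "nbf": now, "exp": now + 600})

def token_request(tenant_id, client_id, assertion):
    """Form fields for POST https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token."""
    return {"client_id": client_id, "grant_type": "client_credentials",
            "scope": "https://graph.microsoft.com/.default",
            "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            "client_assertion": assertion}

def removekey_request(app_object_id, access_token, key_id, proof):
    """(url, headers, json body) for removeKey; 204 No Content means the certificate is gone."""
    return (f"https://graph.microsoft.com/v1.0/applications/{app_object_id}/removeKey",
            {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
            {"keyId": key_id, "proof": proof})
```

The only structural difference between the two tokens is the claim set: the same certificate signs both, which is why the x5t header must match the thumbprint of a certificate currently registered on the app, and why the proof is worthless (and removeKey fails) once that certificate has itself expired.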

Integration with Ivanti

Task Input

Retrieved via the d09.ivanti_itsm.verwerk_task role, which provides:

  • task_info.servicereq_params.AppDisplayName
  • task_info.servicereq_params.AppID
  • task_info.servicereq_params.SecretID
  • task_info.servicereq_params.SecretType
  • task_info.servicereq_params.Onderwijs
  • task_info.AssignmentID (task number)
  • task_info.RecId (record ID for notes)

Task Output

On Success:

  • Close task using d09.ivanti_itsm.close_task
  • Resolution: "Expired secret for {AppDisplayName} removed"
  • Time spent: 1 minute

On Failure:

  • Reassign task using d09.ivanti_itsm.assign_task to Systeemsoftware
  • Add note using d09.ivanti_itsm.add_note:
     - Subject: "{SecretType} removal failed"
     - Body: Error message from noteError
     - Category: Status Update
  • Time spent: 1 minute

Idempotency & Safety

  • Uses ignore_errors: true on removal operations to prevent playbook failure
  • Success is tracked via secret_removal_success variable
  • Always block ensures Ivanti task is updated regardless of outcome
  • The removeKey proof requirement means removing a certificate needs the private key of a certificate registered on the app, not just an access token
  • No destructive actions on failure - task is reassigned for manual review

Benefits

  • Fully automated cleanup of expired credentials
  • Secure certificate removal using proof-of-possession
  • Multi-tenant support (production and onderwijs)
  • Automatic task closure on success
  • Clear error handling and manual escalation on failure
  • Audit trail via Ivanti task notes
  • Reduces manual overhead for credential lifecycle management

Notes

  • Secret removal uses simpler Azure RM module approach
  • Certificate removal requires the current certificate to generate PoP token
  • Failed removals are reassigned to Systeemsoftware for manual intervention
  • All credentials retrieved from Passwordstate are marked no_log: true
  • Database queries are used to retrieve PFX documents from Passwordstate
  • Supports both "Certificaat" and "Cert" as valid SecretType values for certificates