
EntraID Secrets Renewal Schedule → Ivanti Automation

Overview

This automation proactively identifies and schedules renewal of expiring EntraID secrets and certificates by creating Ivanti Service Requests.

The playbook runs on a schedule to scan all EntraID App Registrations for credentials expiring within a configurable window (default: 28 days). For each expiring credential, an Ivanti Service Request is automatically created, ensuring timely renewal and preventing service disruptions.

High-Level Flow

  1. Scheduled job runs periodically to scan EntraID
  2. PowerShell script retrieves all App Registrations
  3. Identifies secrets and certificates expiring within cutoff period
  4. Queries Ivanti for existing renewal requests (prevents duplicates)
  5. Enriches data with Master Data Applications (MDA) ownership information
  6. Creates Service Requests for new expiring credentials
  7. Service Requests trigger downstream renewal automation

Execution Flow

sequenceDiagram
    participant Schedule as Scheduled Job
    participant AAP as Ansible Automation
    participant PWS as Passwordstate
    participant EntraID as EntraID/Graph
    participant MDA as Master Data API
    participant Ivanti as Ivanti ITSM

    Schedule->>AAP: Trigger renewal scan
    AAP->>PWS: Get EntraID credentials
    PWS-->>AAP: Service Principal credentials

    AAP->>EntraID: Scan App Registrations<br/>(PowerShell + Graph API)
    EntraID-->>AAP: All App Registrations

    AAP->>AAP: Filter expiring credentials<br/>(28 day window)
    AAP->>AAP: Exclude system apps<br/>(Power Virtual Agents, etc.)

    AAP->>Ivanti: Query existing Service Requests<br/>(prevent duplicates)
    Ivanti-->>AAP: Active renewal requests

    loop For each expiring credential with MDAPPGUID
        AAP->>MDA: Lookup application details
        MDA-->>AAP: Team ownership info
        AAP->>AAP: Enrich credential with team
    end

    loop For each new expiring credential
        AAP->>Ivanti: Create Service Request<br/>(SecretType, AppID, SecretID, Team)
        Ivanti-->>AAP: SR created
    end

Components

Scheduled Job

Trigger Frequency

Runs periodically (typically daily) to scan for expiring credentials

Scan Parameters:

  • start_days: Days from now to start looking (default: 0 = today)
  • cutoff_days: Days from now to stop looking (default: 28)
  • Configurable via job template extra_vars

EntraID / Microsoft Graph

PowerShell Scanning

Uses the win_powershell module with the Microsoft Graph SDK:

  • Authenticates using a Service Principal
  • Retrieves all App Registrations (or filters by name)
  • Examines both PasswordCredentials (secrets) and KeyCredentials (certificates)

Exclusion Filters

Automatically excludes system/managed applications:

  • Power Virtual Agents
  • Microsoft Copilot
  • Werkstroom
  • Portals-*
  • ConnectSyncProvisioning_SRVACCMAN

Credential Classification

  • Secrets: Reports only the LATEST secret by EndDate
    • Prevents multiple SRs for apps with many secrets
    • Ensures renewal focuses on the current credential
  • Certificates: Reports ALL certificates individually
    • Each cert gets its own Service Request
    • Allows independent cert lifecycle management

Master Data Applications (MDA)

Ownership Enrichment

Looks up team ownership when the App Registration has an MDAPPGUID tag:

  • Tag format: MDAPPGUID : {guid}
  • Queries the MDA API for application details
  • Extracts the team name for approval routing
  • Skips the lookup if MDAPPGUID is missing or invalid

Passwordstate

Credential Storage

Multiple credential sources:

  • Production EntraID: Sys_Azure_AppRegs_PR (list 8620)
  • Onderwijs EntraID: Sys_Azure_OND_Admin (list 8620)
  • MDA API: Sys_Azure_AppRegs_PR (list 8620)
  • Ivanti API: Ivanti RestAPI PR (list 8620)

Ivanti ITSM

Service Request Creation

  • Template: "Renew EntraID Application Secret"
  • Service: Datacenter
  • Source: Self Service
  • Default Owner: Systeemsoftware (overridden if MDA team found)

Custom Fields:

| Field | Description |
|-------|-------------|
| SecretEndDate | Expiration date (dd/MM/yyyy format) |
| AppID | Application (client) ID |
| SecretID | Key ID of the expiring credential |
| SecretType | "Secret" or "Cert" |
| AppDisplayName | Display name of App Registration |
| Onderwijs | "Yes" for education tenant, "No" for production |
| ApprovalTeam | Team name from MDA (if resolved) |
| MDAPPGUID | Master Data Application GUID (if present) |

Duplicate Prevention

Queries existing active Service Requests:

  • Filter: subject eq 'Renew EntraID Application Secret' and status eq 'Active'
  • Skips the credential if an SR already exists with the same AppID or SecretID
  • Prevents spam from repeated scans

Tenant Configuration

Production Tenant (Default)

  • Tenant ID: c3c1e6bb-1ebf-4335-ad13-3419266a9781
  • Tenant Name: gentplus.onmicrosoft.com
  • Variable: onderwijs: 'no'

Onderwijs Tenant

  • Tenant ID: c32c6912-0c85-4d02-8d38-51da93512d64
  • Tenant Name: onderwijsstadgent.onmicrosoft.com
  • Variable: onderwijs: 'yes'

Tenant selection affects:

  • Which EntraID credentials are retrieved
  • Which tenant is scanned
  • Value of the Onderwijs field in the Service Request

Credential Expiration Logic

Expiring Credentials (Trigger SR Creation)

Credentials are considered "expiring" when:

  • EndDate > (Today + start_days)
  • EndDate < (Today + cutoff_days)

Default Window: Days 0-28 from today

Example (Today = Jan 22, 2026):

  • Secret expiring Jan 25, 2026 → Included
  • Secret expiring Feb 10, 2026 → Included
  • Secret expiring Feb 20, 2026 → Excluded (beyond 28 days)

Expired Credentials (Tracked but Not Used)

Credentials with EndDate < Today are:

  • Identified and logged
  • NOT used to create Service Requests
  • Handled by a separate removal automation

Secrets vs Certificates

Secrets (Type: PasswordCredentials):

  • Multiple secrets may exist per app
  • Only the latest by EndDate is reported
  • Creates 1 SR per app with an expiring secret

Certificates (Type: KeyCredentials, AsymmetricX509Cert):

  • Multiple certificates commonly exist per app
  • All certificates are reported individually
  • Creates 1 SR per expiring certificate
  • Display name preserved in the SR for identification

Enrichment with MDA

MDAPPGUID Tag

App Registrations may have tags like:

["WindowsAzureActiveDirectoryIntegratedApp", "MDAPPGUID : a1b2c3d4-e5f6-7890-abcd-ef1234567890"]

Lookup Process

  1. Extract MDAPPGUID from tags
  2. Validate format (contains hyphen)
  3. Call MDA API: GET /api/applications?guid={MDAPPGUID}
  4. If found and not deleted:
     • Extract team name
     • Add OwnerTeam field to credential
  5. If not found or deleted:
     • Continue without team
     • SR uses default owner (Systeemsoftware)

SR Impact

When the team is resolved:

  • owner_team: Set to the MDA team instead of the default
  • ApprovalTeam: Added to custom fields for workflow routing

Variables

| Variable | Default | Description |
|----------|---------|-------------|
| start_days | 0 | Days from now to start expiration window |
| cutoff_days | 28 | Days from now to end expiration window |
| onderwijs | 'no' | 'yes' for education tenant, 'no' for production |
| servicereq_ownerteam | 'Systeemsoftware' | Default SR owner when MDA team not found |
| pws_ivanti_api_key | 'Ivanti RestAPI PR' | Passwordstate entry for Ivanti credentials |
| ivanti_request_offering | 'Renew EntraID Application Secret' | SR template name |

Output

PowerShell Script Returns

Array of expiring credentials with:

  • AppRegDisplayName: App Registration display name
  • Tags: All tags from the App Registration
  • Type: "Secret" or "Cert"
  • Description: Credential display name
  • AppId: Application (client) ID
  • ObjectId: App Registration object ID
  • KeyId: Credential key ID
  • StartDate: Credential start date
  • EndDate: Credential expiration date
  • IvantiEndDate: Formatted date (dd/MM/yyyy)
  • MDAPPGUID: Extracted from tags (if present)
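As an added example (not the project's own script), the PowerShell below applies the rules from the Credential Expiration Logic, Secrets vs Certificates and Enrichment sections (strict window, exclusion pattern, latest secret only, every certificate, MDAPPGUID tag with hyphen check) to constructed app objects shaped like Get-MgApplication output, and returns records in the layout listed above. The Get-ExpiringCredential function, the exclusion regex and the sample apps are assumptions, not the project's code.

```powershell
# Added example, not the project's script: applies the page's window, exclusion,
# latest-secret / all-certificates and MDAPPGUID rules to Get-MgApplication-shaped objects.
function Get-ExpiringCredential {
    param(
        [Parameter(Mandatory)] [object[]] $Apps,
        [datetime] $Today = (Get-Date).Date,
        [int] $StartDays = 0,
        [int] $CutoffDays = 28,
        # Exclusion list from this page as a regex (assumed form); extend it for further system apps
        [string] $ExcludePattern = '^(Power Virtual Agents|Microsoft Copilot|Werkstroom|Portals-|ConnectSyncProvisioning_SRVACCMAN)'
    )
    $windowStart = $Today.AddDays($StartDays)
    $windowEnd   = $Today.AddDays($CutoffDays)
    foreach ($app in $Apps) {
        if ($app.DisplayName -match $ExcludePattern) { continue }
        # Tag format "MDAPPGUID : {guid}"; the value is only kept when it contains a hyphen
        $guid = $null
        foreach ($tag in @($app.Tags)) {
            if ($tag -match '^MDAPPGUID\s*:\s*(\S+)') { if ($Matches[1] -like '*-*') { $guid = $Matches[1] }; break }
        }
        # Secrets: only the latest by EndDate is a candidate; certificates: every one is
        $candidates = @()
        $latestSecret = @($app.PasswordCredentials) | Sort-Object EndDateTime -Descending | Select-Object -First 1
        if ($latestSecret) { $candidates += [pscustomobject]@{ Type = 'Secret'; Cred = $latestSecret } }
        foreach ($cert in @($app.KeyCredentials)) { $candidates += [pscustomobject]@{ Type = 'Cert'; Cred = $cert } }
        foreach ($c in $candidates) {
            $end = [datetime]$c.Cred.EndDateTime
            if ($end -lt $Today) { Write-Verbose "Expired, left to removal automation: $($app.DisplayName) $($c.Cred.KeyId)"; continue }
            if (-not ($end -gt $windowStart -and $end -lt $windowEnd)) { continue }  # outside the strict window
            [pscustomobject]@{
                AppRegDisplayName = $app.DisplayName; Type = $c.Type; Description = $c.Cred.DisplayName
                AppId = $app.AppId; KeyId = $c.Cred.KeyId; EndDate = $end
                IvantiEndDate = $end.ToString('dd/MM/yyyy'); MDAPPGUID = $guid
            }
        }
    }
}
# Constructed sample apps (not real tenant data); Today is pinned to the page's example date
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'Finance API'; AppId = '11111111-1111-1111-1111-111111111111'
        Tags = @('WindowsAzureActiveDirectoryIntegratedApp', 'MDAPPGUID : a1b2c3d4-e5f6-7890-abcd-ef1234567890')
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'sec-1'; DisplayName = 'old';     EndDateTime = [datetime]'2026-01-25' },
                                [pscustomobject]@{ KeyId = 'sec-2'; DisplayName = 'current'; EndDateTime = [datetime]'2026-02-10' })
        KeyCredentials      = @([pscustomobject]@{ KeyId = 'cert-1'; DisplayName = 'signing'; EndDateTime = [datetime]'2026-02-05' },
                                [pscustomobject]@{ KeyId = 'cert-2'; DisplayName = 'tls';     EndDateTime = [datetime]'2026-02-20' }) }
    [pscustomobject]@{ DisplayName = 'Portals-Intranet'; AppId = '22222222-2222-2222-2222-222222222222'; Tags = @()
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'sec-3'; DisplayName = 'x'; EndDateTime = [datetime]'2026-02-01' }); KeyCredentials = @() }
)
Get-ExpiringCredential -Apps $sampleApps -Today ([datetime]'2026-01-22') | Format-Table Type, AppRegDisplayName, KeyId, IvantiEndDate, MDAPPGUID
```

With these dates the latest-only rule drops sec-1 even though 25 Jan lies inside the window, cert-2 (20 Feb) falls outside day 28, and the Portals-* app is skipped by the exclusion pattern.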

Service Request Creation

  • Creates SR for each credential not already tracked
  • Populates custom fields for downstream automation
  • Routes to appropriate team based on MDA data

Idempotency & Safety

  • Duplicate Prevention: Queries existing active SRs before creating new ones
  • Exclusion Filters: Skips system/managed applications
  • Latest Secret Only: Prevents spam for apps with multiple secrets
  • Error Tolerance: MDA lookups use ignore_errors: true to continue on failure
  • No Destructive Actions: Only creates SRs, never modifies credentials

Integration Points

Upstream

  • Scheduled job (cron/AAP) triggers playbook periodically

Downstream

  • Created Service Requests trigger renewal automation
  • Renewal playbooks reference SR custom fields:
    • AppID, SecretID, SecretType
    • AppDisplayName, Onderwijs
    • ApprovalTeam (for routing)

Benefits

  • Proactive Management: Identifies expiring credentials before service disruption
  • Automated Intake: Eliminates manual credential tracking
  • Ownership Routing: MDA integration ensures correct team assignment
  • Duplicate Prevention: Avoids spam from repeated scans
  • Multi-Tenant Support: Handles both production and education tenants
  • Audit Trail: All renewal work tracked via Ivanti Service Requests
  • Flexible Window: Configurable lead time for renewal actions
  • Certificate Aware: Handles multi-cert applications correctly

Notes

  • PowerShell script runs directly on Windows host with Graph SDK modules
  • Credentials are marked no_log: true to prevent exposure
  • Latest secret logic prevents overwhelming approval queues
  • All certificates reported individually for proper lifecycle tracking
  • MDA lookup failures are logged but don't stop SR creation
  • Default 28-day window provides sufficient lead time for approval and renewal
  • Exclusion regex pattern can be extended for additional system apps