Monitoring Alerts For Expired Key Vault Secret

Introduction

We use Azure Key Vault to store confidential secrets. Every secret stored in Azure Key Vault can carry an expiry date. If the expiry dates are not monitored proactively, a secret can expire unnoticed, and anything that depends on it can no longer use it.

It would be great to have an automated solution in place that notifies us before a Key Vault secret expires.

Monitoring Alerts for expired key vault secrets

  • Azure Key Vault is used to store and access secrets, keys, and certificates.
  • Secrets stored in the Key Vault should be rotated frequently, so each one should carry an expiry date.

The issue with expired secrets

  • Services on the Azure platform that depend on a secret stop working once that secret expires.
  • Without automation, someone has to track and manually extend the expiry date of each secret.

Technical Solution

  • Receive an email alert x days before a secret is about to expire.
  • Implemented using DevOps (CI/CD) standards, so the check runs on a schedule in a pipeline.
  • Keeps the Azure platform secure and always up and running.
  • Uses the built-in Azure DevOps notification feature to send the email.
  • Highly reusable generic script with an option to configure different parameters:

    • Azure Resource Group Name
    • Key-Vault Name
    • Expiry Notification Days
    • Action Group Email
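As an added example (not the script the page links to), the following PowerShell shows the check the pipeline would run: it takes the resource group name, Key Vault name and notification window as parameters, lists secret metadata with the Az.KeyVault module, and reports expired or soon-to-expire secrets through Azure DevOps logging commands so the run summary and its built-in completion email carry the result. It goes slightly beyond the text by also flagging enabled secrets that have no expiry date at all. The parameter names, the exit behaviour and the split between error and warning are assumptions of this example; the Action Group Email parameter is not used here, since the notification comes from Azure DevOps rather than from an Azure Monitor action group. It assumes the Az.Accounts and Az.KeyVault modules are installed, the pipeline identity is already signed in, and that identity has the "list" permission on secrets (no secret values are read).

```powershell
# Added example: scan one Key Vault for expired / expiring secrets and surface
# the result to Azure DevOps. Not the page's own script; parameter names are assumed.
param(
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,
    [Parameter(Mandatory = $true)] [string] $KeyVaultName,
    [int] $ExpiryNotificationDays = 30
)

$ErrorActionPreference = 'Stop'

# Fail early if the vault is not where the parameters say it is (catches typos).
$vault = Get-AzKeyVault -ResourceGroupName $ResourceGroupName -VaultName $KeyVaultName
if (-not $vault) {
    throw "Key Vault '$KeyVaultName' not found in resource group '$ResourceGroupName'."
}

$now       = (Get-Date).ToUniversalTime()
$threshold = $now.AddDays($ExpiryNotificationDays)

# Without -Name, Get-AzKeyVaultSecret returns metadata only (Name, Enabled, Expires),
# so the script never handles the secret values themselves.
$secrets = Get-AzKeyVaultSecret -VaultName $KeyVaultName

$findings = foreach ($s in $secrets) {
    if (-not $s.Enabled) { continue }          # disabled secrets are not in use

    if ($null -eq $s.Expires) {
        # No expiry date set: it will never be caught by an expiry check, so report it.
        [pscustomobject]@{ Name = $s.Name; Expires = $null; State = 'NoExpiry'; DaysLeft = $null }
        continue
    }

    $expires  = $s.Expires.ToUniversalTime()
    $daysLeft = [math]::Floor(($expires - $now).TotalDays)

    if ($expires -le $now) {
        [pscustomobject]@{ Name = $s.Name; Expires = $expires; State = 'Expired'; DaysLeft = $daysLeft }
    } elseif ($expires -le $threshold) {
        [pscustomobject]@{ Name = $s.Name; Expires = $expires; State = 'ExpiringSoon'; DaysLeft = $daysLeft }
    }
}

if (-not $findings) {
    Write-Host "All enabled secrets in '$KeyVaultName' are valid for more than $ExpiryNotificationDays days."
    exit 0
}

# Human-readable table in the pipeline log, soonest expiry first.
$findings | Sort-Object DaysLeft | Format-Table -AutoSize | Out-String | Write-Host

foreach ($f in $findings) {
    # ##vso[task.logissue] lines are picked up by the Azure DevOps agent and shown in
    # the run summary, which is what the built-in completion email links to.
    $severity = if ($f.State -eq 'ExpiringSoon') { 'warning' } else { 'error' }
    Write-Host "##vso[task.logissue type=$severity]Secret '$($f.Name)' in '$KeyVaultName': $($f.State) (expires: $($f.Expires); days left: $($f.DaysLeft))"
}

# Already-expired or never-expiring secrets fail the run; upcoming expiry only
# marks it SucceededWithIssues. Either state triggers the pipeline's notification.
if ($findings | Where-Object { $_.State -ne 'ExpiringSoon' }) {
    Write-Host "##vso[task.complete result=Failed;]Expired or never-expiring secrets found in '$KeyVaultName'"
} else {
    Write-Host "##vso[task.complete result=SucceededWithIssues;]Secrets in '$KeyVaultName' expire within $ExpiryNotificationDays days"
}
```

Run it from a scheduled pipeline (for example a nightly trigger) with an Azure PowerShell task, and subscribe the people who rotate secrets to the "build completed" notification for that pipeline; the run state set at the end decides whether they get a failure or an issues email. Because the script only lists metadata, the pipeline identity does not need the "get" permission that would let it read secret values.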

GitHub link for the PowerShell script.

Summary

  • Automation saves a good amount of the manual effort otherwise spent monitoring secret expiry.
  • An email notification is sent proactively, before a secret expires.
  • The Azure platform and the services that use these secrets stay available.