Using Azure Functions, check an Azure AD B2C policy certificate's expiration date, and then be able to take action on it (setup auto-rotation of the certificate)
kevinhillinger/azuread-b2c-cert-rotator
Azure AD B2C - How To Check Certificate Expiration

Azure AD B2C allows custom policies to reference certificates uploaded to a policy key container called a "KeySet". However, other than manually checking the certificate's expiration date in the portal, there is no obvious way to automate that check.

Yet another C# example.

Solution overview

(figure: solution overview diagram)

Using Azure Functions, you'll retrieve an Azure AD B2C policy certificate's expiration date by fetching the KeySet through the Microsoft Graph SDK (beta), then a scheduled caller invokes the function and acts on the result.

Responding (the scheduled caller)

In this example, I set up a scheduled Logic App that executes on an interval:

  1. Store an array of policy key ids in a Logic App variable (set it to the keys you want to watch, or retrieve the list dynamically)
  2. Execute the Function for each key, read the result, and take conditional action
  3. In this example, the action is sending an SMS

You can trigger anything if a simple SMS or email isn't enough. You can even start another process that rotates the key value in B2C.

Getting Started

B2C configuration

  1. Create an app registration in the B2C tenant
  2. Give it the Application permission TrustFrameworkKeySet.Read.All and grant admin consent for it (application permissions are not usable until an admin consents)

You'll need the following "parameters" from the app registration:

  • Client ID of the app
  • Client secret
  • the tenant identifier of the B2C tenant (the tenant's domain, format: mydomain.onmicrosoft.com)

Deploy resources

Follow these steps to get it set up and running. First, open Cloud Shell in Bash.

git clone --depth 1 https://github.com/kevinhillinger/azuread-b2c-cert-rotator.git 
cd azuread-b2c-cert-rotator

./scripts/deploy.sh

Resources that get deployed

In ./scripts/deploy.sh, the following gets deployed:

  • Resource Group
  • Function App (consumption plan, Linux)
    • Storage account for the function instance
    • Application Insights instance for logging
    • the B2C_CLIENT_ID, B2C_CLIENT_SECRET and B2C_TENANT_ID values are written to the Function App's application settings (the client secret is stored there in plain text, so restrict who can read the Function App's configuration)
  • Logic App

Running the serverless function locally

Install the Azure Functions Core Tools, then:

cd src/Functions
func start --build

App Settings (this is src/Functions/local.settings.json; keep it out of source control, since it holds the client secret):

{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet",
        "B2C_CLIENT_ID": "<client id, e.g. 845cea86-4a21-406a-b5ef-7abb75b8b5f9>",
        "B2C_CLIENT_SECRET": "<client secret>",
        "B2C_TENANT_ID": "<the b2c domain, e.g. mydomain.onmicrosoft.com>"
    }
}

Logic App - Scheduled check of a list of certificates

(figure: Logic App flow)

Using the Logic App definition found in src/Logic, you can deploy an example of how to schedule the work to check a list of certificates.

There are placeholder values you'll need to update in the Logic App definition before deploying.

Example SMS message (screenshot)

Sample POST to the Azure Function

POST http://localhost:7071/api/GetCertificateExpiration

{
    "policyKeyId": "B2C_1A_Certificate"
}

Example response (here for a certificate that expired 3077 hours before the call; expired is true once the expiration time has passed, hoursToExpiration goes negative at that point, and value is the certificate's expiration timestamp):

{
    "expired": true,
    "hoursToExpiration": -3077,
    "value": "2020-04-26T11:07:01-04:00"
}
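The following is an added example and not code from the azuread-b2c-cert-rotator project (which is C#): it shows the evaluation the function's response above implies, written against the JSON that the Microsoft Graph beta endpoint GET /beta/trustFramework/keySets/{id} returns, where each key is a JWK whose exp and nbf are RFC 7519 NumericDate seconds. The keyset document SAMPLE_KEYSET, the fixed clock DEMO_NOW and the helper names check_key, check_keyset, needs_rotation, get_graph_token and fetch_keyset are this example's own; the Graph token and keyset fetch helpers are included to show the client-credentials flow the function needs, but the offline demo never calls the network. It goes slightly beyond the page's single-key case by evaluating every key in the keyset and by adding a rotation threshold.

```python
"""Added example: evaluate a B2C policy key's expiration like the
GetCertificateExpiration function does, from Graph trustFrameworkKeySet JSON."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone
from typing import Optional

GRAPH_BETA = "https://graph.microsoft.com/beta"

# Constructed sample in the shape of GET /beta/trustFramework/keySets/{id}.
# Values are made up for this example: exp is 2020-04-26T15:07:01Z, the
# expiration shown in the README's sample response.
SAMPLE_KEYSET = {
    "id": "B2C_1A_Certificate",
    "keys": [
        {
            "kid": "B2C_1A_Certificate",
            "kty": "RSA",
            "use": "sig",
            "nbf": 1556291221,  # 2019-04-26T15:07:01Z
            "exp": 1587913621,  # 2020-04-26T15:07:01Z
            "x5c": ["<base64 DER certificate omitted in this constructed sample>"],
        }
    ],
}

# Fixed clock for the offline demo: exactly 3077 hours after SAMPLE_KEYSET's exp
# (epoch 1598990821), so the output matches the README's sample response.
DEMO_NOW = datetime(2020, 9, 1, 20, 7, 1, tzinfo=timezone.utc)


def check_key(key: dict, now: Optional[datetime] = None) -> dict:
    """Return {expired, hoursToExpiration, value} for one JWK.

    `now` is injectable so results are reproducible; hours are truncated
    toward zero, so a key that expired 30 minutes ago reports 0, not -1.
    """
    if "exp" not in key:
        # Secrets uploaded without an expiry carry no exp claim.
        raise ValueError(f"key {key.get('kid')!r} has no exp claim")
    now = now or datetime.now(timezone.utc)
    exp = datetime.fromtimestamp(int(key["exp"]), tz=timezone.utc)
    hours = int((exp - now).total_seconds() / 3600)
    return {"expired": exp <= now, "hoursToExpiration": hours, "value": exp.isoformat()}


def check_keyset(keyset: dict, now: Optional[datetime] = None) -> dict:
    """Evaluate every key that carries exp and report the latest-expiring one.

    The latest exp is when the keyset will hold no valid key at all, which is
    the deadline a rotation job cares about (this example's choice, not B2C's
    own key-selection rule).
    """
    results = [check_key(k, now) for k in keyset.get("keys", []) if "exp" in k]
    if not results:
        raise ValueError(f"keyset {keyset.get('id')!r} has no key with exp")
    latest = max(results, key=lambda r: r["hoursToExpiration"])
    return {**latest, "policyKeyId": keyset.get("id"), "keys": results}


def needs_rotation(result: dict, warn_days: int = 30) -> bool:
    """True when the keyset is expired or expires within warn_days."""
    return result["expired"] or result["hoursToExpiration"] < warn_days * 24


def get_graph_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials token for Graph; the app registration needs the
    application permission TrustFrameworkKeySet.Read.All with admin consent."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def fetch_keyset(token: str, policy_key_id: str) -> dict:
    """GET /beta/trustFramework/keySets/{id} (e.g. id 'B2C_1A_Certificate')."""
    req = urllib.request.Request(
        f"{GRAPH_BETA}/trustFramework/keySets/{urllib.parse.quote(policy_key_id)}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demo on the constructed keyset at the fixed clock.
    result = check_keyset(SAMPLE_KEYSET, now=DEMO_NOW)
    print(json.dumps(result, indent=2))
    print("needs rotation:", needs_rotation(result))
```

To run it against a real tenant, call get_graph_token with the three B2C_* settings from the App Settings above and pass the token to fetch_keyset; the evaluation functions then work on the live document exactly as on the sample.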
