Hello, good day!
To automate your PowerShell script using an Azure Runbook and securely store and pass the Azure App registration Client ID and Client Secret values, follow these steps:
- Securely Storing and Passing Client ID and Client Secret
a. Store Secrets in Azure Key Vault:
Store your Client ID and Client Secret in Azure Key Vault as secrets.
You can do this via the Azure portal, PowerShell, or CLI.
b. Configure Azure Automation to Access Key Vault:
Create a System-Assigned Managed Identity for your Azure Automation account.
Go to your Azure Automation account in the Azure portal.
Under "Account Settings," select "Identity."
Enable the "System assigned" managed identity.
c. Grant Access to the Managed Identity:
In the Azure Key Vault where your secrets are stored, go to "Access policies."
Add an access policy that grants "Get" permission to the managed identity of your Azure Automation account.
d. Retrieve Secrets in Runbook:
In your PowerShell script within the Runbook, retrieve the secrets from the Key Vault using the managed identity.
```powershell
# Authenticate to Azure with the Automation account's system-assigned managed identity
Connect-AzAccount -Identity

# Key Vault and secret to read (replace with your own names)
$vaultName  = "your-key-vault-name"
$secretName = "your-secret-name"

# Define the function that reads the client secret from Key Vault.
# -AsPlainText requires the Az.KeyVault module version 2.0 or later.
function Get-ClientSecretFromKeyVault
{
    param (
        [Parameter(Mandatory = $true)]
        [string]$VaultName,
        [Parameter(Mandatory = $true)]
        [string]$SecretName
    )
    try
    {
        $secret = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -AsPlainText -WarningAction SilentlyContinue
        return $secret
    }
    catch
    {
        Write-Error "Failed to retrieve the client secret from Key Vault. Details: $_"
        return $null
    }
}

# Call the function to retrieve the secret
$clientSecret = Get-ClientSecretFromKeyVault -VaultName $vaultName -SecretName $secretName

# Use the retrieved client secret in your script.
# Note: anything written here ends up in the persisted Automation job output,
# so echo the secret only while testing, never in a production runbook.
Write-Host "The retrieved client secret is: " -NoNewline -ForegroundColor Yellow
Write-Host "$clientSecret" -ForegroundColor Green
```
- Restrict Key Vault Access to the Runbook’s IP Address
Azure Runbooks run in a dynamic IP environment where IP addresses can change, so it’s not recommended to restrict access to a single IP address. However, you can restrict access to the Azure Virtual Network if your Runbook is running in a virtual network.
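As an added example (not part of the answer above), the one-time provisioning that steps a to c describe, done from an administrator's PowerShell session rather than the portal. Resource names and the secret names are placeholders; it assumes the vault uses the access-policy permission model the answer refers to (an RBAC-mode vault needs a "Key Vault Secrets User" role assignment instead).

```powershell
# Added provisioning example; run once by an admin who can manage the Key Vault
# and the Automation account. All names below are placeholders.
$resourceGroup  = "rg-automation"
$automationName = "aa-secure-runbook"
$vaultName      = "kv-runbook-secrets"
$tenantId       = "<tenant-id>"

Connect-AzAccount -Tenant $tenantId | Out-Null

# a. Store the app registration's Client ID and Client Secret as two Key Vault secrets.
#    Read-Host -AsSecureString keeps the values out of shell history and this script file.
$clientId     = Read-Host -Prompt "App registration Client ID"     -AsSecureString
$clientSecret = Read-Host -Prompt "App registration Client Secret" -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name "app-client-id"     -SecretValue $clientId     | Out-Null
Set-AzKeyVaultSecret -VaultName $vaultName -Name "app-client-secret" -SecretValue $clientSecret | Out-Null

# b. Enable the system-assigned managed identity on the Automation account.
Set-AzAutomationAccount -ResourceGroupName $resourceGroup -Name $automationName -AssignSystemIdentity | Out-Null

# c. Grant that identity "Get" on secrets only (no list/set/delete): least privilege.
#    The system-assigned identity's service principal carries the Automation account's name.
$principalId = (Get-AzADServicePrincipal -DisplayName $automationName).Id
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $principalId -PermissionsToSecrets get

# Verify: the vault's policy for the managed identity should list exactly "get" for secrets.
$policy = (Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $principalId }
"Managed identity $principalId secret permissions: $($policy.PermissionsToSecrets -join ',')"
```

The runbook then needs only Connect-AzAccount -Identity and Get-AzKeyVaultSecret, as in the answer; no credential is stored in the Automation account itself.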