Expiring App Credentials
Checks for application credentials expiring within 30 days
Why this matters
What this means
One or more application registrations have credentials (client secrets or certificates) that will expire within the next 30 days. When credentials expire, the application will stop being able to authenticate.
Why is it a security risk?
- Expired credentials cause service outages — any automation, daemon, or integration using the application will silently fail.
- In a panic to restore service, teams may skip security review and create overly permissive replacement credentials.
- Long-lived secrets that are close to expiry are often also secrets that haven't been rotated — they may already be compromised.
Recommended next steps
- Go to Microsoft Entra admin center → App registrations → [App] → Certificates & secrets.
- Rotate the credential: create a new secret or upload a new certificate before removing the old one.
- Update the consuming service to use the new credential.
- Prefer certificate credentials over client secrets, and consider managed identities where possible to eliminate credentials entirely.
How to fix it
Rotate application credentials before expiration
Required Microsoft Graph permissions
EntraAnalyzer needs the following read-only Graph permissions to evaluate this rule:
- Directory.Read.All
- Application.Read.All
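The check this rule describes can be reproduced against application objects read from Microsoft Graph. The following is an added example, not EntraAnalyzer's own code: it runs over a constructed sample shaped like a Graph `/applications` response, and the `replacement_exists` field (whether a longer-lived credential is already in place, as the rotation step recommends) is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

WINDOW_DAYS = 30  # the rule's threshold

# Constructed sample, shaped like a Microsoft Graph response to
# GET /applications?$select=displayName,passwordCredentials,keyCredentials
SAMPLE_APPS = [
    {"displayName": "billing-daemon",
     "passwordCredentials": [{"keyId": "a1", "endDateTime": "2025-06-20T00:00:00Z"}],
     "keyCredentials": []},
    {"displayName": "hr-sync",
     "passwordCredentials": [{"keyId": "b1", "endDateTime": "2025-06-10T08:30:00.1234567Z"}],
     "keyCredentials": [{"keyId": "b2", "endDateTime": "2026-06-01T00:00:00Z"}]},
    {"displayName": "reporting",
     "passwordCredentials": [{"keyId": "c1", "endDateTime": "2026-01-01T00:00:00Z"}],
     "keyCredentials": []},
]

def parse_graph_time(value):
    """Parse a Graph UTC timestamp; assumes a trailing 'Z' and drops fractional seconds."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def expiring_credentials(apps, now, window_days=WINDOW_DAYS):
    """Return one finding per credential that expires between now and now + window."""
    cutoff = now + timedelta(days=window_days)
    findings = []
    for app in apps:
        creds = [("secret", c) for c in app.get("passwordCredentials") or []]
        creds += [("certificate", c) for c in app.get("keyCredentials") or []]
        ends = [(kind, c, parse_graph_time(c["endDateTime"]))
                for kind, c in creds if c.get("endDateTime")]
        # Assumption: a credential that outlives the window means rotation has begun.
        replacement = any(end > cutoff for _, _, end in ends)
        for kind, cred, end in ends:
            if now <= end <= cutoff:  # already-expired credentials are out of scope here
                findings.append({"app": app["displayName"], "kind": kind,
                                 "key_id": cred["keyId"], "days_left": (end - now).days,
                                 "replacement_exists": replacement})
    return sorted(findings, key=lambda f: f["days_left"])

if __name__ == "__main__":
    for f in expiring_credentials(SAMPLE_APPS, datetime(2025, 6, 1, tzinfo=timezone.utc)):
        print(f)
```

Findings with `replacement_exists` set to false are the ones most likely to end in an outage or a rushed replacement, so they are the ones to schedule first.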
Run this check on your tenant
EntraAnalyzer evaluates this rule automatically on every scan and emails you the results.