we are using that extension and it is working great, many thanks for that 👍👍.
We noticed something that could be improved:
When an Application is published using the Azure-AD-Application-Proxy, three client secrets are created for the App-Registration, and usually one of them is expired. The Microsoft Documentation clearly states that this is expected and the expired secrets should not be deleted.
The CheckMK-Plugin does generate a warning for this situation, because one of the secrets is expired.
It would be great if the Plugin would ignore the oldest secret named "CWAP_AuthSecret" as long as there are two more "CWAP_AuthSecrets" that are still valid.
There is another app with similar behavior. Microsoft creates an app registration for Power Virtual Agents (Bots) and each app has 4 auto-managed certificates.
I think it would be best to ignore these apps completely.
Actually you can disable the service with the rule "Disabled services", but I will check if I can disable the discovery of these kinds of app registrations.
I think every Entra App Proxy app should have a tag "WindowsAzureActiveDirectoryOnPremApp" and Power Virtual Agents should have a tag like "power-virtual-agents-".
Yeah, of course we can disable specific services, but we do have ~1000 app-registrations, which makes it hard to select them individually. If the Services could get a Tag if they are a Bot or a Published App we could disable them based on a Rule.
Hi,
Here are some more details for reference:
https://www.reddit.com/r/AZURE/comments/p9uk2d/azure_app_proxy_registration_expiring_client/
https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-faq#can-i-modify-an-application-proxy-app-from-the---app-registrations---page-in-the-microsoft-entra-admin-center-
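An added example, not code from the plugin or from anyone in this thread: one way to implement the requested rule so that only the oldest "CWAP_AuthSecret" is ignored, and only while two others are valid, while every other expired secret still warns. It assumes records shaped like the Microsoft Graph application resource (`tags`, `passwordCredentials`, `displayName`, `endDateTime`); the function names and the sample data are hypothetical, and the two tag values are the ones suggested above, not verified here.

```python
from datetime import datetime, timezone

PROXY_SECRET = "CWAP_AuthSecret"                    # secret name from the issue
PROXY_TAG = "WindowsAzureActiveDirectoryOnPremApp"  # tag suggested in the thread
PVA_TAG_PREFIX = "power-virtual-agents-"            # tag prefix suggested in the thread


def end_of(cred):
    # Assumes whole-second ISO 8601 timestamps with a trailing "Z".
    return datetime.fromisoformat(cred["endDateTime"].replace("Z", "+00:00"))


def app_kind(app):
    """Classify an app registration by its tags so a rule can match on it."""
    tags = app.get("tags", [])
    if PROXY_TAG in tags:
        return "app-proxy"
    if any(t.startswith(PVA_TAG_PREFIX) for t in tags):
        return "power-virtual-agents"
    return None


def expired_to_report(app, now):
    """Expired secrets that should still warn.

    The oldest CWAP_AuthSecret is ignored only if it is expired and at
    least two other secrets of that name are still valid.
    """
    creds = app.get("passwordCredentials", [])
    proxy = sorted((c for c in creds if c.get("displayName") == PROXY_SECRET), key=end_of)
    valid_proxy = [c for c in proxy if end_of(c) > now]
    ignored = proxy[0] if proxy and end_of(proxy[0]) <= now and len(valid_proxy) >= 2 else None
    return [c for c in creds if end_of(c) <= now and c is not ignored]


# Constructed sample data, shaped like the fields used above.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_APP = {
    "displayName": "intranet (constructed)",
    "tags": [PROXY_TAG],
    "passwordCredentials": [
        {"displayName": PROXY_SECRET, "endDateTime": "2025-05-01T00:00:00Z"},
        {"displayName": PROXY_SECRET, "endDateTime": "2025-07-01T00:00:00Z"},
        {"displayName": PROXY_SECRET, "endDateTime": "2025-08-01T00:00:00Z"},
        {"displayName": "deploy-key", "endDateTime": "2025-04-01T00:00:00Z"},
    ],
}

if __name__ == "__main__":
    print(app_kind(SAMPLE_APP), [c["displayName"] for c in expired_to_report(SAMPLE_APP, NOW)])
```

Keeping the suppression keyed on the secret name and the count of valid siblings means an app proxy registration whose rotation has stalled (fewer than two valid secrets) still raises the warning.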