# Entra ID Token Rotation Guide

## Overview
MazeVault provides automated lifecycle management for Microsoft Entra ID (Azure AD) enterprise application credentials. This includes automatic discovery, expiry monitoring, dual-secret rotation with grace periods, and multi-target propagation to Azure Key Vault, Spring applications, and webhooks.
## Key Features
- Automatic Discovery: Sync app registrations and credentials from Entra ID
- Expiry Monitoring: Alerts at 30-day and 7-day thresholds
- Dual-Secret Rotation: New credential created before old one is removed
- Grace Period: Configurable period (default 30 days) where both credentials are valid
- Multi-Target Propagation: Sync to Azure Key Vault, Spring Actuator, webhooks, agents
- Full Audit Trail: Every rotation recorded with timestamps and status
## Getting Started

### 1. Configure Entra ID Integration
Navigate to Integrations → Add Integration → Microsoft Entra ID.
Provide:

- Tenant ID: your Azure AD tenant ID
- Client ID: the service principal's client ID
- Client Secret or Managed Identity: the authentication method used to call Entra ID
### 2. Sync App Registrations

After configuring the integration, click Sync to discover all app registrations in your tenant. MazeVault will import:

- App registration metadata
- Client secrets with expiry dates
- Certificate credentials
### 3. View Credential Status

The Entra Dashboard shows:

- Total active credentials
- Credentials expiring in 7/30/90 days
- Credentials in grace period
- Most urgent credentials requiring attention
### 4. Configure Rotation

For each credential, you can configure:

- Auto-rotation: enable automatic rotation before expiry
- Days before expiry: when to trigger rotation (default: 30 days)
- Grace period: how long to keep both credentials active (default: 30 days)
- Key Vault targets: primary and secondary Key Vaults for secret storage
- Spring endpoints: Spring Actuator refresh endpoints
- Webhook URLs: notification webhooks
### 5. Manual Rotation
Click the Rotate button on any credential to trigger immediate rotation. The process:
- Creates a new credential in Entra ID
- Stores the new secret in configured Key Vaults
- Refreshes Spring Actuator endpoints
- Sends webhook notifications
- Marks old credential for grace period cleanup
### 6. Monitor Rotation History

View the complete rotation history for any credential or app registration, including:

- Rotation type (manual/automatic)
- Duration
- Steps completed
- Any errors encountered
## Lifecycle States
| State | Description |
|---|---|
| Active | Credential is valid and in use |
| Expiring Soon | Credential expires within threshold |
| Rotating | Rotation in progress |
| Grace Period | Both old and new credentials are valid |
| Expired | Credential has expired |
| Cleaned Up | Old credential removed after grace period |
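As an added illustration (not MazeVault's own code, which this guide does not show), the following Python scheduler maps a credential onto the states in the table above and decides when to alert, rotate and clean up, using this guide's defaults (30-day rotation trigger, 30-day grace period, 30/7-day alerts). The `Credential` fields, the `replaced_at` marker and the timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Credential:
    key_id: str                              # constructed identifier, not a real Entra keyId
    expires_at: datetime
    replaced_at: Optional[datetime] = None   # set when the successor secret was created
    rotating: bool = False
    removed: bool = False


def lifecycle_state(cred: Credential, now: datetime, threshold_days: int = 30) -> str:
    """Map a credential onto the lifecycle states in the table (most specific first)."""
    if cred.removed:
        return "Cleaned Up"
    if cred.rotating:
        return "Rotating"
    if now >= cred.expires_at:
        return "Expired"
    if cred.replaced_at is not None:
        return "Grace Period"            # old and new secret are both still valid
    if cred.expires_at - now <= timedelta(days=threshold_days):
        return "Expiring Soon"
    return "Active"


def plan_actions(creds, now, days_before_expiry=30, grace_days=30, alert_days=(30, 7)):
    """Decide what one rotation run should do; returns the tuples a scheduler would execute."""
    actions = []
    for c in creds:
        state = lifecycle_state(c, now, days_before_expiry)
        remaining = c.expires_at - now
        if c.replaced_at is not None and not c.removed:
            # Old secret: remove it once the grace period has elapsed (or it expired anyway).
            if state == "Expired" or now >= c.replaced_at + timedelta(days=grace_days):
                actions.append(("cleanup", c.key_id))
        elif state in ("Active", "Expiring Soon", "Expired"):
            # Alert at the most urgent threshold that has been crossed (7 wins over 30).
            crossed = [d for d in alert_days if remaining <= timedelta(days=d)]
            if crossed:
                actions.append(("alert", c.key_id, min(crossed)))
            # Dual-secret rotation: create the successor before the old secret is removed.
            if remaining <= timedelta(days=days_before_expiry):
                actions.append(("rotate", c.key_id))
    return actions
```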
## Security
- All credential values are encrypted at rest with AES-256-GCM
- Graph API calls use exponential backoff with retry
- OData filter inputs are sanitized to prevent injection
- RBAC permissions: `entra:read`, `entra:write`, `entra:rotate`
## Troubleshooting

### Rotation Failed

Check the rotation history for error details. Common causes:

- Insufficient Graph API permissions
- Key Vault access denied
- Network connectivity issues
### Credentials Not Syncing
Verify:
- Integration is enabled
- Service principal has Application.ReadWrite.All permission
- Tenant ID and Client ID are correct