Documentation 7 min read Updated July 10, 2026

How to get Azure App Registration expiration alerts by email

Azure does not email you before an App Registration client secret or certificate expires. There is no built-in notification, no reminder, nothing — the credential simply stops working on its expiry date, and the first "alert" is usually a production error like AADSTS7000222. Email is the simplest way to close that gap, because every team already has an inbox.

Inbox
Token Watch: 1 expired, 3 expiring soon — action needed
Token Watch <alerts@aztokenwatch.com>
to demo@aztokenwatch.com
Today, 02:00

Some of your credentials have expired or will soon. Review the list below and renew them before they cause failure.

Token Watch daily email report with cards for expired and expiring Azure App Registration credentials, each showing the expiry date and Open in Azure and Open in Token Watch buttons.
The daily report as it lands in your inbox: one card per credential, deep-linked to the Azure portal and Token Watch.

Token Watch monitors every App Registration in your Microsoft Entra ID tenant through read-only Microsoft Graph access and emails you before tracked secrets and certificates expire. No agents, no scripts to maintain, no Logic App to babysit — you grant admin consent once, toggle email reports on, and the reports arrive on their own.

Is email an "integration"? Not really — it is the built-in delivery channel, the one that works on every plan with nothing to configure on the receiving end. That is exactly why it is the right starting point: everything else (Slack, Teams, Azure DevOps work items, webhooks) is layered on top of the same monitoring.

How email alerts work

Microsoft Entra ID / Azure AD App Registrations
  -> Token Watch (daily monitoring run)
  -> Daily email report
  -> Your team's inboxes

It starts with what you choose to watch. In Token Watch, every secret and certificate carries a tracking state, so an admin decides exactly which credentials count — flip on the ones that matter and leave dead test apps untracked so they never page anyone.

Token Watch Applications view showing each Azure App Registration secret and certificate with its expiry status and a per-credential tracking toggle.
Each credential has its own tracking toggle — the admin decides what Token Watch watches.

Token Watch syncs credential metadata through Microsoft Graph after admin consent. Once a day — overnight, around 02:00 UTC — it checks every tracked secret and certificate against your expiring threshold and emails a report of everything that is expiring soon or already expired. Each item ties the credential straight back to its Entra App Registration and to Token Watch, so you can jump to the exact app that needs a new secret. If nothing needs attention, no email is sent — a quiet inbox means a healthy tenant, not a broken alert.

What you get on each plan

Email alerts are available on every plan, including Free — but the coverage differs.

  • Free: a single heads-up per credential, sent about 3 days before it expires, to your admin email address. It is a one-time notice for still-valid credentials only — already-expired credentials are not reported, and the alert does not repeat.
  • Starter and Team: a daily report covering both expiring and already-expired credentials, on your own expiring threshold (1–120 days, default 15), sent to as many addresses as you like. The report keeps arriving every day until the issue is actually resolved — an expired credential cannot silently fall off your radar.
The expiring threshold is shared across every channel: the same setting drives email reports, webhook alerts, and Azure DevOps work item creation, and matches the status shown in the app.

Step-by-step setup

  1. Sign up at app.aztokenwatch.com and grant Microsoft admin consent (read-only Graph access).
  2. Wait for applications to sync — typically under a minute.
  3. On a paid plan, open Monitoring, add the additional receiver addresses the report should go to — a shared team alias like identity-ops@yourcompany.com beats a personal inbox.

That is the whole setup. There is nothing to install and no receiving endpoint to build; the first report arrives overnight the next time something is expired or expiring.

Making email alerts actually work

Email is the easiest channel to set up and the easiest one to ignore. A few habits keep the alerts actionable instead of archived:

  • Send the report to a shared alias or distribution list, not one person's inbox — people go on vacation, credentials do not.
  • Set the threshold to match your rotation lead time. If getting a new secret approved and deployed takes two weeks, a 15–30 day threshold gives you room; 3 days does not.
  • If alerts keep being read and not acted on, that is an ownership problem, not an alerting problem — consider creating Azure DevOps work items instead, so each expiring credential becomes an assignable ticket on the board.

When email isn't enough

Email is the right default for small teams and a solid safety net for everyone. Reach for another channel when:

  • Your team triages in chat — add Slack or Microsoft Teams alerts.
  • Renewal work needs an owner and a place in the sprint — use the Azure DevOps integration to create work items.
  • Another system (SIEM, ticketing, incident tooling) should ingest the alert — use the signed JSON webhook.

The channels are not either/or: many teams keep the email report as the durable record and add a chat or board channel on top.

Troubleshooting

  • Nothing lands in the inbox: check spam/quarantine and allow-list the sender; corporate filters are the most common culprit.
  • A credential you expected isn't in the report: check that it is tracked in Token Watch and within your expiring threshold.

Limitations

  • Token Watch does not renew or rotate credentials for you — it makes sure a human knows in time.
  • Emails carry metadata only, never secret values or private keys.
  • An email can be ignored; if that keeps happening, escalate to a channel with built-in ownership like Azure DevOps work items.

FAQ

No. Microsoft Entra ID has no built-in expiration notifications for App Registration client secrets or certificates. Token Watch fills that gap with a daily email report of everything expired and expiring in your tenant.

Yes — the Free plan includes email alerts: one heads-up per credential, about 3 days before it expires. Paid plans upgrade that to a daily report on your own threshold, covering already-expired credentials too, with configurable recipients.

Once a day, overnight — around 02:00 UTC — and only when at least one tracked credential is expired or expiring. Days with nothing to report send nothing.

Yes, on paid plans you can add any number of receiver addresses — a shared alias or distribution list works best. The Free plan sends to your admin email.

No — and it can't. Microsoft Graph never returns secret values or certificate private keys, so Token Watch only ever sees and sends metadata: application name, credential name, status, and expiry date.

Start with email — it needs zero receiving setup. Add Slack or Teams for chat visibility, Azure DevOps to make renewal an owned work item, or the JSON webhook for machine ingestion. They all run side by side.

Back to all guides

Top