Documentation 8 min read Updated June 13, 2026

How to send Azure App Registration expiration alerts to Microsoft Teams

When an App Registration secret expires, the outage rarely announces itself as a credential problem. The app just looks broken — logins fail, a connector goes dark — and someone burns an hour before tracing it back to an expiry date. If your team already lives in Teams, that warning belongs in Teams, a few days before anything actually breaks.

Token Watch watches the client secrets and certificates on your Entra App Registrations. Once you grant admin consent, it reads the credential metadata through Microsoft Graph and, on a daily monitoring run, sends an alert whenever a tracked credential is expired or getting close.

Teams no longer has a native "incoming webhook" the way it once did, so Token Watch takes the path Microsoft now supports: it sends an Adaptive Card to a Power Automate workflow URL, and the flow posts that card into whichever channel or chat you point it at.

Integration overview

Microsoft Entra ID / Azure AD App Registrations
  -> Token Watch
  -> Microsoft Teams webhook channel
  -> Power Automate workflow URL
  -> Teams channel or chat

Token Watch sends metadata only. It never sends client secret values, certificate private keys, Microsoft user passwords, or payment card details. When a daily run finds nothing expiring, nothing is sent.

When to use Teams alerts

Pick Teams if your identity, platform, or operations people already triage work there — the alert lands where they are already looking. For a small team, email might cover it. If you need a signed, machine-verifiable payload, that is the JSON webhook channel, not this one. Teams mode is built for readable notifications and for fanning out into Power Automate workflows.

Prerequisites

  • Token Watch tenant setup is complete.
  • Microsoft admin consent has been granted and applications have synced.
  • Monitoring is enabled and webhook delivery is available in your Token Watch plan.
  • You can create or manage a Power Automate cloud flow.
  • You have a Teams channel or chat where alerts should be posted.
  • The generated workflow URL is a public HTTPS endpoint.

The webhook URL must be the Power Automate workflow URL, not the retired Office 365 MessageCard connector, and it has to be a public HTTPS endpoint.

Step-by-step setup

  1. Create a Power Automate cloud flow.
  2. Use a trigger that receives an HTTP or webhook request for Teams.
  3. Configure the flow to post the incoming Adaptive Card to the desired Teams channel or chat.
  4. Copy the generated workflow URL.
  5. In Token Watch, open Monitoring > Webhook reporting.
  6. Select Microsoft Teams.
  7. Paste the Power Automate workflow URL.
  8. Enable webhook delivery.
  9. Send a test webhook.

Token Watch posts JSON and treats a 2xx from your flow as success. Anything else counts as a failed attempt, and Token Watch retries — up to three attempts in total, with backoff before the second and third.

What Teams receives

The flow receives a message envelope with a single Adaptive Card attachment (card version 1.4). The card leads with a title counting the credentials that need attention, shows the generated timestamp, and lays each one out — application, secret or certificate, status, expiry — as a fact set. To stay inside the card's limits, Token Watch lists up to 40 facts and adds a summary line when there are more.

Token Watch — 2 secret(s) need attention
Generated 2026-06-13T00:00:00Z

Contoso API — client-secret      Expiring · expires 2026-06-20T00:00:00Z
Fabrikam Web — signing-cert      Expired · expires 2026-06-11T00:00:00Z
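The card rendered above, built and delivered the way this page describes: a message envelope with a single Adaptive Card 1.4 attachment, a fact set capped at 40 entries with a summary line beyond that, nothing sent when no credential needs attention, and a POST that treats only 2xx as success and retries up to three attempts with backoff. This is an added example, not Token Watch's own code. The envelope shape (type "message", an attachments array with the adaptive-card content type) is the standard Teams workflow convention; the element names inside the card, the backoff durations, and the sample credentials are this example's assumptions.

```python
import json
import time
import urllib.error
import urllib.request

MAX_FACTS = 40          # fact-set cap described on this page
MAX_ATTEMPTS = 3        # three delivery attempts in total
BACKOFF = {2: 2, 3: 5}  # seconds to wait before attempt 2 and 3 (constructed values)

# Constructed sample: the two credentials shown in the rendering above
SAMPLE_CREDENTIALS = [
    {"app": "Contoso API", "kind": "client-secret", "status": "Expiring",
     "expires": "2026-06-20T00:00:00Z"},
    {"app": "Fabrikam Web", "kind": "signing-cert", "status": "Expired",
     "expires": "2026-06-11T00:00:00Z"},
]


def build_envelope(credentials, generated_at):
    """Return the Teams message envelope with one Adaptive Card 1.4 attachment.

    The envelope shape is the standard Teams workflow convention; the element
    names inside the card are this example's choice, not Token Watch's schema.
    """
    facts = [
        {"title": f"{c['app']} — {c['kind']}",
         "value": f"{c['status']} · expires {c['expires']}"}
        for c in credentials[:MAX_FACTS]
    ]
    body = [
        {"type": "TextBlock", "size": "Large", "weight": "Bolder",
         "text": f"Token Watch — {len(credentials)} secret(s) need attention"},
        {"type": "TextBlock", "isSubtle": True, "text": f"Generated {generated_at}"},
        {"type": "FactSet", "facts": facts},
    ]
    hidden = len(credentials) - len(facts)
    if hidden > 0:  # summary line once the fact cap is reached
        body.append({"type": "TextBlock", "text": f"... and {hidden} more not shown"})
    card = {"$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
            "type": "AdaptiveCard", "version": "1.4", "body": body}
    return {"type": "message",
            "attachments": [{"contentType": "application/vnd.microsoft.card.adaptive",
                             "contentUrl": None, "content": card}]}


def _http_post(url, body):
    """Real transport: POST JSON and return the HTTP status (0 on connection failure)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # non-2xx answers carry a status code
        return err.code
    except urllib.error.URLError:           # DNS/TLS/connect failure: no code at all
        return 0


def deliver(url, envelope, post=_http_post, sleep=time.sleep):
    """POST the envelope; only a 2xx counts as success.

    Any other result is a failed attempt, retried with backoff before the
    second and third attempt. Returns (succeeded, attempts_used).
    """
    body = json.dumps(envelope).encode()
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if attempt in BACKOFF:
            sleep(BACKOFF[attempt])
        if 200 <= post(url, body) < 300:
            return True, attempt
    return False, MAX_ATTEMPTS


def daily_run(credentials, url, generated_at, **transport):
    """One monitoring run: send nothing at all when nothing needs attention."""
    if not credentials:
        return None
    return deliver(url, build_envelope(credentials, generated_at), **transport)


if __name__ == "__main__":
    # Offline demo with a fake transport that fails twice, then succeeds.
    responses = iter([503, 500, 202])
    print(daily_run(SAMPLE_CREDENTIALS, "https://example.invalid/workflow",
                    "2026-06-13T00:00:00Z",
                    post=lambda u, b: next(responses), sleep=lambda s: None))
```

The `post` and `sleep` parameters are injectable so the retry path can be exercised without a real workflow URL; in production call `daily_run` with the defaults and the URL you pasted into Token Watch.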

Security notes

Teams mode is for people to read, not for machines to verify. It does not carry the X-TW-Signature header that the JSON channel uses, so the workflow URL is your control: treat it like a secret, write down who owns the flow, and decide up front where flow failures get investigated.

If you need signature verification, replay protection, custom deduplication, or SIEM-grade ingestion, send the alert to the JSON webhook channel first, verify it in your own receiver, and post into Teams from there as a downstream step. And if your team really handles operational alerts in Slack, the Slack guide covers that incoming-webhook path.

Routing ideas

  • Post alerts to an identity, platform, or production operations Teams channel.
  • Use Power Automate steps to create Planner tasks, notify owners, or send approvals.
  • Send Expired credentials to a higher-urgency path.
  • Send Expiring credentials to a maintenance queue.
  • Route by tenant, application naming convention, owner map, service catalog, or team mapping.
  • Avoid creating duplicate tasks every night for the same credential.
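A receiver that follows the Security notes advice (take the JSON channel first, verify it yourself, then route) and applies the routing ideas above: signature check, a freshness window for replay protection, per-credential deduplication so nightly runs do not re-create tasks, and an urgent path for Expired versus a maintenance queue for Expiring. This is an added example, not Token Watch's receiver or schema. The page names the X-TW-Signature header but not its algorithm, so HMAC-SHA256 hex over the raw body is an assumption here; the secret, the event field names and the sample event are constructed. Posting the result into Teams is the downstream step and is left out.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed shared secret; the real one is whatever Token Watch issues for
# your receiver. Assumption: X-TW-Signature is hex HMAC-SHA256 over the raw body.
WEBHOOK_SECRET = b"constructed-example-secret"
REPLAY_WINDOW = timedelta(minutes=10)


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_ok(raw_body: bytes, header: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    # compare_digest keeps the comparison constant-time
    return hmac.compare_digest(sign(raw_body, secret), (header or "").strip().lower())


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2026-06-13T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_fresh(generated_at: str, now: datetime) -> bool:
    """Replay protection: reject events generated outside the window."""
    return abs(now - parse_ts(generated_at)) <= REPLAY_WINDOW


class AlertRouter:
    """Verify, deduplicate, then pick the downstream path for each credential."""

    def __init__(self):
        # In-memory for the example; use durable storage so a restart does
        # not re-open tasks the next night.
        self.seen = set()

    def handle(self, raw_body: bytes, signature_header: str, now: datetime) -> dict:
        if not signature_ok(raw_body, signature_header):
            return {"accepted": False, "reason": "bad-signature"}
        event = json.loads(raw_body)
        if not is_fresh(event["generated_at"], now):
            return {"accepted": False, "reason": "stale"}
        decisions = []
        for cred in event["credentials"]:
            # Status is part of the key so Expiring -> Expired re-alerts once.
            key = (cred["application"], cred["credential"], cred["status"], cred["expires_at"])
            if key in self.seen:
                decisions.append({"credential": cred["credential"], "route": "skip-duplicate"})
                continue
            self.seen.add(key)
            route = "urgent-channel" if cred["status"] == "Expired" else "maintenance-queue"
            decisions.append({"credential": cred["credential"], "route": route})
        return {"accepted": True, "decisions": decisions}


# Constructed sample event; field names are this example's assumption.
SAMPLE_EVENT = json.dumps({
    "generated_at": "2026-06-13T00:00:00Z",
    "credentials": [
        {"application": "Contoso API", "credential": "client-secret",
         "status": "Expiring", "expires_at": "2026-06-20T00:00:00Z"},
        {"application": "Fabrikam Web", "credential": "signing-cert",
         "status": "Expired", "expires_at": "2026-06-11T00:00:00Z"},
    ],
}).encode()

if __name__ == "__main__":
    router = AlertRouter()
    now = parse_ts("2026-06-13T00:03:00Z")
    print(router.handle(SAMPLE_EVENT, sign(SAMPLE_EVENT), now))
    print(router.handle(SAMPLE_EVENT, sign(SAMPLE_EVENT), now))  # all duplicates
```

Verify against the raw request bytes before parsing JSON: re-serialising the parsed object can change whitespace or key order and break the comparison.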

Troubleshooting

  • No webhook arrived: confirm there was at least one expired or expiring tracked credential.
  • Webhook URL is invalid: confirm it is a public HTTPS URL.
  • 401 or 403: check the Power Automate trigger URL and permissions.
  • 404: the workflow URL may have been regenerated or copied incorrectly.
  • 429: check Power Automate limits and downstream Teams posting behavior.
  • Teams does not show the message: confirm the flow is enabled and posts the incoming Adaptive Card to the expected destination.
  • Webhook health is unhealthy: health is computed from recent scheduled deliveries, not manual tests.

Limitations

  • Token Watch does not renew credentials for you.
  • Token Watch does not send secret values.
  • Teams delivery depends on the Power Automate workflow remaining enabled and authorized.
  • Teams mode is for human-readable notifications; a JSON webhook is better for signed automation.
  • The alert only helps if the team has an ownership and renewal process.

FAQ

Teams no longer does this natively, but Token Watch can still reach it. Token Watch posts an Adaptive Card to a Power Automate workflow URL, and the flow drops it into your Teams channel or chat.

Connect Token Watch with Microsoft admin consent, sync applications, enable monitoring, and set up the Teams webhook.

No — it can't. Graph does not return secret values, so Token Watch only ever handles metadata. Secret values and certificate private keys never leave Azure.

No. Teams mode is not signed with X-TW-Signature. Use the JSON webhook for signed machine-to-machine ingestion.

Probably because nothing was due. Empty alerts are skipped, so if no tracked credential was expired or expiring on that day's run, there is no card to post.

Use Teams for team visibility and Power Automate workflows. Use a JSON webhook when a system needs to verify, deduplicate, route, or persist the event.
