Documentation 8 min read Updated June 13, 2026

How to send Azure App Registration expiration alerts to Slack

An App Registration secret can expire without a single line of code changing — no deploy, no commit, nothing in the diff to blame. One day the credential is simply past its date and an integration stops working. If your team already watches a Slack channel for operational noise, an expiry warning ought to land there too, while you can still do something about it.

Secret expiry is really an ownership problem wearing a technical hat. Somebody has to know a credential is about to lapse, know which app it belongs to, and renew it before the integration falls over. Slack works for that when the people who do the renewing actually watch an engineering, platform, identity, or operations channel, somewhere a person will see the alert and pick it up.

After admin consent, Token Watch reads your Entra credential metadata through Microsoft Graph and can post a Slack Block Kit message to an incoming webhook URL. It sends metadata only — application name, secret or certificate name, status, expiry timestamp — and never the secret values or certificate private keys. It can't, in fact: Graph does not return them.

Integration overview

Microsoft Entra ID / Azure AD App Registrations
  -> Token Watch
  -> Slack webhook channel
  -> Slack incoming webhook URL
  -> Slack channel

Token Watch syncs credential metadata through Microsoft Graph after Microsoft admin consent. On a daily monitoring run, it posts to Slack only when at least one tracked credential is expired or expiring soon. If nothing is expiring, nothing is delivered.

When to use Slack alerts

Use Slack if your team already reacts to operational alerts there; it is good for visible triage and the gentle peer pressure of a public channel. For a very small team, email may be enough on its own. The moment you need ticket creation, SIEM ingestion, or a signed payload another system can verify, switch to the JSON webhook channel instead.

Prerequisites

  • Token Watch tenant setup is complete.
  • Microsoft admin consent has been granted and applications have synced.
  • Monitoring is enabled and webhook delivery is available in your Token Watch plan.
  • You have a Slack app with incoming webhooks enabled.
  • You have a Slack incoming webhook URL for the target channel.

The Slack incoming webhook URL must be a public HTTPS endpoint.

Step-by-step setup

  1. In Slack, create or choose a Slack app that can use incoming webhooks.
  2. Enable incoming webhooks for that Slack app.
  3. Create a webhook URL for the target channel, such as #entra-expiry-alerts or #identity-ops.
  4. In Token Watch, open Monitoring > Webhook reporting.
  5. Select Slack.
  6. Paste the Slack incoming webhook URL.
  7. Enable webhook delivery.
  8. Send a test webhook.
  9. Check the Slack channel for the test message.

Token Watch sends the webhook as a POST with application/json. Slack returns a 2xx when it accepts the message; anything else counts as a failed attempt, and Token Watch retries up to three times in total with backoff in between.
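The delivery semantics above, as an added example in Python (not Token Watch's own code): POST application/json, treat any non-2xx response as a failed attempt, and stop after three attempts in total. The backoff schedule of 1 s then 4 s is an assumption, since the page only says there is backoff; the transport and the sleep are injectable so the retry logic can be exercised offline with constructed status codes.

```python
"""Deliver a payload to a Slack incoming webhook with the semantics described
above: POST application/json, 2xx means accepted, anything else is a failed
attempt, at most three attempts in total with backoff between them.
Added example, not Token Watch's code. The backoff schedule is assumed."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

MAX_ATTEMPTS = 3                 # "up to three times in total"
BACKOFF_SECONDS = (1.0, 4.0)     # assumed waits between attempts 1->2 and 2->3


def http_post_json(url: str, body: bytes) -> int:
    """Real transport: POST the body and return the HTTP status (0 = no response)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code          # urllib raises on non-2xx; the code is what we need
    except urllib.error.URLError:
        return 0                 # DNS, TLS or connection failure: no HTTP status at all


def deliver(url: str, payload: dict,
            post: Callable[[str, bytes], int] = http_post_json,
            sleep: Callable[[float], None] = time.sleep) -> Tuple[bool, List[int]]:
    """Attempt delivery up to MAX_ATTEMPTS times.

    Returns (accepted, status codes seen). `post` and `sleep` are injectable
    so the retry behaviour can be tested without touching the network.
    """
    if not url.startswith("https://"):
        raise ValueError("Slack incoming webhook URL must be an https:// endpoint")
    body = json.dumps(payload).encode("utf-8")
    seen: List[int] = []
    for attempt in range(MAX_ATTEMPTS):
        status = post(url, body)
        seen.append(status)
        if 200 <= status < 300:
            return True, seen            # Slack accepted the message
        if attempt < MAX_ATTEMPTS - 1:
            sleep(BACKOFF_SECONDS[attempt])
    return False, seen                   # all attempts failed


if __name__ == "__main__":
    # Offline demo with a constructed transport: two failures, then Slack accepts.
    codes = iter([503, 429, 200])
    print(deliver("https://hooks.slack.com/services/T000/B000/XXXX",
                  {"text": "test"}, post=lambda u, b: next(codes), sleep=lambda s: None))
```

The webhook URL is never part of the return value, so callers can log the status codes they saw without leaking the URL, which the security notes below treat as a secret.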

What the Slack message includes

The channel gets a Block Kit message: a header, then one section per expired or expiring credential, each showing the application name, the secret or certificate name, the status, and the expiry timestamp. Slack caps a single message at 50 blocks, so Token Watch lists at most 40 sections and adds a summary line when there are more.

Token Watch — 2 secret(s) need attention

Contoso API — client-secret
Expiring · expires 2026-06-20T00:00:00Z

Fabrikam Web — signing-cert
Expired · expires 2026-06-11T00:00:00Z
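The message assembly described above, as an added example rather than Token Watch's code: classify each credential from its expiry timestamp, skip the run entirely when nothing is flagged, build a Block Kit header plus one section per credential, and cap the list at 40 sections with a summary line. The 30-day "expiring soon" window, the record shape, and the sample credentials are constructed assumptions; the page does not state Token Watch's own threshold.

```python
"""Assemble the Slack Block Kit payload described above from credential
metadata. Added example, not Token Watch's code. The 30-day window,
the record shape and the sample data are constructed assumptions."""
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_SECTIONS = 40                      # page: up to 40 sections, then a summary line
EXPIRING_WINDOW = timedelta(days=30)   # assumed "expiring soon" threshold


def classify(expires_at: datetime, now: datetime) -> Optional[str]:
    """'Expired', 'Expiring', or None when the credential needs no alert."""
    if expires_at <= now:
        return "Expired"
    if expires_at - now <= EXPIRING_WINDOW:
        return "Expiring"
    return None


def build_message(credentials: list, now: datetime) -> Optional[dict]:
    """Return a Block Kit payload, or None when no credential is flagged.

    Each record is {"app": str, "name": str, "expires_at": datetime}:
    metadata only, never the secret value (Graph does not return it).
    """
    flagged = []
    for cred in credentials:
        status = classify(cred["expires_at"], now)
        if status:
            flagged.append((status, cred))
    if not flagged:
        return None                    # empty run: nothing is sent

    # Expired rows first, then soonest expiry, so the urgent ones lead.
    flagged.sort(key=lambda sc: (sc[0] != "Expired", sc[1]["expires_at"]))

    blocks = [{"type": "header", "text": {"type": "plain_text",
               "text": f"Token Watch: {len(flagged)} secret(s) need attention"}}]
    for status, cred in flagged[:MAX_SECTIONS]:
        stamp = cred["expires_at"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        blocks.append({"type": "section", "text": {"type": "mrkdwn",
                       "text": f"*{cred['app']}* - {cred['name']}\n{status} · expires {stamp}"}})
    hidden = len(flagged) - MAX_SECTIONS
    if hidden > 0:                     # header + 40 sections + 1 summary stays under Slack's 50-block cap
        blocks.append({"type": "context", "elements": [
            {"type": "mrkdwn", "text": f"...and {hidden} more not shown"}]})
    return {"blocks": blocks}


# Constructed sample mirroring the page's example message, plus one healthy credential.
SAMPLE_NOW = datetime(2026, 6, 13, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    {"app": "Contoso API", "name": "client-secret",
     "expires_at": datetime(2026, 6, 20, tzinfo=timezone.utc)},
    {"app": "Fabrikam Web", "name": "signing-cert",
     "expires_at": datetime(2026, 6, 11, tzinfo=timezone.utc)},
    {"app": "Northwind Jobs", "name": "rotation-2027",
     "expires_at": datetime(2027, 1, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_message(SAMPLE_CREDENTIALS, SAMPLE_NOW), indent=2))
```

Run on the sample, the healthy Northwind credential is dropped and the two flagged ones come out Expired first, matching the shape of the message shown above; with no flagged credentials the function returns None, which is the "nothing is delivered" case from the overview.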

Security notes

Slack mode is for people to read, not for machines to verify. Incoming webhooks do not carry the X-TW-Signature header, so the webhook URL itself is the only thing standing between your channel and everyone else — anyone holding that URL can post to it. Store it like the secret it effectively is.

If you need signature verification, raw-body handling, replay-window checks, or routing logic of your own, send the alerts to the JSON webhook channel, verify them in your own receiver, and have that receiver post to Slack. And if your team lives in Microsoft 365 rather than Slack, the Microsoft Teams guide covers the Power Automate path.

Routing ideas

  • Use a dedicated channel for Microsoft Entra App Registration credential expiry.
  • Route Expired credentials to a higher-urgency operational channel.
  • Route Expiring credentials to a maintenance channel or weekly renewal workflow.
  • Put the owning team or service name in the application naming convention.
  • Use Slack alerts for visibility, then create tickets manually or through a separate signed receiver.
  • Avoid relying only on chat history if you need a durable audit trail.

Troubleshooting

  • No webhook arrived: confirm webhook delivery is enabled and there was at least one expired or expiring tracked credential.
  • Token Watch says the URL is invalid: confirm the URL is a public https:// endpoint.
  • Slack does not show the message: check that the Slack webhook URL is active and the selected Token Watch channel is Slack.
  • The endpoint returns 404: regenerate or recopy the Slack incoming webhook URL.
  • The endpoint returns 429: check Slack-side rate limiting or channel/app configuration.
  • Webhook health is unhealthy: health is based on recent scheduled deliveries, not just manual tests.
  • Nothing was delivered: if a day's run finds nothing expiring, no message is sent.

Limitations

  • Token Watch does not renew credentials for you.
  • Token Watch does not send secret values.
  • Slack mode is for readable team notifications, not signed ingestion.
  • The alert only helps if the team has an owner and renewal process.

FAQ

Can Azure send App Registration expiry alerts to Slack on its own?

Azure won't do it for you, but Token Watch will. It posts secret and certificate expiry alerts into a Slack channel through a Slack incoming webhook URL.

How do I set up Slack alerts?

Connect Token Watch to your tenant with Microsoft admin consent, sync applications, enable monitoring, and set up the Slack webhook.

Does Token Watch ever see or send secret values?

No — it can't. Graph never returns secret values, so Token Watch only ever sees and sends metadata. Your secret values and certificate private keys stay in Azure.

Are Slack alerts signed?

No. Slack mode uses Slack incoming webhooks and is not signed with X-TW-Signature. Use the JSON webhook for signed ingestion.

Why did a daily run deliver nothing?

It skips empty runs on purpose. If no tracked credential was expired or expiring on that day's run, there is nothing worth pinging the channel about, so nothing is sent.

When should I use Slack rather than the JSON webhook?

Use Slack for human-readable team visibility. Use a JSON webhook when another system needs to verify, route, deduplicate, or persist the event.
