Get Azure Key Vault expired secrets

KeyVault expired

Hey Scripters! If you want to gather Azure Key Vault expired secrets by the script, today is your lucky day – I’ve prepared script for that 🙂

I was searched for some easy functionality which will easily notify me about Key Vault expired secrets. The only solution I found is Events functionality in Key Vault. However after few of my test (during writing this article this option is still in preview) I found that it is very limited and you can monitor only modification/addition of the secret. Events with expiration of the secrets are not working and that’s the reason why I prepared my PowerShell script.

How the script works?

It’s quite easy – on the begin you must provide $subscriptionId parameter which defines source subscription for Key Vault. Next you must provide $DaysNearExpiration integer – it declare number of the days before which you should be notified about secret expiration. $VaultName parameter is optional, you can provide name of the Key Vault if you want to check only one. If this parameter will be empty script will gather information from all Key Vaults from subscription.

Once parameters are defined script gather information about all Key Vaults. Next it iterates across all of them, gather secrets from all of them and comparing expiration date set with current date and expiration notification date. Base on that it’s adding them to proper array and display information from them at the end of the script.


To run the script you must have proper permission set on access policies on all affected Key Vault. List permission is enough for that operation.



Select-AzSubscription -SubscriptionId $SubscriptionID | Out-Null

$ExpiredSecrets = @()
$NearExpirationSecrets = @()

#gather all key vaults from subscription
if ($VaultName) {
    $KeyVaults = Get-AzKeyVault -VaultName $VaultName
else {
    $KeyVaults = Get-AzKeyVault
#check date which will notify about expiration
$ExpirationDate = (Get-Date (Get-Date).AddDays($DaysNearExpiration) -Format yyyyMMdd)
$CurrentDate = (Get-Date -Format yyyyMMdd)

# iterate across all key vaults in subscription
foreach ($KeyVault in $KeyVaults) {
    # gather all secrets in each key vault
    $SecretsArray = Get-AzKeyVaultSecret -VaultName $KeyVault.VaultName
    foreach ($secret in $SecretsArray) {
        # check if expiration date is set
        if ($secret.Expires) {
            $secretExpiration = Get-date $secret.Expires -Format yyyyMMdd
            # check if expiration date set on secret is before notify expiration date
            if ($ExpirationDate -gt $secretExpiration) {
                # check if secret did not expire yet but will expire soon
                if ($CurrentDate -lt $secretExpiration) {
                    $NearExpirationSecrets += New-Object PSObject -Property @{
                        Name           = $secret.Name;
                        Category       = 'SecretNearExpiration';
                        KeyVaultName   = $KeyVault.VaultName;
                        ExpirationDate = $secret.Expires;
                # secret is already expired
                else {
                    $ExpiredSecrets += New-Object PSObject -Property @{
                        Name           = $secret.Name;
                        Category       = 'SecretNearExpiration';
                        KeyVaultName   = $KeyVault.VaultName;
                        ExpirationDate = $secret.Expires;


Write-Output "Total number of expired secrets: $($ExpiredSecrets.Count)"
Write-Output "Total number of secrets near expiration: $($NearExpirationSecrets.Count)"

You can easily combine script with Log Analytics in order you want to be notified about expiration date. I will share you script for posting Log analytics message in next article!

Hope that it will be usefull for some of you 😉


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.