The Default: No Alerts At All
By default, Azure Key Vault doesn’t notify you when a secret is about to expire. It will happily let a certificate reach its expiry date and take down your production TLS endpoint without sending a single email.
This catches a lot of teams off guard. Key Vault stores the expiry date, displays it in the portal, and does absolutely nothing with it unless you configure alerting yourself.
Here are the three main approaches, from simplest to most comprehensive.
Option 1: Azure Policy (Compliance Flagging)
Azure Policy can flag secrets, keys, and certificates that expire within a certain number of days. This doesn’t send alerts directly, but it surfaces non-compliant resources in the Azure Policy compliance dashboard.
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.KeyVault/vaults/secrets"
      },
      {
        "field": "Microsoft.KeyVault/vaults/secrets/attributes.expiresOn",
        "lessOrEquals": "[addDays(utcNow(), 30)]"
      }
    ]
  },
  "then": {
    "effect": "audit"
  }
}
```
Microsoft provides built-in policies for this:
- Secrets should have more than the specified number of days before expiration
- Keys should have more than the specified number of days before expiration
- Certificates should have more than the specified number of days before expiration
Assign these at the subscription or management group level with the threshold set to 30 days.
Pros: Easy to set up. Works across all vaults in scope. No custom code.
Cons: Policy compliance is evaluated periodically, not in real time. You need to actually check the compliance dashboard. No push notifications.
Option 2: Event Grid + Logic App (Real-time Alerts)
Key Vault emits events through Azure Event Grid when secrets, keys, or certificates approach expiry. This is the most common approach for real alerting.
Events available
| Event | When it fires |
|---|---|
| Microsoft.KeyVault.SecretNearExpiry | 30 days before expiry |
| Microsoft.KeyVault.SecretExpired | On expiry date |
| Microsoft.KeyVault.KeyNearExpiry | 30 days before expiry |
| Microsoft.KeyVault.KeyExpired | On expiry date |
| Microsoft.KeyVault.CertificateNearExpiry | 30 days before expiry |
| Microsoft.KeyVault.CertificateExpired | On expiry date |
The “NearExpiry” events fire at 30 days by default. For certificates, you can configure this threshold in the certificate’s lifecycle management policy.
Setting up the Event Grid subscription
```bash
# Create an Event Grid subscription that sends to a Logic App
az eventgrid event-subscription create \
  --name secret-expiry-alerts \
  --source-resource-id "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/my-vault" \
  --endpoint "LOGIC_APP_TRIGGER_URL" \
  --included-event-types \
    Microsoft.KeyVault.SecretNearExpiry \
    Microsoft.KeyVault.SecretExpired \
    Microsoft.KeyVault.CertificateNearExpiry \
    Microsoft.KeyVault.CertificateExpired
```
The Logic App
Create a Logic App with an HTTP trigger that receives the Event Grid event and sends an email or Teams message. The event payload includes:
```json
{
  "subject": "my-secret",
  "eventType": "Microsoft.KeyVault.SecretNearExpiry",
  "data": {
    "Id": "https://my-vault.vault.azure.net/secrets/my-secret/abc123",
    "VaultName": "my-vault",
    "ObjectType": "Secret",
    "ObjectName": "my-secret",
    "Version": "abc123",
    "NBF": null,
    "EXP": 1735689600
  }
}
```
Parse the EXP field (Unix timestamp) to include the actual expiry date in your notification.
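As an added example (not code from the article or from Azure), here is the parsing step as a Python handler body that a Logic App or Azure Function could run. Event Grid delivers events as a JSON array, so it handles a whole delivery; the sample delivery and the `NOW_TS` clock value are constructed from the payload shape above.

```python
"""Parse Key Vault expiry events from an Event Grid delivery and build alerts.

Added example, not from the original article. Field names follow the payload
shown in the article; the delivery below is constructed sample data.
"""
import json
from datetime import datetime, timezone

# Assumed "current time" for the demo: 2024-12-02T00:00:00Z. The sample holds a
# secret 30 days out and a certificate that expired the day before.
NOW_TS = 1733097600
SAMPLE_DELIVERY = json.dumps([
    {"subject": "my-secret", "eventType": "Microsoft.KeyVault.SecretNearExpiry",
     "data": {"Id": "https://my-vault.vault.azure.net/secrets/my-secret/abc123",
              "VaultName": "my-vault", "ObjectType": "Secret", "ObjectName": "my-secret",
              "Version": "abc123", "NBF": None, "EXP": 1735689600}},
    {"subject": "api-tls", "eventType": "Microsoft.KeyVault.CertificateExpired",
     "data": {"Id": "https://my-vault.vault.azure.net/certificates/api-tls/def456",
              "VaultName": "my-vault", "ObjectType": "Certificate", "ObjectName": "api-tls",
              "Version": "def456", "NBF": 1704067200, "EXP": 1733011200}},
])


def parse_events(body: str, now_ts: int = NOW_TS) -> list[dict]:
    """Return one alert record per event, with EXP turned into a readable date.

    EXP is a Unix timestamp in seconds (UTC). It is null for objects created
    without an expiry, so that case is reported rather than raised.
    """
    alerts = []
    for event in json.loads(body):
        data = event["data"]
        exp = data.get("EXP")
        if exp is None:
            expires, days_left = "no expiry", None
        else:
            expires = datetime.fromtimestamp(exp, tz=timezone.utc).isoformat()
            days_left = (exp - now_ts) // 86400  # whole days; negative once expired
        # An Expired event is an incident; NearExpiry is the cue to start rotation.
        severity = "critical" if event["eventType"].endswith("Expired") else "warning"
        alerts.append({
            "severity": severity,
            "vault": data["VaultName"],
            "object": f'{data["ObjectType"]}/{data["ObjectName"]}',
            "version": data["Version"],
            "expires_utc": expires,
            "days_left": days_left,
            "message": (f'[{severity.upper()}] {data["ObjectType"]} {data["ObjectName"]} '
                        f'in {data["VaultName"]} expires {expires} ({days_left} days left)'),
        })
    return alerts
```

The `message` field is what you would hand to the email or Teams step; the structured fields are there for a ticketing or SIEM sink.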
Pros: Real-time. Push notifications to email, Teams, Slack, whatever your Logic App targets.
Cons: Requires setup per vault (or per resource group with resource filtering). The 30-day threshold is fixed for secrets and keys. Logic Apps have their own cost.
Option 3: Azure Monitor Alerts (Metrics-Based)
Key Vault exposes metrics through Azure Monitor. You can create alert rules based on the Saturation metric or use log-based alerts with diagnostic logs.
For expiry alerting specifically, the Log Analytics approach works better:
Enable diagnostic logging
```bash
az monitor diagnostic-settings create \
  --name kv-diagnostics \
  --resource "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/my-vault" \
  --workspace "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/my-workspace" \
  --logs '[{"category":"AuditEvent","enabled":true}]'
```
Create a log alert rule
Write a KQL query that checks for NearExpiry events in the Key Vault audit log and creates an alert when matches are found.
Pros: Centralized in Azure Monitor. Works with existing alert infrastructure (action groups, ITSM connectors).
Cons: More complex setup. Depends on diagnostic logs being enabled on every vault. Log ingestion costs.
The Blind Spots
All three approaches share the same limitation: they work per vault. If you have 30 Key Vaults across 8 subscriptions, you need to configure alerting 30 times. Miss one vault and you have a blind spot.
There are other blind spots too:
App Registration credentials aren’t in Key Vault. Event Grid doesn’t fire NearExpiry events for App Registration client secrets or certificates. Those live in Entra ID, not Key Vault, and have no built-in alerting at all.
The 30-day threshold may not be enough. For secrets that require coordination across multiple teams for rotation, 30 days is tight. You might want alerts at 90, 60, and 30 days.
No dependency context. An alert that says “secret X in vault Y is expiring” is useful, but you also need to know which applications consume that secret. Otherwise you’re scrambling to trace the dependency at alert time instead of having that context ready.
Putting It All Together
For most teams, we recommend this layered approach:
- Azure Policy at the management group level for baseline compliance visibility
- Event Grid + Logic App on production Key Vaults for real-time push notifications
- Regular discovery scans to catch App Registration credentials and any vaults missing Event Grid subscriptions
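The discovery-scan layer, together with the 90/60/30-day ladder and the dependency context from the blind-spot list above, as an added example that is not the article's or any product's code. It works over an inventory a discovery job has already collected; the inventory, the dependency map and every name in them are constructed sample data.

```python
"""Multi-threshold expiry scan with dependency context.

Added example, not code from the article. Inventory, dependency map and all
names are constructed; a real scan would fill INVENTORY from Key Vault and
from App Registration credentials, which Event Grid never covers.
"""
from datetime import date

# Alert ladder from the blind-spot discussion. A credential fires at most one
# alert per scan: the tightest threshold it has crossed, or "expired".
THRESHOLDS = (90, 60, 30)

# Constructed inventory: (source, credential name, expiry date).
INVENTORY = [
    ("vault:prod-kv", "payments-db-password", date(2025, 1, 15)),
    ("vault:prod-kv", "api-tls", date(2025, 3, 1)),
    ("appreg:billing-svc", "client-secret", date(2024, 12, 20)),
    ("appreg:reporting", "client-secret", date(2024, 11, 30)),
    ("vault:dev-kv", "scratch-token", date(2026, 1, 1)),
]

# Constructed dependency map: which workloads consume each credential.
CONSUMERS = {
    ("vault:prod-kv", "payments-db-password"): ["checkout-api", "refund-worker"],
    ("vault:prod-kv", "api-tls"): ["public-gateway"],
    ("appreg:billing-svc", "client-secret"): ["billing-svc"],
}


def scan(inventory, consumers, today_iso: str) -> list[dict]:
    """Return alerts sorted most-urgent-first, each with its consumer list."""
    today = date.fromisoformat(today_iso)
    alerts = []
    for source, name, expiry in inventory:
        days_left = (expiry - today).days
        if days_left < 0:
            bucket = "expired"
        else:
            crossed = [t for t in THRESHOLDS if days_left <= t]
            if not crossed:
                continue  # comfortably outside every threshold; nothing to raise
            bucket = f"{min(crossed)}d"
        alerts.append({
            "source": source, "name": name, "days_left": days_left, "bucket": bucket,
            # A missing mapping is itself a finding: nobody can say what breaks.
            "consumers": consumers.get((source, name), ["UNKNOWN - map this dependency"]),
        })
    alerts.sort(key=lambda a: a["days_left"])
    return alerts
```

Run on a schedule, the scan also catches vaults that were never given an Event Grid subscription, because it reads expiry dates directly rather than waiting for events.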
If you want all of this without the per-vault configuration burden, CertifyClouds scans every Key Vault and App Registration across all your subscriptions, alerts on configurable expiry thresholds (90, 60, 30, 14, 7 days), and maps the dependency graph so every alert includes context about what breaks if the secret expires. One setup, full coverage.
Further Reading
- The True Cost of an Expired Azure Certificate in Production - what happens when alerts fail and a certificate expires in production
- How to Find All Expiring Secrets and Certificates Across Azure Subscriptions - alerts only work if you know what to alert on; start with discovery
- Azure Key Vault Secret Rotation: Best Practices for 2026 - alerts are reactive; rotation is proactive. Combine both for full coverage