Credential Expiration
When certificates and secrets expire in Microsoft Entra ID, applications stop working—often without warning. These outages can disrupt critical business services, impact customer experiences, and require emergency intervention to restore.
The business problem:
- Application outages from expired credentials cause business disruption
- Microsoft Entra ID provides limited built-in alerting for expiring credentials
- Manual tracking across hundreds or thousands of applications doesn't scale
- Organizations often discover expired credentials only after services fail
Benefits
Proactive credential expiration tracking delivers measurable value:
✅ Prevent application outages - Identify expiring credentials before they cause service disruptions
✅ Reduce emergency interventions - Plan credential renewals during maintenance windows instead of reacting to failures
✅ Improve operational efficiency - Eliminate manual spreadsheet tracking and calendar reminders
✅ Ensure business continuity - Maintain uninterrupted service for critical applications
✅ Reduce incident response costs - Avoid expensive after-hours emergency credential renewals
✅ Demonstrate compliance - Provide evidence of proactive credential lifecycle management for audits
How credential expiration works
Credential expiration is the core signal EasyLife 365 Identity uses to prevent application outages and drive timely action. The product continuously evaluates certificates and secrets across your Entra ID applications and identifies its status based on its remaining lifetime.
This section explains:
- How expiration status is determined
- What each status means
- How expiring and expired credentials are surfaced in the UI
- How notifications are triggered
Expiration status
Each credential is assigned one of three statuses based on its expiration date relative to a configurable expiration threshold.
Current
A credential is considered current when its expiration date is beyond the configured expiration threshold.
- The credential is valid and does not require immediate action
- In tables, the expiration date is displayed with a green tag
- No warnings are shown in the application navigation
- No notifications are sent for this credential
Expiring
A credential is considered expiring when its expiration date falls within the configured expiration threshold.
- The credential is still valid, but requires attention
- In tables, the expiration date is displayed with a yellow tag
- A warning indicator is shown in the navigation menu of the application the credential belongs to
- Accountable users begin receiving periodic notification emails prompting them to take action
Expired
A credential is considered expired once its expiration date is in the past.
- The credential is no longer valid and may cause application outages
- In tables, the expiration date is displayed with a red tag
- The application remains flagged with a warning
- No notifications are sent for this credential
Expiration threshold
The expiration threshold defines how far in advance EasyLife 365 Identity should start treating a credential as expiring.
Administrators can configure this threshold from the admin portal, expressed as a number of days before expiration.
Default thresholds
By default, EasyLife 365 Identity uses different thresholds depending on the credential type:
- Certificates and client secrets: 30 days
- SAML signing certificates: 60 days
These defaults reflect the higher operational risk and replacement complexity typically associated with SAML certificates.
How the threshold is applied
The threshold is evaluated continuously:
- If
expiration date > today + threshold→ Current - If
today ≤ expiration date ≤ today + threshold→ Expiring - If
expiration date < today→ Expired
Any change to the threshold immediately affects the status of all credentials across the tenant.