Expiry monitoring · Free
The app secret expires Friday. Nobody knows.
Entra ID won't email you before an app registration secret or SSO certificate expires - you find out when sign-ins break. Tenant Hawk watches every secret, certificate, and domain in your tenant and warns you first. Free, forever, on one tenant.
Free tier · read-only Graph access · no card required · 2-minute setup
How this outage usually happens
Every M365 shop has lived some version of this.
A secret is created and forgotten
An integration gets a client secret with a 12-month lifetime. The admin who made it changes roles. The clock keeps ticking.
The tracking spreadsheet goes stale
Expiry dates live in a spreadsheet, a wiki page, or one person's calendar reminders. None of them get updated after quarter two.
It expires on a weekend
Backups silently stop, SSO fails Monday morning, and the fix takes an hour - after four hours of figuring out what broke.
What Tenant Hawk watches
App registration secrets & certificates
Every client secret and certificate across your app registrations, with days-to-expiry and the apps that depend on them.
SSO signing certificates
SAML signing certificates on enterprise applications - the ones that take down single sign-on for a whole SaaS app when they lapse.
Domains, DNS & mailbox limits
Expiring custom domains, DNS misconfigurations, and mailboxes approaching storage caps - the quiet reliability issues that become loud.
Frequently asked questions
Doesn't Microsoft notify me before an app secret expires?
No. Entra ID has no built-in notification for expiring app registration secrets or certificates. The usual workarounds are a PowerShell script on a scheduled task, a Logic App, or a spreadsheet someone forgets to check. Tenant Hawk replaces all three with a read-only scan and an email before anything expires.
What does the free tier monitor?
App registration client secrets and certificates, SAML/SSO signing certificates on enterprise applications, custom domain and DNS issues, and mailboxes approaching storage limits - on one tenant, with a weekly health score and email alerts. Free forever, no card required.
How much warning do I get?
Findings appear as soon as a credential enters the expiry window, ranked by urgency - so a secret expiring in 14 days shows as high severity while one expiring in 60 days is tracked but calmer. Alert emails go out as findings appear or change.
Does this need write access or an agent?
No agents, no write access. Tenant Hawk uses app-only, read-only Microsoft Graph permissions granted through standard admin consent, and never stores your credentials.
What happens when a secret I use actually expires?
Whatever depends on it breaks - backup jobs stop, SSO sign-ins fail, integrations 401. That's why this is the one category we monitor for free: it's the cheapest outage you'll ever prevent.
Two minutes of setup. Zero surprise expiries.
Connect read-only, see every expiring credential in your tenant, and get emailed before the next one lapses. Free on one tenant, forever.
Start monitoring free