Expiry monitoring · Free

The app secret expires Friday. Nobody knows.

Entra ID won't email you before an app registration secret or SSO certificate expires - you find out when sign-ins break. Tenant Hawk watches every secret, certificate, and domain in your tenant and warns you first. Free, forever, on one tenant.

Free tier · read-only Graph access · no card required · 2-minute setup

How this outage usually happens

Every M365 shop has lived some version of this.

A secret is created and forgotten

An integration gets a client secret with a 12-month lifetime. The admin who made it changes roles. The clock keeps ticking.

The tracking spreadsheet goes stale

Expiry dates live in a spreadsheet, a wiki page, or one person's calendar reminders. None of them get updated after quarter two.

It expires on a weekend

Backups silently stop, SSO fails Monday morning, and the fix takes an hour - after four hours of figuring out what broke.

What Tenant Hawk watches

App registration secrets & certificates

Every client secret and certificate across your app registrations, with days-to-expiry and the apps that depend on them.

SSO signing certificates

SAML signing certificates on enterprise applications - the ones that take down single sign-on for a whole SaaS app when they lapse.

Domains, DNS & mailbox limits

Expiring custom domains, DNS misconfigurations, and mailboxes approaching storage caps - the quiet reliability issues that become loud.

Frequently asked questions

Doesn't Microsoft notify me before an app secret expires?

No. Entra ID has no built-in notification for expiring app registration secrets or certificates. The usual workarounds are a PowerShell script on a scheduled task, a Logic App, or a spreadsheet someone forgets to check. Tenant Hawk replaces all three with a read-only scan and an email before anything expires.

What does the free tier monitor?

App registration client secrets and certificates, SAML/SSO signing certificates on enterprise applications, custom domain and DNS issues, and mailboxes approaching storage limits - on one tenant, with a weekly health score and email alerts. Free forever, no card required.

How much warning do I get?

Findings appear as soon as a credential enters the expiry window, ranked by urgency - so a secret expiring in 14 days shows as high severity while one expiring in 60 days is tracked but calmer. Alert emails go out as findings appear or change.

Does this need write access or an agent?

No agents, no write access. Tenant Hawk uses app-only, read-only Microsoft Graph permissions granted through standard admin consent, and never stores your credentials.

What happens when a secret I use actually expires?

Whatever depends on it breaks - backup jobs stop, SSO sign-ins fail, integrations 401. That's why this is the one category we monitor for free: it's the cheapest outage you'll ever prevent.

Two minutes of setup. Zero surprise expiries.

Connect read-only, see every expiring credential in your tenant, and get emailed before the next one lapses. Free on one tenant, forever.

Start monitoring free