Why reliability issues are easy to miss
Security problems make headlines; expiring secrets make Slack channels panic at 4 p.m. on a Friday. App registrations, SAML certificates, and custom domains all have expiry dates that Microsoft does not always surface in one place.
Proactive monitoring beats calendar reminders scattered across teams.
App registration secrets and certificates
Every integration — SSO, automation, line-of-business apps — depends on credentials that expire.
- Client secrets expiring within 30, 60, and 90 days
- Certificate-based auth without a documented rotation owner
- Apps with no listed owner in Entra ID
- Secrets shared across environments without separate registrations
Domains and DNS
A lapsed custom domain breaks mail flow, sign-in branding, and federated identity.
- Custom domains approaching registrar renewal
- Missing or incorrect DNS records for M365 verification
- Federation certificates nearing expiry on hybrid setups
- Unused verified domains that should be removed or documented
Mailbox and service limits
Storage and quota issues degrade mail delivery before they trigger obvious alerts.
- Mailboxes above 90% of quota without archiving policy
- Shared mailboxes converted to user mailboxes without license review
- Large inactive mailboxes consuming backup and eDiscovery scope
Building an expiry calendar
Export all app registrations with secret expiry dates, assign owners, and set rotation runbooks. Pair domain renewals with your IT asset register. Review quarterly even if nothing is expiring soon — ownership changes get missed.
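The export-and-bucket step above, sketched in Python as an added example (not code from Tenant Hawk or Microsoft): it sorts credentials into the 30, 60, and 90 day windows from the checklist and flags apps with no owner. It assumes the app registrations were exported as JSON from Microsoft Graph's application list with owners expanded; the sample records, `SAMPLE_NOW`, and the function names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a Microsoft Graph application list with
# owners expanded. Names, key IDs and dates are made up for illustration.
SAMPLE_EXPORT = json.loads("""
{"value": [
 {"displayName": "hr-sso", "owners": [{"userPrincipalName": "alice@example.com"}],
  "passwordCredentials": [{"keyId": "k1", "endDateTime": "2025-01-20T00:00:00Z"}], "keyCredentials": []},
 {"displayName": "build-bot", "owners": [],
  "passwordCredentials": [{"keyId": "k2", "endDateTime": "2025-02-15T08:30:00.1234567Z"}],
  "keyCredentials": [{"keyId": "k3", "endDateTime": "2025-03-25T00:00:00Z"}]},
 {"displayName": "legacy-report", "owners": [{"userPrincipalName": "bob@example.com"}],
  "passwordCredentials": [{"keyId": "k4", "endDateTime": "2024-12-15T00:00:00Z"}], "keyCredentials": []},
 {"displayName": "long-lived", "owners": [{"userPrincipalName": "alice@example.com"}],
  "passwordCredentials": [{"keyId": "k5", "endDateTime": "2026-01-01T00:00:00Z"}], "keyCredentials": []}
]}
""")["value"]
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "today"
WINDOWS = (30, 60, 90)  # day thresholds from the checklist

def parse_graph_time(value):
    # Graph timestamps are UTC; ignore fractional seconds and the trailing "Z".
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def expiry_calendar(apps, now):
    """One row per credential that has expired or expires within 90 days."""
    rows = []
    for app in apps:
        owners = [o.get("userPrincipalName") or o.get("id", "unknown")
                  for o in app.get("owners") or []]
        creds = [("secret", c) for c in app.get("passwordCredentials") or []]
        creds += [("certificate", c) for c in app.get("keyCredentials") or []]
        for kind, cred in creds:
            if not cred.get("endDateTime"):
                continue
            days = (parse_graph_time(cred["endDateTime"]) - now).days
            bucket = "expired" if days < 0 else next(
                (f"within {w} days" for w in WINDOWS if days <= w), None)
            if bucket:  # credentials further out than 90 days are skipped
                rows.append({"app": app["displayName"], "type": kind,
                             "key_id": cred.get("keyId"), "days_left": days,
                             "bucket": bucket, "owners": owners or ["NO OWNER"]})
    return sorted(rows, key=lambda r: r["days_left"])

if __name__ == "__main__":
    for row in expiry_calendar(SAMPLE_EXPORT, SAMPLE_NOW):
        print(row)
```

Rows come back soonest-expiring first, so already-expired credentials and ownerless apps surface at the top of the calendar.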
Tenant Hawk tracks expiring secrets and reliability findings and can alert Pro subscribers when new risks appear.