Key Vault Certificate Auto-Renewal and Deploy
Before a Key Vault certificate expires, the flow requests renewal (reusing the cert policy), imports the new version, deploys it to the bound App Services via ARM, verifies the endpoint, and emails a completion report. Automates the TLS certificate lifecycle end to end.
Provided as-is, without warranty of any kind. Review and test each pattern in a non-production environment before deploying it to live automations. See our Terms.
Overview
This flow automates the TLS certificate lifecycle end to end with Azure Key Vault and Azure Resource Manager. On a daily schedule it reads the monitored certificate from Key Vault, checks whether it is inside the renewal lead window, and - when it is - requests a new certificate version (reusing the existing policy), redeploys it to every bound App Service via ARM, verifies the public endpoint, and emails a completion report.
Why it matters: expired TLS certificates cause outages and browser trust errors. Hands-off renewal and deployment eliminate the manual scramble before expiry.
Ships Off (Stopped). Certificate read and renew go through the Key Vault data-plane REST API via the HTTP connector, because the Azure Key Vault connector exposes no certificate operations. Grant the identity behind those HTTP calls only the certificate get and create permissions on the vault (under Key Vault RBAC, Key Vault Certificates Officer is the narrowest built-in role that includes create) and nothing broader.
Use Case
A platform / IT operations team wants fully automated certificate renewal and deployment for its public services. They configure the certificate name, renewal lead time, and bound App Services once (as env vars) and the flow keeps the certificate current and deployed without intervention.
Flow Architecture
Daily Certificate Expiry Check
Recurrence. Runs daily; swap for an Event Grid Microsoft.KeyVault.CertificateNearExpiry webhook for event-driven renewal.
Initialize Trace & Config
Initialize variable. Mints a correlation id and binds the vault URL, cert name, lead days, API versions, subscription/RG, vault name, bound services, verify endpoint, AAD credentials, and notify email.
Get Current Certificate
HTTP (GET /certificates/{name}). Reads the certificate's expiry (attributes.exp, Unix seconds), thumbprint (x5t, base64url-encoded SHA-1), and policy from the Key Vault data plane.
Check If Renewal Due
Compose + Condition. Converts the exp epoch to ISO-8601 and tests whether it falls within the renewal lead window.
Renew + Reimport (due)
HTTP (POST /certificates/{name}/create, then GET). Requests a new version reusing the existing policy, waits for the asynchronous issuance to complete, and captures the new thumbprint and version. Capture the previous thumbprint before this step if you want the rollback variant described under Customization.
Deploy to Bound Services
Apply to each -> ARM Resources_CreateOrUpdateById. For each bound service, creates/updates a Microsoft.Web/certificates resource that references the renewed version through keyVaultId and keyVaultSecretName, and tallies the deployment. App Service pulls the certificate out of the vault itself, so the Microsoft Azure App Service first-party service principal needs get permission on the vault's secrets and certificates; without it this step fails.
Verify + Report
HTTP GET + Outlook SendEmailV2. Health-checks the endpoint, confirms it serves the new certificate, and emails the completion report (new thumbprint, services updated, verification result). An HTTP 200 alone says nothing about the certificate; the check has to compare the served thumbprint with the renewed version's.
Environment Variables
| Schema name | Type | Default | Description |
|---|---|---|---|
| flowlibs_CertName | String | wildcard-yourcompany | Key Vault certificate to monitor/renew. |
| flowlibs_RenewLeadDays | String | 14 | Renew when within this many days of expiry. |
| flowlibs_VaultApiVersion | String | 7.4 | Key Vault data-plane API version. |
| flowlibs_BoundServices | String | [{"siteName":"app-flowlibs-demo","appServiceCertName":"flowlibs-cert","serverFarm":"plan-flowlibs","location":"eastus"}] | Services bound to the cert; one entry per site. |
| flowlibs_CertArmApiVersion | String | 2022-03-01 | Microsoft.Web/certificates ARM API version. |
| flowlibs_VerifyEndpointUrl | String | https://app-flowlibs-demo.azurewebsites.net | HTTPS endpoint tested after deploy. |
| flowlibs_KeyVaultUrl | String | https://kv-flowlibs-demo.vault.azure.net | Key Vault data-plane base URL. |
| flowlibs_KeyVaultName | String | kv-flowlibs-demo | Vault resource name (used to build keyVaultId). |
| flowlibs_GraphTenantId | String | <your-tenant-id> | Entra ID (AAD) tenant used to obtain the OAuth token for the vault HTTP calls. |
Connectors & Connections
| Connector | API name | Actions used |
|---|---|---|
| Azure Resource Manager | shared_arm | Resources_CreateOrUpdateById |
| Office 365 Outlook | shared_office365 | SendEmailV2 |
| HTTP | shared_http | GET/POST /certificates (Key Vault data plane) |
Note — All connections are referenced as solution connection references; the flow is portable between environments as long as a connection is mapped at import time.
Customization Guide
Almost every realistic variant of this flow can be implemented by changing environment variable values. A few cases require small edits inside the flow definition — those are called out explicitly below.
- Event-driven: replace the Recurrence with an Event Grid webhook on Microsoft.KeyVault.CertificateNearExpiry for real-time renewal.
- Multi-SAN: add one flowlibs_BoundServices entry per hostname/site; the loop handles many services.
- Staging slot: bind to a staging slot, then swap after the endpoint verification succeeds.
- Rollback: wrap deploy + verify in a Scope and, on failure, re-bind the previous thumbprint captured before renewal.
- App Gateway / Front Door: change the deploy resource type to Microsoft.Network/applicationGateways or Front Door custom-domain TLS.
Key Expressions
The flow is intentionally light on Power Fx / WDL gymnastics; the heaviest expressions are the epoch-to-ISO-8601 conversion and the renewal-due test. They are listed below in the order they appear in the flow.
EXPR.01 Cert expiry datetime: converts the exp epoch to ISO-8601.
EXPR.02 Renewal due test: true when inside the renewal lead window.
EXPR.03 Short resource id: the Microsoft.Web/certificates resource id for the deploy.
EXPR.04 Vault data-plane URI: cert read/renew endpoint.