
Monitor Microsoft Entra SAML Certificate Expiration in Datadog

Overview

This is an unofficial Datadog Agent custom check for monitoring Microsoft Entra SAML signing certificate expiration.

The check reads SAML Enterprise App certificate metadata from Microsoft Graph and reports the number of days until expiration as a Datadog custom metric.

Metric:

entra.saml_certificate.days_until_expiration

The check runs from one Datadog Agent host. The Agent handles metric submission, so the check does not need its own Datadog API key.
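
The calculation described above, as an added Python example (it is not the code shipped with this check): it turns a Graph-shaped service principal listing into one gauge value per SAML signing certificate. The sample data is constructed; the app and active tag names, and matching customKeyIdentifier against preferredTokenSigningKeyThumbprint to mark the active certificate, are assumptions.

```python
from datetime import datetime, timezone

METRIC = "entra.saml_certificate.days_until_expiration"  # metric name from this page

# Constructed sample shaped like a Graph servicePrincipals listing (not real tenant data).
SAMPLE = {"value": [
    {"displayName": "example-hr-app", "preferredSingleSignOnMode": "saml",
     "preferredTokenSigningKeyThumbprint": "AAAA",
     "keyCredentials": [
         {"customKeyIdentifier": "AAAA", "usage": "Verify", "endDateTime": "2025-03-01T00:00:00Z"},
         {"customKeyIdentifier": "AAAA", "usage": "Sign", "endDateTime": "2025-03-01T00:00:00Z"},
         {"customKeyIdentifier": "BBBB", "usage": "Verify", "endDateTime": "2027-03-01T00:00:00Z"}]},
    {"displayName": "example-wiki", "preferredSingleSignOnMode": "saml",
     "keyCredentials": [
         {"customKeyIdentifier": "CCCC", "usage": "Verify", "endDateTime": "2024-12-25T12:30:00.1234567Z"}]},
    {"displayName": "example-oidc-app", "preferredSingleSignOnMode": None, "keyCredentials": []},
]}


def parse_graph_time(value):
    """Parse a Graph UTC timestamp, tolerating 'Z' and 7-digit fractional seconds."""
    base, _, frac = value.rstrip("Z").partition(".")
    micro = int(frac[:6].ljust(6, "0")) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro, tzinfo=timezone.utc)


def saml_cert_points(graph_page, now):
    """Return (value, tags) gauge points, one per SAML signing certificate."""
    points = []
    for sp in graph_page.get("value", []):
        if (sp.get("preferredSingleSignOnMode") or "").lower() != "saml":
            continue  # only SAML Enterprise Apps are in scope
        preferred = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
        for cred in sp.get("keyCredentials", []):
            # Each certificate is listed as a Sign/Verify pair; count it once.
            if cred.get("usage") != "Verify" or not cred.get("endDateTime"):
                continue
            thumb = (cred.get("customKeyIdentifier") or "").upper()
            # Assumption: customKeyIdentifier holds the preferred-key thumbprint string.
            active = bool(preferred) and thumb == preferred
            days = (parse_graph_time(cred["endDateTime"]) - now).days  # floors; negative once expired
            tags = ["app:" + sp.get("displayName", "unknown"), "active:" + str(active).lower()]
            points.append((days, tags))
    return points


if __name__ == "__main__":
    for value, tags in saml_cert_points(SAMPLE, datetime.now(timezone.utc)):
        print(METRIC, value, tags)  # in an AgentCheck: self.gauge(METRIC, value, tags=tags)
```

Tagging the active certificate lets a monitor ignore an old certificate that is still listed after a rollover, while expired certificates report negative values.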

Basic Setup

At a high level:

  1. Create a Microsoft Entra app registration.
  2. Grant Microsoft Graph application permission: Application.Read.All.
  3. Grant admin consent.
  4. Create a client secret.
  5. Install the custom check on one Datadog Agent host.
  6. Configure the check with the tenant ID, client ID, and client secret.
  7. Test the check with datadog-agent check entra_saml_cert_expiration.
  8. Restart the Datadog Agent.

The included README has the full installation steps.

Datadog Monitor

Search for this metric in Datadog:

entra.saml_certificate.days_until_expiration

Suggested alerting:

New custom metrics can take a few minutes to appear in Datadog after the Agent submits them.

Download

Download the check files

Notes

Run the check from one Datadog Agent host only. Running it from multiple hosts can duplicate metric series.

Store the Azure client secret securely and rotate it if it is ever shared accidentally.

This is an unofficial community check and is not affiliated with Microsoft or Datadog.