-
-
Save svarukala/64ade1ca6f73a9d18236582e8770d1d4 to your computer and use it in GitHub Desktop.
| # Requires Azure AD PowerShell Module | |
| #Prompts user to login using Azure Credentials | |
| Connect-AzureAD | |
| $results = @() | |
| Get-AzureADApplication -All $true | %{ | |
| $app = $_ | |
| $owner = Get-AzureADApplicationOwner -ObjectId $_.ObjectID -Top 1 | |
| $app.PasswordCredentials | | |
| %{ | |
| $results += [PSCustomObject] @{ | |
| CredentialType = "PasswordCredentials" | |
| DisplayName = $app.DisplayName; | |
| ExpiryDate = $_.EndDate; | |
| StartDate = $_.StartDate; | |
| KeyID = $_.KeyId; | |
| Type = 'NA'; | |
| Usage = 'NA'; | |
| Owners = $owner.UserPrincipalName; | |
| } | |
| } | |
| $app.KeyCredentials | | |
| %{ | |
| $results += [PSCustomObject] @{ | |
| CredentialType = "KeyCredentials" | |
| DisplayName = $app.DisplayName; | |
| ExpiryDate = $_.EndDate; | |
| StartDate = $_.StartDate; | |
| KeyID = $_.KeyId; | |
| Type = $_.Type; | |
| Usage = $_.Usage; | |
| Owners = $owner.UserPrincipalName; | |
| } | |
| } | |
| } | |
| $results | FT -AutoSize | |
| # Optionally export to a CSV file | |
| #$results | Export-Csv -Path "AppsInventory.csv" -NoTypeInformation |
Thank you @Raka74
I have tried using the same script as above with some modifications to get expired app's
%{
$results += [PSCustomObject] @{
CredentialType = "PasswordCredentials"
DisplayName = $app.DisplayName;
EndDate = $_.enddate;
Try this cmdlet in shell. This gets expired ones and also those that will expire in 60days. You can change that number.
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table
@svarukala
I get the below error when i run the query you had mentioned
//az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table
az ad sp list: error: argument --query: invalid jmespath_type value: "[?passwordCredentials[0].endDate<='2020-10-20'||keyCredentials[0].endDate<='2020-10-20'].{"
usage: az ad sp list [-h] [--verbose] [--debug] [--only-show-errors]
[--output {json,jsonc,yaml,yamlc,table,tsv,none}]
[--query JMESPATH] [--spn SPN]
[--display-name DISPLAY_NAME] [--filter QUERY_FILTER]
[--show-mine] [--all]
To learn more about [--query JMESPATH] usage in AzureCLI, visit https://aka.ms/CLIQuery//
Try this cmdlet in shell. This gets expired ones and also those that will expire in 60days. You can change that number.
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table@svarukala
I get the below error when i run the query you had mentioned
//az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table
az ad sp list: error: argument --query: invalid jmespath_type value: "[?passwordCredentials[0].endDate<='2020-10-20'||keyCredentials[0].endDate<='2020-10-20'].{"
usage: az ad sp list [-h] [--verbose] [--debug] [--only-show-errors]
[--output {json,jsonc,yaml,yamlc,table,tsv,none}]
[--query JMESPATH] [--spn SPN]
[--display-name DISPLAY_NAME] [--filter QUERY_FILTER]
[--show-mine] [--all]
To learn more about [--query JMESPATH] usage in AzureCLI, visit https://aka.ms/CLIQuery//
This works in unix shell. Not in PS. To make it work in PS, change the way the dates are created using $(Get-Date).
@svarukala Is there any method to get the provisioning details via powershell for an application.
Example:
1.When is the last provisioning cycle happened?
2.steady state achieved or not.
3.No.of.errors ocuured during auto provisioning.
@svarukala Is there any method to get the provisioning details via powershell for an application.
Example:
1.When is the last provisioning cycle happened?
2.steady state achieved or not.
3.No.of.errors ocuured during auto provisioning.
Can you elaborate what do you mean by last provisioning cycle? Is it the app creation date that you are talking abt?
I am not aware of a 'steady state' property associated with an AAD app.
@svarukala Is it possible to also list the Apps that do not have Key/PasswordCredentials? Thanks
Hi @svarukala i was trying to run this script( only part of the code) and it seems the keycredentials are not getting any value
`# Check service principal expiry dates.
Get-AzureADApplication -All $:true | ForEach-Object {
$BodyTemplate = @"
{
"channel": "$CHANNELNAME",
"username": "SPN is expired",
"text": "$name is Expired $PassCredExpiry.",
"icon_emoji":":crossed_flags:"
}
"@
$BodyTemplate2 = @"
{
"channel": "$CHANNELNAME",
"username": "SPN is Almost expired",
"text": "$name Almost Expired $PassCredExpiry.",
"icon_emoji":":crossed_flags:"
}
"@
$AppID = $.AppId
$PassCredExpiry = ($).passwordcredentials.enddate
write-output "Today Date $todaysdate"
write-output "Future Date $futureCHeck"
write-output "Checkign KeyCredExpiry date $KeyCredExpiry and PassCredExpiry $PassCredExpiry"
If($KeyCredExpiry -ne $null)
{
write-output "checking $name"
If ($todaysdate -gt $KeyCredExpiry )
{
write-output "$name has expired at $KeyCredExpiry"
Invoke-RestMethod -uri $SlackChannelUri -Method Post -body $BodyTemplate -ContentType 'application/json'
$json3+= @([PSCustomObject]@{
AppDisplayName = $name;
AppID = $AppID;
CertificateExpireyDate = $KeyCredExpiry;
PasswordExpireyDate = $PassCredExpiry;
Reason = "Expired"
})
} `
when i run this piece i print the values as well with write-output, as you can see but it seems i am not getting any value for this " $KeyCredExpiry = ($_).keycredentials.enddate" any idea why?
In your script I am seeing ($).keycredentials.enddate instead of $_.keycredentials.enddate. The underscore is missing. Could that be the issue?
@Divyesh85. How abt using the script I provided above as is? Is it working in that case?
Since Azure AD PowerShell is being deprecated in favor of Microsoft Graph PowerShell SDK, I created a new MS Graph script that is equivalent to this script. You can find it here:
https://pnp.github.io/script-samples/aad-apps-expired-keys/README.html?tabs=graphps
//az ad sp list --all
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+300 days" +%Y-%m-%d)'].{SP_AppId:appId,PwdExpiryDate:passwordCredentials[0].endDate, Key_Expiry_Date:keyCredentials[0].endDate,Display_Name:displayName,Account_Type: objectType}" -o table
Another option that leverages the newer Az.Resources module is available here:
https://gist.github.com/GuyPaddock/c3e0fbb1e3724822c77e35a83160af52
Great! that helps - thank you!