How to audit expiring soon Azure AD application credentials (keys/passwords/certificates)

How bad the feeling is when someone comes rush onto your desk because something in production stopped working overnight. This can happen if you don't take seriously the rollover of credentials for your Azure AD application. Be the hero here, be proactive instead of reactive!

Context

There is 2 types of credentials that can be used for an Azure AD application: passwords (keys) and certificates. Both could (and should) have a realistic end date, and for the sake of good practices, they should not be configured to never end.

Update: 2021-02-06 - Script reference to GitHub instead of ScriptCenter

Setup information

You'll need Azure Az PowerShell in order to use the script of this article.

  • Azure PowerShell module (Az) v1.x
  • Audit expiring soon Azure AD application credentials (keys/certificates) script from ScriptCenter

Prepare for the audit

Open a PowerShell shell, log into Azure and position yourself on the desired subscription, here is an example on how to do so:

Connect-AzAccount

Perform a 120 days audit

$audit = .\Get-AzADAppExpiringCredentials.ps1 -ExpiresInDays 120 -Verbose

Gathering necessary information... 
VERBOSE: Fetching information for application ADAuditPlus Reporting 
VERBOSE: Fetching information for application app registration 
... 
Validating expiration data... 
Done. 

#output the result as is
$audit

DisplayName   : ADAuditPlus Reporting
ObjectId      :
ApplicationId : 00000000-0000-0000-0000-000000000000
KeyId         : 00000000-0000-0000-0000-000000000000
Type          : Password
StartDate     : 4/9/2018 6:34:52 PM
EndDate       : 12/31/2299 5:00:00 AM
Status        : Valid

DisplayName   : ARM Test app
ObjectId      :
ApplicationId : 00000000-0000-0000-0000-000000000000
KeyId         : 00000000-0000-0000-0000-000000000000
Type          : Password
StartDate     : 2/12/2019 8:19:38 PM
EndDate       : 3/12/2019 8:19:38 PM
Status        : ExpiringSoon

[Optional] Perform a grouped audit

$audit | Group-Object -Property Status 

# you'll end up with an output looking like this

Count Name                      Group 
----- ----                      ----- 
   54 Expired                   {@{DisplayName=AutomationAccount_E+6heptOMzz8vX9ooTYFZq8DJYKweTDdIFrQmOo3BXs=; Objec... 
   11 ExpiringSoon              {@{DisplayName=AutomationAccountQwerty_e1yHxjl45+GwXIxG/mwqMnARwn5i6C5zSMAAIxZyzw... 
  173 Valid                     {@{DisplayName=ADAuditPlus Reporting; ObjectId=; ApplicationId=9db46068-49a0-45ae-b2... 
 

[Optional] Output the result as JSON and save it to disk for later use

$audit | ConvertTo-Json -Depth 5 | Out-File .\audit.json

# you'll end up with a JSON file in this format
 
[ 
  { 
    "DisplayName": "AutomationAccountQwerty_e1yHxjl45", 
    "ObjectId": null, 
    "ApplicationId": { 
      "value": "00000000-0000-0000-0000-000000000000", 
      "Guid": "00000000-0000-0000-0000-000000000000" 
    }, 
    "KeyId": "00000000-0000-0000-0000-000000000000", 
    "Type": "Password", 
    "StartDate": { 
      "value": "2016-05-11T14:55:30", 
      "DateTime": "Wednesday, May 11, 2016 2:55:30 PM" 
    }, 
    "EndDate": { 
      "value": "2019-05-11T14:55:30", 
      "DateTime": "Thursday, May 11, 2019 2:55:30 PM" 
    }, 
    "Status": "ExpiringSoon" 
  }, 
    ... 
] 

Conclusion

If you want to be proactive and know in advance what application will have trouble because of expiring credentials, you now have another tool in your tool belt!

You can download the Audit expiring soon Azure AD application credentials (keys/certificates) script (for free) on Github

References