Azure Graph Query for Expiring certificates or secrets in App Registration

Question

Hi Team,

Is there a way to use Resource Graph Explorer to query Azure App Registration in order to find expired certificates or secrets.

I am sure that this can be done using APIs, I'd want to know if this can be done using Graph Query?

Answer 1

Sure, as long as you have granted it the necessary permissions (Application.Read.All). I.e. you can paste this query in the Graph explorer tool:

GET https://graph.microsoft.com/v1.0/applications?$select=id,keyCredentials,passwordCredentials

Unfortunately, you cannot filter against the corresponding keyCredentials/passwordCredentials properties, so you will not be able to get just the ones that are expired without using another tool.

Answer 2

Hello @H M, Abhilash , querying Azure AD resources such as app registrations or their certificates is not possible from Resource Graph Explorer. As stated by Vasil Michev, you will have to use Microsoft Graph for that. Follows a sample PowerShell script to list expired certs:

Connect-MgGraph -Scopes "Application.Read.All"
Get-MgApplication -All -PageSize 999 |
Select-Object  -Property @{Label = "Application Object Id"; Expression = { $_.Id } }, `
@{Label = "Application App Id"; Expression = { $_.AppId } }  -ExpandProperty keyCredentials |
Where-Object -Property Count -LT 0 |
Where-Object -Property EndDateTime -lt (Get-Date) |
Select-Object -Property KeyId, EndDateTime, "Application Object Id", "Application App Id"

For more information about resources supported by Resource Graph Explorer take a look to Azure Resource Graph table and resource type reference.

Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.