Let's address each issue separately:
- Expired secrets/certs not cleaned up: By default, Azure AD does not automatically delete expired secrets or certificates associated with applications. It is the responsibility of the application owner or administrator to manage and clean up the expired credentials. You can programmatically retrieve the list of secrets/certs for an application using the Azure AD Graph API or Microsoft Graph API and then delete the expired ones.
Here's an example PowerShell script that demonstrates how to retrieve and delete the expired secrets of an application using the Microsoft Graph API:
# Install the required module if not already installed
Install-Module -Name AzureAD
# Connect to Azure AD
Connect-AzureAD
# Define the Application (Service Principal) object ID
$appObjectId = "YOUR_APPLICATION_OBJECT_ID"
# Get the application secrets using Microsoft Graph API
$appSecrets = Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/passwordCredentials" -Headers @{
Authorization = "Bearer $((Get-AzureADAccessToken -ResourceId 'https://graph.microsoft.com').AccessToken)"
}
# Get the current date and time
$currentDateTime = Get-Date
# Iterate through each secret
foreach ($secret in $appSecrets.value) {
$expiryDate = $secret.endDateTime
# Check if the secret has expired
if ($expiryDate -lt $currentDateTime) {
# Delete the expired secret using Microsoft Graph API
Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/passwordCredentials/$($secret.id)" -Method DELETE -Headers @{
Authorization = "Bearer $((Get-AzureADAccessToken -ResourceId 'https://graph.microsoft.com').AccessToken)"
}
Write-Host "Expired secret $($secret.displayName) deleted."
}
}
Replace "YOUR_APPLICATION_OBJECT_ID" with the object ID of the P2P Server application. This script retrieves the secrets of the application and checks if any of them have expired. If an expired secret is found, it is deleted using the Microsoft Graph API.
- Clear markers for auto-created/managed apps: Currently, Azure AD does not provide clear markers or attributes to distinguish auto-created/managed apps like the P2P Server application from user-created applications. One possible approach is to maintain a whitelist of known auto-created/managed app names and exclude them from your scanning/notification process. However, this approach requires manual maintenance of the whitelist.
You could also consider providing feedback or feature requests to the Azure AD product team through the Azure feedback portal (https://feedback.azure.com/forums/169401-azure-active-directory).
I hope this helps! Let me know if you have further questions.