P2P Server application in Azure AD and non-deletion of expired secrets

spm 20 Reputation points

We have a service that scans for registered Applications in AD whose secrets/certs are about to expire. In one such notification there was a listing of P2P Server; this service seems to be automatically created when devices are joined to AD. Further, it appears that its secrets/certs are automatically renewed. However, the old expired secrets/certs are never deleted. This raises a false flag in the service that we have deleted; there is no way to ignore such apps, as there are no distinct markers to identify such Microsoft-managed apps. There are two issues here:

  • In auto-renewed apps the expired secrets are not cleaned up.
  • (Feature) There should be clear markers for such auto-created/managed apps.

1 answer

  1. VasimTamboli 4,775 Reputation points

    Let's address each issue separately:

    1. Expired secrets/certs not cleaned up: By default, Azure AD does not automatically delete expired secrets or certificates associated with applications. It is the responsibility of the application owner or administrator to manage and clean up the expired credentials. You can programmatically retrieve the list of secrets/certs for an application using the Azure AD Graph API or Microsoft Graph API and then delete the expired ones.

    Here's an example PowerShell script that demonstrates how to retrieve and delete the expired secrets of an application using the Microsoft Graph API:

    # Install the Microsoft Graph PowerShell SDK if not already installed
    Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser
    # Connect to Microsoft Graph; Application.ReadWrite.All is needed to remove credentials
    # (the AzureAD module has no cmdlet that returns a Graph token, so the Graph SDK is used instead)
    Connect-MgGraph -Scopes "Application.ReadWrite.All"
    # Define the Application object ID (the directory object ID, not the application/client ID)
    $appObjectId = "YOUR_APPLICATION_OBJECT_ID"
    # Get the application's secrets (passwordCredentials is a property of the application object)
    $app = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/applications/${appObjectId}?`$select=passwordCredentials"
    # Get the current date and time in UTC, matching Graph's endDateTime values
    $currentDateTime = (Get-Date).ToUniversalTime()
    # Iterate through each secret
    foreach ($secret in $app.passwordCredentials) {
        $expiryDate = ([datetime]$secret.endDateTime).ToUniversalTime()
        # Check if the secret has expired
        if ($expiryDate -lt $currentDateTime) {
            # Delete the expired secret; Graph removes a password through the removePassword action, keyed by keyId
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/removePassword" -Body @{ keyId = $secret.keyId }
            Write-Host "Expired secret $($secret.displayName) ($($secret.keyId)) deleted."
        }
    }

    Replace "YOUR_APPLICATION_OBJECT_ID" with the object ID of the P2P Server application. This script retrieves the secrets of the application and checks if any of them have expired. If an expired secret is found, it is deleted using the Microsoft Graph API.

    2. Clear markers for auto-created/managed apps: Currently, Azure AD does not provide clear markers or attributes to distinguish auto-created/managed apps like the P2P Server application from user-created applications. One possible approach is to maintain a whitelist of known auto-created/managed app names and exclude them from your scanning/notification process. However, this approach requires manual maintenance of the whitelist.

    You could also consider providing feedback or feature requests to the Azure AD product team through the Azure feedback portal (https://feedback.azure.com/forums/169401-azure-active-directory).

    I hope this helps! Let me know if you have further questions.
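An added example, not part of the answer above or of any Microsoft tooling, that combines both points: a read-only scan over all applications that skips an allow-list of known auto-managed apps and only alerts when an app has no valid credential outliving the warning window, so expired leftovers on an already-renewed app (the P2P Server case) do not raise a false flag. It assumes the Microsoft.Graph.Authentication module and the Application.Read.All scope; the allow-list entries and the 30-day window are constructed values.

```powershell
# Added example: credential-expiry scan that tolerates auto-renewed apps.
# Assumes Microsoft.Graph.Authentication (Connect-MgGraph, Invoke-MgGraphRequest).
Connect-MgGraph -Scopes "Application.Read.All"

$WarnWithinDays = 30                       # constructed warning window
$ManagedAppAllowList = @("P2P Server")     # constructed allow-list; maintain from your own tenant
$now = (Get-Date).ToUniversalTime()

function Get-CredentialState {
    # Summarise one app's secrets and certificates: Surviving counts credentials that
    # remain valid beyond the warning window, i.e. whether the app is really at risk.
    param([object[]]$Creds)
    $ends     = @($Creds | ForEach-Object { ([datetime]$_.endDateTime).ToUniversalTime() })
    $valid    = @($ends | Where-Object { $_ -gt $now })
    $expiring = @($valid | Where-Object { $_ -le $now.AddDays($WarnWithinDays) })
    $expired  = @($ends | Where-Object { $_ -le $now })
    [pscustomobject]@{
        Valid = $valid.Count; Expiring = $expiring.Count; Expired = $expired.Count
        Surviving = $valid.Count - $expiring.Count
    }
}

# Page through every application, selecting only the fields the scan needs.
$uri = "https://graph.microsoft.com/v1.0/applications?`$select=id,displayName,passwordCredentials,keyCredentials&`$top=999"
$findings = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($app in $page.value) {
        if ($ManagedAppAllowList -contains $app.displayName) { continue }
        $creds = @(@($app.passwordCredentials) + @($app.keyCredentials) | Where-Object { $null -ne $_ })
        if ($creds.Count -eq 0) { continue }
        $state = Get-CredentialState -Creds $creds
        if ($state.Surviving -eq 0) {
            # Nothing valid will outlast the window: this is a genuine expiry risk.
            $findings += [pscustomobject]@{
                DisplayName = $app.displayName; ObjectId = $app.id
                Valid = $state.Valid; Expiring = $state.Expiring; Expired = $state.Expired
            }
        } elseif ($state.Expired -gt 0) {
            # Renewed already; the expired entries are clutter, not an outage risk.
            Write-Verbose "$($app.displayName): $($state.Expired) expired credential(s) left after renewal; no alert."
        }
    }
    $uri = $page.'@odata.nextLink'
}
$findings | Format-Table -AutoSize
```

Run with -Verbose to also list the renewed apps whose stale credentials could be cleaned up with the deletion script above.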
