How to Connect-AzureAD with Service Principal or Manager ID to query App Reg certificates status?

SenhorDolas 1,326 Reputation points
2023-09-01T15:24:07.28+00:00

Hi Everyone,

I need to report on the expiration state of the App Reg Certificates and Secrets.

I found this great script that lists them all fine - however I need to Connect-AzureAD with my creds.

Connect-AzureAD

$LimitExpirationDays = 31 #secret expiration date filter

#Retrieving the list of secrets that expires in the above days
$SecretsToExpire = Get-AzureADApplication -All:$true | ForEach-Object {
    $app = $_
    @(
        Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
    ) | Where-Object {
        $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)
    } | ForEach-Object {
        # CustomKeyIdentifier is a byte array: for secrets it usually holds the UTF-8 description,
        # for certificates it holds the thumbprint bytes, which will not decode as readable UTF-8
        $id = "Not set"
        if($_.CustomKeyIdentifier) {
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
        }
        [PSCustomObject] @{
            App = $app.DisplayName
            ObjectID = $app.ObjectId
            AppId = $app.AppId
            Type = $_.GetType().name
            KeyIdentifier = $id
            EndDate = $_.EndDate
        }
    }
}
 
#Gridview list
$SecretsToExpire | Out-GridView

#Printing the list of secrets that are near to expire
if($SecretsToExpire.Count -EQ 0) {
    Write-Output "No secrets found that will expire in this range"
}
else {
    Write-Output "Secrets that will expire in this range:"
    Write-Output $SecretsToExpire.Count
    Write-Output $SecretsToExpire
}

There must be a way to automate the script using a Managed Identity or SPO, I just can't find a way to create and assign the proper permissions....

Any help please

Thanks, M


2 answers

  1. Thomas Meads 1,586 Reputation points
    2023-09-01T17:40:36.9+00:00

    Using an Azure automation account you can use a Managed Identity to run your PowerShell scripts. More details here https://learn.microsoft.com/en-us/azure/automation/automation-security-overview#managed-identities.

    As for the permissions you need: it would be possible to create a role that only has access to this exact data, however the simple solution would be to assign the Managed Identity the directory reader role, which should give it access to this data.

    I don't believe that directory roles can be given to managed identities directly so you'll need to follow this guide which is for SQL managed instances to assign the role: https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role-tutorial?view=azuresql#directory-readers-role-assignment-using-the-azure-portal
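As an added example (not the poster's script and not code from either answer), here is the same expiry check rewritten as an Azure Automation runbook that signs in as the account's system-assigned managed identity through Microsoft Graph PowerShell, in place of Connect-AzureAD with a user login. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules are imported into the Automation account, and that the managed identity has been granted the Application.Read.All application permission on Microsoft Graph (the one-time grant is shown as comments; the automation account name is a placeholder).

```powershell
param(
    [int]$LimitExpirationDays = 31   # report credentials ending within this many days
)

# --- One-time setup, run once by an administrator outside the runbook ---
# Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All'
# $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
# $miSp    = Get-MgServicePrincipal -Filter "displayName eq '<automation-account-name>'"  # placeholder
# $role    = $graphSp.AppRoles | Where-Object { $_.Value -eq 'Application.Read.All' }
# New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $miSp.Id -PrincipalId $miSp.Id `
#     -ResourceId $graphSp.Id -AppRoleId $role.Id

# Sign in as the managed identity: no secret or certificate is stored in the runbook.
Connect-MgGraph -Identity -NoWelcome

$now    = Get-Date
$cutoff = $now.AddDays($LimitExpirationDays)

$SecretsToExpire = Get-MgApplication -All -Property 'id,appId,displayName,passwordCredentials,keyCredentials' |
    ForEach-Object {
        $app = $_
        # Tag each credential with its kind before merging secrets and certificates.
        $creds = @()
        $creds += $app.PasswordCredentials | ForEach-Object { [PSCustomObject]@{ Cred = $_; Type = 'Secret' } }
        $creds += $app.KeyCredentials     | ForEach-Object { [PSCustomObject]@{ Cred = $_; Type = 'Certificate' } }
        $creds | Where-Object { $_.Cred.EndDateTime -and $_.Cred.EndDateTime -lt $cutoff } | ForEach-Object {
            [PSCustomObject]@{
                App         = $app.DisplayName
                ObjectId    = $app.Id
                AppId       = $app.AppId
                Type        = $_.Type
                KeyId       = $_.Cred.KeyId
                Description = $_.Cred.DisplayName   # Graph exposes the description directly
                EndDate     = $_.Cred.EndDateTime
                Expired     = $_.Cred.EndDateTime -lt $now
            }
        }
    }

# Out-GridView has no UI in a runbook, so write plain output instead.
if (-not $SecretsToExpire) {
    Write-Output "No secrets or certificates expire within $LimitExpirationDays days"
} else {
    Write-Output "Credentials expiring within $LimitExpirationDays days: $(@($SecretsToExpire).Count)"
    $SecretsToExpire | Sort-Object EndDate | Format-Table -AutoSize | Out-String | Write-Output
}
```

Granting only Application.Read.All to the managed identity keeps the runbook read-only on app registrations, which is narrower than the Directory Readers role mentioned above.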


  2. SenhorDolas 1,326 Reputation points
    2023-09-04T16:52:11.2533333+00:00

    Hi

    Finally I was able to authenticate using:

    Connect-AzureAD -CertificateThumbprint $thumbprint -ApplicationId $applicationId  -TenantId $tenantId -Confirm
    

    However when running a Get-AzureADApplication I get:

    Get-AzureADApplication
    Get-AzureADApplication : Error occurred while executing GetApplications 
    Code: Authorization_RequestDenied
    Message: Insufficient privileges to complete the operation.
    RequestId:
    DateTimeStamp: xxxxxxxxxxxxx
    HttpStatusCode: Forbidden
    HttpStatusDescription: Forbidden
    HttpResponseStatus: Completed
    At line:1 char:1
    + Get-AzureADApplication
    + ~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-AzureADApplication], ApiException
        + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetApplication
    

    On the App Reg I granted API Permissions as:

    [screenshot: API permissions granted on the App Registration]

    That should suffice, no?

    Thanks, M

