How to Connect-AzureAD with Service Principal or Manager ID to query App Reg certificates status?

Question

HI Everyone,

I need to report on the expiration state of the App Reg Certificates and Secrets.

I found this great script that lists them all fine - however I need to Connect-AzureAD with my creds.

Connect-AzureAD

$LimitExpirationDays = 31 #secret expiration date filter

#Retrieving the list of secrets that expires in the above days
$SecretsToExpire = Get-AzureADApplication -All:$true | ForEach-Object {
    $app = $_
    @(
        Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
    ) | Where-Object {
        $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)
    } | ForEach-Object {
        $id = "Not set"
        if($_.CustomKeyIdentifier) {
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
        }
        [PSCustomObject] @{
            App = $app.DisplayName
            ObjectID = $app.ObjectId
            AppId = $app.AppId
            Type = $_.GetType().name
            KeyIdentifier = $id
            EndDate = $_.EndDate
        }
    }
}
 
#Gridview list
$SecretsToExpire | Out-GridView

#Printing the list of secrets that are near to expire
if($SecretsToExpire.Count -EQ 0) {
    Write-Output "No secrets found that will expire in this range"
}
else {
    Write-Output "Secrets that will expire in this range:"
    Write-Output $SecretsToExpire.Count
    Write-Output $SecretsToExpire
}

There must be a way to automate the script using a Managed Identity or SPO I just can't find a way to create and assign the proper permissions....

Any help please

Thanks, M

Answer 1

Hi

Finally I was able to authenticate using:

Connect-AzureAD -CertificateThumbprint $thumbprint -ApplicationId $applicationId  -TenantId $tenantId -Confirm

However when running a get-AzureADApplication I get:

Get-AzureADApplication
Get-AzureADApplication : Error occurred while executing GetApplications 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
RequestId:
DateTimeStamp: xxxxxxxxxxxxx
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Get-AzureADApplication
+ ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetApplication

On the App Reg I granted API Permissions as:

That should suffice no?

Thanks, M

Answer 2

Using an Azure automation account you can use a Managed Identity to run your PowerShell scripts. More details here https://learn.microsoft.com/en-us/azure/automation/automation-security-overview#managed-identities.

As for the permissions you need. It would be possible to create a role that only has access to this exact data however the simple solution would be to assign the Managed Identity the directory reader role which should give it access to this data.

I don't believe that directory roles can be given to managed identities directly so you'll need to follow this guide which is for SQL managed instances to assign the role: https://learn.microsoft.com/en-us/azure/azure-sql/database/authentication-aad-directory-readers-role-tutorial?view=azuresql#directory-readers-role-assignment-using-the-azure-portal