Share via

Effect of MC792991 Disablement of Symmetric keys for Microsoft Entra first-party applications Service Principals

yulei0917 50 Reputation points
2024-05-20T14:08:33.86+00:00

Hello Team,

Greetings! This is Joni.

 

Due to the Microsoft post as follows, 

a partner need to address how this affects to end users' resources and workloads. 

Disablement of Symmetric keys for Microsoft Entra first-party applications Service Principals - M365 Admin (handsontek.net)

 

I used the "AZ AD SP List" to find the service principals, but the amount of the output is too large.

IMHO the affected apps would only be 3rd party apps and user's own apps which need to access the 1st party apps(which could be addressed by "AZ AD APP List"), 

but not 1st party apps as their credentials should be managed by Microsoft.

Is my understanding right?

 

If so, how can I check the key types of the target service principals as when I use 

"AZ AD APP List" and  "AZ AD SP Credential List --id", no key types of it showed.

image1

Could my understanding have been wrong from the beginning, 

how can I address the Apps which used the symmetric keys to access 1st party apps?

As the following doc showed that when adding a certificate to an app, the key type is required, 

but after the adding of it, how do I check it again?

image2

Ref:Add a certificate to an app or service principal using Microsoft Graph - Microsoft Graph | Microsoft Learn

 

Any advices or will be highly appreciated.

Thanks and best regards!

Joni

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,151 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,920 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,188 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,955 questions
Accepted answer
  1. Ben Cooper 90 Reputation points
    2024-05-22T01:51:38.82+00:00

    The KeyCredentials attribute should be listed when you run Get-MgServicePrincipal.

    Here is what I used to get the keys:

    Connect-MgGraph

$servicePrincipals = Get-MgServicePrincipal -All
$Result = @()

foreach ($sp in $servicePrincipals) {
    if ($sp.KeyCredentials) {
        foreach ($key in $sp.KeyCredentials) {
            $Result += New-Object PSObject -Property @{
                SPId = $sp.Id
                SPName = $sp.DisplayName
                SPAppId = $sp.AppId
                KeyName = $key.DisplayName
                KeyType = $key.Type
                Key = $key.Key
            }
        }
    }
}

Disconnect-MgGraph

$Result | Where-Object {$_.KeyType -eq "Symmetric"} | Export-CSV SymmetricKeys.csv -NoTypeInformation
    3 people found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. David Trevor 291 Reputation points
    2024-05-21T06:55:37.4766667+00:00

    From my understanding this does not affect the client secrets defined in the App Registration.

    Rather only keys added explicitly to the Service Principal, i.e. via Add-MgServicePrincipalKey or REST call. As described here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgserviceprincipalkey?view=graph-powershell-1.0

    0 comments