Effect of MC792991 Disablement of Symmetric keys for Microsoft Entra first-party applications Service Principals

yulei0917 50 Reputation points

Hello Team,

Greetings! This is Joni.


Due to the Microsoft post as follows, 

a partner need to address how this affects to end users' resources and workloads. 

Disablement of Symmetric keys for Microsoft Entra first-party applications Service Principals - M365 Admin (handsontek.net)


I used the "AZ AD SP List" to find the service principals, but the amount of the output is too large.

IMHO the affected apps would only be 3rd party apps and user's own apps which need to access the 1st party apps(which could be addressed by "AZ AD APP List"), 

but not 1st party apps as their credentials should be managed by Microsoft.

Is my understanding right?


If so, how can I check the key types of the target service principals as when I use 

"AZ AD APP List" and  "AZ AD SP Credential List --id", no key types of it showed.


Could my understanding have been wrong from the beginning, 

how can I address the Apps which used the symmetric keys to access 1st party apps?

As the following doc showed that when adding a certificate to an app, the key type is required, 

but after the adding of it, how do I check it again?


Ref:Add a certificate to an app or service principal using Microsoft Graph - Microsoft Graph | Microsoft Learn


Any advices or will be highly appreciated.

Thanks and best regards!


Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,159 questions
Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
11,052 questions
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,219 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,095 questions
{count} votes

Accepted answer
  1. Ben Cooper 95 Reputation points

    The KeyCredentials attribute should be listed when you run Get-MgServicePrincipal.

    Here is what I used to get the keys:

    $servicePrincipals = Get-MgServicePrincipal -All
    $Result = @()
    foreach ($sp in $servicePrincipals) {
        if ($sp.KeyCredentials) {
            foreach ($key in $sp.KeyCredentials) {
                $Result += New-Object PSObject -Property @{
                    SPId = $sp.Id
                    SPName = $sp.DisplayName
                    SPAppId = $sp.AppId
                    KeyName = $key.DisplayName
                    KeyType = $key.Type
                    Key = $key.Key
    $Result | Where-Object {$_.KeyType -eq "Symmetric"} | Export-CSV SymmetricKeys.csv -NoTypeInformation
    4 people found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. David Trevor 296 Reputation points

    From my understanding this does not affect the client secrets defined in the App Registration.

    Rather only keys added explicitly to the Service Principal, i.e. via Add-MgServicePrincipalKey or REST call. As described here: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgserviceprincipalkey?view=graph-powershell-1.0

    1 person found this answer helpful.
    0 comments No comments