Disablement of Symmetric keys for Microsoft Entra first-party applications Service Principals

jpcapone 1,776 Reputation points
2024-06-05T15:19:33.4333333+00:00

Can anyone explain the remediation path for this process step by step?


Accepted answer
    Raja Pothuraju 23,465 Reputation points Microsoft External Staff Moderator
    2024-06-07T13:55:00.1066667+00:00

    Hello @jpcapone ,

    Thank you for posting your query with Microsoft Q&A.

    Please find the answer and step by step process below-

    Microsoft is planning to disable usage of symmetric keys for first party applications.

    Password credentials and Key credentials are available for all the applications. Key Credentials have two types called symmetric and asymmetric keys.

    There is no issue for first party applications which are using Asymmetric Key Credentials.

    Microsoft has sent a universal message via message center to all the tenants.

    Please note-

    • Third party apps will not be affected.
    • The SPO scenario is not impacted.

    Legacy apps (servicePrincipalType:Legacy) will not be affected.

    Please find the below script, which can be used to export a list of all the service principals with the application type; these can be exported to Excel.

    "First Party app" means the application with the appOwnerOrganizationId of f8cdef31-a31e-4b4a-93e4-5f571e91255a. Please filter the exported CSV from the script with given appOwnerOrganizationId to filter the first party applications.

    ===============================================================

    ```powershell
    # Install the Graph SDK once and sign in with read access to application objects
    Install-Module Microsoft.Graph
    Connect-MgGraph -Scopes "Application.Read.All"

    # All service principals in the tenant
    $Sps = Get-MgServicePrincipal -All

    $credentials = @()

    $Sps | ForEach-Object {
        # Re-read the current service principal into its own variable; the original
        # overwrote $Sps here and relied on $_ inside the nested loops, where $_ is
        # the credential object, not the service principal
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.Id

        $sp.KeyCredentials | ForEach-Object {
            $credentials += [PSCustomObject] @{
                DisplayName         = $sp.DisplayName
                SPId                = $sp.Id
                AppId               = $sp.AppId
                CredentialType      = "KeyCredentials"
                Type                = $_.Type      # e.g. AsymmetricX509Cert or Symmetric
                Usage               = $_.Usage     # Verify or Sign
                OwnerOrganizationId = $sp.AppOwnerOrganizationId
            }
        }

        $sp.PasswordCredentials | ForEach-Object {
            $credentials += [PSCustomObject] @{
                DisplayName         = $sp.DisplayName
                SPId                = $sp.Id
                AppId               = $sp.AppId
                CredentialType      = "PasswordCredentials"
                Type                = 'NA'
                Usage               = 'NA'
                OwnerOrganizationId = $sp.AppOwnerOrganizationId
            }
        }
    }

    # Export-Csv takes its input from the pipeline and the path via -Path
    $credentials | Export-Csv -Path C:\export.csv -NoTypeInformation
    ```


    ===============================================================

    Please note that csv path can be changed based on your requirement.

    Hope this helps. Do let us know if you have any further queries.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

    Thanks and Regards,

    Raja Pothuraju.
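The answer leaves the final step, filtering the exported CSV down to first-party applications that still carry a symmetric key credential, to the reader. The script below is an added example and is not part of the Q&A answer or any Microsoft tooling. It assumes the column names of that export (DisplayName, SPId, CredentialType, Type, Usage, OwnerOrganizationId), the path C:\export.csv, and the Microsoft Graph keyCredential type values AsymmetricX509Cert and Symmetric; the sample rows are constructed so the function can be run without a tenant export.

```powershell
# Added example: report first-party service principals that still have a symmetric key credential.
# The owner organization id below is the first-party value quoted in the answer.
$FirstPartyOwnerId = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

function Get-FirstPartySymmetricKeyCredential {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Credential
    )
    begin { $rows = @() }
    process { $rows += $Credential }
    end {
        $rows |
            Where-Object {
                $_.OwnerOrganizationId -eq $FirstPartyOwnerId -and
                $_.CredentialType -eq 'KeyCredentials' -and
                $_.Type -eq 'Symmetric'                       # asymmetric (X509) keys are not affected
            } |
            Select-Object DisplayName, SPId, Usage
    }
}

# Constructed sample rows (not real tenant data) in the shape of the exported CSV
$sample = @(
    [PSCustomObject]@{ DisplayName='Contoso LOB App';  SPId='11111111-0000-0000-0000-000000000001'; CredentialType='KeyCredentials';      Type='Symmetric';          Usage='Verify'; OwnerOrganizationId='22222222-0000-0000-0000-000000000002' }
    [PSCustomObject]@{ DisplayName='Example MS App';   SPId='11111111-0000-0000-0000-000000000003'; CredentialType='KeyCredentials';      Type='AsymmetricX509Cert'; Usage='Verify'; OwnerOrganizationId='f8cdef31-a31e-4b4a-93e4-5f571e91255a' }
    [PSCustomObject]@{ DisplayName='Example MS App 2'; SPId='11111111-0000-0000-0000-000000000004'; CredentialType='KeyCredentials';      Type='Symmetric';          Usage='Verify'; OwnerOrganizationId='f8cdef31-a31e-4b4a-93e4-5f571e91255a' }
    [PSCustomObject]@{ DisplayName='Example MS App 2'; SPId='11111111-0000-0000-0000-000000000004'; CredentialType='PasswordCredentials'; Type='NA';                 Usage='NA';     OwnerOrganizationId='f8cdef31-a31e-4b4a-93e4-5f571e91255a' }
)

# Only "Example MS App 2" with its Symmetric key credential should be listed
$sample | Get-FirstPartySymmetricKeyCredential | Format-Table

# Against a real export produced by the answer's script:
# Import-Csv -Path C:\export.csv | Get-FirstPartySymmetricKeyCredential |
#     Export-Csv -Path C:\first-party-symmetric.csv -NoTypeInformation
```

The third-party row and the asymmetric first-party row are dropped by the filter, so what remains is exactly the set of first-party service principals the message-center notice concerns; password credentials are ignored because the announced change is limited to symmetric key credentials.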

