Error when exectuing a powershell script aganist Azure

Sharath chandra Gajjela 1 Reputation point
2022-08-19T14:37:30.213+00:00

Hi,

I've following the script, which gives me the output App name, Expires date, etc of App registration secrets that are expiring in 1 year. It is working fine for Azure Playgrounds, this playground is provided by Kodekloud. But when i execute the same script against my Azure free Trial account, I'm getting the error "Authentication_Unauthorized". I'm not sure what I'm missing here.
I did try by passing the tenant Id but had no success

Powershell Script:

 Connect-AzureAD  
  
$LimitExpirationDays = 365 #secret expiration date filter  
#Retrieving the list of secrets that expires in the above days  
$SecretsToExpire = Get-AzureADApplication -All:$true | ForEach-Object {  
    $app = $_  
    @(  
        Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId  
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId  
    ) | Where-Object {  
        $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)  
    } | ForEach-Object {  
        $id = "Not set"  
        if($_.CustomKeyIdentifier) {  
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)  
        }  
        [PSCustomObject] @{  
            App = $app.DisplayName  
            ObjectID = $app.ObjectId  
            AppId = $app.AppId  
            Type = $_.GetType().name  
            KeyIdentifier = $id  
            EndDate = $_.EndDate  
        }  
    }  
}  
   
#Gridview list  
#$SecretsToExpire | Out-GridView  
  
#Printing the list of secrets that are near to expire  
if($SecretsToExpire.Count -EQ 0) {  
    Write-Output "No secrets found that will expire in this range"  
}  
else {  
    Write-Output "Secrets that will expire in this range:"  
    Write-Output $SecretsToExpire.Count  
    Write-Output $SecretsToExpirecls  
      
}  

Below Screenshot shows, I was able to connect to Azure but it throws an error when executing function Get-AzureADApplication
232981-image.png

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
661 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,355 questions
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Olga Os - MSFT 5,831 Reputation points Microsoft Employee
    2022-08-19T20:13:12.923+00:00

    Hello @Sharath chandra Gajjela ,

    Welcome to the MS Q&A forum.

    Failure you are facing most likely related what you are connecting to Azure AD without privileges or you are connecting to the wrong Tenant ID.

    To resolve this issue:

    1) Make sure you have the most recent AzureAD PS modules.

    2) Please try adding the global admin role to the user account used to connect. Steps to assign the role outlined here.
    233003-image.png

    3) Screenshot shows the empty return for "TenantDomain". It could be the indication as well. To ensure connection to the expected Azure AD Domain, the tenant ID must be specified:

    Connect-AzureAD -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    4) Sign-in logs in Azure AD could contain the reason on why access was restricted. As example, you may have CA Policy restricting access to PowerShell. Search for the application "Azure Active Directory PowerShell". More details on how to find and review Sign-in logs could be found here.
    232989-image.png


    I hope above steps should help you resolve the issue. Please contact me if you have any further questions with the troubleshooting.


    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    0 comments No comments

  2. Sharath chandra Gajjela 1 Reputation point
    2022-08-20T06:19:42.377+00:00

    Thanks for the reply @Olga Os - MSFT . Unfortunately, I still face the same issue. Please find below my comments

    1) I've updated all the modules using the command "Update-Module" in Powershell

    2) I already have the global administrator role, also two other roles under Eligible Assignments. Find below screenshots
    233073-image.png

    233028-image.png

    3) I'm passing the tenant ID now
    233101-image.png

    4) I don't see any records after filtering under interactive and Non-Interactive User Sign-ins
    233054-image.png

    0 comments No comments

  3. Sharath chandra Gajjela 1 Reputation point
    2022-08-20T11:42:07.457+00:00

    Finally, I found the issue, it's related to Tenant ID, Point#3. I'm using a different Tenant ID. Reference: https://learn.microsoft.com/en-us/answers/questions/196425/connect-to-azuread.html

    Now, I get a plane output, not sure what I'm missing.
    233122-image.png

    0 comments No comments

  4. Olga Os - MSFT 5,831 Reputation points Microsoft Employee
    2022-08-22T16:33:21.387+00:00

    Hello @Sharath chandra Gajjela ,

    From what I see, the script itself has few syntax errors.

    As example, in the else statement, you output parameter $SecretsToExpirecls which wasn't defined before:

    233548-image.png

    Second what I noticed, is how you count the object: $SecretsToExpire.Count. ".Count" is not always reliable for every situation. In your case you are trying to count PSCustomObject.
    233549-image.png

    "Measure-Object" command may be the solution in your case or you could count AppIds $SecretsToExpire.AppId.Count:
    Examples below:

    Write-Output "Just Count:" $SecretsToExpire.Count

    Write-Output "Measure-Object Count:" ($SecretsToExpire | Measure-Object).Count

    Write-Output "Count AppIds:" $SecretsToExpire.AppId.Count

    Output:

    Just Count:

    Measure-Object Count: 1

    Count AppIds: 1

    I hope above steps should help you resolve the issue. Please contact me if you have any further questions with the troubleshooting.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

    0 comments No comments

  5. Sharath chandra Gajjela 1 Reputation point
    2022-08-23T06:01:41.647+00:00

    Thanks For the detailed explanation, I'll check and update.
    One last question: Is there any way to get the output of Owned applications? I mean when I connect to Azure and execute Function "Get-AzureADApplication", the result will show all the applications of that tenant but I want to see only the applications which I've access. The reason I'm asking is that I've hundreds of applications but I need results where I've access.
    I know I can filter by Object ID , name but is there any way to filter by Owner?

    233860-image.png

    233898-image.png