Error when executing a PowerShell script against Azure

Sharath chandra Gajjela 1 Reputation point
2022-08-19T14:37:30.213+00:00

Hi,

I have the following script, which gives me the output (app name, expiry date, etc.) of app registration secrets that are expiring within 1 year. It works fine for Azure Playgrounds (this playground is provided by KodeKloud). But when I execute the same script against my Azure free trial account, I get the error "Authentication_Unauthorized". I'm not sure what I'm missing here.
I did try passing the tenant ID but had no success.

Powershell Script:

Connect-AzureAD

$LimitExpirationDays = 365 #secret expiration date filter
#Retrieving the list of secrets that expires in the above days
$SecretsToExpire = Get-AzureADApplication -All:$true | ForEach-Object {
    $app = $_
    @(
        Get-AzureADApplicationPasswordCredential -ObjectId $_.ObjectId
        Get-AzureADApplicationKeyCredential -ObjectId $_.ObjectId
    ) | Where-Object {
        $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)
    } | ForEach-Object {
        $id = "Not set"
        if($_.CustomKeyIdentifier) {
            $id = [System.Text.Encoding]::UTF8.GetString($_.CustomKeyIdentifier)
        }
        [PSCustomObject] @{
            App = $app.DisplayName
            ObjectID = $app.ObjectId
            AppId = $app.AppId
            Type = $_.GetType().name
            KeyIdentifier = $id
            EndDate = $_.EndDate
        }
    }
}

#Gridview list
#$SecretsToExpire | Out-GridView

#Printing the list of secrets that are near to expire
if($SecretsToExpire.Count -EQ 0) {
    Write-Output "No secrets found that will expire in this range"
}
else {
    Write-Output "Secrets that will expire in this range:"
    Write-Output $SecretsToExpire.Count
    Write-Output $SecretsToExpirecls

}

The screenshot below shows that I was able to connect to Azure, but it throws an error when executing the function Get-AzureADApplication.


6 answers

  1. Olga Os - MSFT 5,916 Reputation points Microsoft Employee
    2022-08-19T20:13:12.923+00:00

    Hello @Sharath chandra Gajjela ,

    Welcome to the MS Q&A forum.

    The failure you are facing is most likely related to connecting to Azure AD without privileges, or to connecting to the wrong tenant ID.

    To resolve this issue:

    1) Make sure you have the most recent AzureAD PS modules.

    2) Please try adding the global admin role to the user account used to connect. Steps to assign the role are outlined here.

    3) The screenshot shows an empty return for "TenantDomain". That could be an indication as well. To ensure a connection to the expected Azure AD domain, the tenant ID must be specified:

    Connect-AzureAD -TenantId xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

    4) The sign-in logs in Azure AD could contain the reason why access was restricted. As an example, you may have a CA policy restricting access to PowerShell. Search for the application "Azure Active Directory PowerShell". More details on how to find and review sign-in logs can be found here.


    I hope the above steps help you resolve the issue. Please contact me if you have any further questions about the troubleshooting.


    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.


  2. Sharath chandra Gajjela 1 Reputation point
    2022-08-20T06:19:42.377+00:00

    Thanks for the reply @Olga Os - MSFT. Unfortunately, I still face the same issue. Please find my comments below.

    1) I've updated all the modules using the "Update-Module" command in PowerShell.

    2) I already have the Global Administrator role, and also two other roles under Eligible Assignments. Find the screenshots below.

    3) I'm passing the tenant ID now.

    4) I don't see any records after filtering under Interactive and Non-Interactive User Sign-ins.


  3. Sharath chandra Gajjela 1 Reputation point
    2022-08-20T11:42:07.457+00:00

    Finally, I found the issue; it's related to the tenant ID, point #3. I'm using a different tenant ID. Reference: https://learn.microsoft.com/en-us/answers/questions/196425/connect-to-azuread.html

    Now I get a plain output; not sure what I'm missing.


  4. Olga Os - MSFT 5,916 Reputation points Microsoft Employee
    2022-08-22T16:33:21.387+00:00

    Hello @Sharath chandra Gajjela ,

    From what I see, the script itself has a few syntax errors.

    As an example, in the else statement you output the variable $SecretsToExpirecls, which wasn't defined before:


    The second thing I noticed is how you count the objects: $SecretsToExpire.Count. ".Count" is not reliable in every situation. In your case you are trying to count a PSCustomObject.

    The "Measure-Object" command may be the solution in your case, or you could count the AppIds with $SecretsToExpire.AppId.Count.
    Examples below:

    Write-Output "Just Count:" $SecretsToExpire.Count

    Write-Output "Measure-Object Count:" ($SecretsToExpire | Measure-Object).Count

    Write-Output "Count AppIds:" $SecretsToExpire.AppId.Count

    Output:

    Just Count:

    Measure-Object Count: 1

    Count AppIds: 1

    I hope the above steps help you resolve the issue. Please contact me if you have any further questions about the troubleshooting.

    --------------------------------------------------------

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.


  5. Sharath chandra Gajjela 1 Reputation point
    2022-08-23T06:01:41.647+00:00

    Thanks for the detailed explanation, I'll check and update.
    One last question: is there any way to get the output for owned applications only? I mean, when I connect to Azure and execute the function "Get-AzureADApplication", the result shows all the applications of that tenant, but I want to see only the applications to which I have access. The reason I'm asking is that I have hundreds of applications but I need results only where I have access.
    I know I can filter by object ID or name, but is there any way to filter by owner?


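Putting answer 4's fixes and answer 5's owner question together, here is an added example (not code from the thread): the original script with the count made reliable by forcing an array, the undefined variable removed, and the results restricted to applications owned by the signed-in account. It assumes the AzureAD module cmdlets Get-AzureADCurrentSessionInfo, Get-AzureADUser and Get-AzureADApplicationOwner, that the signed-in UPN is exposed as (Get-AzureADCurrentSessionInfo).Account.Id, and an existing Connect-AzureAD -TenantId session; it goes beyond the thread by printing the key identifier as hex and flagging credentials that have already expired.

```powershell
# Added example, not the original poster's script. Assumes an existing
# Connect-AzureAD -TenantId <tenant-id> session and the AzureAD module.
$LimitExpirationDays = 365   # report credentials ending within this many days

# Resolve the signed-in account to a user object so owner ObjectIds can be compared.
# Assumption: .Account.Id holds the UPN of the connected account.
$me = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id

# @( ) forces an array, so .Count is 0 or 1 instead of empty when the pipeline
# yields nothing or a single PSCustomObject (the empty "Just Count:" in answer 4).
$SecretsToExpire = @(
    Get-AzureADApplication -All:$true | Where-Object {
        # Keep only apps where the signed-in user is listed as an owner
        # ($null -contains x is simply $false when an app has no owners).
        $owners = Get-AzureADApplicationOwner -ObjectId $_.ObjectId
        $owners.ObjectId -contains $me.ObjectId
    } | ForEach-Object {
        $app = $_
        @(
            Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId
            Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId
        ) | Where-Object {
            $_.EndDate -lt (Get-Date).AddDays($LimitExpirationDays)
        } | ForEach-Object {
            # CustomKeyIdentifier is a byte[]; hex prints safely even when the
            # bytes are not UTF-8 text (e.g. a certificate thumbprint).
            $id = 'Not set'
            if ($_.CustomKeyIdentifier) { $id = [BitConverter]::ToString($_.CustomKeyIdentifier) }
            [PSCustomObject]@{
                App           = $app.DisplayName
                ObjectId      = $app.ObjectId
                AppId         = $app.AppId
                Type          = $_.GetType().Name
                KeyIdentifier = $id
                EndDate       = $_.EndDate
                Expired       = ($_.EndDate -lt (Get-Date))   # already past its end date
            }
        }
    }
)

if ($SecretsToExpire.Count -eq 0) {
    Write-Output "No secrets found that will expire in this range"
}
else {
    Write-Output "Secrets that will expire in this range: $($SecretsToExpire.Count)"
    $SecretsToExpire | Sort-Object EndDate | Format-Table -AutoSize
}
```

Each application costs one extra Get-AzureADApplicationOwner call, so over hundreds of registrations the owner filter adds noticeable runtime; the filter is still cheaper than reviewing every tenant-wide result by hand.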