The following requests can be used to retrieve the recommendation and the impacted resources using the Microsoft Graph API. To use the Microsoft Graph API, you need the `DirectoryRecommendations.Read.All` and `DirectoryRecommendations.ReadWrite.All` permissions. For more information, see How to use Identity Recommendations.
When renewing service principal credentials using Microsoft Graph, you need to run a query to get the password credentials on a service principal, add a new password credential, then remove the old credentials.
- Sign in to Graph Explorer.
- Select GET as the HTTP method from the dropdown.
To retrieve all recommendations for your tenant:

```http
GET https://graph.microsoft.com/beta/directory/recommendations
```

From the response, find the ID of the recommendation that matches the following pattern: `{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry`.
To identify impacted resources, request the `impactedResources` collection of that recommendation:

```http
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources
```

To filter the list of resources based on their status, for example only resources that are marked as `active`:

```http
GET https://graph.microsoft.com/beta/directory/recommendations/{tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry/impactedResources?$filter=status eq Microsoft.Graph.recommendationStatus'active'
```
- Take note of the `AppId`, `CredentialId`, and the origin of the credential you want to remove.
- Use these Microsoft Graph APIs to add a new password or key credential:
- Use these Microsoft Graph APIs to remove the old credential:
An example of the recommendation object returned for this recommendation type:

```json
{
  "id": "536279f6-15cc-45f2-be2d-61e352b51eef_Microsoft.Identity.IAM.Insights.ServicePrincipalKeyExpiry",
  "recommendationType": "servicePrincipalKeyExpiry",
  "createdDateTime": "2022-05-29T00:11:17Z",
  "impactStartDateTime": "2022-05-29T00:11:17Z",
  "postponeUntilDateTime": null,
  "lastModifiedDateTime": "2024-07-26T12:31:58Z",
  "lastModifiedBy": "System",
  "displayName": "Renew expiring service principal credentials",
  "featureAreas": [
    "applications"
  ],
  "insights": "Your tenant has service principals with credentials that will expire soon.",
  "benefits": "Renewing the service principal credential(s) before expiration ensures the application continues to function and reduces the possibility of downtime due to an expired credential.",
  "category": "identityBestPractice",
  "status": "completedBySystem",
  "priority": "high",
  "requiredLicenses": "microsoftEntraWorkloadId",
  "impactType": "apps",
  "actionSteps": [
    {
      "stepNumber": 1,
      "text": "1. Navigate to the Enterprise applications section and locate the Enterprise application for which the credential needs to be rotated."
    },
    {
      "stepNumber": 2,
      "text": "2. Navigate to the “Single sign-on” blade."
    },
    {
      "stepNumber": 3,
      "text": "3. Edit the 'SAML signing certificate' section and follow prompts to add a new certificate."
    },
    {
      "stepNumber": 4,
      "text": "4. After adding the certificate, change its properties to make certificate active. This will make the previous certificate inactive."
    },
    {
      "stepNumber": 5,
      "text": "5. Once the certificate is successfully added and activated, validate that your service is working with the new credential, and remove the old credential."
    },
    {
      "stepNumber": 6,
      "text": "6. If the service principal does not show any credentials after navigating to the enterprise apps blade, we recommend checking the 'passwordCredentials' and 'keyCredentials' property of the service principal object using PowerShell or Microsoft Graph service principal API and use the Microsoft Graph API to rotate credentials."
    }
  ]
}
```
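The procedure above (find the recommendation, list its active impacted resources, add a new password credential, verify it, then remove the old one) as a Python script. This is an added example, not Microsoft's code. The Graph endpoints it calls are real (`/beta/directory/recommendations`, `.../impactedResources`, `servicePrincipals/{id}/addPassword` and `removePassword`); the `request` callable that performs authenticated HTTP is supplied by the caller, and the key names it reads from `additionalDetails` ("AppId", "CredentialId", "Origin") are an assumption based on what the page tells you to note down. `FakeGraph` is a constructed in-memory stand-in so the script runs offline.

```python
# Added example: rotate expiring service-principal password credentials surfaced
# by the servicePrincipalKeyExpiry recommendation. Not Microsoft's code.
from typing import Callable, Iterator, Optional
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com"
REC_SUFFIX = "_microsoft.identity.iam.insights.serviceprincipalkeyexpiry"
Request = Callable[[str, str, Optional[dict]], dict]  # (method, url, json body) -> parsed json


def paged(request: Request, url: str) -> Iterator[dict]:
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = request("GET", url, None)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def find_key_expiry_recommendation(request: Request) -> Optional[str]:
    """Return the id matching {tenantId}_Microsoft.Identity.IAM.Insights.servicePrincipalKeyExpiry."""
    for rec in paged(request, f"{GRAPH}/beta/directory/recommendations"):
        if rec["id"].lower().endswith(REC_SUFFIX):
            return rec["id"]
    return None


def active_impacted_resources(request: Request, rec_id: str) -> list:
    """Impacted resources still marked active, using the same $filter the page shows."""
    flt = quote("status eq microsoft.graph.recommendationStatus'active'")
    url = f"{GRAPH}/beta/directory/recommendations/{rec_id}/impactedResources?$filter={flt}"
    found = []
    for res in paged(request, url):
        details = {d["key"]: d["value"] for d in res.get("additionalDetails", [])}  # assumed shape
        found.append({"spId": res["id"], "appId": details.get("AppId"),
                      "credentialId": details.get("CredentialId"), "origin": details.get("Origin")})
    return found


def rotate_password(request: Request, sp_id: str, old_key_id: str,
                    verify: Callable[[str], bool]) -> dict:
    """Add a new password, let the caller prove the app works with it, then remove the old one.
    If verification fails the old credential stays, so a bad rotation cannot cause an outage."""
    new = request("POST", f"{GRAPH}/v1.0/servicePrincipals/{sp_id}/addPassword",
                  {"passwordCredential": {"displayName": "rotated-by-script"}})
    if not verify(new["secretText"]):
        return {"added": new["keyId"], "removed": None, "status": "unverified-old-kept"}
    # Confirm the old credential is still present before asking Graph to remove it.
    sp = request("GET", f"{GRAPH}/v1.0/servicePrincipals/{sp_id}?$select=passwordCredentials", None)
    if old_key_id not in {c["keyId"] for c in sp.get("passwordCredentials", [])}:
        return {"added": new["keyId"], "removed": None, "status": "old-not-found"}
    request("POST", f"{GRAPH}/v1.0/servicePrincipals/{sp_id}/removePassword", {"keyId": old_key_id})
    return {"added": new["keyId"], "removed": old_key_id, "status": "rotated"}


def rotate_all(request: Request, verify: Callable[[str], bool]) -> list:
    """Run the whole procedure. Certificate (keyCredentials) entries are reported, not rotated:
    addKey needs a proof-of-possession token signed with an existing certificate."""
    rec_id = find_key_expiry_recommendation(request)
    results = []
    for res in ([] if rec_id is None else active_impacted_resources(request, rec_id)):
        if res["origin"] != "passwordCredentials" or not res["credentialId"]:
            results.append({**res, "status": "skipped-not-password"})
            continue
        results.append({**res, **rotate_password(request, res["spId"], res["credentialId"], verify)})
    return results


class FakeGraph:
    """Constructed in-memory stand-in for Graph so the example runs offline (ids are made up)."""
    SP, OLD, NEW = "sp-0001", "aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002"

    def __init__(self) -> None:
        self.creds = {self.OLD}

    def __call__(self, method: str, url: str, body: Optional[dict]) -> dict:
        if url.endswith("/directory/recommendations"):
            return {"value": [{"id": "tid_Microsoft.Identity.IAM.Insights.ServicePrincipalKeyExpiry"}]}
        if "/impactedResources" in url:
            return {"value": [{"id": self.SP, "status": "active", "additionalDetails": [
                {"key": "AppId", "value": "app-1"}, {"key": "CredentialId", "value": self.OLD},
                {"key": "Origin", "value": "passwordCredentials"}]}]}
        if url.endswith("/addPassword"):
            self.creds.add(self.NEW)
            return {"keyId": self.NEW, "secretText": "constructed-secret"}
        if "$select=passwordCredentials" in url:
            return {"passwordCredentials": [{"keyId": k} for k in self.creds]}
        if url.endswith("/removePassword"):
            self.creds.discard(body["keyId"])
            return {}
        raise ValueError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    print(rotate_all(FakeGraph(), verify=lambda secret: True))
```

The `verify` callback is where you plug in the real check from step 5 of the action steps (for example, obtaining a token with the new secret); until it returns true the old credential is never removed, which is the ordering the page requires.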