This PowerShell script example exports all enterprise applications whose secrets and certificates expire within the next X days, and optionally those whose credentials have already expired. The script exports each enterprise application together with its owners. It does this for every enterprise app (service principal) in the directory. The output is saved to a CSV file.
If you don't have an Azure subscription, create an Azure free account before you begin.
This sample requires the Microsoft Graph PowerShell SDK module.
Sample script
<#################################################################################
DISCLAIMER:
This is not an official PowerShell Script. We designed it specifically for the situation you have
encountered right now.
Please do not modify or change any preset parameters.
Please note that we will not be able to support the script if it's changed or altered in any way
or used in a different situation for other means.
This code-sample is provided "AS IS" without warranty of any kind, either expressed or implied,
including but not limited to the implied warranties of merchantability and/or fitness for a
particular purpose.
This sample is not supported under any Microsoft standard support program or service.
Microsoft further disclaims all implied warranties including, without limitation, any implied
warranties of merchantability or of fitness for a particular purpose.
The entire risk arising out of the use or performance of the sample and documentation remains with
you.
In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or
delivery of the script be liable for any damages whatsoever (including, without limitation, damages
for loss of business profits, business interruption, loss of business information, or other
pecuniary loss) arising out of the use of or inability to use the sample or documentation, even if
Microsoft has been advised of the possibility of such damages.
#################################################################################>
# Application.Read.All is enough to list service principals, their credential
# metadata and their owners. Graph never returns secret values, only metadata.
Connect-MgGraph -Scopes 'Application.Read.All'

# -All pages through every service principal in the tenant. PasswordCredentials
# and KeyCredentials are returned by default, so no second lookup per app is needed.
$Applications = Get-MgServicePrincipal -All
$Logs = @()
$Messages = @{
    ExpirationDays = @{
        Info   = 'Filter the applications to log by the number of days until their secrets expire.'
        Prompt = 'Enter the number of days until the secrets expire as an integer.'
    }
    AlreadyExpired = @{
        Info   = 'Would you like to see Applications with already expired secrets as well?'
        Prompt = 'Enter Yes or No'
    }
    DurationNotice = @{
        Info = @(
            'The operation is running and will take longer the more applications the tenant has...'
            'Please wait...'
        ) -join ' '
    }
    Export = @{
        Info   = 'Where should the CSV file export to?'
        Prompt = 'Enter the full path in the format of <C:\Users\<USER>\Desktop\Users.csv>'
    }
}
Write-Host $Messages.ExpirationDays.Info -ForegroundColor Green
# Read-Host returns a string; cast it so the day comparison below is numeric.
[int]$DaysUntilExpiration = Read-Host -Prompt $Messages.ExpirationDays.Prompt
Write-Host $Messages.AlreadyExpired.Info -ForegroundColor Green
$IncludeAlreadyExpired = Read-Host -Prompt $Messages.AlreadyExpired.Prompt
if ($IncludeAlreadyExpired -notin 'Yes', 'No') {
    throw "Expected Yes or No, got '$IncludeAlreadyExpired'."
}
$Now = Get-Date
Write-Host $Messages.DurationNotice.Info -ForegroundColor Yellow

foreach ($App in $Applications) {
    $AppName = $App.DisplayName
    $ApplID  = $App.AppId

    # Resolve the owners once per application, not once per credential.
    $Owner    = Get-MgServicePrincipalOwner -ServicePrincipalId $App.Id
    $Username = $Owner.AdditionalProperties.userPrincipalName -join ';'
    $OwnerID  = $Owner.Id -join ';'
    if ($null -eq $Owner.AdditionalProperties.userPrincipalName) {
        # The owner is itself an application (service principal), not a user.
        $Username = @(
            $Owner.AdditionalProperties.displayName
            '**<This is an Application>**'
        ) -join ' '
    }
    if ($null -eq $Owner.AdditionalProperties.displayName) {
        $Username = '<<No Owner>>'
    }

    # Client secrets. A negative day count means the credential has already expired.
    foreach ($Secret in $App.PasswordCredentials) {
        $RemainingDaysCount = ($Secret.EndDateTime - $Now).Days
        if ($RemainingDaysCount -gt $DaysUntilExpiration) { continue }
        if ($IncludeAlreadyExpired -eq 'No' -and $RemainingDaysCount -lt 0) { continue }
        $Logs += [PSCustomObject]@{
            'ApplicationName'        = $AppName
            'ApplicationID'          = $ApplID
            'Secret Name'            = $Secret.DisplayName
            'Secret Start Date'      = $Secret.StartDateTime
            'Secret End Date'        = $Secret.EndDateTime
            'Certificate Name'       = $null
            'Certificate Start Date' = $null
            'Certificate End Date'   = $null
            'Owner'                  = $Username
            'Owner_ObjectID'         = $OwnerID
        }
    }

    # Certificates. Same column set and order as the secret rows, so Export-Csv
    # (which takes its header from the first object) produces a consistent file.
    foreach ($Cert in $App.KeyCredentials) {
        $RemainingDaysCount = ($Cert.EndDateTime - $Now).Days
        if ($RemainingDaysCount -gt $DaysUntilExpiration) { continue }
        if ($IncludeAlreadyExpired -eq 'No' -and $RemainingDaysCount -lt 0) { continue }
        $Logs += [PSCustomObject]@{
            'ApplicationName'        = $AppName
            'ApplicationID'          = $ApplID
            'Secret Name'            = $null
            'Secret Start Date'      = $null
            'Secret End Date'        = $null
            'Certificate Name'       = $Cert.DisplayName
            'Certificate Start Date' = $Cert.StartDateTime
            'Certificate End Date'   = $Cert.EndDateTime
            'Owner'                  = $Username
            'Owner_ObjectID'         = $OwnerID
        }
    }
}
Write-Host $Messages.Export.Info -ForegroundColor Green
$Path = Read-Host -Prompt $Messages.Export.Prompt
$Logs | Export-Csv $Path -NoTypeInformation -Encoding UTF8
Script explanation
The script can be used directly without modification. The administrator is prompted for the number of days until expiration and for whether already expired secrets or certificates should be included; the expired-items prompt expects Yes or No (case doesn't matter).
Each "[PSCustomObject]" hash table literal creates one row, and its keys become the columns of the CSV file; the secret rows and certificate rows use the same set of keys so that "Export-Csv", which takes its header from the first row, writes a consistent file. If the export isn't interactive, you can set the "$Path" variable directly in PowerShell to the CSV file path instead of answering the prompt. The export contains credential metadata only (names, dates, owners): Microsoft Graph never returns the value of a client secret after it is created. Owner user principal names are still personal data, so store the CSV accordingly.
Command | Notes
---|---
Get-MgServicePrincipal | Retrieves the enterprise applications from the directory.
Get-MgServicePrincipalOwner | Retrieves the owners of an enterprise application from the directory.
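For a scheduled audit the prompts get in the way. The following is an added example, not part of the original Microsoft sample: the same check wrapped in a parameterized function that emits one row per credential (secret or certificate) with a CredentialType column, signed in app-only with a certificate so the audit job itself does not depend on a client secret. It assumes an app registration for the audit that has the Application.Read.All application permission granted with admin consent; the client ID, tenant, thumbprint and output path below are placeholders to replace.

```powershell
# Added example, not the original sample. Assumes an audit app registration
# with the Application.Read.All application permission (admin-consented) and a
# certificate in the current user's store. All IDs and paths are placeholders.

function Get-ExpiringServicePrincipalCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [int] $DaysUntilExpiration,
        [switch] $IncludeAlreadyExpired,
        [datetime] $Now = (Get-Date)
    )
    foreach ($Sp in Get-MgServicePrincipal -All) {
        # Owners once per service principal; a user owner has a UPN, an
        # application owner only a displayName.
        $Owners = Get-MgServicePrincipalOwner -ServicePrincipalId $Sp.Id
        $OwnerLabel = ($Owners | ForEach-Object {
            $upn = $_.AdditionalProperties['userPrincipalName']
            if ($upn) { $upn } else { "$($_.AdditionalProperties['displayName']) (application)" }
        }) -join ';'
        if (-not $OwnerLabel) { $OwnerLabel = '<<No Owner>>' }

        # Flatten both credential kinds into one row shape. KeyId is the Graph
        # credential identifier, never the secret value (Graph does not return it).
        $Creds = @(
            $Sp.PasswordCredentials | ForEach-Object { [PSCustomObject]@{ Type = 'Secret'; Cred = $_ } }
            $Sp.KeyCredentials      | ForEach-Object { [PSCustomObject]@{ Type = 'Certificate'; Cred = $_ } }
        )
        foreach ($c in $Creds) {
            $remaining = ($c.Cred.EndDateTime - $Now).Days
            if ($remaining -gt $DaysUntilExpiration) { continue }
            if (-not $IncludeAlreadyExpired -and $remaining -lt 0) { continue }
            [PSCustomObject]@{
                ApplicationName = $Sp.DisplayName
                ApplicationID   = $Sp.AppId
                ObjectID        = $Sp.Id
                CredentialType  = $c.Type
                CredentialName  = $c.Cred.DisplayName
                KeyId           = $c.Cred.KeyId
                StartDate       = $c.Cred.StartDateTime
                EndDate         = $c.Cred.EndDateTime
                DaysRemaining   = $remaining
                Owner           = $OwnerLabel
                Owner_ObjectID  = ($Owners.Id -join ';')
            }
        }
    }
}

# App-only sign-in with a certificate (placeholder values); no client secret
# is needed by the job that audits client secrets.
Connect-MgGraph -ClientId '00000000-0000-0000-0000-000000000000' `
                -TenantId 'contoso.onmicrosoft.com' `
                -CertificateThumbprint 'THUMBPRINT' -NoWelcome

# Credentials expiring within 30 days plus already expired ones, soonest first.
Get-ExpiringServicePrincipalCredential -DaysUntilExpiration 30 -IncludeAlreadyExpired |
    Sort-Object DaysRemaining |
    Export-Csv -Path 'C:\Reports\ExpiringCredentials.csv' -NoTypeInformation -Encoding UTF8
```

Because the function writes objects to the pipeline rather than collecting them in an array, the output can be filtered or sorted before export (for example, dropping rows whose Owner is '<<No Owner>>' into a separate escalation list). The Graph API does not support server-side filtering on credential end dates, so the day-window check stays client-side.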
Next steps
For more information about the Microsoft Graph PowerShell module, see the Microsoft Graph PowerShell module overview.
For other PowerShell examples for application management, see Azure Microsoft Graph PowerShell examples for application management.