Entra App Registrations : Secret Key Expiry HTML Report

When you create an OAuth app registration in Entra, unlike SAML, this creates a secret key that expires, usually, if you are progressive, after 72 months.

When they expire they can cause issues with applications, so let's get some PowerShell out of the toolbox and combine it with some simple HTML to get a report; this report will be ordered by expiry date.

This is the script:

# Connect to Azure AD
Connect-AzureAD

# Start HTML output
$html = @"
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Application Registrations with Secrets</title>
<style>
table {
  border-collapse: collapse;  width: 100%;
}

th, td {
  border: 1px solid #dddddd;
  text-align: left;
  padding: 8px;
}

th {
  background-color: #f2f2f2;
}
</style>
</head>
<body>
<h1>Application Registrations with Secrets</h1>
<table>
<tr>
<th>Application Name</th>
<th>Object ID</th>
<th>Secret Expiry</th>
</tr>
"@

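# Get all application registrations with secrets, ordered by their earliest secret expiry
$apps = Get-AzureADApplication -All $true |
    Where-Object { $_.PasswordCredentials.Count -gt 0 } |
    Sort-Object { $_.PasswordCredentials.EndDate | Sort-Object | Select-Object -First 1 }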

# Iterate through each application registration
foreach ($app in $apps) {
    # HTML-encode the display name so markup in an app name is not rendered in the report
    $html += "<tr>"
    $html += "<td>$([System.Net.WebUtility]::HtmlEncode($app.DisplayName))</td>"
    $html += "<td>$($app.ObjectId)</td>"
    $secretExpiry = ""

    # Get expiry date for each secret
    foreach ($secret in $app.PasswordCredentials) {
        $expiryDate = $secret.EndDate
        if ($null -ne $expiryDate) {
            $secretExpiry += "$($expiryDate.ToString())<br>"
        } else {
            $secretExpiry += "Never<br>"
        }
    }

    $html += "<td>$secretExpiry</td>"
    $html += "</tr>"
}

# End HTML output
$html += @"
</table>
</body>
</html>
"@


# Disconnect from Azure AD
Disconnect-AzureAD

# Save HTML content to a file
$html | Out-File -FilePath "c:\temp\application_registrations.html" -Encoding UTF8

Write-Host "HTML output generated: application_registrations.html"

This is what the output looks like; you can see here that "Death to He-Man tomorrow" expired quite a few years ago, but the operational apps for Skeletor are all valid :)


The key for me is this action in red below; these are not in order as they have been modified for the Internet.
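
One way to have the report itself flag expired secrets in red, with one row per secret sorted by expiry. This is an added example, not part of the original script: it runs offline against constructed sample objects shaped like Get-AzureADApplication output, and the function names, the 30-day warning window and the sample app names are assumptions.

```powershell
# Constructed sample data (not real tenant output), shaped like Get-AzureADApplication
# results: DisplayName, ObjectId, PasswordCredentials[].EndDate.
$sampleApps = @(
    [pscustomobject]@{
        DisplayName = 'Payroll <b>API</b>'   # markup in a name must not reach the report raw
        ObjectId    = '00000000-0000-0000-0000-000000000001'
        PasswordCredentials = @(
            [pscustomobject]@{ EndDate = (Get-Date).AddDays(-400) },
            [pscustomobject]@{ EndDate = (Get-Date).AddDays(20) }
        )
    },
    [pscustomobject]@{
        DisplayName = 'Inventory Sync'
        ObjectId    = '00000000-0000-0000-0000-000000000002'
        PasswordCredentials = @([pscustomobject]@{ EndDate = (Get-Date).AddDays(700) })
    }
)

# Hypothetical helper: one output row per secret, classified and sorted by expiry date.
function Get-SecretExpiryRow {
    param([object[]]$Apps, [int]$WarnDays = 30, [datetime]$Now = (Get-Date))
    $rows = foreach ($app in $Apps) {
        foreach ($secret in $app.PasswordCredentials) {
            if ($null -eq $secret.EndDate) { $status = 'NoExpiry' }
            elseif ($secret.EndDate -lt $Now) { $status = 'Expired' }
            elseif ($secret.EndDate -lt $Now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else { $status = 'Valid' }
            [pscustomobject]@{
                Application = $app.DisplayName
                ObjectId    = $app.ObjectId
                Expiry      = $secret.EndDate
                Status      = $status
            }
        }
    }
    $rows | Sort-Object Expiry   # oldest expiry first
}

# Hypothetical helper: renders a row as HTML, red when expired, orange when close to expiry.
function ConvertTo-SecretExpiryHtmlRow {
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        $colour = switch ($Row.Status) { 'Expired' { 'red' } 'ExpiringSoon' { 'orange' } default { 'inherit' } }
        $name   = [System.Net.WebUtility]::HtmlEncode($Row.Application)
        "<tr style='color:$colour'><td>$name</td><td>$($Row.ObjectId)</td><td>$($Row.Expiry)</td><td>$($Row.Status)</td></tr>"
    }
}

Get-SecretExpiryRow -Apps $sampleApps | ConvertTo-SecretExpiryHtmlRow
```

To use it with live data, pass the `$apps` collection from the script above instead of `$sampleApps` and append the resulting rows to `$html`, adding a fourth `<th>` for the status column.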
