Monitor Azure App registration secret / certificate expiry with PowerShell

I came across a need to know when certificates and secrets are about to expire on Azure app registrations, but there was no native way for me to do this, except to scroll down the application registration list and look for “Expiring soon”, and that didn’t really do it for me.
So, I decided to look for a way to get notified a number of days before a secret or a certificate expires, using PowerShell. I ended up writing this script and running it in an Automation Account in Azure, but you can run it anywhere you have the Microsoft Graph PowerShell module installed.

Before reading further you should be familiar with how Azure application registration works. I will not go into detail about what an Azure app reg. is or what secrets and certificates are used for in one.

Pre-requisites:

  • PowerShell 5.1+
  • Microsoft Graph PowerShell module

Script
The script loops through all app registrations in your Azure AD tenant and checks whether a secret or a certificate will expire within 30 days or has already expired. Each hit is added to a list, and when the loop is done the script sends an email to the persons (or group) of your choosing. The mail contains the following information:

  • Display name of the app reg.
  • The owner(s)
  • Name of the secret or certificate
  • Expiry date
  • Link to the app reg. in Azure

This information makes it easier for the recipients of the email to quickly identify the affected app registration and act accordingly.

To get started with the script you need an app reg. for authentication and API permissions. If you need help setting that up, read more here: https://www.christianfrohn.dk/2022/04/23/connect-to-microsoft-graph-with-powershell-using-a-certificate-and-an-azure-service-principal/

You need to add the following (application) permissions to your app reg. in order to read information about all app registrations in Azure and to send an email containing that information:

  • Application.Read.All
  • User.Read.All
  • Mail.Send

The next and last part is a bit easier: type in the email address of the sender (this needs to be a real mailbox; hint: use a shared mailbox) and the recipients, and, if you like, change the text colours in the email using HEX codes. Note that Mail.Send as an application permission lets the app reg. send from any mailbox in the tenant, so consider restricting it to the shared mailbox with an Exchange Online application access policy.
It’s entirely up to you how often you want to run it on a schedule.
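The flow described above (loop over app registrations, collect secrets and certificates that are expired or expiring within 30 days, look up owners, mail an HTML report via Graph), written out as an added example; this is not the post's own script. It assumes certificate-based authentication with the app reg. and permissions from this post; the tenant/client/thumbprint values, the mailbox addresses and the portal deep-link format are placeholders and assumptions.

```powershell
# Added example (not the post's script): report app-registration credentials
# that are expired or expire within a threshold, then email the list via Graph.
# Assumes the Microsoft Graph PowerShell module and an app reg. holding
# Application.Read.All, User.Read.All and Mail.Send. Replace placeholders.
$TenantId   = '<tenant-id>'
$ClientId   = '<client-id>'
$Thumbprint = '<certificate-thumbprint>'
$Sender     = 'appreg-monitor@contoso.example'   # shared mailbox (constructed)
$Recipients = @('cloudops@contoso.example')      # constructed
$Threshold  = (Get-Date).AddDays(30)

Connect-MgGraph -TenantId $TenantId -ClientId $ClientId -CertificateThumbprint $Thumbprint

$findings = foreach ($app in Get-MgApplication -All) {
    # Secrets and certificates both expose EndDateTime; tag each with its kind.
    $creds = @($app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret'; Name = $_.DisplayName; End = $_.EndDateTime } }) +
             @($app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Name = $_.DisplayName; End = $_.EndDateTime } })
    foreach ($c in $creds | Where-Object { $_.End -and $_.End -le $Threshold }) {
        # Owners are resolved only for hits; an app reg. without owners is flagged.
        $owners = (Get-MgApplicationOwner -ApplicationId $app.Id |
                   ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
                   Where-Object { $_ }) -join ', '
        $ownerText = if ($owners) { $owners } else { 'NO OWNER' }
        $credName  = if ($c.Name) { $c.Name } else { '(unnamed)' }
        $status    = if ($c.End -lt (Get-Date)) { 'EXPIRED' } else { 'Expiring' }
        [pscustomobject]@{
            App     = $app.DisplayName
            Owners  = $ownerText
            Kind    = $c.Kind
            Name    = $credName
            Expires = $c.End.ToString('yyyy-MM-dd')
            Status  = $status
            # Portal deep-link format is an assumption; adjust if your portal differs.
            Link    = "https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Credentials/appId/$($app.AppId)"
        }
    }
}

if (-not $findings) { Write-Output 'No credentials expired or expiring within threshold.'; return }

# Plain HTML table; the Status cell is coloured (HEX) so expired rows stand out.
$rows = foreach ($f in $findings) {
    $color = if ($f.Status -eq 'EXPIRED') { '#C00000' } else { '#E69500' }
    "<tr><td><a href='$($f.Link)'>$($f.App)</a></td><td>$($f.Owners)</td><td>$($f.Kind): $($f.Name)</td><td>$($f.Expires)</td><td style='color:$color'>$($f.Status)</td></tr>"
}
$html = "<table border='1'><tr><th>App registration</th><th>Owners</th><th>Credential</th><th>Expiry</th><th>Status</th></tr>$($rows -join '')</table>"

$message = @{
    Subject      = "App registration credentials expiring before $($Threshold.ToString('yyyy-MM-dd'))"
    Body         = @{ ContentType = 'HTML'; Content = $html }
    ToRecipients = @($Recipients | ForEach-Object { @{ EmailAddress = @{ Address = $_ } } })
}
Send-MgUserMail -UserId $Sender -BodyParameter @{ Message = $message; SaveToSentItems = $false }
```

Run it on a schedule (for example from an Automation Account runbook) and the mail only goes out when at least one credential matches.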

[Image: a sample of the email containing the information described above.]

Happy cleaning!