
You need a quick way to list all Entra ID app registration certificates and secrets together with their expiration dates. If a certificate or secret is not renewed before that date, the application that authenticates with it stops working, so it is important not to let app registration credentials expire. In this article, you will learn how to export Entra ID app registrations with their certificate and client secret expiry dates to a report using Microsoft Graph PowerShell.


Step 1. Prepare Get-AppCertSecStatus PowerShell script

Create two folders on the (C:) drive:

  • Temp
  • Scripts

Download the Get-AppCertSecStatus.ps1 PowerShell script and place it in C:\scripts folder. The script will export the CSV file to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script.

Another option is to copy and paste the below code into Notepad. Give it the name Get-AppCertSecStatus.ps1 and place it in the C:\scripts folder.

<#
    .SYNOPSIS
    Get-AppCertSecStatus.ps1

    .DESCRIPTION
    Export Entra ID app registrations certificates and secrets expiration date.

    .LINK
    www.traceroute.net/export-entra-id-app-registrations-certificates-secrets/

    .NOTES
    Written by: ALI TAJRAN
    Website:    www.traceroute.net
    LinkedIn:   linkedin.com/in/traceroute

    .CHANGELOG
    V1.00, 01/14/2024 - Initial version
#>

# CSV file path to export
$CsvPath = "C:\temp\AppRegistrationsReport.csv"

# Connect to MgGraph with necessary scopes
Connect-MgGraph "Directory.Read.All", "Application.Read.All"

# Create an array
$Results = @()

# Get properties
$Properties = @(
    'AppId',
    'DisplayName',
    'PasswordCredentials',
    'KeyCredentials',
    'Id',
    'SignInAudience',
    'CreatedDateTime'
)

# Get Applications
$Apps = Get-MgApplication -All -Property $Properties | Select-Object $Properties

foreach ($App in $Apps) {

    # Get Owner information
    $Owner = Get-MgApplicationOwner -All -ApplicationId $App.Id
    $Username = if ($Owner) { $Owner.AdditionalProperties.userPrincipalName -join ';' } else { "N/A" }
    $OwnerID = if ($Owner) { $Owner.Id -join ';' } else { "N/A" }

    # Check application for client secret
    if ($null -ne $App.PasswordCredentials) {

        foreach ($Creds in $App.PasswordCredentials) {

            # Calculate days left until expiration
            $DaysLeft = ($Creds.EndDateTime - (Get-Date)).Days

            # Create custom object for client secret results
            $AppObject = [PSCustomObject]@{
                ApplicationName = $App.DisplayName
                CredentialName  = $Creds.DisplayName
                SignInType      = $App.SignInAudience
                CreatedDateTime = $App.CreatedDateTime
                StartDateTime   = $Creds.StartDateTime
                EndDateTime     = $Creds.EndDateTime
                ExpireStatus    = if ($Creds.EndDateTime -lt (Get-Date)) { "Expired" } else { "Not expired" }
                AuthType        = "Client_Secret"
                DaysLeft        = $DaysLeft
                Owner           = $Username
                OwnerID         = $OwnerID
            }

            # Output results to array
            $Results += $AppObject
        }
    }

    # Check application for certificate
    if ($null -ne $App.KeyCredentials) {

        foreach ($Cert in $App.KeyCredentials) {

            # Calculate days left until expiration
            $DaysLeft = ($Cert.EndDateTime - (Get-Date)).Days

            # Create custom object for certificate results
            $AppObject = [PSCustomObject]@{
                ApplicationName = $App.DisplayName
                CredentialName  = $Cert.DisplayName
                SignInType      = $App.SignInAudience
                CreatedDateTime = $App.CreatedDateTime
                StartDateTime   = $Cert.StartDateTime
                EndDateTime     = $Cert.EndDateTime
                ExpireStatus    = if ($Cert.EndDateTime -lt (Get-Date)) { "Expired" } else { "Not expired" }
                AuthType        = "Certificate"
                DaysLeft        = $DaysLeft
                Owner           = $Username
                OwnerID         = $OwnerID
            }

            # Output results to array
            $Results += $AppObject
        }
    }
}

# Sort the results based on DaysLeft
$Results = $Results | Sort-Object -Property DaysLeft

# Export to CSV file
$Results | Export-Csv $CsvPath -Encoding utf8 -NoTypeInformation

# Out-GridView
$Results | Out-GridView -Title "Microsoft Entra ID app registrations report"

  • Line 21: Edit the CSV file path

Step 2. Install Microsoft Graph PowerShell

Run Windows PowerShell as administrator and install Microsoft Graph PowerShell.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install both the Microsoft Graph PowerShell and the Microsoft Graph Beta PowerShell modules, because some cmdlets are only available in the Beta module and will not work without it. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 3. Run Get-AppCertSecStatus PowerShell script

Get all the Entra ID app registrations certificates and secrets expiry dates, including their status, with PowerShell.

Run the command below to start the Get-AppCertSecStatus.ps1 script.

c:\scripts\.\Get-AppCertSecStatus.ps1

An Out-GridView will show all the information you need.

(Screenshot: Out-GridView showing the app registrations certificates and client secrets report)

Step 4. Open Entra ID app registrations report

The Get-AppCertSecStatus.ps1 PowerShell script exports all app registrations with their certificate and client secret expiration status to a CSV file.

Find the file AppRegistrationsReport.csv in the path C:\temp.

(Screenshot: CSV file exported to the temp folder)

Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.

(Screenshot: Microsoft Excel showing the app registrations certificates and client secrets report)

The Entra ID app registrations certificates and client secrets expiry report looks great.
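To act on the report rather than only read it, here is an added example (not part of the original script) that imports the exported CSV and flags credentials that are already expired, credentials expiring within a warning window, and credentials on apps without an owner; the report path and the 30-day threshold are assumptions you can change.

```powershell
# Added example: triage the CSV produced by Get-AppCertSecStatus.ps1.
# Assumed values: report path and warning window (adjust to your environment).
$ReportPath = "C:\temp\AppRegistrationsReport.csv"
$WarnDays   = 30

# Column names (ExpireStatus, DaysLeft, Owner, AuthType, ...) come from the script above.
$Report = Import-Csv -Path $ReportPath

# Expired credentials still attached to an app registration: remove them once
# confirmed unused so they are not mistaken for valid ones during the next review.
$Expired = $Report | Where-Object { $_.ExpireStatus -eq "Expired" }

# Credentials that expire inside the warning window: renew before the app breaks.
# DaysLeft is a string after Import-Csv, so cast it before comparing.
$ExpiringSoon = $Report | Where-Object {
    $_.ExpireStatus -eq "Not expired" -and [int]$_.DaysLeft -le $WarnDays
}

# Credentials on apps with no owner: nobody receives the renewal reminder,
# so assign an owner before the next expiry.
$NoOwner = $Report | Where-Object { $_.Owner -eq "N/A" }

$Summary = "{0} expired, {1} expiring within {2} days, {3} on apps without an owner" -f @($Expired).Count, @($ExpiringSoon).Count, $WarnDays, @($NoOwner).Count
Write-Output $Summary

# Renewal worklist, soonest expiry first
$ExpiringSoon | Sort-Object { [int]$_.DaysLeft } |
    Select-Object ApplicationName, CredentialName, AuthType, DaysLeft, EndDateTime, Owner |
    Format-Table -AutoSize
```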
