Applications: Certificate or Secret Expiry Status
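Report the expiry status of the certificates and client secrets held by application registrations. Each credential is marked Expired, Expires Soon (expiring within one month), or Current.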
PowerShell
Connect-MgGraph -Scopes @('Application.Read.All')

$params = @{
    'All'      = $true
    'PageSize' = 999
    # Request only the properties the report uses.
    'Select'   = @('DisplayName', 'AppId', 'KeyCredentials', 'PasswordCredentials')
}

$applications = Get-MgApplication @params `
| Where-Object { $_.KeyCredentials -ne $null -or $_.PasswordCredentials -ne $null }

$appCredentials = @()

foreach ($application in $applications) {
    # Certificates (KeyCredentials)
    foreach ($certificate in $application.KeyCredentials) {
        $expiry = $certificate.EndDateTime.ToLocalTime()
        $dateSoon = (Get-Date).AddMonths(1)
        $expiryStatus = $null

        if ($expiry -gt (Get-Date) -and $expiry -lt $dateSoon) {
            $expiryStatus = 'Expires Soon'
        }
        elseif ($expiry -lt (Get-Date)) {
            $expiryStatus = 'Expired'
        }
        else {
            $expiryStatus = 'Current'
        }

        # Tag the credential with its status and owning application.
        $certificate | Add-Member 'ExpiryStatus' $expiryStatus
        $certificate | Add-Member 'AppDisplayName' $application.DisplayName
        $certificate | Add-Member 'AppId' $application.AppId
        $certificate | Add-Member 'Kind' 'Certificate'

        $appCredentials += $certificate
    }

    # Client secrets (PasswordCredentials)
    foreach ($secret in $application.PasswordCredentials) {
        $expiry = $secret.EndDateTime.ToLocalTime()
        $dateSoon = (Get-Date).AddMonths(1)
        $expiryStatus = $null

        if ($expiry -gt (Get-Date) -and $expiry -lt $dateSoon) {
            $expiryStatus = 'Expires Soon'
        }
        elseif ($expiry -lt (Get-Date)) {
            $expiryStatus = 'Expired'
        }
        else {
            $expiryStatus = 'Current'
        }

        $secret | Add-Member 'ExpiryStatus' $expiryStatus
        $secret | Add-Member 'AppDisplayName' $application.DisplayName
        $secret | Add-Member 'AppId' $application.AppId
        $secret | Add-Member 'Kind' 'Client Secret'

        $appCredentials += $secret
    }
}

$appCredentials | Sort-Object EndDateTime `
| Select-Object AppDisplayName, AppId, KeyId, Kind, ExpiryStatus,
@{
    Name       = 'ExpiryDateTime';
    Expression = { $_.EndDateTime.ToLocalTime(); }
} `
| Format-List
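
The same classification as a reusable function, as an added example that is not part of the original page. It goes beyond the script above by taking the warning window and the clock as parameters (-WarningDays and -Now, names assumed here), comparing in UTC, and reporting a missing end date as 'Unknown' (a label assumed here) instead of failing; the sample application object is constructed so the block runs without a tenant.

```powershell
# Added example (not the page's code). Get-AppCredentialExpiry, -WarningDays,
# -Now and the 'Unknown' status are names assumed for this illustration.
function Get-AppCredentialExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Application,  # shaped like Get-MgApplication output
        [int] $WarningDays = 30,                                          # assumed default window
        [datetime] $Now = [datetime]::UtcNow                              # injectable clock (UTC)
    )
    process {
        $byKind = [ordered]@{
            'Certificate'   = $Application.KeyCredentials
            'Client Secret' = $Application.PasswordCredentials
        }
        foreach ($kind in $byKind.Keys) {
            foreach ($cred in $byKind[$kind]) {
                $end = $cred.EndDateTime
                if ($null -eq $end) { $status = 'Unknown'; $days = $null }  # no end date: report it, do not throw
                else {
                    $end  = ([datetime]$end).ToUniversalTime()              # compare in UTC
                    $days = [math]::Floor(($end - $Now).TotalDays)
                    if ($end -le $Now) { $status = 'Expired' }
                    elseif ($end -lt $Now.AddDays($WarningDays)) { $status = 'Expires Soon' }
                    else { $status = 'Current' }
                }
                [pscustomobject]@{
                    AppDisplayName = $Application.DisplayName
                    AppId          = $Application.AppId
                    KeyId          = $cred.KeyId
                    Kind           = $kind
                    ExpiryStatus   = $status
                    DaysRemaining  = $days
                }
            }
        }
    }
}

# Constructed sample input: one expired certificate, one secret expiring soon, one with no end date.
$clock  = [datetime]::UtcNow
$sample = [pscustomobject]@{
    DisplayName         = 'example-app (constructed)'; AppId = '00000000-0000-0000-0000-000000000000'
    KeyCredentials      = @([pscustomobject]@{ KeyId = 'cert-1'; EndDateTime = $clock.AddDays(-3) })
    PasswordCredentials = @([pscustomobject]@{ KeyId = 'secret-1'; EndDateTime = $clock.AddDays(10) },
                            [pscustomobject]@{ KeyId = 'secret-2'; EndDateTime = $null })
}
$report = $sample | Get-AppCredentialExpiry -Now $clock
$report | Format-Table
```

Against a tenant, the output of Get-MgApplication from the script above can be piped to the function in place of $sample.
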
Dependencies

Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force

Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')

Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params