Enterprise Applications: With SAML Expiry Status
Finding SAML application token signing key expiry dates.
Note: Requires Microsoft.Graph.Beta for the ‘preferredTokenSigningKeyEndDateTime’ attribute.
PowerShell
# Read-only application scope is sufficient to enumerate service principals.
Connect-MgGraph -Scopes @('Application.Read.All')

# Enabled principals whose signing key end date is set and later than the cut-off.
$filter = 'accountEnabled eq true and '
$filter += 'preferredTokenSigningKeyEndDateTime ge 2021-01-02T12:00:00Z'

$params = @{
    'All'      = $true;
    'Filter'   = $filter;
    'PageSize' = 999;
    'Select'   = 'preferredTokenSigningKeyEndDateTime,appDisplayName,id'
}
# Beta cmdlet: the preferredTokenSigningKeyEndDateTime attribute is only returned by the beta endpoint.
$samlPrincipals = Get-MgBetaServicePrincipal @params

$samlPrincipals = $samlPrincipals | Sort-Object PreferredTokenSigningKeyEndDateTime `
    | Select-Object AppDisplayName,
        @{
            Name       = 'PrincipalId';
            Expression = { $_.Id; }
        },
        @{
            Name       = 'Kind';
            Expression = { 'SAML Token Signing'; }
        },
        @{
            Name       = 'Expiry Date Time';
            Expression = { $_.PreferredTokenSigningKeyEndDateTime.ToLocalTime(); }
        },
        @{
            Name       = 'Expiry Status';
            Expression = {
                $expiry   = $_.PreferredTokenSigningKeyEndDateTime.ToLocalTime()
                $dateSoon = (Get-Date).AddMonths(1)
                # Key still valid but ends within the next month.
                if ($expiry -gt (Get-Date) -and $expiry -lt $dateSoon) {
                    'Expires Soon'
                }
                # Key end date already passed: SAML sign-ins to this app will fail.
                elseif ($expiry -lt (Get-Date)) {
                    'Expired'
                }
                else {
                    'Current'
                }
            }
        }
$samlPrincipals | Format-List
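The same expiry classification as a reusable function that runs offline against constructed sample objects, so the threshold logic can be checked before pointing it at a tenant. This is an added example, not code from the original page; the function name Get-SamlKeyExpiryStatus, the -WarnWithinDays and -Now parameters, and the sample principals are all assumptions of this example. It goes beyond the page's snippet by tolerating a missing end date and reporting days remaining.

```powershell
# Added example (not from the original page). Classifies SAML token-signing key expiry
# for objects shaped like Get-MgBetaServicePrincipal output. Parameter names are assumptions.
function Get-SamlKeyExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $ServicePrincipal,
        [int] $WarnWithinDays = 30,          # window for 'Expires Soon'
        [datetime] $Now = (Get-Date)         # injectable clock for offline testing
    )
    process {
        $expiry = $ServicePrincipal.PreferredTokenSigningKeyEndDateTime
        # Unlike the page's filter, a principal with no end date is reported rather than dropped.
        $status = if ($null -eq $expiry) { 'No Signing Key Date' }
                  elseif ($expiry -lt $Now) { 'Expired' }
                  elseif ($expiry -lt $Now.AddDays($WarnWithinDays)) { 'Expires Soon' }
                  else { 'Current' }
        [pscustomobject]@{
            AppDisplayName = $ServicePrincipal.AppDisplayName
            PrincipalId    = $ServicePrincipal.Id
            Kind           = 'SAML Token Signing'
            ExpiryDateTime = if ($expiry) { $expiry.ToLocalTime() } else { $null }
            DaysRemaining  = if ($expiry) { [int][math]::Floor(($expiry - $Now).TotalDays) } else { $null }
            ExpiryStatus   = $status
        }
    }
}

# Constructed sample principals standing in for Get-MgBetaServicePrincipal results.
$now = [datetime]'2024-06-01T00:00:00Z'
$sample = @(
    [pscustomobject]@{ AppDisplayName = 'HR Portal';   Id = '00000000-0000-0000-0000-000000000001'
                       PreferredTokenSigningKeyEndDateTime = [datetime]'2024-06-15T00:00:00Z' }   # Expires Soon
    [pscustomobject]@{ AppDisplayName = 'Legacy CRM';  Id = '00000000-0000-0000-0000-000000000002'
                       PreferredTokenSigningKeyEndDateTime = [datetime]'2024-05-20T00:00:00Z' }   # Expired
    [pscustomobject]@{ AppDisplayName = 'Ticketing';   Id = '00000000-0000-0000-0000-000000000003'
                       PreferredTokenSigningKeyEndDateTime = [datetime]'2027-01-01T00:00:00Z' }   # Current
    [pscustomobject]@{ AppDisplayName = 'No Key App';  Id = '00000000-0000-0000-0000-000000000004'
                       PreferredTokenSigningKeyEndDateTime = $null }                              # No date
)

$report = $sample | Get-SamlKeyExpiryStatus -Now $now -WarnWithinDays 30
$report | Sort-Object ExpiryDateTime | Format-Table -AutoSize

# Surface only the principals that need action.
$report | Where-Object { $_.ExpiryStatus -in 'Expired', 'Expires Soon' } |
    ForEach-Object { Write-Warning "$($_.AppDisplayName): $($_.ExpiryStatus) ($($_.DaysRemaining) days)" }
```

To use it against a tenant, pipe the output of the page's Get-MgBetaServicePrincipal call into Get-SamlKeyExpiryStatus instead of the constructed $sample array.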
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params