
I recently had an issue that turned out to be caused by an expired service principal credential. I would like to have a simple way to get a list of all the expiration dates/expired SP credentials to avoid this problem in the future. I've been looking at the OData and JMESPath documentation, but I keep getting errors.
Currently I can run this command in AZ CLI:

az ad sp list --all --query "[*].[appId]" -o tsv | xargs -I 1 az ad sp credential list --id 1 --query "[].endDate" > end.txt

This generates a JSON array of all the endDates; however, it does not save the appId that corresponds to each endDate, and for service principals that do not have any credentials an error message like this is printed in the terminal:

ERROR: Can't find associated application id from '00000000-0000-0000-0000-000000000000'

There are 2 things I would like to solve.
1: To avoid the ERROR messages described above by only getting the appIds that have oauth2Permissions. I've tried adding an any() filter to achieve this:

az ad sp list --all --filter "oauth2permissions/any()" --query "[*].[appId]" -o tsv | xargs -I 1 az ad sp credential list --id 1 --query "[].endDate" > end.txt

But this and other variations I've tried all cause errors or report "Collection open properties are not supported in this release". What is the correct/best way of doing this?

2: To make use of the output end dates I would like the endDate to be accompanied by some information about the SP, at least the appId. So rather than just having a list element like ["2021-05-27T15:39:26.667907+00:00"] I would like the elements to be dictionaries similar to:

[
  {
    "appId": "00000000-0000-0000-0000-000000000000",
    "endDate": "2021-05-27T15:39:26.667907+00:00"
  }
]

This would be simple if the credential itself had the appId field but it does not. How can I add information to the output?

Alternatively to addressing these 2 issues separately, is there a different tool/solution that will provide a similar final output in a single command?

Hemanth Kumar
Kajsa

2 Answers


Microsoft recently released some PS scripts that can assist in finding expired creds/certs. Link as follows: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/app-management-powershell-samples

user628016

I recently had an issue that turned out to be caused by an expired service principal credential.

I had a similar problem a few days ago and solved it in a different way, but very similar to the solution you were trying to achieve (I think).

To fix the two issues you described, I ended up with this (not the most elegant, but has been working fine):

az ad sp list --all --output tsv \
  --query "[? publisherName=='<COMPANY_DOMAIN>' && oauth2Permissions[0]!=null].[appId]" \
  | xargs -I 1 bash -c "eval az ad sp credential list \
    --id 1 --output json --query "[].\{endDate:endDate\}" \
    | jq '. | select(. | . != []) | .[] += {\"appId\": \"1\"}'"

  1. The [? publisherName=='<COMPANY_DOMAIN>' && oauth2Permissions[0]!=null] filter should work around the "can't find associated application id" and "collection open properties are not supported in this release" errors.
  2. The += {\"appId\": \"1\"} will append the appId to the list, replacing that 1 (from xargs) with the correct value.

I hope this helps.

  • Interesting. But my `az ad sp list --all` results do not have any mention of either `publisherName` or `oauth2Permissions` so adding that query just gives an empty input to the xargs command. – Kajsa Aug 15 '22 at 15:47
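An added example, not code from the question or either answer, that addresses both of the asker's points without a per-SP `az ad sp credential list` loop: it reads the JSON of a single `az ad sp list --all -o json` (or `az ad app list --all -o json`) call and walks the `passwordCredentials` and `keyCredentials` arrays embedded in each object, so every expiry row carries the owning `appId` and `displayName`, and objects with no credentials simply produce no rows instead of an error. The field names it relies on are assumptions about the CLI output: `appId`, `displayName`, `passwordCredentials`, `keyCredentials`, and per credential `keyId` plus either `endDate` (older AAD Graph based CLI, as in the question) or `endDateTime` (Microsoft Graph based CLI). The `SAMPLE` data is constructed with placeholder GUIDs so the script runs offline; pass `sp` or `app` on the command line to query a logged-in `az` instead.

```python
"""Service principal / application credential expiry with the owning appId.

Added example (not from the question or answers). Post-processes the JSON that
`az ad sp list --all -o json` or `az ad app list --all -o json` prints. Field
names below are assumptions about that output, see the module constants.
"""
import json
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

END_KEYS = ("endDateTime", "endDate")   # assumed: name differs between CLI generations
CRED_KEYS = {"passwordCredentials": "password", "keyCredentials": "certificate"}
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})?$")
FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)


def parse_end(value):
    """Parse an ISO-8601 timestamp into an aware UTC datetime.

    Graph may emit a trailing 'Z' and seven fractional digits, which
    datetime.fromisoformat rejects before Python 3.11, so normalise first.
    """
    m = _TS.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    frac = (frac or "0")[:6].ljust(6, "0")
    tz = "+00:00" if tz in (None, "Z") else tz
    return datetime.fromisoformat(f"{base}.{frac}{tz}").astimezone(timezone.utc)


def flatten_credentials(objects):
    """One row per credential, tagged with the owning object's appId/displayName.

    Objects whose credential arrays are empty (e.g. managed identities) yield
    nothing, which replaces the failing per-SP lookup from the question.
    """
    rows = []
    for obj in objects:
        for key, kind in CRED_KEYS.items():
            for cred in obj.get(key) or []:
                end = next((cred[k] for k in END_KEYS if cred.get(k)), None)
                rows.append({
                    "appId": obj.get("appId"),
                    "displayName": obj.get("displayName"),
                    "type": kind,
                    "keyId": cred.get("keyId"),
                    "endDate": parse_end(end) if end else None,
                })
    return sorted(rows, key=lambda r: r["endDate"] or FAR_FUTURE)


def classify(rows, now=None, warn_days=30):
    """Bucket rows into expired / expiring (within warn_days) / ok / unknown."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    buckets = {"expired": [], "expiring": [], "ok": [], "unknown": []}
    for r in rows:
        end = r["endDate"]
        if end is None:
            buckets["unknown"].append(r)
        elif end <= now:
            buckets["expired"].append(r)
        elif end <= horizon:
            buckets["expiring"].append(r)
        else:
            buckets["ok"].append(r)
    return buckets


def load_from_az(kind="sp"):
    """Run `az ad <sp|app> list --all` once and parse its JSON (needs a logged-in az)."""
    cmd = ["az", "ad", kind, "list", "--all", "--output", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


# Constructed sample in the assumed shape of `az ad sp list` output; placeholder GUIDs.
SAMPLE = [
    {"appId": "00000000-0000-0000-0000-000000000001", "displayName": "ci-deploy",
     "passwordCredentials": [{"keyId": "k1", "endDate": "2021-05-27T15:39:26.667907+00:00"}],
     "keyCredentials": []},
    {"appId": "00000000-0000-0000-0000-000000000002", "displayName": "backup-job",
     "passwordCredentials": [{"keyId": "k2", "endDateTime": "2022-09-10T00:00:00Z"}],
     "keyCredentials": [{"keyId": "k3", "endDateTime": "2023-01-01T00:00:00.1234567Z"}]},
    {"appId": "00000000-0000-0000-0000-000000000003", "displayName": "managed-identity",
     "passwordCredentials": [], "keyCredentials": []},   # no credentials: no row, no error
]


def report(buckets):
    """Print one line per credential, worst bucket first."""
    for name in ("expired", "expiring", "ok", "unknown"):
        for r in buckets[name]:
            end = r["endDate"].isoformat() if r["endDate"] else "n/a"
            print(f"{name:9} {r['appId']} {r['type']:11} {end}  {r['displayName']}")


if __name__ == "__main__":
    objects = load_from_az(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    report(classify(flatten_credentials(objects)))
```

Run with no arguments to see the constructed sample classified; run as `python sp_expiry.py sp` or `python sp_expiry.py app` against a tenant. Which object actually holds a given credential depends on how it was created, so checking both collections is the safe default; the 30-day warning window is the place to hook this into a scheduled job that alerts before the next outage.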