My customer is building a ton of applications using Azure AD as the IdP for their tenant. Managing at scale is going to be a challenge for them, as they have different keys expiring at different times.
How can they monitor the keys that are being generated at scale?

Note: My initial thought was to pull the data via Graph and put into a monitoring tool like Splunk/PowerBi – but couldn’t locate the graph information via https://graphexplorer.azurewebsites.net/#. Is this exposed via aad.portal.azure.com from a list view by date?

Chad Hasbrook

1 Answer

One option would be to use Graph API (https://graph.windows.net/myorganization/applications) to query the applications entity and then read the keyCredentials (certificates) and passwordCredentials (secrets) attributes.

Another option would be to use PowerShell:

    # Requires the AzureAD module and an existing session (Connect-AzureAD).
    # -All $true is needed at scale: without it the cmdlet returns only the first page of results.
    $apps = Get-AzureADApplication -All $true
    foreach ($app in $apps)
    {
        # Client secrets
        foreach ($pw in $app.PasswordCredentials)
        {
            Write-Output "$($app.DisplayName),$($pw.EndDate)"
        }
        # Certificates
        foreach ($ky in $app.KeyCredentials)
        {
            Write-Output "$($app.DisplayName),$($ky.EndDate)"
        }
    }

In either case take into account that not only applications can have secrets/certificates configured, but also service principals.

andresm53
  • Thanks andresm53. This is exactly what I was looking for. I figured this would be under keycredentials but the keys created for the apps are under passwordcredentials. The naming convention confused me. – Chad Hasbrook May 31 '17 at 00:07
  • @ChadHasbrook If you want Azure to support this feature you can vote the feedback at [this link](https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/9392007-need-email-alert-option-when-keys-are-about-to-exp). – Fei Xue May 31 '17 at 02:01
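Building on the answer above, here is an added example (my own code, not from the answer or from Microsoft) that turns the one-liner into a report suitable for feeding Splunk or Power BI. It walks both app registrations and service principals, as the answer notes is necessary, flags expired and soon-to-expire credentials, and writes a CSV. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has already been run; the function name ConvertTo-CredentialRows, the 30-day threshold and the output path are my own choices.

```powershell
# Added example: expiry report for Azure AD application and service principal credentials.
# Assumes the AzureAD module and an active Connect-AzureAD session.
param(
    [int]$WarnDays = 30,                                  # flag anything expiring within this many days
    [string]$OutFile = ".\aad-credential-expiry.csv"      # constructed output path
)

# Hypothetical helper: flatten one object's secrets and certificates into report rows.
function ConvertTo-CredentialRows {
    param($Object, [string]$ObjectType, [int]$WarnDays, [datetime]$Now)

    # Secrets live in PasswordCredentials, certificates in KeyCredentials (the naming that confused the asker).
    $credSets = @(
        @{ Kind = 'Secret';      Items = $Object.PasswordCredentials },
        @{ Kind = 'Certificate'; Items = $Object.KeyCredentials }
    )

    foreach ($set in $credSets) {
        foreach ($cred in @($set.Items)) {
            if ($null -eq $cred.EndDate) { continue }     # defensive: no expiry recorded
            $end      = ([datetime]$cred.EndDate).ToUniversalTime()
            $daysLeft = [math]::Floor(($end - $Now).TotalDays)

            if ($daysLeft -lt 0)              { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays)  { $status = 'ExpiringSoon' }
            else                              { $status = 'OK' }

            [pscustomobject]@{
                ObjectType  = $ObjectType
                DisplayName = $Object.DisplayName
                ObjectId    = $Object.ObjectId
                Kind        = $set.Kind
                KeyId       = $cred.KeyId
                EndDate     = $end
                DaysLeft    = $daysLeft
                Status      = $status
            }
        }
    }
}

$now    = (Get-Date).ToUniversalTime()
$report = @()

# -All $true avoids the default first-page-only result set on large tenants.
foreach ($app in Get-AzureADApplication -All $true) {
    $report += ConvertTo-CredentialRows -Object $app -ObjectType 'Application' -WarnDays $WarnDays -Now $now
}
foreach ($sp in Get-AzureADServicePrincipal -All $true) {
    $report += ConvertTo-CredentialRows -Object $sp -ObjectType 'ServicePrincipal' -WarnDays $WarnDays -Now $now
}

# Full inventory for the monitoring tool, soonest expiry first.
$report | Sort-Object DaysLeft | Export-Csv -Path $OutFile -NoTypeInformation

# Quick console view of what needs attention now.
$report | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table ObjectType, DisplayName, Kind, EndDate, DaysLeft, Status -AutoSize
```

Run it on a schedule and ingest the CSV; the Status column gives a ready-made field to alert on, and KeyId lets you correlate a row back to the exact credential in the portal when it is time to rotate.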