@santisq
Last active May 22, 2024 16:59
App Registrations with Secret or Certificate Expiration Date GT 100 Days
# Base report row for one application object.
# Holds only identifying metadata (name, ids, creation time); no credential
# material is copied into this type.
class AppRegistration {
    [string] $DisplayName
    [guid] $AppId
    [guid] $Id
    # Left untyped: stored exactly as it appears in the input hashtable.
    $CreatedDateTime

    # Builds the row from a hashtable describing the application.
    # $app is indexed by the same names as the properties; a missing key
    # yields $null for that property (and a conversion error for the
    # [guid]-typed ones).
    AppRegistration([hashtable] $app) {
        foreach ($field in 'DisplayName', 'AppId', 'Id', 'CreatedDateTime') {
            $this.$field = $app[$field]
        }
    }
}
# Report row for one client secret (passwordCredentials entry) of an application.
# Only the validity window is recorded; the constructor never reads a secret value.
class AppRegistrationWithSecret : AppRegistration {
    [datetime] $SecretStartDate
    [datetime] $SecretEndDate
    # Whole days between start and end of the secret's validity window.
    [int] $SecretValidForDays

    # $app        : hashtable describing the owning application (passed to the base constructor).
    # $secretInfo : hashtable for one secret; 'startDateTime' and 'endDateTime' are read.
    AppRegistrationWithSecret([hashtable] $app, [hashtable] $secretInfo) : base($app) {
        $this.SecretStartDate = $secretInfo['startDateTime']
        $this.SecretEndDate = $secretInfo['endDateTime']

        # Lifetime is measured from issuance, not from "now": a long-lived secret
        # stays flagged even when it is close to expiring.
        $lifetime = $this.SecretEndDate.Subtract($this.SecretStartDate)
        $this.SecretValidForDays = $lifetime.Days
    }
}
# Report row for one certificate (keyCredentials entry) of an application.
# Only the validity window is recorded; no key material is read.
class AppRegistrationWithCertificate : AppRegistration {
    [datetime] $CertificateStartDate
    [datetime] $CertificateEndDate
    # Whole days between start and end of the certificate's validity window.
    [int] $CertificateValidForDays

    # $app      : hashtable describing the owning application (passed to the base constructor).
    # $certInfo : hashtable for one certificate; 'startDateTime' and 'endDateTime' are read.
    AppRegistrationWithCertificate([hashtable] $app, [hashtable] $certInfo) : base($app) {
        $this.CertificateStartDate = $certInfo['startDateTime']
        $this.CertificateEndDate = $certInfo['endDateTime']

        # Lifetime is measured from issuance, not from "now".
        $lifetime = $this.CertificateEndDate.Subtract($this.CertificateStartDate)
        $this.CertificateValidForDays = $lifetime.Days
    }
}
# Properties requested from Graph. Keeping the $select list short limits the
# response to what the report needs.
$select = [string]::Join(',', @(
        'appId'
        'id'
        'displayName'
        'createdDateTime'
        'passwordCredentials'
        'keyCredentials'
        'appRoles'
    ))

# Single quotes keep '$select' literal so it reaches Graph as the OData query option.
# NOTE(review): only application objects are listed here; credentials attached
# directly to service principals are not covered by this endpoint.
$uri = 'v1.0/applications?$select={0}' -f $select

# Reference time for "already expired" checks, in UTC.
$date = [datetime]::UtcNow

# Result buckets, one per worksheet of the final report.
$toCleanUp = [System.Collections.Generic.List[AppRegistration]]::new()
$secretRisk = [System.Collections.Generic.List[AppRegistrationWithSecret]]::new()
$certificateRisk = [System.Collections.Generic.List[AppRegistrationWithCertificate]]::new()
# Walk every page of the applications listing and sort each app into a bucket.
do {
    $page = Invoke-MgGraphRequest GET $uri
    # Absent on the last page, which ends the loop.
    $uri = $page.'@odata.nextLink'

    if ($page.value) {
        foreach ($app in $page.value) {
            $hasCredentials = $app.passwordCredentials -or $app.keyCredentials

            if (-not $hasCredentials) {
                # No secret, no certificate and no app roles: candidate for clean-up.
                # NOTE(review): this is a candidate list only. An app may authenticate
                # without either credential type (for example as a public client),
                # so confirm it is unused before removing it.
                if (-not $app.appRoles) {
                    # The hashtable is converted through the AppRegistration constructor.
                    $toCleanUp.Add([AppRegistration]::new($app))
                }
                continue
            }

            # Credentials that have already expired are skipped; an app whose credentials
            # are all expired therefore appears in none of the three buckets.
            # NOTE(review): the comparison assumes endDateTime arrives as a date value
            # comparable with the UTC reference time; confirm against the Graph response.
            foreach ($secret in $app.passwordCredentials) {
                if (-not ($secret.endDateTime -lt $date)) {
                    $secretRisk.Add([AppRegistrationWithSecret]::new($app, $secret))
                }
            }

            foreach ($key in $app.keyCredentials) {
                if (-not ($key.endDateTime -lt $date)) {
                    $certificateRisk.Add([AppRegistrationWithCertificate]::new($app, $key))
                }
            }
        }
    }
}
while ($uri)
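# Report location: <script folder>/export/<UTC date>/appsReport.xlsx
$path = [System.IO.Path]::Combine($PSScriptRoot, 'export', $date.ToString('yyyy-MM-dd'))
$dir = New-Item $path -ItemType Directory -Force
$pkg = Open-ExcelPackage -Path (Join-Path $dir.FullName appsReport.xlsx) -Create

# Credentials valid for longer than this many days (start to end) are reported.
$maxValidForDays = 100

# Options shared by every Export-Excel call below.
# WorksheetName is deliberately not part of the splat: each call passes it
# explicitly, and Windows PowerShell rejects a parameter supplied both ways.
# The original entry also referenced $name, which is never assigned.
$excelParams = @{
    BoldTopRow   = $true
    TableStyle   = 'Medium11'
    ExcelPackage = $pkg
    PassThru     = $true
}

# -PassThru hands the package back so the next worksheet goes into the same file.
# The exported rows carry names, ids and validity dates only; no secret values.
$excelParams['ExcelPackage'] = $secretRisk |
    Where-Object SecretValidForDays -GT $maxValidForDays |
    Sort-Object SecretValidForDays -Descending |
    Export-Excel -WorksheetName SecretRisk @excelParams

$excelParams['ExcelPackage'] = $certificateRisk |
    Where-Object CertificateValidForDays -GT $maxValidForDays |
    Sort-Object CertificateValidForDays -Descending |
    Export-Excel -WorksheetName CertificateRisk @excelParams

$excelParams['ExcelPackage'] = $toCleanUp |
    Export-Excel -WorksheetName NoSecretNoCertNoAppRoles @excelParams

# Closing the package writes the workbook to disk.
Close-ExcelPackage $excelParams['ExcelPackage']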