```powershell
# Requires Azure AD PowerShell Module
# Prompts user to login using Azure Credentials
Connect-AzureAD

$results = @()
Get-AzureADApplication -All $true | ForEach-Object {
    $app = $_
    # Only the first owner is recorded; an app can have several
    $owner = Get-AzureADApplicationOwner -ObjectId $_.ObjectId -Top 1

    # One row per client secret
    $app.PasswordCredentials | ForEach-Object {
        $results += [PSCustomObject] @{
            CredentialType = "PasswordCredentials"
            DisplayName    = $app.DisplayName
            ExpiryDate     = $_.EndDate
            StartDate      = $_.StartDate
            KeyID          = $_.KeyId
            Type           = 'NA'
            Usage          = 'NA'
            Owners         = $owner.UserPrincipalName
        }
    }

    # One row per certificate
    $app.KeyCredentials | ForEach-Object {
        $results += [PSCustomObject] @{
            CredentialType = "KeyCredentials"
            DisplayName    = $app.DisplayName
            ExpiryDate     = $_.EndDate
            StartDate      = $_.StartDate
            KeyID          = $_.KeyId
            Type           = $_.Type
            Usage          = $_.Usage
            Owners         = $owner.UserPrincipalName
        }
    }
}
$results | Format-Table -AutoSize

# Optionally export to a CSV file
#$results | Export-Csv -Path "AppsInventory.csv" -NoTypeInformation
```
Hello everyone, can someone help me with a PowerShell script that compares the expiry date with the current date, so we can have a list of all of the expired ones?
Try this cmdlet in shell. This gets expired ones and also those that will expire in 60 days. You can change that number.

```shell
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table
```
Great! that helps - thank you!
Thank you @Raka74
I have tried using the same script as above with some modifications to get expired apps:

```powershell
%{
    $results += [PSCustomObject] @{
        CredentialType = "PasswordCredentials"
        DisplayName = $app.DisplayName;
        EndDate = $_.enddate;
```
@svarukala
I get the below error when I run the query you had mentioned:

```text
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'].{"Display Name":appDisplayName,"SP AppId":appId,"Pwd Expiry Date":passwordCredentials[0].endDate, "Key Expiry Date":keyCredentials[0].endDate}" -o table
az ad sp list: error: argument --query: invalid jmespath_type value: "[?passwordCredentials[0].endDate<='2020-10-20'||keyCredentials[0].endDate<='2020-10-20'].{"
usage: az ad sp list [-h] [--verbose] [--debug] [--only-show-errors]
                     [--output {json,jsonc,yaml,yamlc,table,tsv,none}]
                     [--query JMESPATH] [--spn SPN]
                     [--display-name DISPLAY_NAME] [--filter QUERY_FILTER]
                     [--show-mine] [--all]
To learn more about [--query JMESPATH] usage in AzureCLI, visit https://aka.ms/CLIQuery
```
This works in unix shell. Not in PS. To make it work in PS, change the way the dates are created using $(Get-Date).
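The same query rewritten for PowerShell along the lines suggested above, as an added example that is not part of the thread. It assumes Azure CLI is installed and `az login` has been run, targets application objects with `az ad app list` (matching the gist's Get-AzureADApplication), and keeps the credential date field name in a variable because Azure CLI 2.37 and later (Microsoft Graph) expose it as `endDateTime` while older releases used `endDate` as in the one-liner above.

```powershell
# Added example, not code from the gist or the thread: the az CLI query rewritten for PowerShell,
# building the cutoff with Get-Date instead of GNU `date -d`, which PowerShell does not have.
# Assumes Azure CLI is installed and an `az login` session exists.
$days     = 60
$cutoff   = (Get-Date).ToUniversalTime().AddDays($days).ToString('yyyy-MM-dd')  # ISO date: string order == date order
$endField = 'endDateTime'   # Azure CLI >= 2.37 (Microsoft Graph); older releases used 'endDate' as in the thread

# Keys without spaces need no inner double quotes (the error above shows the argument being cut at '.{"'),
# and the nested filters check every credential rather than only index [0].
$query = "[?passwordCredentials[?$endField<='$cutoff'] || keyCredentials[?$endField<='$cutoff']]" +
         ".{Display_Name:displayName, AppId:appId," +
         " Pwd_Expiry:join(', ', passwordCredentials[].$endField)," +
         " Key_Expiry:join(', ', keyCredentials[].$endField)}"

# Application objects, as in the gist; use `az ad sp list --all` instead to inspect service-principal objects.
az ad app list --all --query $query -o table
```

The `<=` comparison on ISO-8601 strings is lexicographic, which is why the date must be formatted as `yyyy-MM-dd`; expired credentials are included because their dates sort before the cutoff.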
@svarukala Is there any method to get the provisioning details via PowerShell for an application?
Example:
1. When did the last provisioning cycle happen?
2. Was steady state achieved or not?
3. Number of errors that occurred during auto provisioning.
Can you elaborate on what you mean by last provisioning cycle? Is it the app creation date that you are talking about?
I am not aware of a 'steady state' property associated with an AAD app.
@svarukala Is it possible to also list the Apps that do not have Key/PasswordCredentials? Thanks
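The date comparison asked for at the top of the thread and the apps without any Key/PasswordCredentials asked about just above, as one added example that is not the gist author's code. It builds on the same Azure AD cmdlets the gist uses and assumes an existing Connect-AzureAD session; the 60-day warning window and the assumption that EndDate values are UTC are mine.

```powershell
# Added example, not the gist author's code: classifies every credential against the current date
# and also reports apps that have no secret or certificate at all.
# Assumes the Azure AD PowerShell module and an existing Connect-AzureAD session.
$warnDays = 60
$nowUtc   = [DateTime]::UtcNow   # EndDate values are assumed to be UTC timestamps

$rows = foreach ($app in (Get-AzureADApplication -All $true)) {
    $owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId -Top 1

    # Normalise both credential lists into one shape so a single loop handles them
    $creds = @()
    foreach ($c in $app.PasswordCredentials) {
        $creds += [PSCustomObject]@{ Type = 'PasswordCredentials'; KeyId = $c.KeyId; EndDate = $c.EndDate }
    }
    foreach ($c in $app.KeyCredentials) {
        $creds += [PSCustomObject]@{ Type = 'KeyCredentials'; KeyId = $c.KeyId; EndDate = $c.EndDate }
    }

    if ($creds.Count -eq 0) {
        # The gist's loops emit nothing for such apps; report them explicitly instead
        [PSCustomObject]@{
            DisplayName = $app.DisplayName; AppId = $app.AppId; CredentialType = 'None'
            KeyId = $null; ExpiryDate = $null; DaysLeft = $null; Status = 'NoCredential'
            Owner = $owner.UserPrincipalName
        }
        continue
    }

    foreach ($c in $creds) {
        # Negative DaysLeft means already expired; a missing EndDate is flagged rather than treated as valid
        $daysLeft = if ($null -ne $c.EndDate) { [math]::Floor(($c.EndDate - $nowUtc).TotalDays) } else { $null }
        $status = if ($null -eq $daysLeft)         { 'Unknown' }
                  elseif ($daysLeft -lt 0)         { 'Expired' }
                  elseif ($daysLeft -le $warnDays) { 'ExpiringSoon' }
                  else                             { 'Valid' }
        [PSCustomObject]@{
            DisplayName = $app.DisplayName; AppId = $app.AppId; CredentialType = $c.Type
            KeyId = $c.KeyId; ExpiryDate = $c.EndDate; DaysLeft = $daysLeft; Status = $status
            Owner = $owner.UserPrincipalName
        }
    }
}

# Everything that needs attention, soonest expiry first; drop the Where-Object for the full inventory
$rows | Where-Object { $_.Status -ne 'Valid' } | Sort-Object ExpiryDate | Format-Table -AutoSize
```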
Hi @svarukala, I was trying to run this script (only part of the code) and it seems the KeyCredentials are not getting any value:

```powershell
# Check service principal expiry dates.
Get-AzureADApplication -All $:true | ForEach-Object {
    $BodyTemplate = @"
{
"channel": "$CHANNELNAME",
"username": "SPN is expired",
"text": "$name is Expired $PassCredExpiry.",
"icon_emoji":":crossed_flags:"
}
"@
    $BodyTemplate2 = @"
{
"channel": "$CHANNELNAME",
"username": "SPN is Almost expired",
"text": "$name Almost Expired $PassCredExpiry.",
"icon_emoji":":crossed_flags:"
}
"@
    $AppID = $.AppId
    $PassCredExpiry = ($).passwordcredentials.enddate
    write-output "Today Date $todaysdate"
    write-output "Future Date $futureCHeck"
    write-output "Checkign KeyCredExpiry date $KeyCredExpiry and PassCredExpiry $PassCredExpiry"
    If($KeyCredExpiry -ne $null)
    {
        write-output "checking $name"
        If ($todaysdate -gt $KeyCredExpiry )
        {
            write-output "$name has expired at $KeyCredExpiry"
            Invoke-RestMethod -uri $SlackChannelUri -Method Post -body $BodyTemplate -ContentType 'application/json'
            $json3+= @([PSCustomObject]@{
                AppDisplayName = $name;
                AppID = $AppID;
                CertificateExpireyDate = $KeyCredExpiry;
                PasswordExpireyDate = $PassCredExpiry;
                Reason = "Expired"
            })
        }
```

When I run this piece I print the values as well with write-output, as you can see, but it seems I am not getting any value for this: `$KeyCredExpiry = ($_).keycredentials.enddate`. Any idea why?
In your script I am seeing ($).keycredentials.enddate instead of $_.keycredentials.enddate. The underscore is missing. Could that be the issue?
@Divyesh85 How about using the script I provided above as is? Is it working in that case?
Since Azure AD PowerShell is being deprecated in favor of Microsoft Graph PowerShell SDK, I created a new MS Graph script that is equivalent to this script. You can find it here:
https://pnp.github.io/script-samples/aad-apps-expired-keys/README.html?tabs=graphps
```shell
//az ad sp list --all
az ad sp list --all --query "[?passwordCredentials[0].endDate<='$(date -d "+60 days" +%Y-%m-%d)'||keyCredentials[0].endDate<='$(date -d "+300 days" +%Y-%m-%d)'].{SP_AppId:appId,PwdExpiryDate:passwordCredentials[0].endDate, Key_Expiry_Date:keyCredentials[0].endDate,Display_Name:displayName,Account_Type: objectType}" -o table
```
Another option that leverages the newer Az.Resources module is available here:
https://gist.github.com/GuyPaddock/c3e0fbb1e3724822c77e35a83160af52