Skip to content

Instantly share code, notes, and snippets.

@torumakabe

torumakabe/README.md

Last active December 7, 2023 10:26
Show Gist options
  • Save torumakabe/779490238f238d0bece355daddb37b05 to your computer and use it in GitHub Desktop.
Save torumakabe/779490238f238d0bece355daddb37b05 to your computer and use it in GitHub Desktop.
Download ZIP
Script to check password and certificate expiration of Azure Service Principal
Raw
README.md

About

Script to check password and certificate expiration of Azure Service Principal.Target is all principal IDs assigned roles to the resources under the subscription set in the Azure CLI.

You can get information about IDs(Azure AD App) that have expired or will expire after a specified days as LTSV like followings.

app_id:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee     app_display_name:yourspname  password_expire:2021-08-29T18:30:00+00:00

Prerequisites & Tested

  • Azure CLI: 2.27.2
  • jq: 1.6
Raw
check.sh
#!/bin/bash
set -eo pipefail
# Threshold number of days for expiration check
DAYS_FOR_EXPIRATION_CHECK=30
IFS=$'\n'
today=$(date +"%s")
tenant_id=$(az account show --query tenantId -o tsv)
# Get all principal IDs assigned roles to the resources under the subscription set in the CLI
# https://docs.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az_role_assignment_list
principal_ids=$(az role assignment list --all --query "[?principalType=='ServicePrincipal'].principalId" -o tsv)
unique_principal_ids=$(echo "$principal_ids" | sort -u)
function check_expire() {
diff=$((($1 - $2)/86400))
if [ $diff -lt $DAYS_FOR_EXPIRATION_CHECK ]; then
echo true
else
echo false
fi
}
for pid in $unique_principal_ids; do
sp=$(az ad sp show --id "$pid" -o json)
app_owner_tenant_id=$(echo "$sp" | jq -r '.appOwnerTenantId')
# Skip if the service principal is not owned by the tenant or Managed ID (appOwnerTenantId: null)
if [[ "$app_owner_tenant_id" != "$tenant_id" ]]; then
continue
fi
app_id=$(echo "$sp" | jq -r '.appId')
app=$(az ad app show --id "$app_id" -o json)
app_name=$(echo "$app" | jq -r '.displayName')
# Check password expiration
len=$(echo "$app" | jq -r '.passwordCredentials' | jq length)
if [[ "$len" -ne 0 ]]; then
for i in $( seq 0 $((len - 1)) ); do
end_date=$(echo "$app" | jq -r .passwordCredentials["$i"].endDate)
end_date_s=$(date -d "$end_date" +"%s")
is_near_expire=$(check_expire "$end_date_s" "$today")
if [[ "$is_near_expire" = 'true' ]]; then
printf "app_id:%s\tapp_display_name:%s\tpassword_expire:%s\n" "$app_id" "$app_name" "$end_date"
fi
done
fi
# Check key(certificate) expiration
len=$(echo "$app" | jq -r '.keyCredentials' | jq length)
if [[ "$len" -ne 0 ]]; then
for i in $( seq 0 $((len - 1)) ); do
end_date=$(echo "$app" | jq -r .keyCredentials["$i"].endDate)
end_date_s=$(date -d "$end_date" +"%s")
is_near_expire=$(check_expire "$end_date_s" "$today")
if [[ "$is_near_expire" = 'true' ]]; then
printf "app_id:%s\tapp_display_name:%s\tkey_expire:%s\n" "$app_id" "$app_name" "$end_date"
fi
done
fi
done
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment