Janne Mattila

From programmer to programmer -- Programming just for the fun of it

Spring cleaning of Entra ID app registrations

Posted on: May 6, 2024

I was browsing through my Entra ID app registrations and noticed something interesting:

If you look closely at the above list, you’ll notice that there is an application which was created already in 2017 and still has a Current secret (vs. Expired). Given that this is one of my development tenants and I know that I don’t have automation in place to rotate secrets, I decided to take a closer look at the situation.

I looked at the application and noticed that it has a secret which is valid until 12/31/2299:

Okay, that’s not good. I started looking at my other apps and noticed that there are actually many of them in the same situation:

And they shared very similar expiration dates for their secrets (notice the naming!):

I decided to write a PowerShell script to scan all my applications and list the ones that have secrets valid for more than 2 years (a threshold that can be overridden with a parameter). Over the years I have written many scripts to scan Entra ID applications, and I decided to use one of them as a base for this script:

I modified the script to scan only applications which have secrets that are valid for more than 2 years:

You can use the script like this:

# Scan all applications with secret valid more than 2 years
.\entra-scan-application-secrets.ps1

# Scan all applications with secret valid more than 5 years
.\entra-scan-application-secrets.ps1 -MaxDaysToFuture (365 * 5)
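Below is an added example of such a scan, written for this post and not the author's own script. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account has the Application.Read.All permission; the -MaxDaysToFuture parameter name follows the usage above, and the Get-MgApplication -All call pages through every app registration in the tenant.

```powershell
Param (
    [Parameter(HelpMessage = "Report secrets that are still valid more than this many days from now")]
    [int] $MaxDaysToFuture = 365 * 2
)

$ErrorActionPreference = "Stop"

# Assumes Microsoft.Graph PowerShell SDK; Application.Read.All is enough to read credentials metadata
# (secret values themselves are never returned by Graph, only their validity window and display name).
Connect-MgGraph -Scopes "Application.Read.All"

$now = Get-Date
$threshold = $now.AddDays($MaxDaysToFuture)
$findings = @()

# -All pages through every application; -Property limits the payload to what the scan needs
$applications = Get-MgApplication -All -Property "Id,AppId,DisplayName,CreatedDateTime,PasswordCredentials"

foreach ($app in $applications) {
    foreach ($secret in $app.PasswordCredentials) {
        # Expired secrets are not the concern here; only current secrets that live too far into the future
        if ($secret.EndDateTime -gt $threshold) {
            $findings += [PSCustomObject]@{
                DisplayName  = $app.DisplayName
                AppId        = $app.AppId
                Created      = $app.CreatedDateTime
                SecretName   = $secret.DisplayName
                SecretStart  = $secret.StartDateTime
                SecretEnd    = $secret.EndDateTime
                DaysToExpiry = [int]($secret.EndDateTime - $now).TotalDays
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No application secrets valid more than $MaxDaysToFuture days into the future."
}
else {
    # Longest-lived secrets first, so the 2299-style entries surface at the top
    $findings | Sort-Object SecretEnd -Descending | Format-Table -AutoSize
}
```

The same loop can be extended to KeyCredentials (certificates) if you also want to catch long-lived certificate credentials, which Graph exposes on the same application object.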

Here is my output:

Now I have to go and fix these applications. Please go and check your applications as well!

I hope you find this useful!