I'm trying to find the best method to remove expired client secrets from all app registrations in Entra ID without having to check each one individually in the portal. I'm considering using PowerShell or Microsoft Graph for this task. I'd like it to be a reliable way to identify and delete only the expired secrets across the tenant, ideally something that could either be run once or scheduled for regular clean-ups. Has anyone tackled this on a larger scale? Any advice or script snippets would be greatly appreciated!
As a side note, we're also working on a project to alert us about app registrations where credentials are nearing expiration and create tickets in ServiceNow. However, during our tests, we encountered a lot of false positives, mainly due to old expired secrets or old apps that aren't in use anymore. We're open to rethinking our approach if there's something better out there!
3 Answers
I recently tackled this and got a nice script generated by ChatGPT that worked for my needs. Just remember to test it thoroughly before going live. An engineer could probably set it up for you in a day max!
Why are you looking to clean up the expired secrets? If it's just for maintenance, there might be simpler ways to manage alerts without deleting things right away. If the alerts are generating a lot of noise because of old secrets, re-evaluating your approach might be worth considering.
You can definitely handle this with PowerShell or Microsoft Graph. It should be straightforward if you're comfortable with PowerShell. You can pull the app registrations and filter out the expired client secrets. If you need, I can share a sample script that could help you get started!
That sounds promising! Share away, I'd love to see an example script!
We're focusing on cleanup because those old secrets can clutter our alerts and make it harder to manage active credentials, but I'm open to any better solutions!