I'm looking for a reliable way to remove expired client secrets from all app registrations in Entra ID without having to check them individually in the portal. I'm open to using PowerShell or Microsoft Graph to accomplish this. Ideally, I want something that I can run once or even set up on a schedule if necessary. Has anyone tackled this issue at scale? Any advice or example scripts would be greatly appreciated!
As a side note, we're also working on a project to alert us about app registrations with credentials nearing expiration, and to create tickets in ServiceNow. We've run into a lot of false positives from old expired secrets or unused apps during testing. If there's a better approach for this, I'm totally open to suggestions!
4 Answers
Here's a straightforward script I used to track down expired and soon-to-expire app secrets. You could tweak it to send emails to ServiceNow for ticket creation as well. It connects to Graph, fetches all app secrets, and sends a report via email. Check it out!
I just handled this for over 5,000 app registrations and cleaned up around 2,000 expired secrets in no time. You can get it done in under ten lines of PowerShell using the Microsoft.Graph module!
Thanks for the tip!
Agreed! There's a great Learn article on reporting it with PowerShell, and it should be a simple step from there to remove them.
I created a script to find secrets and certs expiring in the next 30 days. It lists the secret/cert name along with creation and expiration dates. You can take a look at it on GitHub: [GitHub Link].
Thanks for sharing!
We have a system in place where app owners get email alerts at 60, 30, and 7 days before expiration. When an app is created, we assign a project owner to manage the app secrets. We also create a Jira ticket as a reminder to help them if needed. Moving to OIDC can help avoid managing passwords altogether, and using something like Key Vault can further secure your secrets. It might require some changes from the devs, but keeping secrets out of their hands is worth it in the long run, especially with upcoming changes to certificate expiration dates.
That's an interesting approach with Key Vaults. I'm definitely going to look into that.

Yeah, it's not too difficult with either Graph or Az.
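Pulling the threads above together (the cleanup of expired secrets described in the first answers, and the 30-day expiry report and owner alerts described later), here is an added example in PowerShell. It is not a script posted in this thread or the linked GitHub repo; the function names `Get-EntraAppCredential` and `Remove-ExpiredAppSecret` are my own, while `Connect-MgGraph`, `Get-MgApplication` and `Remove-MgApplicationPassword` are the real Microsoft.Graph SDK cmdlets. It assumes the Microsoft.Graph.Applications module is installed and that the caller can consent to `Application.ReadWrite.All` (the report alone only needs `Application.Read.All`).

```powershell
# Added example, not from the thread: report and clean up Entra ID app registration
# credentials with the Microsoft.Graph PowerShell SDK. Assumed prerequisites:
#   Install-Module Microsoft.Graph.Applications
#   Connect-MgGraph -Scopes 'Application.ReadWrite.All'
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications

function Get-EntraAppCredential {
    <#
    .SYNOPSIS
    Flattens every client secret and certificate on every app registration into one
    row per credential, tagged Expired / ExpiringSoon / OK. This is the basis for both
    the cleanup and the "expiring in N days" report; filter on Status so already-expired
    or orphaned secrets do not show up as false positives in an expiry alert.
    #>
    [CmdletBinding()]
    param(
        # Credentials that expire within this many days are tagged ExpiringSoon
        [int]$WarnDays = 30
    )

    $now = (Get-Date).ToUniversalTime()
    # Select only what is needed; -All pages through every application object
    $apps = Get-MgApplication -All -Property Id, AppId, DisplayName, PasswordCredentials, KeyCredentials

    foreach ($app in $apps) {
        # foreach over a null/empty collection iterates zero times, unlike piping $null
        $rows = @()
        foreach ($p in $app.PasswordCredentials) { $rows += [pscustomobject]@{ Type = 'Secret';      Cred = $p } }
        foreach ($k in $app.KeyCredentials)      { $rows += [pscustomobject]@{ Type = 'Certificate'; Cred = $k } }

        foreach ($r in $rows) {
            $cred = $r.Cred
            if (-not $cred.EndDateTime) { continue }   # skip malformed entries rather than crash
            $end      = $cred.EndDateTime.ToUniversalTime()
            $daysLeft = [int][math]::Floor(($end - $now).TotalDays)
            if ($daysLeft -lt 0)             { $status = 'Expired' }
            elseif ($daysLeft -le $WarnDays) { $status = 'ExpiringSoon' }
            else                             { $status = 'OK' }

            [pscustomobject]@{
                DisplayName = $app.DisplayName
                AppId       = $app.AppId
                ObjectId    = $app.Id          # object id, needed for the remove call
                Type        = $r.Type
                KeyId       = $cred.KeyId
                Name        = $cred.DisplayName
                Created     = $cred.StartDateTime
                Expires     = $end
                DaysLeft    = $daysLeft
                Status      = $status
            }
        }
    }
}

function Remove-ExpiredAppSecret {
    <#
    .SYNOPSIS
    Removes client secrets whose EndDateTime is in the past. Supports -WhatIf so the
    first run is a dry run, and -Confirm so a scheduled run can pass -Confirm:$false.
    Certificates are deliberately left alone: keyCredentials are removed through a
    different call (removeKey needs a proof JWT, or you update the keyCredentials list).
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Only remove secrets that expired at least this many days ago (grace period)
        [int]$GraceDays = 0
    )

    $expired = Get-EntraAppCredential |
        Where-Object { $_.Type -eq 'Secret' -and $_.DaysLeft -lt (-1 * $GraceDays) }

    foreach ($row in $expired) {
        $target = "secret '$($row.Name)' ($($row.KeyId)) on '$($row.DisplayName)', expired $($row.Expires.ToString('u'))"
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            try {
                # POST /applications/{id}/removePassword with the credential's keyId
                Remove-MgApplicationPassword -ApplicationId $row.ObjectId -KeyId $row.KeyId -ErrorAction Stop
                [pscustomobject]@{ App = $row.DisplayName; KeyId = $row.KeyId; Result = 'Removed' }
            }
            catch {
                # keep going: one failure (permissions, deleted app) should not abort the batch
                [pscustomobject]@{ App = $row.DisplayName; KeyId = $row.KeyId; Result = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Usage (run interactively first, then schedule):
#   Connect-MgGraph -Scopes 'Application.ReadWrite.All'
#   Get-EntraAppCredential -WarnDays 30 | Where-Object Status -eq 'ExpiringSoon' |
#       Sort-Object DaysLeft | Format-Table DisplayName, Type, Name, Expires, DaysLeft
#   Remove-ExpiredAppSecret -WhatIf            # dry run: prints what would be removed
#   Remove-ExpiredAppSecret -Confirm:$false    # unattended run
```

Two caveats worth knowing before scheduling this. First, `Get-MgApplication` only covers app registrations; credentials on enterprise applications (service principals) live on the servicePrincipal object and need `Get-MgServicePrincipal` with the same property names. Second, Graph returns `PasswordCredentials` without the secret value, so the report cannot tell you whether a still-valid secret is actually in use; for the "unused app" false positives mentioned in the question, sign-in logs, not the credential list, are the signal.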