How to get client secret expiry date using the azure AD graph API

3

6

I am trying to get the expiry date of the client secrets for our AAD application. However, when I use the following graph request, the passwordCredential and keyCredential fields are blank.

https://graph.windows.net/myorganization/directoryObjects/{ServicePrincipalObjectId}/?api-version=1.6

Is there a way to get this data? I see it in the manifest if I download that, just not in the OData object.

Thank you for your help!

Tolyl answered 4/2, 2017 at 0:55 Comment(2)
Does my answer work for you? (Wagoner)
I get an empty collection when I query for that. I was able to use this nuget package and get the collection of password credentials: nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient (Tolyl)
5

Use this AAD Graph API below:

https://graph.windows.net/{org_domain}/applications/{obj_id}/passwordCredentials

The response will show the list of keys used by your specific AAD Application.

You can derive the expiration date of your key from the endDate field.

{
  "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)",
  "value": [
    {
      "customKeyIdentifier": null,
      "endDate": "2018-05-07T09:12:13.2177408Z",
      "keyId": "{your_key_id}",
      "startDate": "2016-05-07T09:12:13.2177408Z",
      "value": null
    }
  ]
}
Wagoner answered 4/2, 2017 at 1:25 Comment(3)
I tried that, however I got an empty collection for Password Credentials. I was able to use the nuget package below to get the password credentials. Still confused as to why the API would not return it. nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient (Tolyl)
Hi @AdityaKaul, could you expand on how you were able to get the credentials using that NuGet? Thanks! (Steffens)
More specifically, were you able to get the secret values using the NuGet? Thanks (Steffens)
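The following is an added example, not code from the question or from either answerer, showing what a practitioner would typically do with the passwordCredentials response above: parse the endDate values (which carry seven fractional digits, more than strptime accepts) and flag secrets that are expired or about to expire. It goes beyond the answer in two ways: it also accepts the Microsoft Graph field name endDateTime, and the URL builder points at the application object rather than a service principal, since those are separate directory objects with their own credential lists (querying the service principal, as the question does, returns that object's credentials, not the app registration's). The sample response, key ids and the fixed "now" are constructed for the example. Note that the value field is null in both APIs: the secret itself is only returned at creation time, which answers the later comment asking whether the values can be read back.

```python
"""Report expired and soon-to-expire client secrets from a passwordCredentials response.

Added example; not part of the original question or answers. It assumes only the
response shape shown on this page (AAD Graph "endDate") plus the Microsoft Graph
"endDateTime" name used by the SDK answer. All sample data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone


def aad_graph_credentials_url(org_domain: str, app_object_id: str) -> str:
    """Build the AAD Graph request from the accepted answer.

    app_object_id is the *application* object id. A service principal is a separate
    directory object with its own passwordCredentials, so querying it returns the
    service principal's secrets, not the app registration's.
    """
    return (f"https://graph.windows.net/{org_domain}/applications/"
            f"{app_object_id}/passwordCredentials?api-version=1.6")


def parse_graph_timestamp(value: str) -> datetime:
    """Parse Graph's UTC timestamps, which can carry 7 fractional digits
    (e.g. 2018-05-07T09:12:13.2177408Z); strptime's %f only accepts up to 6."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' timestamp, got {value!r}")
    body = value[:-1]
    if "." in body:
        main, frac = body.split(".", 1)
        body = f"{main}.{(frac + '000000')[:6]}"  # pad or truncate to microseconds
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def credential_status(payload: str, now: datetime, warn_within_days: int = 30) -> list:
    """Classify each credential in a passwordCredentials JSON payload.

    Works on both AAD Graph ("endDate") and Microsoft Graph ("endDateTime")
    responses. The secret itself is never in the payload ("value" is null), so
    only metadata is reported.
    """
    report = []
    for cred in json.loads(payload).get("value", []):
        end_raw = cred.get("endDate") or cred.get("endDateTime")
        if end_raw is None:
            continue
        end = parse_graph_timestamp(end_raw)
        remaining = end - now
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_within_days):
            status = "expiring-soon"
        else:
            status = "ok"
        report.append({
            "keyId": cred.get("keyId"),
            "endDate": end.isoformat(),
            "daysLeft": remaining.days,  # negative once expired
            "status": status,
        })
    return report


# Constructed sample modelled on the AAD Graph response in the answer above;
# keyId values are placeholders, not real identifiers.
SAMPLE_RESPONSE = json.dumps({
    "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata"
                      "#Collection(Microsoft.DirectoryServices.PasswordCredential)",
    "value": [
        {"customKeyIdentifier": None, "endDate": "2018-05-07T09:12:13.2177408Z",
         "keyId": "00000000-0000-0000-0000-000000000001",
         "startDate": "2016-05-07T09:12:13.2177408Z", "value": None},
        {"customKeyIdentifier": None, "endDate": "2018-03-01T00:00:00Z",
         "keyId": "00000000-0000-0000-0000-000000000002",
         "startDate": "2017-03-01T00:00:00Z", "value": None},
    ],
})

if __name__ == "__main__":
    # Fixed "now" so the output is reproducible; use datetime.now(timezone.utc) in practice.
    for row in credential_status(SAMPLE_RESPONSE, datetime(2018, 4, 20, tzinfo=timezone.utc)):
        print(f"{row['keyId']}  {row['status']:<14} ends {row['endDate']} ({row['daysLeft']} days)")
```

In practice the payload comes from an authenticated GET against the URL the builder returns (a bearer token for graph.windows.net is needed); the report can then feed whatever alerting you use so that a secret rolling over is noticed before the application stops authenticating.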
1

As an alternative to using Graph API you might also consider using the Get-AzADApplication cmdlet together with Get-AzADAppCredential, which are part of Az PowerShell.

https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadappcredential?view=azps-5.5.0


Haply answered 27/2, 2021 at 20:48 Comment(0)
0

Also, here's how one might do it using the SDK:

' Imports needed for the Microsoft Graph .NET SDK (Microsoft.Graph NuGet package)
' and Azure.Identity; they were missing from the original snippet.
Imports System
Imports System.Collections.Generic
Imports System.Linq
Imports System.Threading.Tasks
Imports Azure.Identity
Imports Microsoft.Graph
Imports Microsoft.Graph.Models

Private Async Function ShowExpiringSecrets() As Task
  Dim oGraphClient As GraphServiceClient
  Dim oCredential As DefaultAzureCredential
  Dim oResponse As ApplicationCollectionResponse
  Dim oSecret As PasswordCredential
  Dim oApps As List(Of Application)
  Dim oApp As Application

  ' DefaultAzureCredential tries the environment, managed identity, Azure CLI, etc.;
  ' the caller needs a permission such as Application.Read.All to list app registrations.
  oCredential = New DefaultAzureCredential
  oGraphClient = New GraphServiceClient(oCredential)
  ' Returns the first page only; follow OdataNextLink (or use PageIterator) in tenants with many apps.
  oResponse = Await oGraphClient.Applications.GetAsync
  oApps = oResponse.Value.OrderBy(Function(Application) Application.DisplayName).ToList

  For Each oApp In oApps
    ' PasswordCredentials can be Nothing for apps without secrets; the secret value itself is never returned.
    If oApp.PasswordCredentials Is Nothing Then Continue For
    For Each oSecret In oApp.PasswordCredentials
      Console.WriteLine($"{oApp.DisplayName} - {oSecret.EndDateTime}")
    Next
  Next
End Function
Cadaver answered 11/7, 2024 at 17:28 Comment(0)

© 2022 - 2025 — McMap. All rights reserved.