Get M365 App Registrations with Expiring Client Secrets & Certificates

On Day 23 of Cybersecurity Awareness Month, learn how to get a list of Entra ID applications with expiring client secrets and certificates effectively. Stay tuned for more blogs in our M365 Cybersecurity Blog Series.

In Microsoft 365 organizations, various applications, including third-party apps, are integrated and used for completing various tasks, projects, etc. Developers also have the option to register their own applications in Entra ID for organizational use. These applications use app client secrets and certificates to authenticate their identity when requesting a token. However, for all registered applications, these client secrets and certificates will expire after a certain period. So, it is essential for admins to identify applications with expiring client secrets & certificates and take actions accordingly for efficient and seamless usage of applications in M365.

Let’s explore how to get all Azure applications with expiring client secrets and certificates in Microsoft 365.

How to Get All Entra ID Applications with Expiring Client Secrets & Certificates?

To find out the expiry details of client secrets and certificates for an application, admins can use either the Microsoft Entra Admin Center or Microsoft Graph PowerShell.

Find expiration date of app client secrets and certificates using Entra admin center
Export app registrations with expiring client secrets and certificates using PowerShell

Note: Admins can also implement secure score recommendations to secure third-party apps.

Find Expiration Date of App Client Secrets and Certificates Using Entra Admin Center

Navigate to the Microsoft Entra Admin Center.
Go to Applications –> App registrations –> All applications tab.
Select a specific application for which you want to find out the expiry details.
Select ‘Certificates & Secrets’.
In the ‘Client secrets’ tab, you will find the expiry date of the app’s client secret as shown below.

Click on ‘Certificates’ tab to find the expiry date of the app certificate as shown below.

Note: To avoid app security risks, admins can manage user consents and remove unused credentials.

Export App Registrations with Expiring Client Secrets and Certificates Using PowerShell

In the Entra admin center, obtaining expiry details for client secrets and certificates might be challenging as you must navigate to each application individually. To efficiently identify the expiration details, you can go with the Microsoft Graph PowerShell method. For achieving this, we have developed a script to solve different use cases and minimize your hurdle!

Download Script: AppRegistrationsWithExpiringCertAndSecrets.ps1

Let’s see the use cases that this PowerShell script solve effectively in detail.

Get all Azure AD apps with expiring client secrets and certificates
Retrieve all Entra ID apps with expiring client secrets
Find a list of all Azure AD apps with expiring certificates
Retrieve a list of all Azure AD apps with certificates and secrets expiring in 30 days

1. Get All Azure AD Apps with Expiring Client Secrets and Certificates

Verifying the expiry date of client secrets and certificates for all the applications helps to take actions for seamless app usage. Running this script will export all the applications in Entra ID with expiry details of their client secrets and certificates.

.\AppRegistrationsWithExpiringCertAndSecrets.ps1

1	.\AppRegistrationsWithExpiringCertAndSecrets.ps1

This report will contain the list of all apps with expiring certificates and client secrets along with app name, owner, creation time, etc., as shown below.

2. Retrieve All Entra ID Apps with Expiring Client Secrets

Some of the app registrations contain only client secrets. In such cases, if you want to retrieve apps with client secret expiration details alone, run the script with the ‘-ClientSecretsOnly’ parameter as below.

.\AppRegistrationsWithExpiringCertAndSecrets.ps1 -ClientSecretsOnly

1	.\AppRegistrationsWithExpiringCertAndSecrets.ps1 -ClientSecretsOnly

The above cmdlet exports the apps with their client secret expiry details in your Entra ID environment.

3. Find a List of All Azure AD Apps with Expiring Certificates

If you want to find out only the expiration details of the app certificates, you can run the script with the ‘-CertificatesOnly’ parameter as shown below.

.\AppRegistrationsWithExpiringCertandSecrets -CertificatesOnly

1	.\AppRegistrationsWithExpiringCertandSecrets -CertificatesOnly

This shows the list of Entra ID apps with their certificate expiration details.

4. Retrieve a List of All Azure AD Apps with Certificates and Secrets Expiring in 30 Days

To get a more granular report like apps with certificates and secrets expiring in n days (i.e., 30, 90, etc.), you can run the script as below.

.\AppRegistrationsWithExpiringCertAndSecrets -SoonToExpireInDays “30”

1	.\AppRegistrationsWithExpiringCertAndSecrets -SoonToExpireInDays “30”

The above cmdlet retrieves a list of all applications with certificates and secrets expiring in 30 days.

You can also use the parameter ‘SoonToExpireInDays’ with ‘-ClientSecretsOnly’ or ‘-CertificatesOnly’ parameter to get detailed reports like apps with client secrets expiring in n days or apps with certificates expiring in n days.

I hope this blog helps with the PS script to retrieve the Entra ID applications with their certificates and secrets expiry details efficiently. Utilize this script to avoid downtime and secure your M365 applications. For more queries, feel free to reach us through the comment section. Happy scripting!