Azure App Registrations Cert / Client Secret MS Graph Report

In this post we will be looking at creating a report to show what Azure App registrations have expiring client secret / certificate in the specified amount of days.

There is currently no in built way to report on expiring App registrations in the Azure portal other than checking the app registration, so we will be using Microsoft Graph SDK to automate the reporting.

First to automate the report we need to create an app registration to use for the Microsoft Graph connection. I have gone through this in a previous post.

The specific Microsoft GraphApi application permission required is Application.Read.All, this needs to be added to the App Registration that we use for Microsoft Graph.

App Registration API Permission

Next we need to connect to Microsoft Graph using.


To list the app registration use

Microsoft Graph Applications

Once we have the list of apps we can use PasswordCredentials to view client secret details

Application Secrets Properties

and KeyCredentials to view the certificates details

Application Certificate Properties

Once we have the required properties, we can create the script to export the app registration details.

App Registration Report

There are two parameters Reportonly which returns just the result to PowerShell window and ReportExport which will export the report to the specific folder specified.

Below is what the Reportonly should look like.

.\Get-AppRegistrationDetails.ps1 -CertificateThumbprint Thumprint -ClientId ClientID -TenantId TenantID -ReportOnly -ExpiryDate 200
Report results

When using the Reportexport

.\Get-AppRegistrationDetails.ps1 -CertificateThumbprint thumbprint -ClientId ClientID -TenantId TenantID -ReportExport C:\temp\Graph\ -ExpiryDate 200

The full script can be downloaded from the below GitHub link.

3 thoughts on “Azure App Registrations Cert / Client Secret MS Graph Report

  1. Great Script, but only gets the certs and certificates for app registrations.
    How do we get the same info for enterprise apps?


    1. Hi Kim

      From what I know there are no certs in Enterprise Apps, the apps connect back to app registrations for client secrets and certs from what I have seen. do you have an example that I could check, and I could update the script if needed.


      1. Hello, certs in enterprise apps are used for example when you want single sign on.

        I managed to use your script as a template and create a separate script that creates a report for the certs used in the enterprise apps and the expiration dates.
        Sorry for the late reply, I had some trouble with getting the correct data in the script.

        The script uses the cmdlet called “Get-MgServicePrincipal” to get all enterprise apps along with the certinfo as well. I posted the portion of the script that gets the info below.

        $EnterpriseApps = Get-MgServicePrincipal -All

        $EnterpriseApps_ExportInfo = $EnterpriseApps | ForEach-Object {

        [PSCustomObject] @{
        AppDisplayName = $_.DisplayName
        EndDateTime = $_.PasswordCredentials.EndDateTime
        CertName = $_.PasswordCredentials.DisplayName
        AppEnabled = $_.AccountEnabled
        ObjectID = $_.Id
        AppId = $_.AppId
        Type = $_.GetType().name
        Ägare = $_.Owners
        Notes = $_.Notes
        AppCreatedTime = $_.AdditionalProperties.createdDateTime
        NotificationEmailAddresses = $_.NotificationEmailAddresses
        LoginUrl = $_.LoginUrl
        ReplyUrls = $_.ReplyUrls
        Description = $_.Description


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s