Azure AD is a cloud-based directory and identity management service that helps you manage users, groups, and applications in your organization. One important aspect of managing applications in Azure AD is keeping track of application secrets, which are used to authenticate and authorize access to resources.

Background

Application secrets have an expiration date, after which they need to be renewed. If you have multiple applications in Azure AD, it can be time-consuming to manually check the expiration dates of all the secrets and send reminders to renew them.

Sending the reminder notifications

Fortunately, you can use PowerShell to automate this process. In this article, I will show you how to write a PowerShell script that sends a reminder notification to the owner of an Azure AD application for any secrets that will expire within a specified number of days.

Here is the PowerShell script that does this:

Note: Replace $smtpServer, $smtpFrom, and $smtpCredential with your SMTP server details and credentials.

# SMTP server configuration
$smtpServer = "your.smtp.server"
$smtpFrom = "from@example.com"
$smtpCredential = Get-Credential

# Set the number of days before expiration to send the reminder notification
$reminderDays = 30

# Get the current date and time
$now = Get-Date

# Get all Azure AD applications (requires a session opened with Connect-AzureAD)
$applications = Get-AzureADApplication -All $true

# Loop through each application
foreach ($application in $applications) {
    $appName = $application.DisplayName
    $appObjectID = $application.ObjectId
    $appID = $application.AppId

    # Get the application secrets
    $secrets = Get-AzureADApplicationPasswordCredential -ObjectId $appObjectID

    # Keep only the secrets that have an end date and will expire within the reminder period.
    # Filtering per secret also works when an application has several secrets, where
    # $secrets.EndDate would be an array and the date arithmetic would fail.
    $expiringSecrets = @($secrets | Where-Object {
        ($null -ne $_.EndDate) -and (($_.EndDate - $now).TotalDays -lt $reminderDays)
    })

    if ($expiringSecrets.Count -gt 0) {
        # Get the application owners that have a mail address
        $applicationOwners = Get-AzureADApplicationOwner -ObjectId $appObjectID | Where-Object { $null -ne $_.Mail }

        # Send-MailMessage -To takes an array of addresses, so pass them as an array
        # rather than a single semicolon-joined string
        $emailRecipients = @($applicationOwners | ForEach-Object { $_.Mail })

        if ($emailRecipients.Count -eq 0) {
            Write-Warning "No owner with a mail address found for '$appName' ($appID); skipping notification."
            continue
        }

        # Send the reminder notification to the owners
        $emailSubject = "Azure AD Application Secret Expiration - $appName - $appID"
        $emailMessage = @"
Hi Owner,

Please find the expiring secret details for your app below:

| Secret Display Name | Key ID               | Start Date Time        | End Date Time         |
|---------------------|----------------------|------------------------|-----------------------|
$($expiringSecrets | ForEach-Object { "| $($_.DisplayName) | $($_.KeyId) | $($_.StartDate) | $($_.EndDate) |" } | Out-String)

Regards,
Automation Team
"@
        Send-MailMessage -From $smtpFrom -To $emailRecipients -Subject $emailSubject -Body $emailMessage -SmtpServer $smtpServer -Credential $smtpCredential
    }
}

This script does the following:

  • Sets the number of days before expiration to send the reminder notification (in this case, 30 days). You can customize this by modifying the $reminderDays variable.
  • Gets the current date and time using the Get-Date cmdlet.
  • Gets all Azure AD applications using the Get-AzureADApplication cmdlet.
  • Loops through each application and gets the application secrets using the Get-AzureADApplicationPasswordCredential cmdlet.
  • If the secret has an expiration date, the script calculates the number of days until the secret expires.
  • If the secret will expire within the reminder period (determined by the $reminderDays variable), the script gets the owners of the application using the Get-AzureADApplicationOwner cmdlet and sends a reminder notification to each owner’s email address using the Send-MailMessage cmdlet. You can replace this last step with another notification method to suit your needs (e.g., creating a task in a task management system instead of sending an email).

To use this script, you will need to install the Azure AD PowerShell module and sign in to your tenant with Connect-AzureAD before running it. You can install the module by running the following command:

Install-Module AzureAD

Once you have installed the module, you can run the script by opening a PowerShell window and navigating to the location where you saved the script, then typing the name of the script and pressing Enter. For example:

.\Remind-AzureADApplicationSecretExpiration.ps1

Scheduling the script to run automatically

To schedule the script to run automatically, you can use the Windows Task Scheduler. Here is how to do this:

  • Open the Task Scheduler by typing “Task Scheduler” in the Start menu search bar.
  • In the Task Scheduler window, click the “Create Basic Task” link in the Actions pane on the right.
  • In the Create Basic Task Wizard, enter a name and description for the task, then click the “Next” button.
  • In the Trigger page, select a frequency for the task (e.g., daily, weekly, monthly). You can also specify a start date and time and an end date if desired. Click the “Next” button when you are done.
  • In the Action page, select the “Start a program” action, then click the “Next” button.
  • In the Start a Program page, click the “Browse” button and navigate to the location of the PowerShell executable (usually C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe).
  • In the “Add arguments” field, enter the path to the script file (e.g., “C:\Scripts\Remind-AzureADApplicationSecretExpiration.ps1”).
  • Click the “Next” button to proceed to the Finish page, then click the “Finish” button to create the task.
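The same scheduled task can be created from PowerShell instead of the Task Scheduler wizard. This is an added example, not part of the original article; it assumes the script is saved at C:\Scripts\Remind-AzureADApplicationSecretExpiration.ps1 (the path used above) and that the task runs as the user who registers it.

```powershell
# Added example: register the reminder script as a daily scheduled task.
# Assumption: the script path below matches where you saved the article's script.
$scriptPath = 'C:\Scripts\Remind-AzureADApplicationSecretExpiration.ps1'
$taskName   = 'Remind-AzureADApplicationSecretExpiration'

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found: $scriptPath"
}

# -File passes the script path unchanged (safer than a bare argument, which is
# treated as a command); -NonInteractive makes any prompt fail immediately
# instead of hanging a session nobody can see.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Run every day at 08:00 local time; change -Daily to -Weekly or adjust -At as needed.
$trigger = New-ScheduledTaskTrigger -Daily -At '08:00'

# Kill a hung run after one hour and never start a second copy while one is running.
$settings = New-ScheduledTaskSettingsSet `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName `
    -Action $action -Trigger $trigger -Settings $settings `
    -Description 'Daily reminder for expiring Azure AD application secrets' `
    -Force

# Confirm the task was created and is ready to run.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
```

Because the article's script calls Get-Credential (and Connect-AzureAD prompts interactively), a run under -NonInteractive fails at that line; store the SMTP credential ahead of time for the task's account (for example with Export-Clixml, which encrypts it for that user only) and load it in the script instead of prompting.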

The script will now run automatically at the specified frequency and send reminder notifications for any Azure AD application secrets that will expire within the specified number of days.

Wrap-Up

In summary, using a PowerShell script to automate the reminder notification process for Azure AD application secrets can save time and ensure that you don’t miss any expiration dates. With the script provided in this article, you can easily customize the number of days before expiration to send the reminders and the method of notification to suit your needs.

By running the script on a regular basis (e.g., daily, weekly, monthly), you can be confident that you will receive timely reminders to renew your application secrets before they expire. This can help to prevent disruptions to your applications and ensure that you are able to continue accessing the resources that they protect.

I encourage you to try out the script and customize it to meet your specific requirements. If you have any questions or need further assistance, don’t hesitate to reach out.

Tips and resources

In addition to using the script, there are a few other tips and resources that can help you manage your Azure AD application secrets effectively:

  • Use strong and unique passwords for your application secrets. You can use a password manager to generate and store passwords securely.
  • Enable multi-factor authentication (MFA) for your Azure AD account to provide an extra layer of security.
  • Consider using certificates instead of passwords for application secrets, especially for long-lived applications.
  • Use the Azure AD application audit logs to track changes to application secrets and other events.
  • Follow Azure AD best practices for managing applications and secrets.

By following these best practices and using tools like the PowerShell script provided in this article, you can effectively manage your Azure AD application secrets and ensure that they are secure and up to date.