SOLVED

ServicePrincipal StartDate and EndDate not displaying Using Graph API In Power Shell


Hi,

 

I am trying to get a list of SPNs that are going to expire soon. Using the Graph API, I am executing the PowerShell script below.

 

I always get appId and name in the output, but StartDate and EndDate are not displayed for a few of the SPNs.

 

Can you please help with how to get it?

 

Below is the PowerShell script I am using:

$TenantId = "*************"
$ClientId = "*************"
$ClientSecret = "*************"

$Body = @{
    'tenant' = $TenantId
    'client_id' = $ClientId
    'scope' = 'https://graph.microsoft.com/.default'
    'client_secret' = $ClientSecret
    'grant_type' = 'client_credentials'
}


$Params = @{
    'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    'Method' = 'Post'
    'Body' = $Body
    'ContentType' = 'application/x-www-form-urlencoded'
}

$AuthResponse = Invoke-RestMethod @Params

$Headers = @{'Authorization' = "Bearer $($AuthResponse.access_token)"}

$method = "GET"

$uri2 = "https://graph.microsoft.com/v1.0/applications/{Id}"

$query2 = Invoke-WebRequest -Method $method -Uri $uri2  -ContentType "application/json" -Headers $Headers -ErrorAction Stop


$query2.content | ConvertFrom-Json | select appId,displayName,@{l="SecretExpiryDate";e={$pwdcreds2.passwordCredentials.endDateTime}}

$pwdcreds2.passwordCredentials

 

I have another PowerShell script that gives the start date and end date for the same SPN, but the problem is that my org is not allowed to fetch app details from Azure AD due to security guidelines.

 

 

$ServicePrincipalIds = Get-AzADServicePrincipal | Where {$_.DisplayName -like '*'}

foreach($ServicePrincipalId in $ServicePrincipalIds)
{
$ServicePrincipalInfo = Get-AzADSpCredential -ObjectId $ServicePrincipalId.Id
$ServicePrincipalInfo
}

 

2 Replies
Best Response confirmed by Brahmaiah (Contributor)
Solution

Well what exactly is:

$pwdcreds2

as that's what you are using to parse for passwordCredentials. For the record, I can see them just fine in Graph explorer or calling the Graph API directly via PowerShell.

 

$result = ($test.Content | ConvertFrom-Json).passwordCredentials.startDateTime

@Vasil Michev thank you so much for the reply.

 

I executed my PowerShell script after adding your command, but it does not return anything. I guess that if a servicePrincipal has too many start and end dates, it fails at ConvertFrom-Json.

 

Another PowerShell script returns the full list of start and end dates. Below is a screenshot.

SPN_Date_List.png

 

Can you please check sample data from your end :) and suggest how I can get the result from the API.

 

Thanks again for your help and support so far.

 

Regards,

Brahma
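
Added example, not part of the original thread: a sketch of reading `passwordCredentials` from the parsed Graph response itself and emitting one row per secret, including the case where an application holds several. The function name `Get-SecretExpiry`, the `-WarnDays` parameter and the sample JSON are assumptions constructed for illustration.

```powershell
# Constructed sample of a GET /v1.0/applications/{id} response body (not real tenant data).
$sampleJson = @'
{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "sample-app",
  "passwordCredentials": [
    { "keyId": "11111111-1111-1111-1111-111111111111",
      "startDateTime": "2019-10-01T00:00:00Z", "endDateTime": "2020-10-01T00:00:00Z" },
    { "keyId": "22222222-2222-2222-2222-222222222222",
      "startDateTime": "2020-10-01T00:00:00Z", "endDateTime": "2299-12-31T00:00:00Z" }
  ]
}
'@

# Hypothetical helper: one output row per client secret on the application object.
function Get-SecretExpiry {
    param(
        [Parameter(Mandatory)] [string] $Content,  # raw JSON body, e.g. $query2.Content
        [int] $WarnDays = 30                       # assumed "expiring soon" window
    )
    $app    = $Content | ConvertFrom-Json
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays($WarnDays)

    # Read passwordCredentials from the parsed object itself. An app with no
    # client secrets has an empty array here and therefore yields no rows.
    foreach ($cred in $app.passwordCredentials) {
        # The cast covers both cases: Windows PowerShell 5.1 leaves the value as
        # a string, PowerShell 7 has already converted it to [datetime].
        $start = ([datetime]$cred.startDateTime).ToUniversalTime()
        $end   = ([datetime]$cred.endDateTime).ToUniversalTime()
        $status = if ($end -lt $now) { 'Expired' } elseif ($end -le $cutoff) { 'ExpiringSoon' } else { 'OK' }
        [pscustomobject]@{
            AppId       = $app.appId
            DisplayName = $app.displayName
            KeyId       = $cred.keyId
            StartDate   = $start
            EndDate     = $end
            Status      = $status
        }
    }
}

Get-SecretExpiry -Content $sampleJson | Format-Table KeyId, StartDate, EndDate, Status
```

Against a live response, pass `$query2.Content` as `-Content`; the sample shows that an application with more than one secret parses normally and produces one row per credential.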