Azure AD service Principal Audit


I have a requirement for a service principal audit to detect if there is an inactive owner or an expired key/Service Principal within Azure for the Service Principal.

The remediation of that resource will execute as follows:
Service Principal Status
1. Detect if service principal is Inactive
2. Detect an inactive owner (utilizing API)
3. (Future Remediation) If there are multiple owners on a Service Principal, remove the Inactive Owner
ii. Key credentials
1. Detect if the service principal key is expired
2. (Future Remediation) Delete expired key
b. Generates a report of Active/Inactive Service Principals within the Tenant that is output to a Teams channel or as an email report.


>> I am trying the commands below to get a list of all service principals along with their expiration dates, but I also need owner details


# Collect the object IDs of every app registration in the tenant
$apps = Get-AzureADApplication -All $true | Select-Object ObjectId

foreach($app in $apps)
{ # Re-read the full application object for each ID
  $temp = Get-AzureADApplication -ObjectId $app.ObjectId
  $temp.DisplayName
  # Print the expiry date of each client secret
  $temp.PasswordCredentials | Format-List EndDate
  Write-Host ""
}


Can anyone help me with the above requirement?
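The following is an added example, not the original poster's script, showing how the two halves of the requirement (credential expiry and owner details) can be combined in one pass with the same AzureAD module cmdlets the post already uses. It assumes Connect-AzureAD has been run with an account that can read applications and their owners, and it treats an owner whose account is disabled (AccountEnabled -eq $false) as "inactive", which is an assumption since the post does not define the term. The warning window, the report path and the Status labels are constructed values; delivery to Teams or email is left to the caller, who can consume the CSV or the returned objects.

```powershell
# Added example (not the original poster's code): audit app registrations for
# expired or expiring credentials and for missing or disabled owners.
# Assumes: AzureAD module loaded and Connect-AzureAD already done.
# $ExpiryWarningDays and $ReportPath are assumed defaults, not values from the post.
param(
    [int]$ExpiryWarningDays = 30,
    [string]$ReportPath = ".\ServicePrincipalAudit.csv"
)

$now = Get-Date

$report = foreach ($app in Get-AzureADApplication -All $true) {

    # Both client secrets (PasswordCredentials) and certificates (KeyCredentials)
    # carry an EndDate; normalise them into one list so they are checked the same way.
    $creds = @(
        $app.PasswordCredentials | ForEach-Object {
            [PSCustomObject]@{ Type = 'Secret';      KeyId = $_.KeyId; EndDate = $_.EndDate }
        }
        $app.KeyCredentials | ForEach-Object {
            [PSCustomObject]@{ Type = 'Certificate'; KeyId = $_.KeyId; EndDate = $_.EndDate }
        }
    )

    $expired  = @($creds | Where-Object { $_.EndDate -and $_.EndDate -lt $now })
    $expiring = @($creds | Where-Object {
        $_.EndDate -and $_.EndDate -ge $now -and $_.EndDate -lt $now.AddDays($ExpiryWarningDays)
    })

    # Owners come back as directory objects; user (and service principal) owners
    # expose AccountEnabled, which is used here as the "inactive owner" signal.
    $owners         = @(Get-AzureADApplicationOwner -ObjectId $app.ObjectId -All $true)
    $disabledOwners = @($owners | Where-Object { $_.AccountEnabled -eq $false })

    # Build a list of findings so one app can surface several problems at once.
    $issues = @()
    if ($expired.Count -gt 0)        { $issues += 'ExpiredCredential' }
    if ($expiring.Count -gt 0)       { $issues += 'CredentialExpiringSoon' }
    if ($owners.Count -eq 0)         { $issues += 'NoOwner' }
    if ($disabledOwners.Count -gt 0) { $issues += 'DisabledOwner' }

    [PSCustomObject]@{
        DisplayName     = $app.DisplayName
        AppId           = $app.AppId
        ObjectId        = $app.ObjectId
        CredentialCount = $creds.Count
        ExpiredCount    = $expired.Count
        ExpiringSoon    = $expiring.Count
        NextExpiry      = ($creds | Where-Object { $_.EndDate } |
                           Sort-Object EndDate | Select-Object -First 1).EndDate
        Owners          = ($owners | ForEach-Object {
                              if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName }
                          }) -join ';'
        DisabledOwners  = ($disabledOwners | ForEach-Object { $_.UserPrincipalName }) -join ';'
        Status          = if ($issues.Count -gt 0) { $issues -join ',' } else { 'OK' }
    }
}

# Console summary for a quick look, and a CSV that a Logic App, mail step or
# Teams connector can pick up as the report hand-off.
$report | Sort-Object Status, DisplayName | Format-Table DisplayName, Status, NextExpiry, Owners -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
```

The same loop applies to enterprise applications (the service principal objects themselves) by swapping Get-AzureADApplication for Get-AzureADServicePrincipal and Get-AzureADApplicationOwner for Get-AzureADServicePrincipalOwner; the credential and owner properties have the same names. Because an owner object with no AccountEnabled property compares as $null rather than $false, group or unknown owner types are not wrongly flagged as disabled.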

2 Replies

@Sahitya95 I would use Logic Apps for this. I've sent you a DM with additional questions. I think a lot of organizations have the same need, so let's see if I can build such a flow and make a step-by-step tutorial on this.

@JanBakkerOrphaned I replied to you with my requirement, along with the script that I am using.