Validate Microsoft Graph Application Credentials and Owners with Sign-In Data
Validate Microsoft Graph Application Credentials and Owners
This script connects to Microsoft Graph with the 'Application.ReadWrite.All' and 'AuditLog.Read.All' scopes, retrieves every application in the tenant, and checks the status of each application's credentials (passwords and certificates). A credential counts as valid when its expiration date is later than the current date. The script also retrieves the application's owner details and checks for recent sign-in activity. Everything is collected into one custom object per application, including secret and certificate validity, owner, and last sign-in date.
Script Overview
Ideal for: Azure AD administrators managing application lifecycle and security
Key Features
| Feature | Capability | Business Value |
|---|---|---|
| Credential Validation | Checks secret and certificate expiration dates | Prevents application authentication failures |
| Owner Identification | Retrieves application owner information | Ensures proper accountability |
| Sign-In Tracking | Monitors recent application activity | Identifies unused or compromised apps |
| Comprehensive Reporting | Structured output for all application data | Simplifies audit and compliance processes |
Script Implementation

```powershell
Connect-MgGraph -Scopes 'Application.ReadWrite.All','AuditLog.Read.All'
# Note: everything below is read-only, so Application.Read.All is sufficient for the
# application and owner calls if you prefer to consent to the narrower scope.

$Messages = @{
    DurationNotice = @{
        Info = @(
            'The operation is running and will take longer the more applications the tenant has...'
            'Please wait...'
        ) -join ' '
    }
}
Write-Host $Messages.DurationNotice.Info -ForegroundColor Yellow

$Applications = Get-MgApplication -All
$Logs = @()

foreach ($App in $Applications) {
    $AppName = $App.DisplayName
    $AppID   = $App.Id      # directory object id
    $ApplID  = $App.AppId   # client (application) id, the value recorded in sign-in logs
    Write-Output "Getting $AppName Data..."

    $now = Get-Date
    # Reset per-application dates so a previous app's values never leak into this row
    $SecretEndDate = $null
    $CertEndDate   = $null

    # Secret validation: the latest end date decides whether any secret is still valid
    $SecretValid = $false
    $Secrets = $App.PasswordCredentials
    if ($Secrets) {
        $SecretEndDate = $Secrets | Sort-Object EndDateTime -Descending | Select-Object -First 1 -ExpandProperty EndDateTime
        if ($SecretEndDate -gt $now) { $SecretValid = $true }
    }

    # Certificate validation
    $CertValid = $false
    $Certs = $App.KeyCredentials
    if ($Certs) {
        $CertEndDate = $Certs | Sort-Object EndDateTime -Descending | Select-Object -First 1 -ExpandProperty EndDateTime
        if ($CertEndDate -gt $now) { $CertValid = $true }
    }

    # Get Owner
    Write-Output "Getting Owner Info"
    $Owner    = Get-MgApplicationOwner -ApplicationId $App.Id
    $Username = $Owner.AdditionalProperties.userPrincipalName -join ';'
    $OwnerID  = $Owner.Id -join ';'
    if ($null -eq $Owner.AdditionalProperties.userPrincipalName) {
        # Owner has no UPN: it is a service principal, not a user
        $Username = @(
            $Owner.AdditionalProperties.displayName
            '**<This is an Application>**'
        ) -join ' '
    }
    if ($null -eq $Owner.AdditionalProperties.displayName) {
        $Username = '<<No Owner>>'
    }

    # Get Sign-In: most recent sign-in recorded for this client id, if any
    Write-Output "Getting SignIn Info"
    $Signin = $false
    $SigninDate = Get-MgAuditLogSignIn -Filter "appId eq '$ApplID'" -Top 1 | Select-Object -ExpandProperty CreatedDateTime
    if ($SigninDate) { $Signin = $true }

    $Logs += [PSCustomObject]@{
        'ApplicationName'      = $AppName
        'ApplicationID'        = $ApplID
        'Secret Valid'         = $SecretValid
        'Secret End Date'      = $SecretEndDate
        'Certificate Valid'    = $CertValid
        'Certificate End Date' = $CertEndDate
        'Owner'                = $Username
        'Owner_ObjectID'       = $OwnerID
        'Signin Present'       = $Signin
        'Last Sign-In Date'    = $SigninDate
    }
}
$Logs
```

Configuration Requirements
Prerequisites
| Component | Requirement | Purpose |
|---|---|---|
| Microsoft Graph Module | Microsoft.Graph | API connectivity |
| Application Permissions | Application.ReadWrite.All, AuditLog.Read.All | Access application and audit data |
| Admin Rights | Global Administrator or Application Administrator | Sufficient permissions for all operations |
Validation Logic
Credential Assessment Process
| Validation Type | Method | Success Criteria |
|---|---|---|
| Secret Validity | Compare end date with current date | End date > current date |
| Certificate Validity | Compare end date with current date | End date > current date |
| Owner Verification | Retrieve owner object properties | Valid owner object exists |
| Sign-In Activity | Query audit logs for recent activity | Sign-in record exists |
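The script reduces each credential type to a single valid/invalid flag. The helper below, an added example that is not part of the original script, classifies the same credential collections with an expiry window (the "soon-to-expire" case from the usage scenarios) and also counts expired entries still attached to the app. It runs offline on constructed objects shaped like the PasswordCredentials and KeyCredentials collections; the function name, the 30-day window and the sample data are assumptions.

```powershell
# Added example: classify an app's credentials as None / Expired / ExpiringSoon / Valid.
function Get-CredentialStatus {
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Credentials,
        [Parameter(Mandatory)][string]$Kind,   # 'Secret' or 'Certificate'
        [int]$WarnDays = 30,                   # assumption: warn 30 days before expiry
        [datetime]$Now = (Get-Date)
    )
    if (-not $Credentials) {
        return [PSCustomObject]@{
            Kind = $Kind; Status = 'None'; Latest = $null; DaysLeft = $null; Expired = 0; Total = 0
        }
    }
    # Same rule as the script: the latest end date decides the overall status
    $latest  = ($Credentials | Sort-Object EndDateTime -Descending | Select-Object -First 1).EndDateTime
    # Expired credentials left on the app are clutter worth removing even when a newer one is valid
    $expired = @($Credentials | Where-Object { $_.EndDateTime -le $Now }).Count
    $status  = if ($latest -le $Now) { 'Expired' }
               elseif ($latest -le $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
               else { 'Valid' }
    [PSCustomObject]@{
        Kind     = $Kind
        Status   = $status
        Latest   = $latest
        DaysLeft = [math]::Floor(($latest - $Now).TotalDays)
        Expired  = $expired
        Total    = $Credentials.Count
    }
}

# Constructed sample data: two secrets (one already expired) and no certificate
$sampleNow = Get-Date '2025-01-15'
$sampleSecrets = @(
    [PSCustomObject]@{ KeyId = 'sample-secret-1'; DisplayName = 'old';  EndDateTime = $sampleNow.AddDays(-10) }
    [PSCustomObject]@{ KeyId = 'sample-secret-2'; DisplayName = 'live'; EndDateTime = $sampleNow.AddDays(20) }
)
Get-CredentialStatus -Credentials $sampleSecrets -Kind Secret      -Now $sampleNow
Get-CredentialStatus -Credentials @()            -Kind Certificate -Now $sampleNow
```

Inside the script's loop, `$App.PasswordCredentials` and `$App.KeyCredentials` can be passed directly as `-Credentials`, so the Status and DaysLeft columns can replace the bare boolean in the log object.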
Output Data Structure
| Field | Description | Business Value |
|---|---|---|
| ApplicationName | Display name of the application | Easy identification |
| ApplicationID | Unique application (client) identifier | API reference |
| Secret Valid | Boolean indicating secret status | Quick health check |
| Secret End Date | Expiration date of the most recent secret | Renewal planning |
| Certificate Valid | Boolean indicating certificate status | Quick health check |
| Certificate End Date | Expiration date of the most recent certificate | Renewal planning |
| Owner | Owner display name or UPN | Accountability tracking |
| Owner_ObjectID | Object ID(s) of the owner(s) | Unambiguous owner lookup |
| Signin Present | Boolean for recent activity | Usage monitoring |
| Last Sign-In Date | Timestamp of last authentication | Activity tracking |
Usage Scenarios
1. Application Audit
- Review all application credentials
- Identify expired or soon-to-expire credentials
- Ensure proper owner assignment
2. Security Monitoring
- Detect unused applications
- Monitor for suspicious sign-in patterns
- Validate credential security posture
3. Compliance Reporting
- Generate application inventory reports
- Document credential status for audits
- Track application ownership changes
Conclusion
Key Takeaway: This script provides comprehensive visibility into application credential health, ownership, and usage patterns, enabling proactive security management and compliance reporting for Azure AD applications.