Azure Service Principal - force expiration on purpose?


Azure Service Principals have an expiration date by default and need to be rotated.

But is there a way to invalidate or force expiry of a service principal?

Philippe Signoret (best answer)

The credentials used when a service principal authenticates can be stored either on the service principal itself, or on the backing application object (i.e. the "app registration").

Changing the expiration date of an existing credential is not currently supported. If you wish to disable a credential, you should delete it. (If you wish to re-enable it, you can simply add it back in as an authorized credential.)

Remove a credential from an application (app registration)

Using the Azure portal

  1. Navigate to Azure Active Directory > App registrations > (choose the app) > Certificates & secrets

  2. Next to any certificate or client secret, choose the "Delete" icon

    [Image: Certificates & secrets in the Azure portal]

Using Azure AD PowerShell

To remove a key credential (certificate):

Remove-AzureADApplicationKeyCredential -ObjectId "{id}" -KeyId "{key-id}"

To remove a password credential (client secret):

Remove-AzureADApplicationPasswordCredential -ObjectId "{id}" -KeyId "{key-id}"

Using Microsoft Graph

To remove a key credential (certificate):

POST https://graph.microsoft.com/v1.0/applications/{id}/removeKey
Content-type: application/json

{
    "keyId": "{key-id}",
    "proof": "{proof-jwt}"
}

To remove a password credential (client secret):

POST https://graph.microsoft.com/v1.0/applications/{id}/removePassword
Content-type: application/json

{
    "keyId": "{key-id}"
}

Remove a credential from a service principal

Using the Azure portal

It is not currently possible to use the Azure portal to manage credentials stored directly on the service principal.

Using Azure AD PowerShell

To remove a key credential (certificate):

Remove-AzureADServicePrincipalKeyCredential -ObjectId "{id}" -KeyId "{key-id}"

To remove a password credential (client secret):

Remove-AzureADServicePrincipalPasswordCredential -ObjectId "{id}" -KeyId "{key-id}"

Using Microsoft Graph

To remove a key credential (certificate):

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/removeKey
Content-type: application/json

{
    "keyId": "{key-id}",
    "proof": "{proof-jwt}"
}

To remove a password credential (client secret):

POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/removePassword
Content-type: application/json

{
    "keyId": "{key-id}"
}
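As an added example (not part of the answer above), this PowerShell script chains the AzureAD module cmdlets the answer lists into a single revocation step: it enumerates and deletes every certificate and client secret on both the app registration and the service principal, except any KeyId passed in -KeepKeyId (for example the freshly rotated secret). The script's parameter names are assumptions; the Get-AzureAD*Credential and Remove-AzureAD*Credential cmdlets are the module's own.

```powershell
# Added example, not code from the original answer. Revokes every credential on
# an app registration and on its service principal with the AzureAD module
# cmdlets, optionally keeping the KeyIds you name (e.g. the rotated-in secret).
# The object IDs are assumptions: pass the values from your own tenant.
param(
    [Parameter(Mandatory)] [string] $AppObjectId,   # application object ID (not the client/app ID)
    [Parameter(Mandatory)] [string] $SpObjectId,    # service principal object ID
    [string[]] $KeepKeyId = @(),                    # KeyIds to leave in place
    [switch]   $DryRun                              # only report, do not delete
)

Connect-AzureAD | Out-Null   # interactive sign-in; needs rights to manage both objects

function Remove-AllCredentials {
    param(
        [string] $ObjectId,
        [ValidateSet('Application', 'ServicePrincipal')] [string] $Kind
    )

    # Certificates (key credentials)
    foreach ($k in @(& "Get-AzureAD${Kind}KeyCredential" -ObjectId $ObjectId)) {
        if ($null -eq $k -or $KeepKeyId -contains $k.KeyId) { continue }
        Write-Host "$Kind $ObjectId key $($k.KeyId) (expires $($k.EndDate))"
        if (-not $DryRun) {
            & "Remove-AzureAD${Kind}KeyCredential" -ObjectId $ObjectId -KeyId $k.KeyId
        }
    }

    # Client secrets (password credentials)
    foreach ($p in @(& "Get-AzureAD${Kind}PasswordCredential" -ObjectId $ObjectId)) {
        if ($null -eq $p -or $KeepKeyId -contains $p.KeyId) { continue }
        Write-Host "$Kind $ObjectId password $($p.KeyId) (expires $($p.EndDate))"
        if (-not $DryRun) {
            & "Remove-AzureAD${Kind}PasswordCredential" -ObjectId $ObjectId -KeyId $p.KeyId
        }
    }
}

# Credentials can live on either object, so sweep both.
Remove-AllCredentials -ObjectId $AppObjectId -Kind 'Application'
Remove-AllCredentials -ObjectId $SpObjectId  -Kind 'ServicePrincipal'
```

Deleting a credential only blocks new token requests; access tokens already issued to the service principal remain valid until their own expiry, so this is not an immediate session kill.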