I have a lot of service principals that have not been maintained as well as they should have been. They are used in different pipelines and God only knows what else.

I am trying to figure out a way to get a list of the invalid service principals. I can get all service principals by using Get-AzADServicePrincipal, but that only gives me identifying information, not certificate status.

It also does not seem like Azure Resource Graph is going to give me this information.

So I am wondering if there is a trick that I am not aware of to get this information.

edit: After looking at akb's answer, the first part of the script would be something like

$value = Get-AzADServicePrincipal

$principalsWithOutdatedCerts = [System.Collections.ArrayList]@()
$principalsWithNoCerts = [System.Collections.ArrayList]@()

# Arrays are zero-based: start at 0 and stop before Count.
for ($num = 0; $num -lt $value.Count; $num++) {
    $cert = Get-AzADSpCredential -ObjectId $value[$num].Id

    # Check for "no credentials" first; otherwise a $null EndDate compares as
    # older than today and the principal would land in both lists.
    if ($null -eq $cert) {
        [void]$principalsWithNoCerts.Add($value[$num].Id)
        continue
    }

    # A principal is outdated when none of its credentials is still valid.
    # ($cert may be one object or an array; @() makes both cases uniform.)
    $stillValid = @($cert | Where-Object { $_.EndDate -gt (Get-Date) })
    if ($stillValid.Count -eq 0) {
        [void]$principalsWithOutdatedCerts.Add($value[$num].Id)   # [void] hides the index .Add returns
        Write-Output $value[$num].Id
    }
}

Now it only remains to connect those service principals to the resources that need them :)

There is 1 answer

akb

This script will show whether the Service Principal has certs or not

$value = Get-AzADServicePrincipal
# Keep a DateTime; the string that -Format d produces makes the comparison
# below culture-dependent.
$date = Get-Date

# Zero-based indexing: stop before Count, or the last iteration passes a
# $null ObjectId to Get-AzADSpCredential.
for ($num = 0; $num -lt $value.Count; $num++) {
    Write-Output $value[$num].Id
    # Note: Get-AzADSpCredential returns password credentials (client
    # secrets) as well as certificates; both count as "certs" here.
    $cert = Get-AzADSpCredential -ObjectId $value[$num].Id
    if ($null -eq $cert) {
        Write-Output "$($value[$num].DisplayName) has no certs"
    }
    else {
        # $cert may be a single object or an array; wrap it so Count and
        # indexing behave the same either way.
        $cert = @($cert)
        for ($i = 0; $i -lt $cert.Count; $i++) {
            if ($cert[$i].EndDate -gt $date) {
                Write-Output "$($value[$num].DisplayName) has valid certs"
            }
        }
    }
}
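As an added example (not code from the question or from akb's answer), the script below generalises both scripts above: it classifies every service principal as NoCredentials, AllExpired, ExpiringSoon or Healthy, counts certificates and client secrets separately (Get-AzADSpCredential returns both; only certificates carry Type 'AsymmetricX509Cert'), and, for the follow-up in the question about tying principals to resources, lists each principal's role assignments via Get-AzRoleAssignment. The helper names (Get-CredentialEndDate, Get-SpCredentialState, Invoke-SpCredentialAudit) are my own. The live audit assumes Az.Accounts and Az.Resources are installed and Connect-AzAccount has been run; the credential objects at the end are constructed sample data so the classification can be checked offline.

```powershell
# Added example, not code from the question or the answer above.
# Live part assumes Az.Accounts/Az.Resources and an authenticated session.

function Get-CredentialEndDate {
    # Az.Resources 4.x and later (Microsoft Graph based) expose EndDateTime;
    # earlier versions exposed EndDate. Accept either, return $null if neither.
    param($Credential)
    foreach ($name in 'EndDateTime', 'EndDate') {
        if ($Credential.PSObject.Properties[$name] -and $Credential.$name) {
            return [datetime]$Credential.$name
        }
    }
    return $null
}

function Get-SpCredentialState {
    # Classify one service principal from the objects Get-AzADSpCredential
    # returns for it. Certificates have Type 'AsymmetricX509Cert'; anything
    # else is treated as a client secret.
    # State: NoCredentials, AllExpired, ExpiringSoon or Healthy.
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ObjectId,
        [AllowNull()][object[]]$Credentials,
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 30
    )
    $creds   = @($Credentials | Where-Object { $null -ne $_ })
    $certs   = @($creds | Where-Object { $_.Type -eq 'AsymmetricX509Cert' })
    $secrets = @($creds | Where-Object { $_.Type -ne 'AsymmetricX509Cert' })
    $ends    = @($creds | ForEach-Object { Get-CredentialEndDate $_ } | Where-Object { $null -ne $_ })
    $future  = @($ends | Where-Object { $_ -gt $Now })
    $latest  = $ends | Sort-Object -Descending | Select-Object -First 1

    $state = if ($creds.Count -eq 0) { 'NoCredentials' }
             elseif ($future.Count -eq 0) { 'AllExpired' }
             elseif ($latest -le $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
             else { 'Healthy' }

    [pscustomobject]@{
        DisplayName  = $DisplayName
        ObjectId     = $ObjectId
        State        = $state
        Certificates = $certs.Count
        Secrets      = $secrets.Count
        LatestExpiry = $latest
    }
}

function Invoke-SpCredentialAudit {
    # Live run over the whole tenant. RoleAssignments lists the scopes the
    # principal has rights on, which is where a stale principal is "used".
    param([int]$WarnDays = 30)
    foreach ($sp in Get-AzADServicePrincipal) {
        $creds = Get-AzADSpCredential -ObjectId $sp.Id -ErrorAction SilentlyContinue
        $row   = Get-SpCredentialState -DisplayName $sp.DisplayName -ObjectId $sp.Id `
                                       -Credentials $creds -WarnDays $WarnDays
        $scopes = @(Get-AzRoleAssignment -ObjectId $sp.Id -ErrorAction SilentlyContinue |
                    ForEach-Object { "$($_.RoleDefinitionName)@$($_.Scope)" })
        $row | Add-Member -NotePropertyName RoleAssignments -NotePropertyValue ($scopes -join '; ') -PassThru
    }
}

# Constructed sample input (not real tenant data) exercising every state.
# Expected: build-pipeline Healthy, legacy-deployer AllExpired,
# rotate-me ExpiringSoon, orphan NoCredentials.
$now = Get-Date '2024-01-15'
$samples = @(
    @{ DisplayName = 'build-pipeline';  Creds = @([pscustomobject]@{ Type = 'AsymmetricX509Cert'; EndDateTime = '2025-06-01' }) }
    @{ DisplayName = 'legacy-deployer'; Creds = @([pscustomobject]@{ Type = 'AsymmetricX509Cert'; EndDate = '2022-03-01' },
                                                 [pscustomobject]@{ Type = 'Password';           EndDate = '2023-11-30' }) }
    @{ DisplayName = 'rotate-me';       Creds = @([pscustomobject]@{ Type = 'Password'; EndDateTime = '2024-02-01' }) }
    @{ DisplayName = 'orphan';          Creds = $null }
)
$samples | ForEach-Object {
    Get-SpCredentialState -DisplayName $_.DisplayName -ObjectId ([guid]::NewGuid().ToString()) `
                          -Credentials $_.Creds -Now $now
} | Format-Table -AutoSize
```

For the real tenant, replace the sample section with something like `Invoke-SpCredentialAudit | Where-Object State -ne 'Healthy' | Export-Csv stale-sps.csv -NoTypeInformation`; the RoleAssignments column then tells you which subscriptions, resource groups or resources each stale principal still has rights on, which is the part the question's follow-up was asking for.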