Azure: Python SDK to list and calculate expired app registration client secrets

powerlordx1
December 5, 2022
263 views
0 votes
2 Answers

I am looking for a method to connect to Azure SDK via Python to get a list of expired app registration secrets before the 30 day expiration limit. I know this can be done using Powershell, but how would we would go with plugging Python SDK into Azure and fetching this not using powershell but with Python instead.

If there is any sample to get, how would we go about getting it?

The output should be something like this:

app_id:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
app_display_name:yourspname  
password_expire:2021-08-29T18:30:00+00:00

Answers

- Empty
- December 5, 2022 at 5:30 am
- 0 votes
0
I found the following a might pose helpful.

You can use the Azure Active Directory (AAD) Graph API to fetch the list of expired app registration secrets. The following is the request URI you can use to get this information:

https://graph.windows.net/<your_tenant_id>/applications?$filter=passwordCredentials/endDate lt <current_date>&$select=displayName,passwordCredentials

You can also refer to this article for more information on how to use the Graph API in Python: https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-python

Login or Signup to reply.

To get the client secret details of Azure AD applications, you can use below graph query:

https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials

To get same response using Python, you can make use of below code:

from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient

credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')

print(result.json())

I tried to reproduce the same in my environment and got below results:

I registered one Azure AD application and granted API permission like below:

When I ran the below Python code, I got the same response as below:

from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient

credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')

print(result.json())

Response:

Alternatively, you can use urllib3 library to get token to call Microsoft Graph like below:

import  urllib3
uri = "https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"
payload= {
'Content-Type': 'application/x-www-form-urlencoded',
'Host': 'login.microsoftonline.com',
'client_id':  <Your AppID>,
'scope': 'https://graph.microsoft.com/.default',
'client_secret': <Your client secret>,
'grant_type': 'client_credentials'
 }

http = urllib3.PoolManager()
response = http.request('POST', uri, payload)
my_dict = eval(response.data)
token = f"{my_dict['token_type']}  {my_dict['access_token']}"
print(token)

Response:

Now, run the below Python code to get the output in desired format:

uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials'
payload = {'Authorization':token,'Host':'graph.microsoft.com'}
https = urllib3.PoolManager()
response = http.request('GET', uri, headers=payload)
#print(response.data)

mydict = json.loads(response.data)
app_id=f"{mydict['value'][0]['id']}"
app_name=f"{mydict['value'][0]['displayName']}"
endDateTime = f"{mydict['value'][0]['passwordCredentials'][0]['endDateTime']}"
print("App_ID:",app_id)
print("App_Display_Name:",app_name)
print("Password_Expires:",password_expire)

Response:

Please signup or login to give your own answer.

Click here to cancel reply.