Check Azure AD for expiring SSO certificates
Office 365 (AAD) Wednesday, 28 July 2021 by paul

The following PowerShell script lists the enterprise applications (service principals) in Azure AD that are configured for single sign-on and reports any whose SAML signing certificate has already expired or will expire within a chosen number of days. It uses the AzureAD PowerShell module and reuses an existing Connect-AzureAD session if one is present.

# List expired (or will expire within $days days) Azure AD application certificates
Import-Module AzureAD

# Reuse an existing session if there is one; otherwise prompt for sign-in
try {
    $null = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD
}

# Change this to the number of days out you want to look
$days = 30

# Get the enterprise applications (service principals) that use single sign-on
$SAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

Write-Host "Checking for certificates that expire within $days days"
$count = 0
$expiredcount = 0
foreach ($App in $SAMLApps) {
    # A SAML signing certificate is listed twice in KeyCredentials (Usage "Sign" and "Verify"),
    # so only report the first expiring entry per application
    $AppID = ""
    foreach ($KeyCredential in $App.KeyCredentials) {
        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) {
            if (($App.ObjectId) -ne $AppID) {
                # Expired/expiring certificate
                Write-Host " Application: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground red
                $AppID = ($App.ObjectId)
                $expiredcount = $expiredcount + 1
            }
        }
        else {
            # Valid certificate
            Write-Host " Application: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground green
        }
        $count = $count + 1
    }
}

# Output summary
Write-Host "There are $expiredcount applications with a certificate expired or due to expire (of $count key credentials checked)."
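The script above prints to the console and only looks at the signing certificates of SSO-tagged service principals. The following is an added example, not part of the original post, that goes a little further on the same topic: it checks certificates and client secrets, covers app registrations (Get-AzureADApplication) as well as enterprise applications, collapses the duplicate Sign/Verify entries that a SAML signing certificate produces, and emits objects so the result can be piped to Export-Csv. It uses the same AzureAD module and cmdlets as the post (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell; the filtering logic carries over unchanged). The function names, the inclusion of the "WindowsAzureActiveDirectoryIntegratedApp" tag, and the sample data are this example's own assumptions; the live function needs an existing Connect-AzureAD session.

```powershell
# Added example, not the original post's script.
# Get-ExpiringAadCredential works on any object exposing ObjectId, DisplayName,
# KeyCredentials and PasswordCredentials (what Get-AzureADServicePrincipal and
# Get-AzureADApplication return), so it can be exercised offline on constructed data.
function Get-ExpiringAadCredential {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $InputObject,
        [int]$Days = 30,
        [string]$ObjectType = 'ServicePrincipal'
    )
    process {
        $now    = Get-Date
        $cutoff = $now.AddDays($Days)
        $seen   = @{}
        $creds  = @()
        foreach ($k in $InputObject.KeyCredentials)      { $creds += [pscustomobject]@{ Kind = 'Certificate'; Cred = $k } }
        foreach ($p in $InputObject.PasswordCredentials) { $creds += [pscustomobject]@{ Kind = 'Secret';      Cred = $p } }
        foreach ($c in $creds) {
            $cred = $c.Cred
            # A SAML signing certificate is listed twice (Usage "Sign" and "Verify") with the same
            # thumbprint in CustomKeyIdentifier; collapse those to one row. Client secrets carry no
            # thumbprint, so fall back to the KeyId.
            $id  = if ($cred.CustomKeyIdentifier) { [Convert]::ToBase64String([byte[]]$cred.CustomKeyIdentifier) } else { [string]$cred.KeyId }
            $key = '{0}|{1}' -f $c.Kind, $id
            if ($seen.ContainsKey($key)) { continue }
            $seen[$key] = $true

            $end    = [datetime]$cred.EndDate
            $status = if ($end -lt $now) { 'Expired' } elseif ($end -lt $cutoff) { 'Expiring' } else { 'OK' }
            [pscustomobject]@{
                ObjectType  = $ObjectType
                DisplayName = $InputObject.DisplayName
                ObjectId    = $InputObject.ObjectId
                Kind        = $c.Kind
                KeyId       = $cred.KeyId
                EndDate     = $end
                DaysLeft    = [int][math]::Round(($end - $now).TotalDays)
                Status      = $status
            }
        }
    }
}

# Live report over the tenant (requires Connect-AzureAD to have been run first).
function Invoke-AadCredentialReport {
    param([int]$Days = 30, [string]$CsvPath)
    # Tags that mark SSO-configured enterprise apps. The third tag is an assumption added here
    # so that integrated (non-gallery) apps are not missed.
    $ssoTags = 'WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1',
               'WindowsAzureActiveDirectoryCustomSingleSignOnApplication',
               'WindowsAzureActiveDirectoryIntegratedApp'
    $report = @(
        Get-AzureADServicePrincipal -All $true |
            Where-Object { $tags = $_.Tags; ($ssoTags | ForEach-Object { $tags -contains $_ }) -contains $true } |
            Get-ExpiringAadCredential -Days $Days -ObjectType 'ServicePrincipal'
        Get-AzureADApplication -All $true |
            Get-ExpiringAadCredential -Days $Days -ObjectType 'Application'
    )
    if ($CsvPath) {
        $report | Where-Object Status -ne 'OK' | Sort-Object EndDate | Export-Csv -Path $CsvPath -NoTypeInformation
    }
    $report
}

# Constructed sample (not real tenant data): one SAML app whose signing certificate is listed
# for both Sign and Verify, plus an already-expired client secret.
$thumb  = [byte[]](1..20)
$sample = [pscustomobject]@{
    ObjectId            = '00000000-0000-0000-0000-000000000001'
    DisplayName         = 'Sample SAML app'
    KeyCredentials      = @(
        [pscustomobject]@{ KeyId = 'k1'; Usage = 'Sign';   CustomKeyIdentifier = $thumb; EndDate = (Get-Date).AddDays(10) },
        [pscustomobject]@{ KeyId = 'k2'; Usage = 'Verify'; CustomKeyIdentifier = $thumb; EndDate = (Get-Date).AddDays(10) }
    )
    PasswordCredentials = @(
        [pscustomobject]@{ KeyId = 's1'; CustomKeyIdentifier = $null; EndDate = (Get-Date).AddDays(-3) }
    )
}
$sample | Get-ExpiringAadCredential -Days 30 | Format-Table Kind, Status, DaysLeft, KeyId

# Live use, after Connect-AzureAD:
#   Invoke-AadCredentialReport -Days 30 -CsvPath "$env:USERPROFILE\Desktop\CertsAboutToExpire.csv" |
#       Where-Object Status -ne 'OK' | Format-Table ObjectType, DisplayName, Kind, Status, EndDate
```

Running the block as-is only exercises the constructed sample: the Sign and Verify entries share a thumbprint and are reported as a single Expiring certificate, and the secret is reported as Expired. Export-Csv is used for the file output rather than hand-built strings so that display names containing commas are quoted correctly. Note that including the integrated-app tag widens the service-principal query beyond gallery and custom SAML apps; drop it from $ssoTags if you only want the set the original script checks.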

Wednesday, 12 July 2023 by kong
Thank you so much!
Thursday, 01 June 2023 by Benoit
In the Get-AzureADServicePrincipal you should add: -or ($_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp") or you miss some apps.
Thursday, 23 March 2023 by Dirmax
This is what I used to export a CSV:

# List expired (or will expire within 30 days) AzureAD application certificates
Import-Module AzureAD

try {
    $var = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD
}

#Change this to the number of days out you want to look
$days = 30

# Get list of Azure AD apps that use single sign-on
$SAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

Write-Host "Checking for certificates that expire within $days days"
$count = 0
$expiredcount = 0
$CSVfile = "Certificate Name, Expiration Date`n"
foreach ($App in $SAMLApps) {
    $AppID = ""
    foreach ($KeyCredential in $App.KeyCredentials) {
        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) {
            if (($App.ObjectId) -ne $AppID) {
                # Expired/expiring certificate
                Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground red
                $AppID = ($App.ObjectId)
                $expiredcount = $expiredcount + 1
                $CSVfile += ($App.DisplayName) + ", " + $KeyCredential.EndDate + "`n"
            }
        }
        else {
            # Valid certificate
            Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground green
            $CSVfile += ($App.DisplayName) + ", " + $KeyCredential.EndDate + "`n"
        }
        $count = $count + 1
    }
}

# Output summary
Write-Host "There are $expiredcount certificates (of $count checked) due to expire or expired."
$CSVfile | Out-File "$($env:USERPROFILE)\Desktop\CertsAboutToExpire.csv"
Tuesday, 16 August 2022 by Siva
Thank you so much for the SCRIPT, I'm trying to save the results into a csv file and I'm NOT able to, what command should I add to import this into a csv file?
Tuesday, 16 August 2022 by Siva
Thank you so much for the SCRIPT, I'm trying to save the results into a csv file and I'm able to, what command should I add to import this into a csv file?
Thursday, 14 July 2022 by Paul
Thanks, PS Wannabee. I have updated the script.
Thursday, 14 July 2022 by PS Wannabee
There's a slight error in the script: if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) { should be if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) { ...otherwise the script does not check for expiring certificates since the variable daysOut does not have a value. Altering that makes this script work very nicely. Thanks for your work!
Wednesday, 20 October 2021 by Prince Pruthi
Thank you so much for this script. Do you have any script for App registration also? If I am correct, it will only pull Enterprise apps?