3
votes

I am trying to get the expiry date of the client secrets for our AAD application. However, when I use the following Graph request, the passwordCredential and keyCredential fields are blank.

https://graph.windows.net/myorganization/directoryObjects/{ServicePrincipalObjectId}/?api-version=1.6

Is there a way to get this data? I see it in the manifest if I download that, just not in the OData object.

Thank you for your help!

2
Does my answer work for you? - juvchan
I get an empty collection when I query for that. I was able to use this NuGet package and get the collection of password credentials: nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient - Aditya Kaul

2 Answers

4
votes

Use this AAD Graph API below:

https://graph.windows.net/{org_domain}/applications/{obj_id}/passwordCredentials

The response will show the list of keys used by your specific AAD Application.

You can derive the expiration date of your key from the endDate field.

{
  "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)",
  "value": [
    {
      "customKeyIdentifier": null,
      "endDate": "2018-05-07T09:12:13.2177408Z",
      "keyId": "{your_key_id}",
      "startDate": "2016-05-07T09:12:13.2177408Z",
      "value": null
    }
  ]
}
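The answer above shows the raw passwordCredentials response; what an operator usually wants next is to turn the endDate values into an expiry report (expired, expiring soon, ok) so that a secret rotation can be scheduled before it lapses. The script below is an added example, not code from the question or from either answer. The sample response is constructed in the shape shown above (key ids and dates are made up), and fetch_password_credentials assumes you already hold a bearer token for graph.windows.net obtained by some other means; the parsing and reporting logic runs offline on the sample.

```python
"""Expiry report for AAD application secrets from a passwordCredentials response.

Added example (not from the Q&A above). The HTTP call is sketched in
fetch_password_credentials and assumes a bearer token obtained elsewhere;
expiry_report runs on the constructed SAMPLE_RESPONSE without network access.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample response mirroring the answer's JSON shape. The key ids
# and dates are made up for this example.
SAMPLE_RESPONSE = json.dumps({
    "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata"
                      "#Collection(Microsoft.DirectoryServices.PasswordCredential)",
    "value": [
        {"customKeyIdentifier": None, "endDate": "2018-05-07T09:12:13.2177408Z",
         "keyId": "11111111-1111-1111-1111-111111111111",
         "startDate": "2016-05-07T09:12:13.2177408Z", "value": None},
        {"customKeyIdentifier": None, "endDate": "2030-01-01T00:00:00Z",
         "keyId": "22222222-2222-2222-2222-222222222222",
         "startDate": "2028-01-01T00:00:00Z", "value": None},
        {"customKeyIdentifier": None, "endDate": "2025-03-01T12:00:00Z",
         "keyId": "33333333-3333-3333-3333-333333333333",
         "startDate": "2024-03-01T12:00:00Z", "value": None},
    ],
})


def fetch_password_credentials(org_domain, app_object_id, bearer_token):
    """GET the passwordCredentials collection from AAD Graph (assumed token)."""
    url = (f"https://graph.windows.net/{org_domain}/applications/"
           f"{app_object_id}/passwordCredentials?api-version=1.6")
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8")


def parse_graph_datetime(value):
    """Parse an AAD Graph timestamp such as 2018-05-07T09:12:13.2177408Z.

    The fraction can carry seven digits, which strptime's %f (six digits max)
    rejects, so the fraction is truncated to microseconds before parsing.
    """
    if value.endswith("Z"):
        value = value[:-1]
    main, _, frac = value.partition(".")
    dt = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    if frac:
        dt = dt.replace(microsecond=int(frac[:6].ljust(6, "0")))
    return dt.replace(tzinfo=timezone.utc)


def expiry_report(response_json, now=None, warn_days=30):
    """Return one record per credential: keyId, endDate, daysLeft and status.

    status is "expired" when endDate has passed, "expiring-soon" when it falls
    within warn_days, otherwise "ok". Records are sorted most urgent first.
    """
    now = now or datetime.now(timezone.utc)
    report = []
    for cred in json.loads(response_json).get("value", []):
        end = parse_graph_datetime(cred["endDate"])
        remaining = end - now            # negative once the secret has expired
        if remaining <= timedelta(0):
            status = "expired"
        elif remaining <= timedelta(days=warn_days):
            status = "expiring-soon"
        else:
            status = "ok"
        report.append({
            "keyId": cred["keyId"],
            "endDate": end.isoformat(),
            "daysLeft": remaining.days,
            "status": status,
        })
    return sorted(report, key=lambda r: r["daysLeft"])


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_password_credentials()
    # output to report on a real application.
    for row in expiry_report(SAMPLE_RESPONSE):
        print(f"{row['status']:<14} {row['daysLeft']:>6} days  {row['keyId']}  {row['endDate']}")
```

Note that `value` is always null in this collection: AAD Graph never returns the secret itself after creation, only its metadata, so the report can be generated by a read-only automation account without ever handling the secret material.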

0
votes

As an alternative to using Graph API, you might also consider using the Get-AzAdApplication cmdlet together with Get-AzAdAppCredential, which are part of Az PowerShell.

https://docs.microsoft.com/en-us/powershell/module/az.resources/get-azadappcredential?view=azps-5.5.0
