
Azure: Python SDK to list and calculate expired app registration client secrets


I am looking for a method to connect to the Azure SDK via Python to get a list of expired app registration secrets before the 30 day expiration limit. I know this can be done using PowerShell, but how would we go about plugging the Python SDK into Azure and fetching this, not using PowerShell but Python instead?

If there is any sample to get, how would we go about getting it?

The output should be something like this:

app_id:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
app_display_name:yourspname  
password_expire:2021-08-29T18:30:00+00:00

Solution

  • To get the client secret details of Azure AD applications, you can use the Graph query below:

    https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials
    

    [screenshot of the query response]

    To get the same response using Python, you can use the code below:

    import json
    from azure.identity import ClientSecretCredential
    from msgraph.core import GraphClient  # msgraph-core 0.2.x exposes GraphClient
    
    # Replace the placeholders with your tenant ID, app (client) ID and client secret.
    credential = ClientSecretCredential(tenant_id="<tenantID>", client_id="<appID>", client_secret="<secret>")
    client = GraphClient(credential=credential)
    # Note: "id" is the application object ID; select "appId" instead if you want the
    # client ID shown in the question's expected output.
    result = client.get('/applications?$select=id,displayName,passwordCredentials')
    
    print(json.dumps(result.json(), indent=2))
    

    I tried to reproduce this in my environment and got the results below:

    I registered one Azure AD application and granted API permissions as shown below:

    [screenshot of the API permissions]

    When I ran the Python code above, I got the response shown below:

    Response: [screenshot]

    Alternatively, you can use the urllib3 library to get a token to call Microsoft Graph, like below:

    import json
    import urllib3
    
    uri = "https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"
    # Form fields for the client-credentials grant; replace the placeholders.
    payload = {
        'client_id': '<Your AppID>',
        'scope': 'https://graph.microsoft.com/.default',
        'client_secret': '<Your client secret>',
        'grant_type': 'client_credentials'
    }
    
    http = urllib3.PoolManager()
    # encode_multipart=False sends the fields URL-encoded, which the token endpoint expects.
    response = http.request('POST', uri, fields=payload, encode_multipart=False)
    # Parse the JSON body instead of eval(), which would execute whatever the server returned.
    my_dict = json.loads(response.data)
    token = f"{my_dict['token_type']} {my_dict['access_token']}"
    print(token)
    

    Response: [screenshot]

    Now, run the Python code below (it reuses http, token and json from the previous block) to get the output in the desired format:

    uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials'
    headers = {'Authorization': token}
    response = http.request('GET', uri, headers=headers)
    #print(response.data)
    
    mydict = json.loads(response.data)
    # Only the first application and its first secret are read here; loop over
    # mydict['value'] and each app's passwordCredentials to cover them all.
    app_id = mydict['value'][0]['id']
    app_name = mydict['value'][0]['displayName']
    password_expire = mydict['value'][0]['passwordCredentials'][0]['endDateTime']
    print("App_ID:", app_id)
    print("App_Display_Name:", app_name)
    print("Password_Expires:", password_expire)
    

    Response: [screenshot]
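The answer stops at printing the first application's first secret, while the question asks for every secret that is expired or about to expire within 30 days. The following is an added example, not code from the original answer or from a Microsoft SDK: it follows Graph's `@odata.nextLink` paging so applications beyond the first page are not missed, parses `endDateTime` (which Graph returns with a trailing `Z` and up to seven fractional digits, which older Python versions reject), and reports expired and soon-to-expire secrets in the format the question asked for. The function names (`iterate_applications`, `find_expiring_secrets`, `graph_get_page`), the fixed `EXAMPLE_NOW`, and the sample response pages are assumptions constructed for this example; the real interfaces used are the Graph response shape (`value`, `@odata.nextLink`, `passwordCredentials[].endDateTime`) and urllib3's `PoolManager.request`.

```python
"""Added example: report app registration secrets that are expired or expire within a
threshold. iterate_applications, find_expiring_secrets and the sample pages below are
assumptions constructed for this example, not the original answer's or an SDK's code."""
import json
from datetime import datetime, timedelta, timezone

THRESHOLD_DAYS = 30
FIRST_URL = ("https://graph.microsoft.com/v1.0/applications"
             "?$select=appId,displayName,passwordCredentials")
EXAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed "now" for the demo

# Constructed sample of two Graph response pages (all values are fabricated).
SAMPLE_PAGES = {
    FIRST_URL: json.dumps({
        "value": [
            {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "billing-api",
             "passwordCredentials": [
                 {"keyId": "k1", "endDateTime": "2024-01-01T00:00:00Z"},
                 {"keyId": "k2", "endDateTime": "2024-03-20T00:00:00Z"}]},
            {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "no-secrets",
             "passwordCredentials": []},
        ],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/applications?$skiptoken=constructed",
    }),
    "https://graph.microsoft.com/v1.0/applications?$skiptoken=constructed": json.dumps({
        "value": [
            {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "reporting-job",
             "passwordCredentials": [
                 {"keyId": "k3", "endDateTime": "2025-06-01T12:30:00.1234567Z"}]},
        ],
    }),
}


def parse_graph_datetime(value):
    """Graph returns ISO 8601 with a trailing 'Z' and up to seven fractional digits;
    datetime.fromisoformat() rejects both on Python < 3.11, so normalise first."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    main, sep, rest = value.partition(".")
    if sep:  # rest looks like "1234567+00:00": trim the fraction to microseconds
        frac, offset = rest[:-6], rest[-6:]
        value = f"{main}.{frac[:6].ljust(6, '0')}{offset}"
    return datetime.fromisoformat(value)


def iterate_applications(get_page, url=FIRST_URL):
    """Yield every application, following @odata.nextLink until the last page.
    get_page(url) returns the response body; injecting it keeps this testable offline."""
    while url:
        page = json.loads(get_page(url))
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def find_expiring_secrets(apps, now, threshold_days=THRESHOLD_DAYS):
    """One record per secret that is expired, or expires within threshold_days of now."""
    deadline = now + timedelta(days=threshold_days)
    findings = []
    for app in apps:
        for cred in app.get("passwordCredentials", []):
            expires = parse_graph_datetime(cred["endDateTime"])
            if expires > deadline:
                continue
            findings.append({
                "app_id": app["appId"],
                "app_display_name": app["displayName"],
                "key_id": cred.get("keyId"),
                "password_expire": expires.isoformat(),
                "status": "expired" if expires <= now else "expiring",
                "days_left": (expires - now).days,
            })
    return sorted(findings, key=lambda f: f["password_expire"])


def offline_get_page(url):
    """Page getter backed by the constructed sample pages above."""
    return SAMPLE_PAGES[url]


def graph_get_page(token):
    """Real page getter: token is the 'Bearer ...' string obtained in the answer above."""
    import urllib3
    http = urllib3.PoolManager()

    def get_page(url):
        resp = http.request("GET", url, headers={"Authorization": token})
        if resp.status != 200:
            raise RuntimeError(f"Graph returned HTTP {resp.status}: {resp.data[:200]!r}")
        return resp.data
    return get_page


def run_report(now=None, get_page=offline_get_page):
    now = now or datetime.now(timezone.utc)
    return find_expiring_secrets(iterate_applications(get_page), now)


if __name__ == "__main__":
    for f in run_report(EXAMPLE_NOW):
        print(f"app_id:{f['app_id']}\napp_display_name:{f['app_display_name']}\n"
              f"password_expire:{f['password_expire']}  ({f['status']}, {f['days_left']} days)\n")
```

Against a real tenant, call `run_report(get_page=graph_get_page(token))` with the `Bearer ...` token from the answer; the offline default runs against the constructed pages. Secrets are compared as timezone-aware datetimes, so the check is correct regardless of the machine's local zone, and applications with no `passwordCredentials` simply produce no findings.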