I am looking for a method to connect to Azure SDK via Python to get a list of expired app registration secrets before the 30 day expiration limit. I know this can be done using Powershell, but how would we would go with plugging Python SDK into Azure and fetching this not using powershell but with Python instead.
If there is any sample to get, how would we go about getting it?
The output should be something like this:
app_id:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
app_display_name:yourspname
password_expire:2021-08-29T18:30:00 00:00
CodePudding user response:
I found the following a might pose helpful.
You can use the Azure Active Directory (AAD) Graph API to fetch the list of expired app registration secrets. The following is the request URI you can use to get this information:
https://graph.windows.net/<your_tenant_id>/applications?$filter=passwordCredentials/endDate lt <current_date>&$select=displayName,passwordCredentials
You can also refer to this article for more information on how to use the Graph API in Python: https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-python
CodePudding user response:
To get the client secret details of Azure AD applications, you can use below graph query:
https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials
To get same response using Python, you can make use of below code:
from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient
credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')
print(result.json())
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and granted API permission like below:
When I ran the below Python code, I got the same response as below:
from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient
credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')
print(result.json())
Response:
Alternatively, you can use urllib3
library to get token to call Microsoft Graph like below:
import urllib3
uri = "https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"
payload= {
'Content-Type': 'application/x-www-form-urlencoded',
'Host': 'login.microsoftonline.com',
'client_id': <Your AppID>,
'scope': 'https://graph.microsoft.com/.default',
'client_secret': <Your client secret>,
'grant_type': 'client_credentials'
}
http = urllib3.PoolManager()
response = http.request('POST', uri, payload)
my_dict = eval(response.data)
token = f"{my_dict['token_type']} {my_dict['access_token']}"
print(token)
Response:
Now, run the below Python code to get the output in desired format:
uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials'
payload = {'Authorization':token,'Host':'graph.microsoft.com'}
https = urllib3.PoolManager()
response = http.request('GET', uri, headers=payload)
#print(response.data)
mydict = json.loads(response.data)
app_id=f"{mydict['value'][0]['id']}"
app_name=f"{mydict['value'][0]['displayName']}"
endDateTime = f"{mydict['value'][0]['passwordCredentials'][0]['endDateTime']}"
print("App_ID:",app_id)
print("App_Display_Name:",app_name)
print("Password_Expires:",password_expire)
Response: