Home > Net >  Azure: Python SDK to list and calculate expired app registration client secrets
Azure: Python SDK to list and calculate expired app registration client secrets

Time:12-06

I am looking for a method to connect to Azure SDK via Python to get a list of expired app registration secrets before the 30 day expiration limit. I know this can be done using Powershell, but how would we would go with plugging Python SDK into Azure and fetching this not using powershell but with Python instead.

If there is any sample to get, how would we go about getting it?

The output should be something like this:

app_id:aaaaaaaa-bbbb-cccc-dddd-eeeeeeee
app_display_name:yourspname  
password_expire:2021-08-29T18:30:00 00:00

CodePudding user response:

I found the following a might pose helpful.

You can use the Azure Active Directory (AAD) Graph API to fetch the list of expired app registration secrets. The following is the request URI you can use to get this information:

https://graph.windows.net/<your_tenant_id>/applications?$filter=passwordCredentials/endDate lt <current_date>&$select=displayName,passwordCredentials

You can also refer to this article for more information on how to use the Graph API in Python: https://docs.microsoft.com/en-us/azure/active-directory/develop/tutorial-v2-python

CodePudding user response:

To get the client secret details of Azure AD applications, you can use below graph query:

https://graph.microsoft.com/v1.0/applications?$select=appId,displayName,passwordCredentials

enter image description here

To get same response using Python, you can make use of below code:

from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient

credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')

print(result.json())

I tried to reproduce the same in my environment and got below results:

I registered one Azure AD application and granted API permission like below:

enter image description here

When I ran the below Python code, I got the same response as below:

from azure.identity import ClientSecretCredential
from msgraph.core import GraphClient

credential = ClientSecretCredential(tenant_id=<tenantID>,client_secret=<secret>,client_id=<appID>)
client = GraphClient(credential=credential)
result = client.get('/applications?$select=id,displayName,passwordCredentials')

print(result.json())

Response:

enter image description here

Alternatively, you can use urllib3 library to get token to call Microsoft Graph like below:

import  urllib3
uri = "https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token"
payload= {
'Content-Type': 'application/x-www-form-urlencoded',
'Host': 'login.microsoftonline.com',
'client_id':  <Your AppID>,
'scope': 'https://graph.microsoft.com/.default',
'client_secret': <Your client secret>,
'grant_type': 'client_credentials'
 }

http = urllib3.PoolManager()
response = http.request('POST', uri, payload)
my_dict = eval(response.data)
token = f"{my_dict['token_type']}  {my_dict['access_token']}"
print(token)

Response:

enter image description here

Now, run the below Python code to get the output in desired format:

uri = 'https://graph.microsoft.com/v1.0/applications?$select=id,displayName,passwordCredentials'
payload = {'Authorization':token,'Host':'graph.microsoft.com'}
https = urllib3.PoolManager()
response = http.request('GET', uri, headers=payload)
#print(response.data)

mydict = json.loads(response.data)
app_id=f"{mydict['value'][0]['id']}"
app_name=f"{mydict['value'][0]['displayName']}"
endDateTime = f"{mydict['value'][0]['passwordCredentials'][0]['endDateTime']}"
print("App_ID:",app_id)
print("App_Display_Name:",app_name)
print("Password_Expires:",password_expire)

Response:

enter image description here

  • Related