Check Azure AD for expiring SSO certificates
Office 365 (AAD) Wednesday, 28 July 2021 by paul

The following PowerShell script checks Azure AD applications that use single sign-on and reports any whose certificate has already expired or will expire within a specified number of days.

# List expired (or will expire within 30 days) AzureAD application certificates
Import-Module AzureAD

# Reuse an existing Azure AD session if there is one, otherwise prompt to sign in
try {
    $var = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD
}

# Change this to the number of days out you want to look
$days = 30

# Get list of Azure AD apps that use single sign-on
$SAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

Write-Host "Checking for certificates that expire within $days days"
$count = 0
$expiredcount = 0
foreach ($App in $SAMLApps) {
    $AppID = ""
    foreach ($KeyCredential in $App.KeyCredentials) {
        # Compare against $days (the original used an undefined $daysOut, which
        # silently became 0 days and so only reported already-expired certificates)
        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) {
            # Report each app only once, even if it has several expiring certificates
            if (($App.ObjectId) -ne $AppID) {
                # Expired/expiring certificate
                Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground red
                $AppID = ($App.ObjectId)
                $expiredcount = $expiredcount + 1
            }
        }
        else {
            # Valid certificate
            Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground green
        }
        $count = $count + 1
    }
}

# Output summary
Write-Host "There are $expiredcount certificates (of $count checked) due to expire or expired."
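As an added example (not part of the original post), the same check extended beyond enterprise apps to app registrations (Get-AzureADApplication) and to client secrets (PasswordCredentials), emitting objects instead of coloured text so the result can be sorted, filtered or exported. It assumes the AzureAD module is loaded and a Connect-AzureAD session already exists; Get-ExpiringCredential is a helper name chosen here.

```powershell
# Added example, not the original script: checks app registrations and enterprise
# apps for certificates AND client secrets that are expired or expiring.
# Assumes the AzureAD module is imported and Connect-AzureAD has been run.
param([int]$Days = 30)
$now    = Get-Date
$cutoff = $now.AddDays($Days)

function Get-ExpiringCredential {
    param([string]$Kind, [object]$Object)
    # KeyCredentials (certificates) and PasswordCredentials (client secrets)
    # both carry an EndDate; emit one object per credential inside the window.
    foreach ($cred in (@($Object.KeyCredentials) + @($Object.PasswordCredentials))) {
        if ($null -eq $cred -or $null -eq $cred.EndDate) { continue }
        if ($cred.EndDate -ge $cutoff) { continue }
        # Distinguish the two credential classes by their type name
        $isSecret = $cred.GetType().Name -eq 'PasswordCredential'
        [pscustomobject]@{
            ObjectType     = $Kind
            DisplayName    = $Object.DisplayName
            ObjectId       = $Object.ObjectId
            CredentialType = $(if ($isSecret) { 'ClientSecret' } else { 'Certificate' })
            KeyId          = $cred.KeyId
            EndDate        = $cred.EndDate
            DaysRemaining  = [math]::Floor(($cred.EndDate - $now).TotalDays)
            Status         = $(if ($cred.EndDate -lt $now) { 'Expired' } else { 'Expiring' })
        }
    }
}

# Same SSO tag filter the script above applies to service principals
$ssoTags = @('WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1',
             'WindowsAzureActiveDirectoryCustomSingleSignOnApplication')

$results = @(
    # App registrations: every application object in the tenant
    foreach ($app in (Get-AzureADApplication -All $true)) {
        Get-ExpiringCredential -Kind 'Application' -Object $app
    }
    # Enterprise apps that use single sign-on
    foreach ($sp in (Get-AzureADServicePrincipal -All $true)) {
        if (@($sp.Tags | Where-Object { $ssoTags -contains $_ }).Count -gt 0) {
            Get-ExpiringCredential -Kind 'ServicePrincipal' -Object $sp
        }
    }
)

$results | Sort-Object EndDate |
    Format-Table ObjectType, DisplayName, CredentialType, Status, DaysRemaining, EndDate -AutoSize
$expired  = @($results | Where-Object Status -eq 'Expired').Count
$expiring = @($results | Where-Object Status -eq 'Expiring').Count
Write-Host "$expired expired, $expiring expiring within $Days days (of $(@($results).Count) flagged)"
```

Pipe `$results` to Export-Csv instead of Format-Table to keep a record for the next review cycle.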

Wednesday, 20 October 2021 by Prince Pruthi
Thank you so much for this script. Do you have any script for App registration also? If I am correct, it will only pull Enterprise apps?