Home
Check Azure AD for expiring SSO certificates
Office 365 (AAD) Wednesday, 28 July 2021 by paul

The following PowerShell script will check Azure AD Applications to see if any, using SSO, have a certificate that has expired or will do so within a specific period.

# List expired (or will expire within 30 days) AzureAD application certificates
Import-Module AzureAD

try { 
    $var = Get-AzureADTenantDetail 
   } 
   catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] { 
    Connect-AzureAD
   }

#Change this to the number of days out you want to look
$days = 30

# Get list of Azure AD apps that use single sign-on
$SAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

Write-Host "Checking for certificates that expire within $days days"
$count = 0
$expiredcount = 0
foreach ($App in $SAMLApps) {
    $AppID = ""
    foreach ($KeyCredential in $App.KeyCredentials) {
        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) {
            if (($App.ObjectId) -ne $AppID) {
                # Expired/expiring crtificate
                Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground red
                $AppID = ($App.ObjectId)
                $expiredcount = $expiredcount + 1
            }
        }
        else {
            # Valid certificate
            Write-Host " Certificate Name: " ($App.DisplayName) " - Expiration Date: " $KeyCredential.EndDate -Foreground green
        }
        $count = $count + 1
    }
}

# Output summary
Write-Host "There are $expiredcount certificates (of $count checked) due to expire or expired."

 


Add Comment
Thursday, 14 July 2022 by Paul
Thanks, PS Wannabee. I have updated the script.
Thursday, 14 July 2022 by PS Wannabee
There's a slight error in the script- if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) { should be if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($days) ) { ...otherwise the script does not check for expiring certificates since the variable daysOut does not have a value Altering that makes this script work very nicely. Thanks for your work!
Wednesday, 20 October 2021 by Prince Pruthi
Thank you so much for this script. Do you have any script for App registration also? If i am correct, it will only pull Enteprise apps?