question

MiloJames-2450 asked SaurabhSharma-msft commented

Managed Identities to be filtered from app certificate/keys expiry list

Hi Team,

We have a similar script being used to get the details of all app certificates and their key expiry before their actual end dates, so that we can have them renewed. I noticed that it also gathers Managed Identities along with them. As managed identity certs/keys are auto-renewed, we would like to exclude them.

Request you to let us know how we can filter them out using ($_.Type -ne <What should be managed identity type>) here.

I hope to have the right team look into it and share the details. I was not getting it for Managed Identity in Azure.


azure-active-directory

Hi @milojames-2450,
Thanks for using Microsoft Q&A!
I tried to use the code but I am not getting any Managed Identities in this list and am seeing only registered applications. Can you please share the type of resource (web app, etc.) for which you are seeing managed identity details? Also, could you please share the actual code if you have modified any part of the code from the shared link.

Thanks
Saurabh


Hi,

We use the below script and it does pop up all the managed identities.


 # Missing closing brace in the original post; the filter block and Where-Object call are closed here.
 $AzApps = Get-AzADServicePrincipal | Where-Object -FilterScript { ($_.DisplayName -notlike "*Microsoft*") }

This way, we would like to filter out Managed identities.



1 Answer

SaurabhSharma-msft answered SaurabhSharma-msft commented

Hi @milojames-2450
OK, got it. You could use the cmdlet below to filter out Managed Identities, as managed identities contain 'https://identity.azure.net' as part of their Service Principal Names.

$AzApps = Get-AzADServicePrincipal | Where-Object -FilterScript { ($_.ServicePrincipalNames -notmatch "https://identity.azure.net") }

Please let me know if this helps to achieve your goal.

Thanks
Saurabh


Please do not forget to "Accept the answer" wherever the information provided helps you to help others in the community.


Hi Saurabh,

It still gathered all our AKS managed identities when I ran the above script as shared by you.


@milojames-2450 OK, I am checking on this and will get back to you if we can filter those out.

Thanks
Saurabh


Hi @milojames-2450, instead of using Get-AzADServicePrincipal, can you try using Get-AzureADServicePrincipal to get service principals? This cmdlet returns "ServicePrincipalType" as one of the properties, and it is set to "ManagedIdentity" for managed identities like your AKS. So you can use a cmdlet something like the one below to exclude managed identities -

Get-AzureADServicePrincipal -All:$true | Where-Object { ($_.ServicePrincipalType -ne "ManagedIdentity" ) }

Thanks
Saurabh

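Putting the ServicePrincipalType filter from the last comment to use, as an added example rather than code from the thread: a PowerShell script that lists certificate and client-secret credentials on service principals, excludes managed identities (whose credentials the platform rotates), and reports only those expiring within a given number of days. It assumes the AzureAD module and an existing Connect-AzureAD session with read access to service principals; the $DaysAhead parameter and the New-ExpiryRecord helper are names chosen here, not cmdlets or thread code.

```powershell
param([int]$DaysAhead = 30)   # report credentials expiring within this many days

# Assumes Connect-AzureAD has already been run in this session.
$now    = Get-Date
$cutoff = $now.AddDays($DaysAhead)

# ServicePrincipalType is "ManagedIdentity" for system- and user-assigned identities
# (e.g. AKS). Their certificates/keys are auto-renewed, so they are excluded here,
# along with the "*Microsoft*" first-party entries the original script skipped.
$servicePrincipals = Get-AzureADServicePrincipal -All:$true |
    Where-Object {
        $_.ServicePrincipalType -ne "ManagedIdentity" -and
        $_.DisplayName -notlike "*Microsoft*"
    }

function New-ExpiryRecord {
    # Helper defined for this example: emits one report row when the credential
    # expires on or before $cutoff, otherwise emits nothing.
    param($Sp, $Credential, [string]$Kind)
    if ($null -eq $Credential.EndDate -or $Credential.EndDate -gt $cutoff) { return }
    [pscustomobject]@{
        DisplayName    = $Sp.DisplayName
        AppId          = $Sp.AppId
        CredentialType = $Kind
        KeyId          = $Credential.KeyId
        EndDate        = $Credential.EndDate
        DaysLeft       = [int]($Credential.EndDate - $now).TotalDays   # negative = already expired
    }
}

$report = foreach ($sp in $servicePrincipals) {
    # Certificate (asymmetric key) credentials
    Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId |
        ForEach-Object { New-ExpiryRecord -Sp $sp -Credential $_ -Kind "Certificate" }
    # Client secret (password) credentials
    Get-AzureADServicePrincipalPasswordCredential -ObjectId $sp.ObjectId |
        ForEach-Object { New-ExpiryRecord -Sp $sp -Credential $_ -Kind "ClientSecret" }
}

# Soonest expiry first; rows with negative DaysLeft have already lapsed.
$report | Sort-Object EndDate | Format-Table -AutoSize
```

Rows with a negative DaysLeft value point at credentials that have already expired and should be cleaned up or renewed, not just those still approaching their end date.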