您现在访问的是微软AZURE全球版技术文档网站,若需要访问由世纪互联运营的MICROSOFT AZURE中国区技术文档网站,请访问 https://docs.azure.cn.

导出具有即将过期的机密和证书的应用

此 PowerShell 脚本示例从目录中将包含指定应用的即将过期机密、证书及其所有者的所有应用注册信息导出到一个 CSV 文件中。

如果还没有 Azure 订阅,可以在开始前创建一个免费帐户

此示例需要适用于 Graph 的 AzureAD V2 PowerShell 模块 (AzureAD) 或适用于 Graph 的 AzureAD V2 PowerShell 模块预览版 (AzureADPreview)。

示例脚本

#################################################################################
#DISCLAIMER: This is not an official PowerShell Script. We designed it specifically for the situation you have encountered right now.
#Please do not modify or change any preset parameters. 
#Please note that we will not be able to support the script if it is changed or altered in any way or used in a different situation for other means.

#This code-sample is provided "AS IT IS" without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
#This sample is not supported under any Microsoft standard support program or service.. 
#Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. 
#The entire risk arising out of the use or performance of the sample and documentation remains with you. 
#In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the script be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of  the use of or inability to use the sample or documentation, even if Microsoft has been advised of the possibility of such damages.
#################################################################################

Connect-AzureAD
$Applications = Get-AzureADApplication -all $true
$Logs = @()
Write-host "I would like to see the Applications with the Secrets and Certificates that expire in the next X amount of Days? <<Replace X with the number of days. The answer should be ONLY in Numbers>>" -ForegroundColor Green
$Days = Read-Host

Write-host "Would you like to see Applications with already expired secrets or certificates as well? <<Answer with [Yes] [No]>>" -ForegroundColor Green
$AlreadyExpired = Read-Host

$now = get-date

foreach ($app in $Applications) {
    $AppName = $app.DisplayName
    $AppID = $app.objectid
    $ApplID = $app.AppId
    $AppCreds = Get-AzureADApplication -ObjectId $AppID | select PasswordCredentials, KeyCredentials
    $secret = $AppCreds.PasswordCredentials
    $cert = $AppCreds.KeyCredentials

    foreach ($s in $secret) {
        $StartDate = $s.StartDate
        $EndDate = $s.EndDate
        $operation = $EndDate - $now
        $ODays = $operation.Days

        if ($AlreadyExpired -eq "No") {
            if ($ODays -le $Days -and $ODays -ge 0) {

                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectID -join ";"
                if ($owner.UserPrincipalName -eq $Null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }

                $Log = New-Object System.Object

                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $StartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -value $EndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $Null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -value $Null
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -value $OwnerID

                $Logs += $Log
            }
        }
        elseif ($AlreadyExpired -eq "Yes") {
            if ($ODays -le $Days) {
                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectID -join ";"
                if ($owner.UserPrincipalName -eq $Null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }

                $Log = New-Object System.Object
    
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Secret Start Date" -Value $StartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Secret End Date" -value $EndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $Null
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -value $Null
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -value $OwnerID

                $Logs += $Log
            }
        }
    }

    foreach ($c in $cert) {
        $CStartDate = $c.StartDate
        $CEndDate = $c.EndDate
        $COperation = $CEndDate - $now
        $CODays = $COperation.Days

        if ($AlreadyExpired -eq "No") {
            if ($CODays -le $Days -and $CODays -ge 0) {

                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectID -join ";"
                if ($owner.UserPrincipalName -eq $Null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }

                $Log = New-Object System.Object

                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $CStartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -value $CEndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -value $OwnerID

                $Logs += $Log
            }
        }
        elseif ($AlreadyExpired -eq "Yes") {
            if ($CODays -le $Days) {

                $Owner = Get-AzureADApplicationOwner -ObjectId $app.ObjectId
                $Username = $Owner.UserPrincipalName -join ";"
                $OwnerID = $Owner.ObjectID -join ";"
                if ($owner.UserPrincipalName -eq $Null) {
                    $Username = $Owner.DisplayName + " **<This is an Application>**"
                }
                if ($Owner.DisplayName -eq $null) {
                    $Username = "<<No Owner>>"
                }

                $Log = New-Object System.Object

                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationName" -Value $AppName
                $Log | Add-Member -MemberType NoteProperty -Name "ApplicationID" -Value $ApplID
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate Start Date" -Value $CStartDate
                $Log | Add-Member -MemberType NoteProperty -Name "Certificate End Date" -value $CEndDate
                $Log | Add-Member -MemberType NoteProperty -Name "Owner" -Value $Username
                $Log | Add-Member -MemberType NoteProperty -Name "Owner_ObjectID" -value $OwnerID

                $Logs += $Log
            }
        }
    }
}

Write-host "Add the Path you'd like us to export the CSV file to, in the format of <C:\Users\<USER>\Desktop\Users.csv>" -ForegroundColor Green
$Path = Read-Host
$Logs | Export-CSV $Path -NoTypeInformation -Encoding UTF8

脚本说明

此脚本无需修改即可直接使用。 系统会询问管理员到期日期,以及他们是否希望看到已过期的机密或证书。

“Add-Member”命令负责在 CSV 文件中创建列。 “New-Object”命令创建一个对象,用于 CSV 文件导出内容中的列。 如果希望导出为非交互式,则可以在 PowerShell 中使用 CSV 文件路径直接修改“$Path”变量。

命令 说明
Get-AzureADApplication 从目录中检索应用程序。
Get-AzureADApplicationOwner 从目录中检索应用程序的所有者。

后续步骤

要详细了解 Azure AD PowerShell 模块,请参阅 Azure AD PowerShell 模块概述

有关应用程序管理的其他 PowerShell 示例,请参阅应用程序管理的 Azure AD PowerShell 示例