Audit SAML (SSO) Certs expired dates through Powershell. #48662

Closed
Ashok103606 opened this issue Feb 21, 2020 — with docs.microsoft.com · 16 comments


Is it possible to use PowerShell (AzureAD) to expose the expiration dates of SSO SAML certs? I would like to identify apps with expiring certs so they can be renewed in a timely fashion. Or is there a report or something else in Azure that can be run to expose this?



@SaurabhSharma-MSFT
Contributor

@Ashok103606 Thanks for your feedback! We will investigate and update as appropriate.

@SaurabhSharma-MSFT
Contributor

@Ashok103606 This is not possible and I suggest you post this as feedback at UserVoice. This will allow the community to upvote it and the product team to include it in their plans. The "This Product" button at the bottom of the document will take you directly to the appropriate feedback page.

Author

@saurabhsharma So you mean it's not possible with PowerShell, or that Azure does not have this feature at all? If I want to see the SAML certificate expiry date of each application, is navigating to each application in the Azure UI the only option available?

@SaurabhSharma-MSFT
Contributor

@Ashok103606 Sorry, my mistake. If you want to check the certificate expiration associated with a particular SAML-based application, try the "Get-AzureADServicePrincipal" PowerShell cmdlet; you can then retrieve the certificate expiry dates from the .KeyCredentials attribute.

$samlApplication = Get-AzureADServicePrincipal -ObjectId <<your saml application objectid>>
$samlApplication.KeyCredentials

I hope this is the information you are looking for.

Author

@saurabhsharma Thanks for the information. But is there any way I can expose them as a report (Application name, Object Id, Certificate expiry date) for SAML non-gallery applications? With the cmdlets you provided, I need to pass the ObjectID for every application.

$samlApplication = Get-AzureADServicePrincipal -ObjectId <>
$samlApplication.KeyCredentials

Like how, if I run the Get-AzureADApplication cmdlet, it gives ObjectId, AppId and Application name.

@SaurabhSharma-MSFT
Contributor

SaurabhSharma-MSFT commented Feb 28, 2020

@Ashok103606 No, I do not think any cmdlet exists which displays the information like a report. You may try writing a PowerShell script to go through all applications and display the matched application objects.

@SaurabhSharma-MSFT
Contributor

@Ashok103606 We will now proceed to close this thread. If there are further questions regarding this matter, please reopen it and we will gladly continue the discussion.

@samspade21

For anyone who is interested, I tossed together a quick script to show the expiring SAML certs in AzureAD Enterprise Applications. I hope this is of use to someone.

Import-Module AzureAD

Connect-AzureAD

#Change this to the number of days out you want to look
$daysOut = 30


#Main Script#
$doneID = ""          # ObjectId of the last app reported, so an app with several expiring creds is listed once
$countExpiring = 0

# Enterprise apps configured for SAML SSO: gallery apps carry the first tag, non-gallery (custom) apps the second
$allSAMLApps = Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")}

# $(...) is required to evaluate the expression inside the string; without it the text is printed literally
Write-Host "Looking for certs that expire by $((Get-Date).AddDays($daysOut))" -ForegroundColor Green
foreach ($singleApp in $allSAMLApps) {

    foreach ($KeyCredential in $singleApp.KeyCredentials) {

        # EndDate is the credential's expiry; anything already expired also matches
        if ( $KeyCredential.EndDate -lt (Get-Date).AddDays($daysOut) ) {
            if (($singleApp.ObjectId) -ne $doneID) {
                Write-Host " Name: " ($singleApp.DisplayName) " - Expiration: " $KeyCredential.EndDate
                $doneID = ($singleApp.ObjectId)
                $countExpiring = $countExpiring + 1
            }
        }

    }

}

# $countExpiring counts applications, not individual credentials
Write-Host "There are $countExpiring apps with expiring certs." -ForegroundColor Green
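As an added example (not code from the thread, and not Microsoft's), here is a version of the report @Ashok103606 asked for and that the script above sketches, written as a function that takes the objects Get-AzureADServicePrincipal returns, so the selection logic can be exercised offline against constructed sample data. The function names Get-SamlSigningCertReport and ConvertTo-Thumbprint and the three sample service principals are invented for the example. It rests on two assumptions worth checking in your own tenant: that a SAML signing certificate appears in KeyCredentials twice (Usage 'Verify' for the X.509 certificate and Usage 'Sign' for its symmetric twin, sharing one CustomKeyIdentifier), which is why a plain loop prints the same app twice without a $doneID guard; and that CustomKeyIdentifier holds the thumbprint bytes named by the service principal's PreferredTokenSigningKeyThumbprint, which lets the report pick the certificate actually in use rather than a rollover certificate that is already uploaded but not yet activated.

```powershell
# Added example, not code from the thread. Builds the per-application report
# from the objects Get-AzureADServicePrincipal returns.
# Assumptions to verify in your tenant: a SAML signing cert is stored in
# KeyCredentials twice (Usage 'Verify' = X.509 cert, Usage 'Sign' = symmetric
# twin, same CustomKeyIdentifier), and CustomKeyIdentifier holds the SHA-1
# thumbprint bytes that PreferredTokenSigningKeyThumbprint refers to.

$SamlSsoTags = @(
    'WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1'  # gallery app with SAML SSO
    'WindowsAzureActiveDirectoryCustomSingleSignOnApplication'   # non-gallery (custom) SAML app
)

# byte[] thumbprint -> uppercase hex string; $null in, $null out
function ConvertTo-Thumbprint([byte[]]$Bytes) {
    if (-not $Bytes) { return $null }
    ([System.BitConverter]::ToString($Bytes)) -replace '-', ''
}

function Get-SamlSigningCertReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $ServicePrincipal,
        [int]$DaysOut = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        $sp = $ServicePrincipal
        # Only enterprise apps configured for SAML SSO
        if (-not @($sp.Tags | Where-Object { $SamlSsoTags -contains $_ })) { return }

        # X.509 entries only, so each certificate is counted once
        $certs = @($sp.KeyCredentials | Where-Object { $_.Usage -eq 'Verify' })
        if ($certs.Count -eq 0) { return }

        # Report on the cert the tenant actually signs with; a rollover cert that
        # was uploaded but not activated must not hide an expiring active one.
        $active = $null
        if ($sp.PreferredTokenSigningKeyThumbprint) {
            $active = $certs |
                Where-Object { (ConvertTo-Thumbprint $_.CustomKeyIdentifier) -eq $sp.PreferredTokenSigningKeyThumbprint } |
                Select-Object -First 1
        }
        # No preferred thumbprint (or no match): fall back to the longest-lived cert
        if (-not $active) { $active = $certs | Sort-Object EndDate -Descending | Select-Object -First 1 }

        $daysLeft = [math]::Floor(($active.EndDate - $Now).TotalDays)
        [pscustomobject]@{
            DisplayName  = $sp.DisplayName
            ObjectId     = $sp.ObjectId
            AppId        = $sp.AppId
            Thumbprint   = ConvertTo-Thumbprint $active.CustomKeyIdentifier
            NotAfter     = $active.EndDate
            DaysLeft     = $daysLeft
            Expired      = ($daysLeft -lt 0)
            ExpiringSoon = ($daysLeft -le $DaysOut)
            CertsOnFile  = $certs.Count
        }
    }
}

# Constructed sample input (not real tenant data) so the logic runs offline
$now    = Get-Date '2024-01-01'
$thumbA = [byte[]](1..20)
$thumbB = [byte[]](21..40)
$sample = @(
    [pscustomobject]@{
        DisplayName = 'Contoso Payroll (custom SAML)'; ObjectId = 'sp-1'; AppId = 'app-1'
        Tags = @('WindowsAzureActiveDirectoryCustomSingleSignOnApplication')
        PreferredTokenSigningKeyThumbprint = (ConvertTo-Thumbprint $thumbA)
        KeyCredentials = @(
            [pscustomobject]@{ Usage = 'Verify'; Type = 'AsymmetricX509Cert'; CustomKeyIdentifier = $thumbA; EndDate = $now.AddDays(10) }
            [pscustomobject]@{ Usage = 'Sign';   Type = 'Symmetric';          CustomKeyIdentifier = $thumbA; EndDate = $now.AddDays(10) }
            [pscustomobject]@{ Usage = 'Verify'; Type = 'AsymmetricX509Cert'; CustomKeyIdentifier = $thumbB; EndDate = $now.AddYears(3) }  # uploaded, not active
        )
    }
    [pscustomobject]@{
        DisplayName = 'Gallery app, cert already expired'; ObjectId = 'sp-2'; AppId = 'app-2'
        Tags = @('WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1')
        PreferredTokenSigningKeyThumbprint = $null
        KeyCredentials = @([pscustomobject]@{ Usage = 'Verify'; Type = 'AsymmetricX509Cert'; CustomKeyIdentifier = $thumbB; EndDate = $now.AddDays(-5) })
    }
    [pscustomobject]@{
        DisplayName = 'OIDC app, not SAML'; ObjectId = 'sp-3'; AppId = 'app-3'; Tags = @()
        PreferredTokenSigningKeyThumbprint = $null
        KeyCredentials = @([pscustomobject]@{ Usage = 'Verify'; Type = 'AsymmetricX509Cert'; CustomKeyIdentifier = $null; EndDate = $now.AddDays(1) })
    }
)

# Offline run: sp-1 reports 10 days left on the active cert (not the 3-year
# rollover), sp-2 reports Expired, sp-3 is skipped as not SAML
$sample | Get-SamlSigningCertReport -DaysOut 30 -Now $now |
    Format-Table DisplayName, Thumbprint, NotAfter, DaysLeft, Expired, ExpiringSoon, CertsOnFile

# Live run (after Connect-AzureAD), e.g. from a scheduled runbook:
# Get-AzureADServicePrincipal -All $true | Get-SamlSigningCertReport -DaysOut 30 |
#     Where-Object ExpiringSoon | Export-Csv .\saml-signing-certs.csv -NoTypeInformation
```

Emitting objects rather than Write-Host lines is what makes the result usable from a scheduled job: Where-Object ExpiringSoon and Export-Csv (or a mail step) can consume it directly. The constructed sample covers the two cases a "print every credential that expires soon" loop gets wrong: the active certificate is still reported when a longer-lived replacement is already on file, and a certificate that has already lapsed is flagged Expired instead of being lumped in with "expiring".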

@nnylear67

I will have to try this out. I have been trying to find this information for a while, so it will be easier to manage our SAML SSO applications. Azure should have thought of something like this to prevent downtime. I will let you know my results and any modifications needed.

@helplessJ
Contributor

I think OP is trying to find out how to get a list of all SSO Enabled Enterprise Applications and the expiration date of the x509 certificate. I came upon this page looking for the same thing. My team needs a report of these:

@roszikg

roszikg commented Aug 4, 2022

I could not find a way to pull this info via the Graph API, but the SAML signing cert can be retrieved from the metadata URL, which is public, via this method:

$sp = Get-AzureADServicePrincipal -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
# Per-app federation metadata endpoint; public, no authentication required
$FedMetBaseUrl = "https://login.microsoftonline.com/$($tenantId)/federationmetadata/2007-06/federationmetadata.xml?appid="
$saml_certificate = if ($sp.Tags -Contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication") {
    $SamlMetadata = New-Object -TypeName System.Xml.XmlDocument
    $SamlMetadata.Load("$($FedMetBaseUrl + $sp.AppId)")
    if ($SamlMetadata.xml) {
        # Certificate carried in the metadata document's own XML signature
        $SamlCertificateBase64 = $SamlMetadata.EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate
        [System.Security.Cryptography.X509Certificates.X509Certificate2]([System.Convert]::FromBase64String($SamlCertificateBase64))
    }
}

$saml_certificate.NotBefore and $saml_certificate.NotAfter will give you the signing cert's start and expiry dates.
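Added example, not code from the thread. The snippet above reads the certificate embedded in the metadata document's own XML signature. SAML metadata also declares the IdP signing certificate explicitly, in IDPSSODescriptor/KeyDescriptor[@use='signing'], which is the element a service provider uses to validate assertion signatures; a parser keyed on that element also works on metadata from other identity providers. The function name Get-SamlIdpSigningCert is invented, and the sample metadata (hypothetical entityID) and its throwaway self-signed certificate are constructed inline so the block runs offline (the CertificateRequest class needs .NET Framework 4.7.2+ or PowerShell 7); the commented call at the end applies the same parser to the public tenant URL from the comment above.

```powershell
# Added example, not from the thread: pull the IdP signing cert(s) declared in
# SAML metadata and report their validity window.

function Get-SamlIdpSigningCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][xml]$Metadata,
        [datetime]$Now = (Get-Date)
    )
    $ns = [System.Xml.XmlNamespaceManager]::new($Metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # A KeyDescriptor with no 'use' attribute covers both signing and encryption
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $Metadata.SelectNodes($xpath, $ns)) {
        # Metadata often wraps the base64 across lines; strip whitespace before decoding
        $der  = [System.Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            DaysLeft   = [math]::Floor(($cert.NotAfter - $Now).TotalDays)
        }
    }
}

# Constructed sample: a throwaway self-signed cert (valid 20 more days) wrapped
# in minimal SAML metadata with a hypothetical entityID, so the parser runs offline
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Sample IdP signing', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sampleCert = $req.CreateSelfSigned([datetimeoffset]::UtcNow.AddDays(-1), [datetimeoffset]::UtcNow.AddDays(20))
$b64 = [System.Convert]::ToBase64String($sampleCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$sampleMetadata = @"
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.test/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>$b64</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

# Offline run: one row, DaysLeft 19 (floor of just under 20 days)
Get-SamlIdpSigningCert -Metadata $sampleMetadata | Format-Table Subject, Thumbprint, NotAfter, DaysLeft

# Against a real tenant/app (public URL from the comment above; fill in the two GUIDs):
# $url = "https://login.microsoftonline.com/$tenantId/federationmetadata/2007-06/federationmetadata.xml?appid=$appId"
# Get-SamlIdpSigningCert -Metadata ([xml](Invoke-WebRequest -Uri $url -UseBasicParsing).Content)
```

Selecting by namespace-qualified XPath rather than dotted property access matters when an IdP publishes more than one signing certificate (for example during a rollover): every declared certificate is returned with its own NotAfter, so the caller can see both the one about to expire and its replacement.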

@sktsjvs15

$doneID = ""

@samspade21 Thanks a lot. But could you tell me what I need to provide at $doneID? Thanks again.

@samspade21

@sktsjvs15 shouldn't need to touch that. I was just using that as a placeholder to not show the same application multiple times. Sort of a cheater (and not good) way to get a unique list.

@sktsjvs15

@sktsjvs15 shouldn't need to touch that. I was just using that as a placeholder to not show the same application multiple times. Sort of a cheater (and not good) way to get a unique list.

Hi @samspade21 I'm sorry I couldn't reply earlier. That script worked, absolute charm. Thanks a lot :) I am trying to schedule it to receive the report in an email. Thanks again.

@phunboy

phunboy commented May 19, 2023

@sktsjvs15 Were you able to get the script to function as a scheduled task to email the Azure app cert expirations? If so, can you provide assistance on this? Thanks.

@sktsjvs15

Hi @phunboy, here are the steps I took to schedule the PowerShell script in Azure Automation:

  1. Create an Azure Automation account: If you haven't already, create an Azure Automation account in your Azure subscription.

  2. Import your PowerShell script: Once you have the Azure Automation account set up, you need to import your PowerShell script. In the Azure portal, open your Automation account and navigate to the "Runbooks" section. Click on "Create a runbook" and select "Import an existing runbook." Upload your PowerShell script to Azure Automation.

  3. Configure the runbook: After importing the runbook, you need to configure it. Open the runbook and provide the necessary information, such as the runbook name, description, and type (PowerShell in this case). You may also need to configure any input parameters required by your script.

  4. Schedule the runbook: In the runbook page, click on the "Schedules" tab. Here, you can create a new schedule for your runbook. Click on "Add schedule" and define the schedule details, such as the start time, recurrence (weekly in my case), and any specific days or times when the script should run. Save the schedule.

  5. Publish your runbook. Azure Automation will automatically trigger it based on the defined schedule after publishing.
