Calculating expiration of Azure secrets
What my script does is get a list of Azure app registrations and then calculate how many days are left until the secret expires. It works fine in the main, except that if an app registration has 2 secrets it falls over. Having 2 secrets isn't common, but we introduced a 2nd secret on one app registration just for a short period of testing.
After obtaining the list of app registrations (there are 10 in total), my script then goes through each of them to obtain the expiration date and then calculate the number of days left. Below is a snippet ...
    foreach ($app in $applications) {
        $Appname = $app.displayName
        $AppID = $app.Id
        $ApplID = $app.AppId
        $AppCreds = Get-AzADAppCredential -ObjectId $AppID | select StartDateTime, EndDateTime, Hint
        $today = get-date
        $StartDate = $AppCreds.StartDateTime
        $EndDate = $AppCreds.EndDateTime
        $operation = $EndDate - $today
        $ODays = $operation.Days
        # Check how many days are remaining for secret expiration
        if ($ODays -le $Days -and $ODays -ge 0)
Once obtained it sends an e-mail if a secret is going to expire within 60 days.
When the script hits the app registration with two secrets it fails with ...
"Problem occurred: Method invocation failed because [System.Object[]] does not contain a method named 'op_Subtraction'."
Any ideas why this is happening?
Solution 1:[1]
$AppCreds is an array if you have more than one app secret. Here is a fully reworked script to build the report:
    function Get-AzADAppCredentialExpiration(){
        $retArray = @()
        $applications = Get-AzADApplication
        $today = get-date
        foreach($app in $applications){
            # @() forces an array, so one secret and many secrets are handled the same way
            $AppCreds = @(Get-AzADAppCredential -ObjectId $app.Id)
            # One report row per credential
            $AppCreds | %{
                $retArray += [PSCustomObject]@{
                    AppName = $app.DisplayName;
                    ClientSecretId = $_.KeyId
                    SecretHint = $_.Hint
                    DaysLeft = ($_.EndDateTime - $today).Days
                }
            }
        }
        return $retArray
    }

    $report = Get-AzADAppCredentialExpiration

    # Secrets expiring within the next 30 days, grouped per application
    $report | ? {$_.DaysLeft -le 30 -and $_.DaysLeft -gt 0} | Group-Object -Property AppName | %{
        Write-Host "Key for application $($_.Name) will be expired soon:" -ForegroundColor Yellow
        $_.Group | %{
            Write-Host "`t$($_.SecretHint) ($($_.ClientSecretId))" -ForegroundColor Yellow
        }
    }

    # Secrets that have already expired, grouped per application
    $report | ? {$_.DaysLeft -le 0} | Group-Object -Property AppName | %{
        Write-Host "Key for application $($_.Name) are expired:" -ForegroundColor Red
        $_.Group | %{
            Write-Host "`t$($_.SecretHint) ($($_.ClientSecretId))" -ForegroundColor Red
        }
    }
Old answer
$AppCreds is an array if you have more than one app secret. So you should check whether it is an array and then calculate accordingly:
    foreach ($app in $applications) {
        $Appname = $app.displayName
        $AppID = $app.Id
        $ApplID = $app.AppId
        $AppCreds = Get-AzADAppCredential -ObjectId $AppID | select StartDateTime, EndDateTime, Hint
        $today = get-date
        if($AppCreds -is [Array]){
            # More than one secret: calculate for each credential separately
            $AppCreds | %{
                $StartDate = $_.StartDateTime
                $EndDate = $_.EndDateTime
                $operation = $EndDate - $today
                #....
            }
        }
        else{
            # Single secret: the properties are scalar values
            $StartDate = $AppCreds.StartDateTime
            $EndDate = $AppCreds.EndDateTime
            $operation = $EndDate - $today
        }
    }
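The per-credential calculation from the answer above, as an added example that is not part of the original question or answer. It runs offline against constructed sample objects instead of `Get-AzADAppCredential` output; the function name `Get-SecretExpiryStatus`, the status labels and the sample app names and key IDs are hypothetical.

```powershell
# Added example: helper name, status labels and sample data are hypothetical/constructed.
function Get-SecretExpiryStatus {
    param(
        [string]$AppName,
        [object[]]$Credentials,           # Get-AzADAppCredential output or sample objects
        [int]$WarnDays = 60,              # warning window mentioned in the question
        [datetime]$Today = (Get-Date)
    )
    # @() makes zero, one or many credentials enumerate the same way.
    foreach ($cred in @($Credentials)) {
        if ($null -eq $cred) { continue }                 # nothing to evaluate
        $end = $cred.EndDateTime
        if ($null -eq $end) {
            $days = $null
            $status = 'NoEndDate'                         # flag it instead of failing on subtraction
        } else {
            $days = ($end - $Today).Days                  # scalar minus scalar, per credential
            $status = 'OK'
            if ($days -le $WarnDays) { $status = 'ExpiringSoon' }
            if ($end -le $Today)     { $status = 'Expired' }
        }
        [pscustomobject]@{
            AppName  = $AppName
            KeyId    = $cred.KeyId
            Hint     = $cred.Hint
            DaysLeft = $days
            Status   = $status
        }
    }
}

# Constructed sample: one app registration carrying two secrets.
$today = [datetime]::new(2024, 1, 1)
$twoSecrets = @(
    [pscustomobject]@{ KeyId = 'sample-key-1'; Hint = 'abc'; EndDateTime = $today.AddDays(45) }
    [pscustomobject]@{ KeyId = 'sample-key-2'; Hint = 'xyz'; EndDateTime = $today.AddDays(-3) }
)

# Member-access enumeration: .EndDateTime on a multi-element array is itself an array,
# which is why "$AppCreds.EndDateTime - $today" fails with the op_Subtraction error.
$twoSecrets.EndDateTime -is [array]

$report  = @(Get-SecretExpiryStatus -AppName 'sample-app-two-secrets' -Credentials $twoSecrets -Today $today)
$report += @(Get-SecretExpiryStatus -AppName 'sample-app-no-secrets' -Credentials @() -Today $today)
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Reporting on `KeyId` and `Hint` rather than only the app name shows which of several secrets on the same registration needs rotating.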
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
