List App Principal Expiry in SharePoint Online


In a recent scenario with a client, we started to notice that some apps created over a year ago had started to expire. After investigating the cause, it turned out that the default lifetime for a Client ID and Secret is 1 year. Yikes!

Once the secret has expired your apps will stop working! It is worth knowing when these principals expire, so, drawing on the Microsoft articles, we have put together the PowerShell used to list when these app principals will expire.

Prerequisites before running the script

  • Microsoft Online Services Sign-In Assistant is installed on the development computer.
  • Microsoft Online Services PowerShell Module (32-bit; 64-bit) is installed on the development computer.
  • You need to be a tenant administrator for the Office 365 tenant where the add-in was registered.

Code

The code for listing apps and their expiry is fairly straightforward and much of it is provided on MSDN; we have made a few tweaks to output to CSV, for tenants with large numbers of apps.

[code language="powershell"]

# Connect to the Office 365 tenant with the MSOnline module (prompts for tenant administrator credentials)
Connect-MsolService

# File containing details of the app expiry status
$outputFile = (Resolve-Path .\).Path + "\ListOfApps.csv"

# Collect the app principals from the tenancy, excluding Microsoft's own principals and
# local-development (localhost) registrations. -All avoids the default page size so that
# large tenants are not truncated.
$listOfApps = Get-MsolServicePrincipal -All | Where-Object -FilterScript {
    ($_.DisplayName -notlike "*Microsoft*") -and
    ($_.DisplayName -notlike "autohost*") -and
    ($_.ServicePrincipalNames -notlike "*localhost*")
}

# Array of the app details
$appDetails = @()

foreach ($app in $listOfApps) {
    $principalId = $app.AppPrincipalId
    $principalName = $app.DisplayName

    # Collect the credentials registered for the app. -ReturnKeyValues $true also returns
    # the key material itself, so the Value column of the CSV will contain the secrets.
    Get-MsolServicePrincipalCredential -AppPrincipalId $principalId -ReturnKeyValues $true |
        Where-Object { ($_.Type -ne "Other") -and ($_.Type -ne "Asymmetric") } |
        ForEach-Object {
            $date = $_.EndDate.ToShortDateString()

            $appDetail = New-Object PSObject
            $appDetail | Add-Member -MemberType NoteProperty -Name "PrincpleName" -Value "$($principalName)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "PrincipleId" -Value "$($principalId)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "Key" -Value "$($_.KeyId)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "Type" -Value "$($_.Type)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "ExpiryDate" -Value "$($date)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "Usage" -Value "$($_.Usage)"
            $appDetail | Add-Member -MemberType NoteProperty -Name "Value" -Value "$($_.Value)"

            # Keep the row for the CSV and also echo it to the console
            $appDetails += $appDetail

            $appDetail
        }
}

$appDetails | Export-Csv -Path $outputFile -NoTypeInformation

Write-Host "File created: " $outputFile
[/code]
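The script above lists every credential with its expiry date, which is the raw data; what an administrator usually wants day to day is a short list of what is already expired or about to expire. The following is an added example, not part of the original post or its GitHub repository, that uses the same MSOnline cmdlets to classify each credential by days remaining. It assumes `Connect-MsolService` has already been run, and the 30-day warning threshold is a value chosen here, not one from the post. Key values are deliberately not requested, so the output contains no secrets and can be pasted into a ticket.

```powershell
# Added example (not from the post): flag app principal credentials that are expired
# or that expire within a warning window. Assumes Connect-MsolService has been run.
$warningDays = 30                      # chosen threshold, adjust to the change-control lead time
$today = [System.DateTime]::UtcNow

Get-MsolServicePrincipal -All |
    Where-Object { ($_.DisplayName -notlike "*Microsoft*") -and ($_.DisplayName -notlike "autohost*") } |
    ForEach-Object {
        $app = $_
        # Dates are enough to assess expiry, so do not pull the key material back from the tenant
        Get-MsolServicePrincipalCredential -AppPrincipalId $app.AppPrincipalId -ReturnKeyValues $false |
            Where-Object { ($_.Type -ne 'Other') -and ($_.Type -ne 'Asymmetric') } |
            ForEach-Object {
                $daysLeft = [int]($_.EndDate.ToUniversalTime() - $today).TotalDays
                $status = if ($daysLeft -lt 0) { 'EXPIRED' }
                          elseif ($daysLeft -le $warningDays) { 'EXPIRING' }
                          else { 'OK' }

                [PSCustomObject]@{
                    PrincipalName = $app.DisplayName
                    PrincipalId   = $app.AppPrincipalId
                    KeyId         = $_.KeyId
                    Type          = $_.Type
                    Usage         = $_.Usage
                    EndDate       = $_.EndDate
                    DaysLeft      = $daysLeft
                    Status        = $status
                }
            }
    } |
    Where-Object { $_.Status -ne 'OK' } |     # drop everything that is healthy
    Sort-Object DaysLeft |                    # most urgent first (negative = already expired)
    Format-Table -AutoSize
```

Because an app principal normally carries several credential entries (one per Type/Usage pair) created together, the same principal will usually appear more than once with the same `EndDate`; the `KeyId` column is what you will need if you later remove the old entries after rotating the secret.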

Full source code can be found on GitHub at: SharePoint-PowerShell / List App Principles / ListAppPrinciples.ps1

Replacing the Client Secret

For full details on the process for replacing the secret, see this article on MSDN, which details the steps. With this process you can increase the expiry date up to 3 years.
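As an added example, not code from the post or from the MSDN article it links, here is how the replacement can be scripted with the same MSOnline cmdlets so the new secret is given the 3-year lifetime the post mentions. The Client ID is a placeholder to be replaced with the `AppPrincipalId` taken from the CSV produced above. The choice to register the new value as a Symmetric key for both Sign and Verify plus a Password credential is an assumption about how a SharePoint add-in principal's credentials are laid out; compare it with the existing entries the script prints first (they should have the same Type/Usage pairs) before relying on it.

```powershell
# Added example (not from the post): rotate the client secret of a SharePoint add-in
# principal and give the new secret a 3-year lifetime.
$clientId = '00000000-0000-0000-0000-000000000000'   # placeholder: the app's AppPrincipalId

Connect-MsolService

# Record what is currently registered so the old KeyIds are known before anything is added.
# Only dates and ids are needed here, so the key values are not requested.
$existing = Get-MsolServicePrincipalCredential -AppPrincipalId $clientId -ReturnKeyValues $false
$existing | Select-Object KeyId, Type, Usage, StartDate, EndDate | Format-Table -AutoSize

# Generate a new 32-byte secret from the OS CSPRNG and Base64-encode it; the Base64 string is
# the form that goes into the add-in's ClientSecret setting.
$bytes = New-Object Byte[] 32
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$rng.Dispose()
$newClientSecret = [System.Convert]::ToBase64String($bytes)

# Lifetime: 3 years, the maximum the post refers to
$start = [System.DateTime]::UtcNow
$end   = $start.AddYears(3)

# Register the new value under each Type/Usage pair the principal uses
# (assumption: Symmetric/Sign, Symmetric/Verify and Password/Verify).
$credentialSet = @(
    @{ Type = 'Symmetric'; Usage = 'Sign'   },
    @{ Type = 'Symmetric'; Usage = 'Verify' },
    @{ Type = 'Password';  Usage = 'Verify' }
)
foreach ($cred in $credentialSet) {
    New-MsolServicePrincipalCredential -AppPrincipalId $clientId `
        -Type $cred.Type -Usage $cred.Usage -Value $newClientSecret `
        -StartDate $start -EndDate $end
}

# Next steps, done by hand once the add-in has been updated with $newClientSecret and confirmed
# working: remove the superseded entries by KeyId so only the new secret remains valid.
#   Remove-MsolServicePrincipalCredential -AppPrincipalId $clientId -KeyIds $existing.KeyId
$newClientSecret
```

Adding the new credentials before removing the old ones means the add-in keeps working during the changeover; the old `KeyId`s captured in `$existing` are exactly what the final `Remove-MsolServicePrincipalCredential` call needs, and re-running the listing script afterwards confirms that only the 3-year entries are left.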

References

  • MSDN: https://msdn.microsoft.com/en-us/library/office/dn726681.aspx