Checking Out Entra Identity Secure Score

Entra Identity Secure Score Includes a Check for Expiring Application Credentials

In January, I wrote about a script to analyze the credentials (certificates and secrets) for Entra ID registered apps and report expired credentials. It’s a nice example of creating an automated process with the Microsoft Graph PowerShell SDK, in this case to save busy administrators from having to check individual applications in the Entra admin center to make sure that their credentials don’t expire. Running a scheduled Azure Automation job that emails administrators to draw their attention to apps whose credentials are about to expire (within 30 days) seems better than checking each application by hand.

The Entra admin center is a complex place that hosts many features, some of which are only available to tenants with Entra P1 or P2 licenses. Fortunately, I have Microsoft 365 E5 licenses, and both Entra P1 and P2 are included in the E5 product, so I get to see the Entra admin center in its full glory.

What is Entra Identity Secure Score?

All of which brings me to the Identity Secure Score blade, which Microsoft has recently overhauled (Figure 1). To be honest, I had ignored Identity Secure Score to this point, mostly through sheer ignorance (here’s Microsoft’s documentation), so it was nice to see that the tenant’s score wasn’t disastrous.

Figure 1: Entra Identity Secure Score in the Entra admin center

Microsoft computes secure scores daily (around 1AM Pacific), so changes made in response to the set of recommendations listed for a tenant don’t impact the displayed score immediately. You need to wait, but patience is a virtue.

Updating Expired Credentials

One of the ways you can improve your tenant’s secure score is to renew expiring credentials for applications. Clicking the link in the secure score overview brings up details of applications flagged by Entra as having expired or expiring credentials (Figure 2). Based on the information I can see for my tenant, it seems like a 30-day window is used to detect expiring credentials.

Figure 2: Renew expiring credentials for Entra Identity Secure Score

You can select an application to see its details and update credentials (and remove expired credentials) to complete the recommended action. Updating a credential means that you add a new secret or certificate, and that action has consequences because anything that relies on a specific secret or certificate, like a PowerShell runbook that executes through Azure Automation, will need to be updated. Then again, an expired or expiring credential must be renewed anyway, and I’m sure those who look after the applications will be ready to swing into action and do whatever’s necessary.
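The check that Secure Score performs (credentials already expired, or expiring inside a 30-day window) is straightforward to reproduce with the SDK, which also lets you email the result on a schedule as the January script did. The following is an added example written for this page, not the script from the original post: it assumes the Microsoft.Graph.Applications module is installed, that the caller (an interactive account or an Azure Automation managed identity) holds Application.Read.All, and, for the optional mail step, Mail.Send plus a sender mailbox. The mailbox addresses are placeholders.

```powershell
# Added example, not the original post's script: report Entra ID app credentials
# that are expired or expire within a warning window (default 30 days, matching
# the window observed in Identity Secure Score).
#Requires -Modules Microsoft.Graph.Applications

param(
    [int]$WarningDays = 30,
    [switch]$UseManagedIdentity,                       # set when running as an Azure Automation runbook
    [string]$MailFrom = 'reports@example.invalid',     # placeholder sender (needs Mail.Send)
    [string]$MailTo   = 'admins@example.invalid'       # placeholder recipient
)

if ($UseManagedIdentity) {
    # Managed identity: no secret or certificate of our own to expire
    Connect-MgGraph -Identity -NoWelcome
} else {
    Connect-MgGraph -Scopes 'Application.Read.All', 'Mail.Send' -NoWelcome
}

$Now    = [datetime]::UtcNow
$Cutoff = $Now.AddDays($WarningDays)
$Report = [System.Collections.Generic.List[object]]::new()

# -All handles pagination; -Property limits the payload to what we need
$Apps = Get-MgApplication -All -Property Id, DisplayName, AppId, PasswordCredentials, KeyCredentials

foreach ($App in $Apps) {
    # Secrets and certificates live in two collections; normalise them into one list
    $Creds = @()
    $Creds += $App.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'Secret';      Cred = $_ } }
    $Creds += $App.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate'; Cred = $_ } }

    foreach ($Item in $Creds) {
        $End = $Item.Cred.EndDateTime
        if ($null -eq $End) { continue }               # no expiry recorded, nothing to flag
        $End = $End.ToUniversalTime()
        if ($End -gt $Cutoff) { continue }             # healthy: outside the warning window
        $Status = if ($End -lt $Now) { 'Expired' } else { 'Expiring' }

        $Report.Add([pscustomobject]@{
            Application    = $App.DisplayName
            AppId          = $App.AppId
            CredentialType = $Item.Kind
            Credential     = $Item.Cred.DisplayName
            KeyId          = $Item.Cred.KeyId
            Expires        = $End
            DaysLeft       = [math]::Floor(($End - $Now).TotalDays)   # negative when already expired
            Status         = $Status
        })
    }
}

$Report = $Report | Sort-Object Expires
$Report | Format-Table Application, CredentialType, Credential, Status, DaysLeft, Expires -AutoSize

# Optional: mail the findings, which is what the scheduled runbook variant does
if ($Report.Count -gt 0) {
    $Html = $Report | ConvertTo-Html -Property Application, CredentialType, Credential, Status, DaysLeft, Expires `
        -PreContent "<p>App credentials expired or expiring within $WarningDays days (as of $Now UTC)</p>" | Out-String
    $Message = @{
        Subject      = "Entra app credentials: $($Report.Count) expired/expiring"
        Body         = @{ ContentType = 'HTML'; Content = $Html }
        ToRecipients = @(@{ EmailAddress = @{ Address = $MailTo } })
    }
    Send-MgUserMail -UserId $MailFrom -BodyParameter @{ Message = $Message; SaveToSentItems = $false }
}
```

Run it interactively with `.\Check-AppCredentials.ps1` (any filename will do) or publish it as a runbook and call it with `-UseManagedIdentity`. Removing expired entries, the other half of the Secure Score recommendation, is deliberately left as a manual step: deleting a secret that a runbook still references is exactly the kind of consequence described above, so the report names the KeyId and lets the owner decide.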

Apps versus the Microsoft Graph PowerShell SDK

My recent focus on finding and reporting expired and expiring credentials made me think about my use of apps. Because I write exclusively in PowerShell, I use apps as a mechanism to authenticate and obtain an access token with the necessary permissions to do work with Graph APIs. Until the Microsoft Graph PowerShell SDK came along, an app was the only way for PowerShell developers to authenticate and get an access token, so we all learned the steps necessary to pass the app identifier, credentials, and tenant identifier to ask Entra ID for a token. This process soon became second nature.

The Microsoft Graph PowerShell SDK changed everything. For interactive access, the SDK has a service principal to hold delegated permissions. For non-interactive access, the SDK can use apps, much like we did before. However, it’s easier to authenticate, especially when using managed identities with Azure Automation. SDK cmdlets are available for almost every Graph API request you might want to make. After you learn their foibles, the SDK cmdlets are almost as easy to work with as standard PowerShell. And in terms of the Graph, many SDK cmdlets that fetch objects take care of pagination, so that’s another item developers don’t need to worry about.

The upshot is that I use the Microsoft Graph PowerShell SDK as the norm these days and only resort to an app when forced to, possibly because a new API hasn’t made its way into the SDK through Microsoft’s AutoRest process. The SDK is improving steadily. It has reduced the need to check for expiring credentials, but don’t expect the need to disappear anytime soon.
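To make the contrast concrete, here is an added example (written for this page, not code from the original post) showing the two authentication routes side by side: the pre-SDK client credentials grant, where the app secret is exactly the credential that Secure Score watches, and the SDK route inside an Azure Automation runbook, where the managed identity removes the expiring credential altogether. The tenant, client and secret values are placeholders.

```powershell
# Added example, not the original post's code. All identifiers are placeholders.

# --- Route 1: the "app" way. Present app id + secret + tenant id to Entra ID for a token,
#     then call the Graph REST API directly and page through results yourself.
$TenantId     = '<tenant-guid>'
$ClientId     = '<app-client-id>'
$ClientSecret = '<client-secret>'   # this is the credential with an EndDateTime that can expire

$TokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -ContentType 'application/x-www-form-urlencoded' `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
$Headers = @{ Authorization = "Bearer $($TokenResponse.access_token)" }

# Manual pagination: follow @odata.nextLink until it is absent
$Uri  = 'https://graph.microsoft.com/v1.0/applications?$select=displayName,appId&$top=100'
$Apps = @()
do {
    $Page  = Invoke-RestMethod -Method Get -Uri $Uri -Headers $Headers
    $Apps += $Page.value
    $Uri   = $Page.'@odata.nextLink'
} while ($Uri)
"Route 1 fetched $($Apps.Count) applications"

# --- Route 2: the SDK way from an Azure Automation runbook. The runbook's managed identity
#     holds the application permissions, so there is no secret or certificate to rotate,
#     and -All takes care of pagination.
Connect-MgGraph -Identity -NoWelcome
$SdkApps = Get-MgApplication -All -Property DisplayName, AppId
"Route 2 fetched $($SdkApps.Count) applications"
Disconnect-MgGraph | Out-Null
```

Route 2 only works where a managed identity is available (Azure Automation, Azure Functions and similar hosts) and after the identity has been granted the Graph application permissions it needs; outside those hosts the SDK still falls back to an app registration via `Connect-MgGraph -ClientId` with a certificate or client secret, which puts you back in the position of having a credential to renew.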


Learn how to exploit the data available to Microsoft 365 tenant administrators through the Office 365 for IT Pros eBook. We love figuring out how things work.
