azureazure-active-directoryazure-ad-graph-api

How to get client secret expiry date using the azure AD graph API


I am trying to get the expiry date of the client secrets for our AAD application. However when I use the following graph request, the passwordCredential and keyCredential fields is blank.

https://graph.windows.net/myorganization/directoryObjects/{ServicePrincipalObjectId}/?api-version=1.6

Is there a way to get this data? I see it in the manifest if I download that, just not in the Odata object

Thank you for your help!


Solution

  • Use this AAD Graph API below:

    https://graph.windows.net/{org_domain}/applications/{obj_id}/passwordCredentials
    

    The response will show the list of keys used by your specific AAD Application.

    You can derive the expiration date of your key from the endDate field.

    {
      "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)",
      "value": [
        {
          "customKeyIdentifier": null,
          "endDate": "2018-05-07T09:12:13.2177408Z",
          "keyId": "{your_key_id}",
          "startDate": "2016-05-07T09:12:13.2177408Z",
          "value": null
        }
      ]
    }