DEV Community

Cover image for Find Expired Service Principal
Tsuyoshi Ushio
Tsuyoshi Ushio

Posted on

Find Expired Service Principal

#azure #azurecli

My tenant seems to have a quota limit of the Service Principal.

$ az ad sp create-for-rbac
The directory object quota limit for the Principal has been exceeded. Please ask your administrator to increase the quota limit or delete objects to reduce the used quota.

Since I'm a DevOps guy, I frequently create a service principal. I'd like to find expired service principals on my tenant.

I struggled for a while with OData and JMESPath that is supported with az command. I eventually use jq instead.

Get the current date with the Azure CLI format.

We can use %N for nanosecond, however, it doesn't match the style of the Azure CLI output. I eventually use this command.

CURRENT_TIME=`date -u +'%Y-%m-%dT%H:%M:%S.024000+00:00'`

Get Expired Service Principal

The query is only list the service principal that you create with password credentials.

$ az ad sp list --show-mine | jq ".[] | select(.passwordCredentials[].endDate < \"$CURRENT_TIME\") | { objectId : .objectId, appId: .appId, passwordCredentials : .passwordCredentials, displayName: .displayName, tenantId : .appOwnerTenantId }"

az ad sp list --show-mine will show the service principals that you created. select will filter the json. The json start with array that has no name. so start with .[]. .[] returns each element of the array. After filter the result, it project some values.

The original structure of the az ad sp list --show-time 

[{
  "appId": "YOUR_APP_ID_HERE",
  "appOwnerTenantId": "YOUR_TENANT_ID_HERE",
  "displayName": "procohapp10",
  "objectId": "YOUR_OBJECT_ID_HERE",
  "passwordCredentials": [
    {
      "additionalProperties": null,
      "customKeyIdentifier": null,
      "endDate": "2019-05-02T20:32:27.908964+00:00",
      "keyId": "YOUR_KEY_ID",
      "startDate": "2018-05-02T20:32:27.908964+00:00",
      "value": null
    }
  ],
             :
},
  :
}

Result 

{
  "objectId": "YOUR_OBJECT_ID",
  "appId": "YOUR_APP_ID",
  "passwordCredentials": [
    {
      "additionalProperties": null,
      "customKeyIdentifier": null,
      "endDate": "2019-05-02T20:32:27.908964+00:00",
      "keyId": "YOUR_KEY_ID",
      "startDate": "2018-05-02T20:32:27.908964+00:00",
      "value": null
    }
  ],
  "displayName": "procohapp10",
  "tenantId": "YOUR_TENANT_ID"
}

Remove the expired service principal

Please double check if your script works before execute the second last line.

$ az ad sp list --show-mine | jq ".[] | select(.passwordCredentials[].endDate < \"$CURRENT_TIME\") | .objectId" > sp_list.txt
$ lines=`cat sp_list.txt`
$ for item in $lines; do  echo $item | xargs az ad sp delete --id ; done
$ rm sp_list.txt

Confirm removed

It returns zero result.

$ az ad sp list --show-mine | jq ".[] | select(.passwordCredentials[].endDate < \"$CURRENT_TIME\") | .objectId"

Resource

Top comments (0)

Read next

jaisuryaprabu profile image

If you are starting in AI field ...

Jaisurya -

hosseinmobarakian profile image

Using Map, Filter, and Reduce Effectively in JavaScript🔥

Hossein Mobarakian -

shanikr profile image

Git stash comprehensive guide

Shani Kumar -

pains_arch profile image

Hydration error when installing NextJS 15

Md Shykat -