此 PowerShell 脚本示例导出所有应用注册中将在指定时间段后过期的机密和证书。 它为目录中的指定应用执行此任务。 该脚本以非交互方式运行。 输出保存在 CSV 文件中。
如果没有 Azure 订阅,可在开始前创建一个 Azure 试用版。
<#################################################################################
DISCLAIMER:
This is not an official PowerShell Script. We designed it specifically for the situation you have
encountered right now.
Please do not modify or change any preset parameters.
Please note that we will not be able to support the script if it's changed or altered in any way
or used in a different situation for other means.
This code-sample is provided "AS IS" without warranty of any kind, either expressed or implied,
including but not limited to the implied warranties of merchantability and/or fitness for a
particular purpose.
This sample is not supported under any Microsoft standard support program or service.
Microsoft further disclaims all implied warranties including, without limitation, any implied
warranties of merchantability or of fitness for a particular purpose.
The entire risk arising out of the use or performance of the sample and documentation remains with
you.
In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or
delivery of the script be liable for any damages whatsoever (including, without limitation, damages
for loss of business profits, business interruption, loss of business information, or other
pecuniary loss) arising out of the use of or inability to use the sample or documentation, even if
Microsoft has been advised of the possibility of such damages.
#################################################################################>
$loginURL = 'https://login.partner.microsoftonline.cn'
$resource = 'https://microsoftgraph.chinacloudapi.cn'
#PARAMETERS TO CHANGE
$ClientID = 'App ID'
$ClientSecret = 'APP Secret'
$TenantName = 'TENANT.partner.onmschina.cn'
$Months = 'Number of months'
$Path = 'add a path here\File.csv'
###################################################################
#Repeating Function to get an Access Token based on the parameters:
function Get-RefreshedToken($LoginURL, $ClientID, $ClientSecret, $TenantName) {
$RequestParameters = @{
Method = 'POST'
Uri = "$LoginURL/$TenantName/oauth2/v2.0/token"
Body = @{
grant_type = 'client_credentials'
client_id = $ClientID
client_secret = $ClientSecret
scope = 'https://microsoftgraph.chinacloudapi.cn/.default'
}
}
Invoke-RestMethod @RequestParameters
}
#BUILD THE ACCESS TOKEN
$RefreshParameters = @{
LoginURL = $loginURL
ClientID = $ClientID
ClientSecret = $ClientSecret
TenantName = $TenantName
}
$OAuth = Get-RefreshedToken @RefreshParameters
$Identity = $OAuth.access_token
##############################################
$HeaderParams = @{
'Authorization' = "$($OAuth.token_type) $($Identity)"
}
$AppsSecrets = 'https://microsoftgraph.chinacloudapi.cn/v1.0/applications'
$ApplicationsList = Invoke-WebRequest -Headers $HeaderParams -Uri $AppsSecrets -Method GET
$Logs = @()
$NextCounter = 0
do {
$ApplicationEvents = $ApplicationsList.Content |
ConvertFrom-Json |
Select-Object -ExpandProperty value
foreach ($ApplicationEvent in $ApplicationEvents) {
$IDs = $ApplicationEvent.id
$AppName = $ApplicationEvent.displayName
$AppID = $ApplicationEvent.appId
$Secrets = $ApplicationEvent.passwordCredentials
$NextCounter++
foreach ($Secret in $Secrets) {
$StartDate = $Secret.startDateTime
$EndDate = $Secret.endDateTime
$pos = $StartDate.IndexOf('T')
$LeftPart = $StartDate.Substring(0, $pos)
$Position = $EndDate.IndexOf('T')
$LeftPartEnd = $EndDate.Substring(0, $pos)
$DateStringStart = [Datetime]::ParseExact($LeftPart, 'yyyy-MM-dd', $null)
$DateStringEnd = [Datetime]::ParseExact($LeftPartEnd, 'yyyy-MM-dd', $null)
$OptimalDate = $DateStringStart.AddMonths($Months)
if ($OptimalDate -lt $DateStringEnd) {
$Log = [PSCustomObject]@{
'Application' = $AppName
'AppID' = $AppID
'Secret Start Date' = $DateStringStart
'Secret End Date' = $DateStringEnd
}
$OwnerRequestParams = @{
Headers = $HeaderParams
Uri = "https://microsoftgraph.chinacloudapi.cn/v1.0/applications/$IDs/owners"
Method = 'GET'
}
$ApplicationsOwners = Invoke-WebRequest @OwnerRequestParams
$Users = $ApplicationsOwners.Content |
ConvertFrom-Json |
Select-Object -ExpandProperty value
foreach ($User in $Users) {
$Owner = $User.displayname
$Log | Add-Member -MemberType NoteProperty -Name 'AppOwner' -Value $Owner
}
$Logs += $Log
}
}
If ($NextCounter -eq 100) {
$OData = $ApplicationsList.Content | ConvertFrom-Json
$AppsSecrets = $OData.'@odata.nextLink'
try {
$ListRequestParams = @{
UseBasicParsing = $true
Headers = $HeaderParams
Uri = $AppsSecrets
Method = 'GET'
ContentType = 'application/Json'
}
$ApplicationsList = Invoke-WebRequest @ListRequestParams
} catch {
$_
}
$NextCounter = 0
Start-Sleep -Seconds 1
}
}
} while ($AppsSecrets -ne $null)
$Logs | Export-Csv $Path -NoTypeInformation -Encoding UTF8
此脚本以非交互方式工作。 使用它的管理员需要更改“#PARAMETERS TO CHANGE”部分中的值。 他们需要输入自己的应用 ID、应用程序机密和租户名称。 它们还需要指定应用的凭据过期期限。 最后,他们需要设置 CSV 导出的路径。
此脚本使用 Client_Credential Oauth Flow 函数“RefreshToken”基于管理员修改的参数的值生成访问令牌。
“Add-Member”命令负责在 CSV 文件中创建列。
| 命令 | 说明 |
|---|---|
| Invoke-WebRequest | 将 HTTP 和 HTTPS 请求发送到网页或 Web 服务。 它将分析响应并返回链接、图像和其他重要 HTML 元素的集合。 |
有关 Microsoft Graph PowerShell 模块的详细信息,请参阅 Microsoft Graph PowerShell 概述。
有关应用程序管理的其他 PowerShell 示例,请参阅 适用于应用程序管理的 Microsoft Graph PowerShell 示例。