Skip to content

Export Entra ID app registrations Certificates and Secrets expiry report

You need a quick way that shows you all the Entra ID app registrations certificates or secrets and their expiration date. If you don’t renew before that time, the connection to the app will not work anymore. So it’s important not to let the certificates or secrets for the app registrations expire. In this article, you will learn how to export Entra ID app registrations with their certificates and client secrets expiry dates to a report using Microsoft Graph PowerShell.

Check application registration Certificates and Secrets expiration dates in Microsoft Entra

To check if the app registrations certificate or secret has expired, go through the below steps:

  1. Sign in to Microsoft Entra admin center
  2. Expand Identity > Applications > App registrations
  3. Select All applications
  4. Click on the application that you want to check the certificate expiration status for

In our example, we have 4 applications, and the application Kairo shows that the certificate & secrets are expired.

  1. Click Certificates & secrets
  2. Select Certificates or Client secrets

In our example, the application Kairo only has clients secrets and no certificates. One client secret is expired (red), and the other one expires soon (orange).

To Renew the client secret in Microsoft Entra ID, we need to create a new client secret and delete the expired client secret.

Going through all the applications and checking the certificate or client secret expiration date, including their status, takes time. So, the best way is to run a PowerShell script that creates a report with all the information.

Let’s look at the PowerShell script in the next step.

Get Entra ID app registrations Certificates and Secrets expiration dates with PowerShell

A great way to get all the app registrations with their certificates and secrets expiration dates is with Microsoft Graph PowerShell.

The Get-AppCertSecStatus.ps1 script will get all the app registrations in Microsoft Entra ID and gather the following details:

  1. ApplicationName
  2. ApplicationID
  3. CredentialName
  4. SignInType
  5. CreatedDateTime
  6. StartDateTime
  7. EndDateTime
  8. ExpireStatus
  9. AuthType
  10. DaysLeft
  11. Owner
  12. OwnerID

Step 1. Prepare Get-AppCertSecStatus PowerShell script

Create two folders on the (C:) drive:

  • Temp
  • Scripts

Download the Get-AppCertSecStatus.ps1 PowerShell script and place it in C:\scripts folder. The script will export the CSV file to the C:\temp folder.

Ensure the file is unblocked to prevent errors when running the script. Read more in the article Not digitally signed error when running PowerShell script.

Another option is to copy and paste the below code into Notepad. Give it the name Get-AppCertSecStatus.ps1 and place it in the C:\scripts folder.


    Export Entra ID app registrations certificates and secrets expiration date.


    Written by: ALI TAJRAN

    V1.00, 01/14/2024 - Initial version
    V1.10, 04/30/2024 - Added AppId property to the results

# CSV file path to export
$CsvPath = "C:\temp\AppRegistrationsReport.csv"

# Connect to MgGraph with necessary scopes
Connect-MgGraph "Directory.Read.All", "Application.Read.All"

# Create an array
$Results = @()

# Get properties
$Properties = @(

# Get Applications
$Apps = Get-MgApplication -All -Property $Properties | Select-Object $Properties

foreach ($App in $Apps) {

    # Get Owner information
    $Owner = Get-MgApplicationOwner -All -ApplicationId $App.Id
    $Username = if ($Owner) { $Owner.AdditionalProperties.userPrincipalName -join ';' } else { "N/A" }
    $OwnerID = if ($Owner) { $Owner.Id -join ';' } else { "N/A" }

    # Check application for client secret
    if ($null -ne $App.PasswordCredentials) {

        foreach ($Creds in $App.PasswordCredentials) {

            # Calculate days left until expiration
            $DaysLeft = ($Creds.EndDateTime - (Get-Date)).Days

            # Create custom object for client secret results
            $AppObject = [PSCustomObject]@{
                ApplicationName = $App.DisplayName
                ApplicationID   = $App.AppId
                CredentialName  = $Creds.DisplayName
                SignInType      = $App.SignInAudience
                CreatedDateTime = $App.CreatedDateTime
                StartDateTime   = $Creds.StartDateTime
                EndDateTime     = $Creds.EndDateTime
                ExpireStatus    = if ($Creds.EndDateTime -lt (Get-Date)) { "Expired" } else { "Not expired" }
                AuthType        = "Client_Secret"
                DaysLeft        = $DaysLeft
                Owner           = $Username
                OwnerID         = $OwnerID

            # Output results to array
            $Results += $AppObject

    # Check application for certificate
    if ($null -ne $App.KeyCredentials) {

        foreach ($Cert in $App.KeyCredentials) {

            # Calculate days left until expiration
            $DaysLeft = ($Cert.EndDateTime - (Get-Date)).Days

            # Create custom object for certificate results
            $AppObject = [PSCustomObject]@{
                ApplicationName = $App.DisplayName
                ApplicationID   = $App.AppId
                CredentialName  = $Cert.DisplayName
                SignInType      = $App.SignInAudience
                CreatedDateTime = $App.CreatedDateTime
                StartDateTime   = $Cert.StartDateTime
                EndDateTime     = $Cert.EndDateTime
                ExpireStatus    = if ($Cert.EndDateTime -lt (Get-Date)) { "Expired" } else { "Not expired" }
                AuthType        = "Certificate"
                DaysLeft        = $DaysLeft
                Owner           = $Username
                OwnerID         = $OwnerID

            # Output results to array
            $Results += $AppObject

# Sort the results based on DaysLeft
$Results = $Results | Sort-Object -Property DaysLeft

# Export to CSV file
$Results | Export-Csv $CsvPath -Encoding utf8 -NoTypeInformation

# Out-GridView
$Results | Out-GridView -Title "Microsoft Entra ID app registrations report"
  • Line 21: Edit the CSV file path

Step 2. Install Microsoft Graph PowerShell

Run Windows PowerShell as administrator and Install Microsoft Graph PowerShell.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 3. Run Get-AppCertSecStatus PowerShell script

Get all the Entra ID app registrations certificates and secrets expiry dates, including their status, with PowerShell.

Run the below command to run the script Get-AppCertSecStatus.ps1.


An Out-GridView will show all the information you need.

Out-GridView app registrations certificates and client secrets

Step 4. Open Entra ID app registrations report

The Get-AppCertSecStatus.ps1 PowerShell script exports all app registrations with their certificate and client secret expiration status to CSV file.

Find the file AppRegistrationsReport.csv in the path C:\temp.

CSV file export in temp folder

Open the CSV file with your favorite application. In our example, it’s Microsoft Excel.

Microsoft Excel app registrations certificates and client secrets report

The Entra ID app registrations certificates and client secrets expiry report looks great.

Read more: Configure Exchange Online Certificate Based Authentication for unattended scripts »


You learned how to export Entra ID app registrations certificates and secrets with Microsoft Graph PowerShell. Run the script, and it will collect all the information and export it to a CSV file report. Ensure that you renew the certificate or client secret before it expires so the connection to the app will remain intact.

Did you enjoy this article? You may also like Export Microsoft 365 inactive users report. Don’t forget to follow us and share this article.



ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has 6 Comments

  1. Hi Ali,

    Fantastic script. Is it possible to run Task Scheduler and email Administrators of the content?

  2. Hello Ali,

    Thanks for this excellent blog. I have a question can we have this integrated with a Logic App and scheduled this which would be great. Need your inputs and suggestions on this.

Leave a Reply

Your email address will not be published. Required fields are marked *