DEV Community: Steve P The latest articles on DEV Community by Steve P (@steveeep). https://dev.to/steveeep https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F715740%2Fb021165a-edac-4553-8eb3-8fdf655040a3.png DEV Community: Steve P https://dev.to/steveeep en Azure AD - Cleanup old Service Principals / App-Registrations Steve P Wed, 02 Aug 2023 08:45:46 +0000 https://dev.to/steveeep/azure-ad-cleanup-old-service-principals-app-registrations-noi https://dev.to/steveeep/azure-ad-cleanup-old-service-principals-app-registrations-noi <h2> Background </h2> <p>An Azure AD can extensively grow in numbers of service principals due to lifetime of applications and service connections. Some of them are created for one-time use and have been forgotten or an application is just not in use anymore.</p> <p>After 6 years of usage, our development Active Directory counts over 9000 service principals and no one clearly knows whether these applications are still in use. Therefore, we had to think about a process on how we can cleanup the directory from obsolete applications.</p> <h2> The Process </h2> <p>The cleanup process consists off of multiple steps to determine whether an application is still in use or not.</p> <ol> <li>Select all applications and iterate over them by</li> <li>checking if the creation date is prior to 90 days</li> <li>checking for valid credentials and certificates</li> <li>checking if no sign-in activities happened in the last 90 days</li> </ol> <p>If all criteria are fulfilled the applications is tagged for deletion.</p> <h2> Prerequisites </h2> <p><strong><em>To perform some of the following configuration steps, an account with Global Admin privileges is needed.</em></strong></p> <p>Step #1, #2 and #3 can easily be accomplished through the Micosoft-Graph API endpoint</p> <blockquote> <p>GET /applications</p> </blockquote> <p>We get all applications inside the tenant and additionally can check for the creation date as well as for credentials and certificates. To query applications, a service principal with proper authorization for Mircosoft Graph with</p> <blockquote> <p>Application.ReadWrite.All</p> </blockquote> <p>must be granted.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn6w1cmuc3n3jygtppr0.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxn6w1cmuc3n3jygtppr0.png" alt="API Permissions"></a></p> <p>Step #4 requires some preparation. </p> <p>By Default, Azure persists Sing-In Logs only for 30 days. To increase the retention period of the logs to the desired 90 days, we have to set a custom destination in the Azure-AD diagnostic settings.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpn2fvz6zq97aa5sxzp4m.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpn2fvz6zq97aa5sxzp4m.png" alt="logs settings"></a></p> <p>To get all sign-in activities, we have to select the following categories:</p> <ul> <li>AADManagedIdentitySignInLogs</li> <li>AADNonInteractiveUserSignInLogs</li> <li>AADServicePrincipalSignInLogs</li> <li>SigninLogs</li> </ul> <p><em>It seems the category <strong>ManagedIdentitySignInLogs</strong> only contain logs of authorization flows between Azure resources configured with managed identities and will therefore be ignored in the following step.</em></p> <p>To reduce the amount of storage, we create data slices on a daily bases with the minimum amount of information needed and store them in a custom table (ApplicationSignInLogs_CL). The retention time is set to 90 days. The script itself runs inside an automation account with a scheduled job and utilizes the <a href="https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal" rel="noopener noreferrer">Azure logs ingestion api</a> to store the data inside the log analytics workspace.</p> <p>The following Kusto query selects and aggregates all relevant logs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// select &amp; aggregate user sign-in logs let UserLogs = view() { SigninLogs | project TimeGenerated, AppId, AppDisplayName | summarize NumOfLogs = count() by bin(TimeGenerated, 1d), AppId, DisplayName = AppDisplayName | where TimeGenerated &gt;= datetime_add('day', -2, now()) and TimeGenerated &lt; bin(now(), 1d) }; // select &amp; aggregate user non-interactive sign-in logs let UserNonInteractiveLogs = view() { AADNonInteractiveUserSignInLogs | project TimeGenerated, AppId, AppDisplayName | summarize NumOfLogs = count() by bin(TimeGenerated, 1d), AppId, DisplayName = AppDisplayName | where TimeGenerated &gt;= datetime_add('day', -2, now()) and TimeGenerated &lt; bin(now(), 1d) }; // select &amp; aggregate service principal sign-in logs let PrincipalsLogs = view() { AADServicePrincipalSignInLogs | project TimeGenerated, AppId, DisplayName = ServicePrincipalName | summarize NumOfLogs = count() by bin(TimeGenerated, 1d), AppId, DisplayName | where TimeGenerated &gt;= datetime_add('day', -2, now()) and TimeGenerated &lt; bin(now(), 1d) }; // union all logs and create one entry per principal per day union UserLogs, UserNonInteractiveLogs, PrincipalsLogs | summarize NumOfLogs = sum(NumOfLogs) by TimeGenerated, AppId, DisplayName </code></pre> </div> <p>We end up having one log entry per application per day.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3vaebs8gmnx1mbita0i.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3vaebs8gmnx1mbita0i.png" alt="Aggregated Logs"></a></p> <h2> Application selection </h2> <p>A Python script queries all applications and checks for the defined criteria. If an application is tagged for deletion, an entry for further processing is created in a storage account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">apps</span> <span class="o">=</span> <span class="p">[]</span> <span class="c1"># loop trough all applications and check for creation date &amp; expired certificates / credentials </span><span class="n">done</span> <span class="o">=</span> <span class="bp">False</span> <span class="n">iterations</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">while</span> <span class="n">done</span> <span class="ow">is</span> <span class="bp">False</span><span class="p">:</span> <span class="nf">if</span><span class="p">(</span><span class="n">iterations</span> <span class="o">==</span> <span class="mi">0</span><span class="p">):</span> <span class="n">url</span> <span class="o">=</span> <span class="sh">'</span><span class="s">https://graph.microsoft.com/v1.0/applications/</span><span class="sh">'</span> <span class="n">applications</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">authHeaderGraph</span><span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="n">url</span> <span class="o">=</span> <span class="n">applications</span><span class="p">[</span><span class="sh">'</span><span class="s">@odata.nextLink</span><span class="sh">'</span><span class="p">]</span> <span class="n">applications</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">authHeaderGraph</span><span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="k">for</span> <span class="n">app</span> <span class="ow">in</span> <span class="n">applications</span><span class="p">[</span><span class="sh">'</span><span class="s">value</span><span class="sh">'</span><span class="p">]:</span> <span class="c1"># check for creation date prior 90 days </span> <span class="nf">if</span><span class="p">(</span><span class="n">app</span><span class="p">[</span><span class="sh">'</span><span class="s">createdDateTime</span><span class="sh">'</span><span class="p">]</span> <span class="o">!=</span> <span class="bp">None</span><span class="p">):</span> <span class="n">creationDate</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">app</span><span class="p">[</span><span class="sh">'</span><span class="s">createdDateTime</span><span class="sh">'</span><span class="p">][:</span><span class="mi">19</span><span class="p">])</span> <span class="nf">if</span><span class="p">(</span><span class="n">creationDate</span> <span class="o">&gt;</span> <span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">-</span> <span class="nf">relativedelta</span><span class="p">(</span><span class="n">months</span><span class="o">=</span><span class="mi">3</span><span class="p">))):</span> <span class="k">continue</span> <span class="c1">#check for valid credentials </span> <span class="n">hasValidCred</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">app</span><span class="p">[</span><span class="sh">'</span><span class="s">passwordCredentials</span><span class="sh">'</span><span class="p">]:</span> <span class="n">expDate</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">endDateTime</span><span class="sh">'</span><span class="p">][:</span><span class="mi">19</span><span class="p">])</span> <span class="nf">if</span><span class="p">(</span><span class="n">expDate</span> <span class="o">&gt;</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()):</span> <span class="n">hasValidCred</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="c1">#check for valid certificates </span> <span class="n">hasValidCert</span> <span class="o">=</span> <span class="bp">False</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">app</span><span class="p">[</span><span class="sh">'</span><span class="s">keyCredentials</span><span class="sh">'</span><span class="p">]:</span> <span class="n">expDate</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="sh">'</span><span class="s">endDateTime</span><span class="sh">'</span><span class="p">][:</span><span class="mi">19</span><span class="p">])</span> <span class="nf">if</span><span class="p">(</span><span class="n">expDate</span> <span class="o">&gt;</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">()):</span> <span class="n">hasValidCert</span> <span class="o">=</span> <span class="bp">True</span> <span class="k">break</span> <span class="c1"># at least one valid certificate or credentials </span> <span class="nf">if</span><span class="p">(</span><span class="n">hasValidCred</span> <span class="ow">is</span> <span class="bp">False</span> <span class="ow">and</span> <span class="n">hasValidCert</span> <span class="ow">is</span> <span class="bp">False</span><span class="p">):</span> <span class="n">apps</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">app</span><span class="p">)</span> <span class="nf">if</span><span class="p">(</span><span class="sh">'</span><span class="s">@odata.nextLink</span><span class="sh">'</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">applications</span><span class="p">):</span> <span class="n">done</span> <span class="o">=</span> <span class="bp">True</span> <span class="n">iterations</span> <span class="o">=</span> <span class="n">iterations</span> <span class="o">+</span> <span class="mi">1</span> <span class="c1"># get aggregated sign-in logs and aggregate to latest login date per application (in the last 90 days) </span><span class="n">query</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">query</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ApplicationSignInLogs_CL </span><span class="sh">"</span> <span class="sh">"</span><span class="s">| project TimeGenerated, AppId </span><span class="sh">"</span> <span class="sh">"</span><span class="s">| summarize LatestLogin = max(TimeGenerated) by AppId </span><span class="sh">"</span> <span class="sh">"</span><span class="s">| where LatestLogin &gt; ago(90d) </span><span class="sh">"</span> <span class="sh">"</span><span class="s">| project AppId</span><span class="sh">"</span> <span class="p">}</span> <span class="n">principalLogs</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.loganalytics.azure.com/v1/workspaces/{workspace-id}/query</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">query</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">authHeaderLogs</span> <span class="p">).</span><span class="nf">json</span><span class="p">()</span> <span class="c1"># helper function to check for log entries </span><span class="k">def</span> <span class="nf">signInLogExists</span><span class="p">(</span><span class="n">appId</span><span class="p">):</span> <span class="k">for</span> <span class="n">entry</span> <span class="ow">in</span> <span class="n">principalLogs</span><span class="p">[</span><span class="sh">'</span><span class="s">tables</span><span class="sh">'</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">rows</span><span class="sh">'</span><span class="p">]:</span> <span class="nf">if</span><span class="p">(</span><span class="n">entry</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">==</span> <span class="n">appId</span><span class="p">):</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">return</span> <span class="bp">False</span> <span class="c1"># loop trough all applications and check for login in the last 90 days. If no login occurred, create entry in storage account for further processing </span><span class="k">for</span> <span class="n">i</span><span class="p">,</span> <span class="n">app</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">apps</span><span class="p">):</span> <span class="n">appId</span> <span class="o">=</span> <span class="n">app</span><span class="p">[</span><span class="sh">'</span><span class="s">appId</span><span class="sh">'</span><span class="p">]</span> <span class="n">blob</span> <span class="o">=</span> <span class="n">container_client</span><span class="p">.</span><span class="nf">get_blob_client</span><span class="p">(</span><span class="n">appId</span><span class="p">)</span> <span class="nf">if</span><span class="p">(</span><span class="nf">signInLogExists</span><span class="p">(</span><span class="n">appId</span><span class="p">)</span> <span class="o">==</span> <span class="bp">False</span><span class="p">):</span> <span class="n">blob</span><span class="p">.</span><span class="nf">upload_blob</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">strftime</span><span class="p">(</span><span class="sh">"</span><span class="s">%Y-%m-%dT%H:%M:%S</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <h2> Conclusion </h2> <p>The above process describes a possible way on how to cleanup the Azure Active Directory from obsolete service principals.</p> <blockquote> <p>Learnings:</p> <ul> <li>We falsely assumed that all activities related to service principals are logged in the service principal sign-in logs. However, principals as part of an identity provider log their activities in the user sign-in logs as users authenticate trough the principal to the Azure Active Directory.</li> <li>Aggregation of the the sign-in logs save a lot of storage and time when analysing the login activities.</li> <li>A manual check before deleting tagged principals is recommended. However, delete principals can be restored within 30 days of deletion.</li> </ul> </blockquote> azure