Disclosure: This article was written by the team behind ExpiryPulse, a credential expiry tracking tool. The PowerShell script referenced in this article is free to use and MIT licensed.
The problem
App registration client secrets and certificates in Microsoft Entra ID expire quietly. No banner in the portal, no email from Microsoft, no Teams notification. Just a broken integration at 2am and a frantic team.
Entra ID app registrations are easy to create and easy to forget. A developer spins one up for an integration, sets the secret to expire in a year or two, and moves on. Months later that developer might not even be at the company anymore. The secret expires. Something breaks.
The portal doesn't make this easy to audit either. You can view credentials on a per-app basis, but there's no native view that shows you all secrets and certificates across all app registrations sorted by expiry date. You'd have to click into every single app manually.
In a tenant with dozens or hundreds of app registrations, that's not a workflow — it's a prayer.
The script
I wrote a PowerShell script that connects to Microsoft Graph, pulls every app registration in your tenant, extracts all client secrets and certificates with their expiry dates, and exports them to a CSV.
.\Export-EntraAppCredentials.ps1
The script solves the Entra ID piece — but in today's environments, secrets and API keys are sprawled across dozens of platforms: Azure Key Vault, AWS Secrets Manager, GitHub, Stripe, your CI/CD pipeline. Each has its own expiry logic and its own portal, and none offers a single view across all of them.
More platform scripts are on the way. For now — here's how to run this one.
Authentication: It uses interactive login — a browser window opens, you sign in with your Microsoft account, MFA is handled natively. No service principal setup, no app registration of your own required.
Required permissions: The script only needs Application.Read.All — a read-only delegated permission. It never reads secret values, key material, or anything sensitive. It only reads metadata — names and expiry dates.
If you're running this in a tenant where you don't have that permission, your admin can grant it or run the script themselves.
Install the Microsoft.Graph module if you don't already have it:
Install-Module Microsoft.Graph -Scope CurrentUser
Then run the script:
.\Export-EntraAppCredentials.ps1
To export to a specific path:
.\Export-EntraAppCredentials.ps1 -OutputPath "C:\exports\creds.csv"
To also export an audit file listing app registrations with no trackable credentials — useful for identifying orphaned or misconfigured apps:
.\Export-EntraAppCredentials.ps1 -IncludeAudit
The output looks like this:
| name | service | expiry | notes |
|---|---|---|---|
| MyApp - ClientSecret1 | Entra ID | 2026-06-15 | App ID: xxxx |
| MyApp - APICert | Entra ID | 2026-09-01 | App ID: xxxx |
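To show what an export like this does under the hood, here is an added example (not the expirypulse-tools script itself) that enumerates every app registration's client secrets and certificates via the Microsoft.Graph module and writes the same four columns as the table above. The cmdlets and properties are the SDK's own; the `-WarnDays` flag and the extra "KeyId"/status text in the notes column are assumptions for this illustration.

```powershell
# Added example: list app-registration credential expiry dates via Microsoft Graph.
# Not the expirypulse-tools script; output columns follow the table in the article.
# Requires: Install-Module Microsoft.Graph; delegated Application.Read.All scope.
param(
    [string]$OutputPath = ".\entra-app-credentials.csv",
    [int]$WarnDays = 30   # assumed window for the "expires soon" status
)

# Interactive sign-in (MFA handled by the browser). Only metadata is read;
# Graph never returns secret values or private key material on this call.
Connect-MgGraph -Scopes "Application.Read.All" -NoWelcome

$now  = (Get-Date).ToUniversalTime()
$rows = foreach ($app in Get-MgApplication -All -Property id,appId,displayName,passwordCredentials,keyCredentials) {
    # Client secrets live in PasswordCredentials, certificates in KeyCredentials.
    $creds = @(
        $app.PasswordCredentials | ForEach-Object { [pscustomobject]@{ Kind = 'ClientSecret'; Cred = $_ } }
        $app.KeyCredentials      | ForEach-Object { [pscustomobject]@{ Kind = 'Certificate';  Cred = $_ } }
    )
    foreach ($c in $creds) {
        $label  = if ($c.Cred.DisplayName) { $c.Cred.DisplayName } else { $c.Kind }
        $expiry = $c.Cred.EndDateTime
        $days   = if ($expiry) { [math]::Floor(($expiry.ToUniversalTime() - $now).TotalDays) } else { $null }
        $state  = 'ok'
        if ($null -eq $days)         { $state = 'no expiry set' }
        elseif ($days -lt 0)         { $state = 'EXPIRED' }
        elseif ($days -le $WarnDays) { $state = "expires in $days days" }
        [pscustomobject]@{
            name    = "$($app.DisplayName) - $label"
            service = 'Entra ID'
            expiry  = if ($expiry) { $expiry.ToString('yyyy-MM-dd') } else { '' }
            notes   = "App ID: $($app.AppId); KeyId: $($c.Cred.KeyId); $state"
        }
    }
}

# Sorted by expiry so the soonest-expiring credentials are at the top of the CSV.
$rows | Sort-Object expiry | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Disconnect-MgGraph | Out-Null

# Console summary of anything already expired or inside the warning window.
$rows | Where-Object { $_.notes -match 'EXPIRED|expires in' } | Format-Table name, expiry, notes -AutoSize
```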
You can grab the script here: GitHub — expirypulse-tools
What to do with the output
Once you have the CSV, you have two options.
Option 1 — Open it in Excel. Sort by expiry date, identify what's expiring in the next 30, 60, 90 days, and add calendar reminders manually. It gets the job done once, but it doesn't scale, and it's easy to forget to run it again.
Option 2 — Import into ExpiryPulse. Upload the CSV to ExpiryPulse and get automated expiry notifications without maintaining a spreadsheet. Free tier available — no credit card required. You'll get notified before anything expires. The import is direct — the script output maps exactly to ExpiryPulse's CSV format, so there's no reformatting needed.
The bigger picture
Expired app registration secrets are one of those problems that feel minor until they aren't. A broken integration at the wrong moment — during a customer demo, at end of quarter, in the middle of an incident — is entirely preventable.
The organizations that handle this well are the ones that treat credential expiry as an ongoing operational concern, not a one-time audit. That means visibility across platforms, not just Entra ID. And it means alerts before expiration, not silence until something breaks.
Run the script. Know what you have. Set up notifications so you're never surprised.
Next up: Azure Key Vault secrets and certificates — same idea, different platform.
This script is part of expirypulse-tools, an open source and MIT licensed collection of export scripts. Use it standalone, drop the output into a spreadsheet, or import it into ExpiryPulse if you want automated alerts without the maintenance.