Find every app registration with an expiring secret
One Graph query, sorted by how soon it bites you.
The first you hear of an expired client secret is usually a production outage. This finds them while they are still warnings:
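# Needs the Microsoft.Graph.Applications module and read access to app registrations.
Connect-MgGraph -Scopes 'Application.Read.All'

Get-MgApplication -All |
    ForEach-Object {
        # One output row per client secret; $_ is still the application here.
        foreach ($cred in $_.PasswordCredentials) {
            [pscustomobject]@{
                App     = $_.DisplayName
                Expires = $cred.EndDateTime
                # Graph end dates are UTC, so compare against UTC; negative means already expired.
                Days    = ($cred.EndDateTime - (Get-Date).ToUniversalTime()).Days
            }
        }
    } |
    Where-Object Days -lt 30 |
    Sort-Object Days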
Run it on a schedule and pipe the result somewhere you will actually look. Thirty days is enough notice to renew without drama; pick a smaller number once you trust the report.
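
A scheduled form of the same check, as an added example that is not code from the original page. It goes beyond the query above by also reporting certificate credentials and the KeyId of each entry; the app-only sign-in values are placeholders, and the report path and exit-code convention are assumptions.

```powershell
# Added example, not from the original page. Values in <angle brackets> are placeholders.
param(
    [int]$WarnDays = 30,                                # same window as the page's query
    [string]$ReportPath = './expiring-credentials.csv'  # assumed output location
)

# App-only sign-in so the job runs unattended; the identity needs Application.Read.All.
Connect-MgGraph -TenantId '<tenant-id>' -ClientId '<client-id>' `
    -CertificateThumbprint '<certificate-thumbprint>'

$now = [datetime]::UtcNow   # Graph returns credential end dates in UTC

$report = Get-MgApplication -All -Property id, appId, displayName, passwordCredentials, keyCredentials |
    ForEach-Object {
        $app = $_
        # Tag each credential with its kind so secrets and certificates share one report.
        $creds = @(
            $app.PasswordCredentials | ForEach-Object { @{ Type = 'Secret';      Cred = $_ } }
            $app.KeyCredentials      | ForEach-Object { @{ Type = 'Certificate'; Cred = $_ } }
        )
        foreach ($c in $creds) {
            # Skips empty entries and credentials that carry no end date.
            if ($null -eq $c.Cred.EndDateTime) { continue }
            $days = ($c.Cred.EndDateTime - $now).Days
            if ($days -lt $WarnDays) {
                [pscustomobject]@{
                    App     = $app.DisplayName
                    AppId   = $app.AppId
                    Type    = $c.Type
                    KeyId   = $c.Cred.KeyId   # tells you which credential to rotate
                    Expires = $c.Cred.EndDateTime
                    Days    = $days           # negative means already expired
                }
            }
        }
    } |
    Sort-Object Days

# The report holds metadata only; Graph does not return secret values on read.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Disconnect-MgGraph | Out-Null

# Non-zero exit lets the scheduler flag the run when anything falls inside the window.
if ($report) { exit 1 }
```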