Azure Active Directory: Threat Hunting - App Reg Key Count

As part of your organisation's proactive threat hunting, app registrations with secrets and passwords configured should be reviewed to look for any suspicious entries.

The following Powershell script which I like to run in CloudShell will give you an overview within your tenant.

Service principals work hand-in-hand with app registrations, therefore these should also be periodically reviewed.

There's a similar Powershell script you can run in another post. See here: https://www.cyber.engineer/azure-active-directory-threat-hunting-spn-key-count/

// PWSH script to assess the number of password and key credentials configured for the tenant's app registrations

$Apps = Get-AzureADApplication -All $True
foreach ($App in $Apps) {
	if ($App.PasswordCredentials.Count -ne 0 -or $App.KeyCredentials.Count -ne 0) {
	Write-Host 'Application Display Name: '$App.DisplayName
	Write-Host 'Application Password Count: '$App.PasswordCredentials.Count
	Write-Host 'Application Key Count: '$App.KeyCredentials.Count
	Write-Host ''
	}
}

Read about app registrations https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app