Housekeeping of App Registrations/SPN’s in your Azure AD can be somewhat of a challenge sometimes. In this blogpost I will focus on the following scenario.

My problem

Our Azure Devops environment contains a good amount of projects. In each project there is at least one Service Connection defined. A Service Connection is nothing more than an App Registration in your Azure AD with a secret. For a default Service Connection in Azure the expiration date is set 2 years after creation.

  • For whatever reason, some (older) projects contain a lot of (>50) Service Connections. Some in use, some don’t.
  • The name of the Service Connection is not the same as the App Registration in Azure AD.
  • In Azure AD Service Connections from the same Azure DevOps project have the same name. Only a different Application Id…

So how do you find the right Service Connection with, for example, an expired secret inthe Azure DevOps Project so that I can renew the secret?

What I’ve tried

  • Finding more info in Azure DevOps. No luck.
  • Trying the Azure CLI. No luck. Only some simple tasks.
  • Making an API-call to Azure DevOps. BINGO!

The solution (so far). Quick and dirty.

I found the solution on Stack Overflow (where else?) and I want to document it here, because I will probably need this myself in the future.

Note! I assume you already have the needed access rights to the project settings / service connections as a user.

Step 1 - Create a Personal Access Token

Create a personal access token as described here. Make sure you don’t “overpower” it and give a time limit that make sense to you.

Step 2 - Run the following Powershell code

  • Replace {pat} with your newly created personal access token.
  • Replace {project} in $url with the project you want get the overview from.
  • Run the script.
$token = "{pat}"
$token = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$($token)"))
$url="https://dev.azure.com/{organization}/{project}/_apis/serviceendpoint/endpoints?api-version=7.1-preview.4"
$head = @{ Authorization =" Basic $token" }
$endpoints = Invoke-RestMethod -Uri $url -Method GET -Headers $head
$results = $endpoints.value
$results

So now you have at least all the data available and you can start digging. I’m still figuring out how the different entries are build up. But for what I needed it was enough to search on the AppId of the App Registration in the output.

I hope this helps.