How to create an Azure AD Application and Service Principal that uses certificate authentication
Creating Azure AD Applications and Service Principals that use certificate based authentication is not quite as straightforward as you might expect.
The following article provides the instructions for the single-certificate case: https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal#create-service-principal-with-self-signed-certificate
However, what if you want to attach multiple certificates using the KeyCredentials parameter of New-AzureRmAdApplication? In that case you might guess, from the article linked above, that you could pass an array of objects of type
Microsoft.Azure.Commands.Resources.Models.ActiveDirectory.PSADKeyCredential
The problem is that if you have a version of the Azure PowerShell module newer than 4.2.1, those objects no longer have a Type property, as described in this issue: https://github.com/Azure/azure-powershell/issues/4491
Assuming you don't want to downgrade to version 4.2.1, how do you achieve this? The issue mentions that the correct approach is to create the application with the first certificate and then add further certificates with the New-AzureRmAdAppCredential cmdlet, as shown in the example code below:
# Sign in interactively with an account that can create applications in the directory
Login-AzureRmAccount

# Create two self signed certs in the machine store and export each as a PFX
mkdir c:\certificates
$currentDate = Get-Date
$endDate = $currentDate.AddYears(1)
$notAfter = $endDate.AddYears(1)
$pwdplaintext = "P@ssW0rd1"
$pwd = ConvertTo-SecureString -String $pwdplaintext -Force -AsPlainText

# First certificate
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName AadAppCertTest1 -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\certificates\AadAppCertTest1.pfx -Password $pwd

# Second certificate
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName AadAppCertTest2 -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\certificates\AadAppCertTest2.pfx -Password $pwd

# Load the first certificate; only the base64 encoded public part is sent to Azure AD
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\certificates\AadAppCertTest1.pfx", $pwdplaintext)
$certValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Create the Azure AD Application using the first certificate
$adapp = New-AzureRmADApplication -DisplayName "TestAzureAdApp01" -HomePage "http://TestAzureAdApp01.azurewebsites.net/" -IdentifierUris "http://TestAzureAdApp01.azurewebsites.net/" -CertValue $certValue -StartDate (Get-Date $cert.GetEffectiveDateString()) -EndDate $notAfter

# Next add the second certificate using New-AzureRmAdAppCredential
$cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\certificates\AadAppCertTest2.pfx", $pwdplaintext)
$certValue2 = [System.Convert]::ToBase64String($cert2.GetRawCertData())
New-AzureRmADAppCredential -ApplicationId $adapp.ApplicationId -CertValue $certValue2

# Running Get-AzureRmADApplication and piping it to Get-AzureRmADAppCredential should show the two keys
Get-AzureRmADApplication -ApplicationId $adapp.ApplicationId | Get-AzureRmADAppCredential

# Finally create the Azure AD Service Principal
$sp = New-AzureRmADServicePrincipal -ApplicationId $adapp.ApplicationId
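The reason to hold two certificates on one application is rotation: a new key is added, proven to work, and only then is the old key retired, so the application never has a window with no valid credential. The script below is an added example written for this post; it is not part of the original gist. It assumes the $adapp and $cert2 variables from the script above, that the interactive admin session is still active, that the second certificate's private key is still in cert:\localmachine\my (where Login-AzureRmAccount looks it up by thumbprint), and that the credential added most recently has the latest StartDate, which is the default New-AzureRmAdAppCredential behaviour.

```powershell
# Added example, not from the original post. Assumes $adapp and $cert2 from the
# script above and an interactive AzureRM session signed in as a directory admin.
$appId    = $adapp.ApplicationId
$tenantId = (Get-AzureRmContext).Tenant.Id
$newThumb = $cert2.GetCertHashString()   # SHA-1 thumbprint as hex, no spaces

# 1. Inventory: list every key credential on the application with its validity window.
#    Get-AzureRmADAppCredential exposes KeyId, Type, StartDate and EndDate, not the
#    thumbprint, so StartDate is what lets us tell the old key from the new one.
$creds = Get-AzureRmADAppCredential -ApplicationId $appId
$creds | Select-Object KeyId, Type, StartDate, EndDate | Format-Table -AutoSize

# 2. Prove the new certificate authenticates before removing anything.
#    The service principal context replaces the admin context, so keep a handle
#    on the admin context and switch back afterwards (the SP itself has no rights
#    to manage application credentials).
$adminContext = Get-AzureRmContext
try {
    # Assumption: the certificate with thumbprint $newThumb is in the local machine
    # store. A freshly created service principal can take a short while to replicate,
    # so a failure here right after New-AzureRmADServicePrincipal may just need a retry.
    Login-AzureRmAccount -ServicePrincipal -TenantId $tenantId `
        -ApplicationId $appId -CertificateThumbprint $newThumb | Out-Null
    Write-Host "Service principal authenticated with certificate $newThumb"
}
catch {
    throw "New certificate failed to authenticate; leaving existing credentials untouched. $_"
}
finally {
    Set-AzureRmContext -Context $adminContext | Out-Null
}

# 3. Retire the previous key. Anything already past its EndDate is dead weight and
#    goes first; then the oldest remaining key (the first certificate) is removed,
#    leaving only the credential we just verified.
$now = Get-Date
foreach ($expired in ($creds | Where-Object { $_.EndDate -lt $now })) {
    Write-Host "Removing expired credential $($expired.KeyId) (expired $($expired.EndDate))"
    Remove-AzureRmADAppCredential -ApplicationId $appId -KeyId $expired.KeyId -Force
}

$remaining = Get-AzureRmADAppCredential -ApplicationId $appId
if ($remaining.Count -gt 1) {
    $oldest = $remaining | Sort-Object StartDate | Select-Object -First 1
    Write-Host "Removing superseded credential $($oldest.KeyId) (started $($oldest.StartDate))"
    Remove-AzureRmADAppCredential -ApplicationId $appId -KeyId $oldest.KeyId -Force
}

# 4. Confirm exactly one key credential is left on the application.
$final = Get-AzureRmADAppCredential -ApplicationId $appId
if ($final.Count -ne 1) {
    throw "Expected one credential after rotation, found $($final.Count)"
}
$final | Select-Object KeyId, Type, StartDate, EndDate | Format-Table -AutoSize
```

Step 2 is the part worth keeping even if you rotate by hand: removing the old credential before the new one has been exercised end to end is how an application ends up locked out, and with certificate credentials there is no "reset the secret" shortcut to recover quickly. The PFX files written to c:\certificates carry the private keys, so once the certificates are in the store and the public halves are registered in Azure AD those files should be deleted or moved to protected storage rather than left on the build machine.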