How to get an Azure app registration client secret into Azure Key Vault and update it automatically

Niklas Österholm 26 Reputation points
2022-10-28T11:12:46.827+00:00

Hi!

We have a few app registrations for applications that use secrets to connect. What we want to do is use Azure Key Vault to rotate them quite often. My plan is to use an Automation account to automatically create a new app secret and update the Azure Key Vault. Getting access to the Key Vault from my Automation account was quite easy, but how do I give my Automation account access to edit the secret of a specific app registration in Azure?

Tags: Azure Key Vault, Azure Active Directory, Microsoft Graph Identity API

2 answers
  1. Carlos Solís Salazar 11,851 Reputation points
    2022-10-28T19:10:49.887+00:00

    Hi anonymous user

    Thank you for asking this question on the **Microsoft Q&A Platform.**

    To log in to Azure AD PowerShell with Admin Account, you can execute the following commands:

    $connectionName = "AzureRunAsConnection"
    # Retrieve the Run As connection asset (tenant id, application id and certificate thumbprint) stored in the Automation account
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    # Now you can log in to Azure AD PowerShell with your service principal and certificate
    Connect-AzureAD -TenantId $servicePrincipalConnection.TenantId `
                    -ApplicationId $servicePrincipalConnection.ApplicationId `
                    -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint

    Source: https://social.msdn.microsoft.com/Forums/azure/en-US/5a596b5c-c7f6-4e22-9568-24b12d7d9588/connectazuread-in-azure-automation-runbook?forum=azureautomation

    To create a password credential via PowerShell you can use this command:

    # Create a new client secret on the app registration; -ObjectId is the application's object id, not its application (client) id
    $secret = New-AzureADApplicationPasswordCredential -ObjectId "3ddd22e7-a150-4bb3-b100-e410dea1cb84"

    # The plaintext value is only returned in this response; this writes it to the runbook job output
    Write-Host $secret.Value

    Source: https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplicationpasswordcredential?view=azureadps-2.0

    I think that with these two sets of commands you can complete your runbook.

    Hope this helps!

    ----------

    Accept the answer and upvote if any of the above helped; this thread can then help others in the community looking for remediation of similar issues.
    NOTE: To answer you as quickly as possible, please mention me in your reply.


  2. Roderick Bant 2,031 Reputation points
    2022-11-08T21:53:19.477+00:00

    If you want to use a managed identity, assign the Application Administrator Azure AD role to it from the Azure AD Roles and administrators blade in the Azure portal.

    See "Assign Azure AD roles to users" for instructions on how to assign an Azure AD role, and type the name of your managed identity in the user selection search box.

    @Carlos Solís Salazar's answer gives a good instruction in the second code example on how you can generate the new secret once the Azure AD role has been assigned.

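Putting the two answers together as one runbook, as an added example that is not part of the original thread and not Microsoft's own code. It takes the managed-identity path from the second answer and the "create a password credential" step from the first, but uses the Microsoft Graph PowerShell cmdlets (Add-MgApplicationPassword, Remove-MgApplicationPassword) instead of the AzureAD module and Run As connection, both of which Microsoft has since deprecated in favour of managed identities and Graph. Assumptions not stated in the thread: the Automation account has a system-assigned managed identity that holds the Application Administrator directory role (or the Application.ReadWrite.All Graph app role) and the Key Vault Secrets Officer RBAC role on the vault; the Az.Accounts, Az.KeyVault and Microsoft.Graph.Applications modules are imported into the account; and the runbook runs on PowerShell 7. The parameter names, tag names and the content type string are placeholders chosen for the example.

```powershell
# Added example runbook (not from the original thread): rotate an app registration
# client secret and store the new value in Key Vault. Names and identifiers are placeholders.
param(
    [Parameter(Mandatory)] [string] $AppObjectId,   # object id of the app registration (not the appId / client id)
    [Parameter(Mandatory)] [string] $VaultName,
    [Parameter(Mandatory)] [string] $SecretName,
    [int] $ValidityDays = 30,                       # lifetime of the new client secret
    [switch] $PurgeOlder                            # also delete credentials older than the previous one
)

$ErrorActionPreference = 'Stop'

# 1. Authenticate as the Automation account's managed identity.
#    Assumed (see lead-in): the identity has Application Administrator in Entra ID
#    and Key Vault Secrets Officer on the vault. No password or certificate is stored anywhere.
Connect-AzAccount -Identity | Out-Null
Connect-MgGraph -Identity -NoWelcome

# 2. Create the new client secret. Graph returns the plaintext exactly once, in this response.
$now = (Get-Date).ToUniversalTime()
$newCred = Add-MgApplicationPassword -ApplicationId $AppObjectId -PasswordCredential @{
    displayName   = "rotated-$($now.ToString('yyyyMMddTHHmmssZ'))"
    startDateTime = $now
    endDateTime   = $now.AddDays($ValidityDays)
}

# 3. Write it to Key Vault before touching any old credential, so a failure here leaves the
#    application running on its current secret. The vault secret's expiry mirrors the credential's,
#    and the Graph keyId is kept as a tag so the two can be matched later.
$secure = ConvertTo-SecureString -String $newCred.SecretText -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires $newCred.EndDateTime `
    -ContentType 'entra-app-client-secret' `
    -Tag @{ keyId = $newCred.KeyId; appObjectId = $AppObjectId } | Out-Null

# 4. Two-secret overlap: keep the most recent previous credential so clients that cached the
#    old value keep working until the next rotation; remove anything older (if -PurgeOlder) or expired.
$app = Get-MgApplication -ApplicationId $AppObjectId -Property 'passwordCredentials'
$others = @($app.PasswordCredentials |
    Where-Object { $_.KeyId -ne $newCred.KeyId } |
    Sort-Object StartDateTime -Descending)

for ($i = 0; $i -lt $others.Count; $i++) {
    $cred    = $others[$i]
    $expired = $cred.EndDateTime -and ($cred.EndDateTime.ToUniversalTime() -lt $now)
    $isPrevious = ($i -eq 0)
    if ($expired -or ($PurgeOlder -and -not $isPrevious)) {
        Remove-MgApplicationPassword -ApplicationId $AppObjectId -KeyId $cred.KeyId
        Write-Output "Removed credential $($cred.KeyId) (expired=$expired)"
    }
}

# 5. Report only identifiers and dates. The secret text is never written to the job stream,
#    which is visible to anyone who can read the Automation job output.
Write-Output "New credential $($newCred.KeyId) for $AppObjectId stored in $VaultName/$SecretName, expires $($newCred.EndDateTime.ToString('u'))"
```

Two practical points. Application Administrator can change the credentials of every app registration in the tenant, so a compromised Automation account becomes a tenant-wide problem; if the identity only needs to rotate its own handful of apps, a narrower choice is to make the managed identity an owner of those app registrations and grant it the Application.ReadWrite.OwnedBy Graph app role instead. And the `Write-Host $secret.Value` line in the first answer is fine for a quick test but should not survive into the production runbook, because Automation job output is retained and readable by anyone with Reader on the account.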