Upload certificate credential to Azure Ad app via Powershell

Sam Davidoff 1 Reputation point
2023-01-07T12:25:03.8+00:00

I have an application registered in Azure AD that needs to be able to access resources as the application, i.e., Application (Role) type permissions. The required scopes and consent are configured, and in order for the actual app code to authenticate as the app service principal, I'm using a certificate. The certificate is stored in a keyvault. Uploading it via the portal is simple enough. I can also automate it using the Azure AD cli via:

az ad app credential reset --id "my-app-id" --keyvault "myKeyVaultName" --cert "myCertName" --append  

However, I want to do this through Powershell, not the CLI. The recommended SDK to use for AAD app related things is the MS Graph Powershell SDK, but I can't find any information on how to upload a certificate using this SDK. Can someone point me to the correct cmdlet?

(Note, I didn't have any issue setting up the required access and consent themselves using Update-MgApplication and New-MgServicePrincipalAppRoleAssignment, respectively. What I can't see is how to set up the credentials so actual app code can authenticate as the application. Also, this question is basically the same as this SO question, but the answer there refers to the Azure AD SDK which is now deprecated, as it tells you in big red letters if you go to the link.)


1 answer

Sam Davidoff 1 Reputation point
2023-01-07T13:12:40.647+00:00

Got it. It's Update-MgApplication with the -KeyCredentials parameter for a new cert, or Add-MgApplicationKey to update an existing cert. The word "Key" threw me off since you aren't actually uploading a private key, but I guess it is meant to refer to the fact that the authentication will use a key (which will be validated by the cert you upload).

Here's a working example of a function that pulls the cert from a keyvault and uploads to a registered app:

function Set-AppCredential
{
    Param(
        [Parameter(Mandatory)]
        [string]$AppDisplayName,
        [Parameter(Mandatory)]
        [string]$KeyVaultName,
        [Parameter(Mandatory)]
        [string]$CertificateName
    )

    # Look up the app registration by display name
    # (needs Connect-MgGraph with the Application.ReadWrite.All scope)
    $Application = Get-MgApplication -Filter "DisplayName eq '$($AppDisplayName)'"

    # Fetch the certificate from Key Vault (needs Connect-AzAccount and 'get' permission on certificates).
    # Only the public certificate is used below; the private key stays in the vault.
    $KeyVaultCertificate = Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName

    # Key credential for the app: the DER-encoded public cert that Azure AD will use
    # to verify client assertions signed with the matching private key
    $CertCredential = @{
        Type = "AsymmetricX509Cert"
        Usage = "Verify"
        Key = $KeyVaultCertificate.Certificate.RawData
    }

    # -KeyCredentials sets the whole keyCredentials collection, so this replaces
    # any certificate credentials already registered on the app
    Update-MgApplication -ApplicationId $Application.Id -KeyCredentials @($CertCredential)

}
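The function above hands Update-MgApplication a single-element collection, which is the behaviour the az CLI exposes without --append: the PATCH on keyCredentials replaces everything that was there. The following is an added example (not code from the original post or from Microsoft) that does the --append equivalent in PowerShell: it keeps the existing credentials, skips the upload if the same thumbprint is already registered, bounds the credential's validity to the certificate's own NotBefore/NotAfter, and reads the application back to confirm the thumbprint landed. It assumes the Az.KeyVault and Microsoft.Graph.Applications modules are installed, that Connect-AzAccount has been run with 'get' permission on the vault's certificates, and that Connect-MgGraph has been run with the Application.ReadWrite.All scope; the function and parameter names are this example's own.

```powershell
# Added example, not from the original post. Assumptions: Az.KeyVault and
# Microsoft.Graph.Applications are installed, Connect-AzAccount has run with
# 'get' on the vault's certificates, Connect-MgGraph has run with
# Application.ReadWrite.All. Function/parameter names are the example's own.
function Add-AppCertificateCredential
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory)] [string]$AppDisplayName,
        [Parameter(Mandatory)] [string]$KeyVaultName,
        [Parameter(Mandatory)] [string]$CertificateName
    )

    # Resolve the app registration and refuse ambiguous display names, since the
    # update would otherwise land on whichever match came back first.
    $apps = @(Get-MgApplication -Filter "DisplayName eq '$AppDisplayName'" -Property Id,DisplayName,KeyCredentials)
    if ($apps.Count -ne 1) {
        throw "Expected exactly one application named '$AppDisplayName', found $($apps.Count)."
    }
    $app = $apps[0]

    # Only the public certificate is read out of Key Vault; the private key never
    # leaves the vault, which is the point of a certificate credential.
    $x509 = (Get-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertificateName).Certificate

    # Azure AD stores the SHA-1 thumbprint of each cert in customKeyIdentifier;
    # render it as uppercase hex so it compares directly with $x509.Thumbprint.
    $thumbprintOf = {
        param($kc)
        if ($kc.CustomKeyIdentifier) { [BitConverter]::ToString($kc.CustomKeyIdentifier).Replace('-', '') } else { '' }
    }

    $existing = @($app.KeyCredentials)

    # Idempotent re-runs: if this exact certificate is already registered, do nothing.
    foreach ($kc in $existing) {
        if ((& $thumbprintOf $kc) -eq $x509.Thumbprint) {
            Write-Verbose "Certificate $($x509.Thumbprint) is already registered on '$($app.DisplayName)'."
            return $kc
        }
    }

    # PATCH on keyCredentials replaces the entire collection, so resend the
    # existing entries (their keyId is enough to keep them) alongside the new one.
    # Otherwise credentials other deployments still authenticate with are silently dropped.
    $merged = @()
    foreach ($kc in $existing) {
        $merged += @{
            KeyId         = $kc.KeyId
            Type          = $kc.Type
            Usage         = $kc.Usage
            DisplayName   = $kc.DisplayName
            StartDateTime = $kc.StartDateTime
            EndDateTime   = $kc.EndDateTime
        }
    }
    $merged += @{
        Type          = 'AsymmetricX509Cert'
        Usage         = 'Verify'
        Key           = $x509.RawData                      # DER-encoded public certificate
        DisplayName   = "$CertificateName ($($x509.Thumbprint))"
        StartDateTime = $x509.NotBefore.ToUniversalTime()  # credential validity bounded by the cert
        EndDateTime   = $x509.NotAfter.ToUniversalTime()
    }

    Update-MgApplication -ApplicationId $app.Id -KeyCredentials $merged

    # Read back and confirm the new thumbprint is present before reporting success.
    $after = Get-MgApplication -ApplicationId $app.Id -Property KeyCredentials
    $added = @($after.KeyCredentials | Where-Object { (& $thumbprintOf $_) -eq $x509.Thumbprint })
    if ($added.Count -ne 1) {
        throw "Upload of certificate $($x509.Thumbprint) to '$($app.DisplayName)' could not be verified."
    }
    return $added[0]
}

# Usage (names are placeholders):
# Add-AppCertificateCredential -AppDisplayName 'my-app' -KeyVaultName 'myKeyVaultName' -CertificateName 'myCertName' -Verbose
```

Two design points worth keeping even if you trim the rest: failing on an ambiguous display name matters because Get-MgApplication -Filter can return several registrations with the same name, and a credential added to the wrong one is both a broken deployment and an unexpected path into another app; and the read-back check is what turns "the cmdlet returned" into "the credential is there", which is the condition a pipeline should gate on.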