Microsoft Graph API: Application addKey

Aaron 5 Reputation points
2023-07-17T17:08:13.3366667+00:00

Hi All,

I've been attempting for days to test using the addKey to rotate a key. But regardless of how I do it, I always end up with "Authentication_MissingOrMalformed" and Error code 401. Is there something else I need to do?

I first created an Azure AD App Registration with the following permissions:

https://user-images.githubusercontent.com/22307415/253676379-1f620a2a-e993-4dcf-b6fe-d073d92b3093.png

I then created a Self-Signed certificate and uploaded it to use as a Client Certificate, following this guide.

I then followed the guide as specified here to generate the proof.

using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

string pfxFilePath = "certandkey.pfx";
string password = "password";
string objectId = "{objectId}"; // object ID of the application (not the client/app ID)

// Get signing certificate (must already be registered on the application)
X509Certificate2 signingCert = new X509Certificate2(pfxFilePath, password);

// audience: the Microsoft Graph application ID
string aud = "00000003-0000-0000-c000-000000000000";

// aud and iss are the only required claims.
var claims = new Dictionary<string, object>()
{
    { "aud", aud },
    { "iss", objectId }
};

// token validity should not be more than 10 minutes
var now = DateTime.UtcNow;
var securityTokenDescriptor = new SecurityTokenDescriptor
{
    Claims = claims,
    NotBefore = now,
    Expires = now.AddMinutes(10),
    SigningCredentials = new X509SigningCredentials(signingCert)
};

var handler = new JsonWebTokenHandler();
var x = handler.CreateToken(securityTokenDescriptor); // the proof-of-possession JWT

Then I generated a new self-signed certificate that I'd like to add, and export that to another file. I then attempt to call the API as follows below, but I cannot get past the exception that I see.

using Azure.Identity;
using Microsoft.Graph;
using Microsoft.Graph.Models;

string tenantId = "{tenantId}";
string clientId = "{clientId}";
string newCertPath = "newcert.pfx";
X509Certificate2 newCert = new X509Certificate2(newCertPath);
// Authenticate with the existing (already registered) certificate, not the new one
var credential = new ClientCertificateCredential(tenantId, clientId, signingCert);
var graphClient = new GraphServiceClient(credential);

var requestBody = new Microsoft.Graph.Applications.Item.AddKey.AddKeyPostRequestBody
{
    KeyCredential = new KeyCredential
    {
        Type = "AsymmetricX509Cert",
        Usage = "Verify",
        Key = newCert.GetRawCertData() // DER-encoded public certificate
    },
    PasswordCredential = null,
    Proof = x, // JWT signed with signingCert
};
var result = await graphClient.Applications[objectId].AddKey.PostAsync(requestBody);

I would really appreciate some help in figuring out what I'm doing wrong here. I've tried this using both C# and Java, and have resulted in the same error.

I should ***not*** need to give my app registration any additional permissions, because in the documentation, it specifically says I do not need to do so.


Thanks,
Aaron
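As an added example (not part of the question above and not Microsoft's code), the following hypothetical helper checks, before addKey is called, the requirements the Graph documentation places on the proof: the aud must be the Microsoft Graph application ID, the iss must be the application's object ID, the token may be valid for at most 10 minutes, the x5t header must carry the signing certificate's SHA-1 thumbprint, and the signing certificate must already be a valid keyCredential on the application. It assumes the same `graphClient`, `objectId`, `x` (the proof JWT) and `signingCert` variables as in the question, the Microsoft Graph SDK v5 and Microsoft.IdentityModel packages already referenced there, and that the keyCredentials entries were uploaded with the default customKeyIdentifier (the certificate thumbprint).

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper (added example): returns a list of problems found in the
// proof-of-possession JWT and the signing certificate. An empty list means the
// proof satisfies the documented addKey requirements as far as can be checked locally.
static async Task<List<string>> CheckAddKeyProofAsync(
    GraphServiceClient graphClient, string objectId, string proofJwt, X509Certificate2 signingCert)
{
    var problems = new List<string>();
    const string graphAud = "00000003-0000-0000-c000-000000000000";

    // Parse the JWT without validating it; we only inspect header and claims here.
    var jwt = new JsonWebTokenHandler().ReadJsonWebToken(proofJwt);

    if (!jwt.Audiences.Contains(graphAud))
        problems.Add($"aud must be {graphAud}, got '{string.Join(",", jwt.Audiences)}'");

    if (!string.Equals(jwt.Issuer, objectId, StringComparison.OrdinalIgnoreCase))
        problems.Add($"iss must be the application object ID {objectId}, got '{jwt.Issuer}'");

    if (jwt.ValidTo - jwt.ValidFrom > TimeSpan.FromMinutes(10))
        problems.Add("exp - nbf must not exceed 10 minutes");

    if (jwt.ValidTo < DateTime.UtcNow)
        problems.Add("proof has already expired; generate it immediately before the call");

    // The header must carry x5t = base64url(SHA-1 thumbprint) of the signing certificate.
    byte[] thumbprint = signingCert.GetCertHash();
    string expectedX5t = Base64UrlEncoder.Encode(thumbprint);
    if (jwt.X5t != expectedX5t)
        problems.Add($"x5t header '{jwt.X5t}' does not match the signing certificate thumbprint");

    // The signing certificate must already be a currently valid keyCredential on the application.
    // This is a plain read of the application object, so it needs the usual read permission
    // (assumption: Application.Read.All or an equivalent), unlike addKey itself.
    var app = await graphClient.Applications[objectId].GetAsync(cfg =>
        cfg.QueryParameters.Select = new[] { "keyCredentials" });

    bool registered = app?.KeyCredentials?.Any(k =>
        k.CustomKeyIdentifier != null
        && k.CustomKeyIdentifier.SequenceEqual(thumbprint)
        && (k.EndDateTime == null || k.EndDateTime > DateTimeOffset.UtcNow)) ?? false;

    if (!registered)
        problems.Add("signing certificate is not a currently valid keyCredential on the application");

    return problems;
}

// Usage, with the variables from the question:
// var problems = await CheckAddKeyProofAsync(graphClient, objectId, x, signingCert);
// foreach (var p in problems) Console.WriteLine(p);
```

Running this before the addKey call separates the two causes of a 401 that cannot be told apart from the error string alone: a proof whose claims or header are off, and a proof signed by a certificate the application does not know about (for example, the newly generated certificate instead of the one already uploaded).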
