How to renew the App Secret Asymmetric Keys on Azure

Geeaz 121 Reputation points
2021-02-15T07:43:14.093+00:00

Hi Team,

We were able to renew the Symmetric Keys for the applications using the below PowerShell command

New-MsolServicePrincipalCredential -AppPrincipalId $AppID -Type Symmetric -Usage Sign -Value $newclientsecret -StartDate $dtStart -EndDate $dtEnd

Reference: https://learn.microsoft.com/en-us/sharepoint/dev/sp-add-ins/replace-an-expiring-client-secret-in-a-sharepoint-add-in

Attachment: 68070-azure-ad-data-security-considerations.pdf

Similarly, we want to renew Asymmetric keys for our apps whose keys are expired. How can this be done? Please suggest.

In one of the Azure AD considerations documents, I noticed that the asymmetric keys are auto-renewed. Please confirm. The document is attached for reference.
We request your assistance on the above.

Microsoft Entra ID

1 answer

  1. Siva-kumar-selvaraj 15,671 Reputation points
    2021-02-17T08:51:01.713+00:00

    Hello @Geeaz ,

    Thank you for reaching out. Certificates (AsymmetricX509Cert) have to be renewed manually, but before the cert expires you would receive a notification email telling you the date of the cert expiration.

    You can check the following article for configuring the notification email and also steps for renewing the certificate here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on#add-email-notification-addresses-for-certificate-expiration

    The following article is worth checking out as it speaks about managing the certs SSO in Azure AD: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on.

    You can also renew the cert via PowerShell, as shown below:

    ```powershell
    # Create a new self-signed AsymmetricX509Cert (12-month validity, SHA-256) in the machine store
    $RunAsCert = New-SelfSignedCertificate -DnsName SAMLTestkey -CertStoreLocation cert:\LocalMachine\My -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter (Get-Date).AddMonths(12) -HashAlgorithm SHA256

    # Convert the raw (DER) certificate to base64; only the public certificate is uploaded, the private key stays in the store
    $keyValue = [System.Convert]::ToBase64String($RunAsCert.GetRawCertData())

    # Add the AsymmetricX509Cert to the Enterprise Application (service principal),
    # bounding the credential's validity to the certificate's own NotBefore/NotAfter
    Connect-MsolService
    New-MsolServicePrincipalCredential -ObjectId <Object ID of SPN> -Value $keyValue -Type Asymmetric -Usage Verify -StartDate $RunAsCert.NotBefore -EndDate $RunAsCert.NotAfter
    ```

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if it helped in answering your query.

    1 person found this answer helpful.
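The three steps in the answer above (create a certificate, base64-encode it, add it to the service principal), carried through as a complete rotation that also inventories what is expired, keeps the old key until the relying party has been switched over, and only then removes expired keys. This is an added example, not code from the original post or from Microsoft. It assumes the MSOnline module (now deprecated in favour of Microsoft Graph PowerShell, but it is what both the question and the answer use), an account allowed to manage service principal credentials, and a placeholder `$SpnObjectId` that you replace with the real service principal object ID.

```powershell
# Added example: rotate an expired/expiring AsymmetricX509Cert on a service principal
# with MSOnline. Assumes the MSOnline module is installed and $SpnObjectId is replaced
# with the object ID of the Enterprise Application (placeholder value below).

Connect-MsolService                                             # interactive sign-in

$SpnObjectId    = '00000000-0000-0000-0000-000000000000'        # placeholder, replace
$ValidityMonths = 12
$WarnDays       = 30

# 1. Inventory existing credentials and flag what is expired or about to expire.
#    -ReturnKeyValues $false keeps key material out of the console/transcript.
$now   = (Get-Date).ToUniversalTime()
$creds = Get-MsolServicePrincipalCredential -ObjectId $SpnObjectId -ReturnKeyValues $false
$creds | ForEach-Object {
    $state = if ($_.EndDate -lt $now) { 'EXPIRED' }
             elseif ($_.EndDate -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
             else { 'OK' }
    [pscustomobject]@{
        KeyId = $_.KeyId; Type = $_.Type; Usage = $_.Usage
        StartDate = $_.StartDate; EndDate = $_.EndDate; State = $state
    }
} | Format-Table -AutoSize

# 2. Create a new self-signed certificate in the machine store. The private key never
#    leaves this host; only the public certificate is uploaded to Entra ID.
$newCert = New-SelfSignedCertificate -DnsName 'SAMLTestkey' `
    -CertStoreLocation 'cert:\LocalMachine\My' `
    -KeyExportPolicy Exportable `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths($ValidityMonths)

# 3. Upload the DER-encoded public certificate as an Asymmetric/Verify credential whose
#    validity in Entra ID matches the certificate's own NotBefore/NotAfter.
$keyValue = [System.Convert]::ToBase64String($newCert.GetRawCertData())
New-MsolServicePrincipalCredential -ObjectId $SpnObjectId `
    -Type Asymmetric -Usage Verify -Value $keyValue `
    -StartDate $newCert.NotBefore -EndDate $newCert.NotAfter

# 4. Confirm the new credential is registered. MSOL does not return thumbprints, so the
#    newest Asymmetric entry (by EndDate) is the one just added; record the thumbprint
#    locally for the relying party / add-in configuration.
Get-MsolServicePrincipalCredential -ObjectId $SpnObjectId -ReturnKeyValues $false |
    Where-Object { $_.Type -eq 'Asymmetric' } |
    Sort-Object EndDate -Descending |
    Select-Object KeyId, Usage, StartDate, EndDate | Format-Table -AutoSize
"New certificate thumbprint for the relying party: $($newCert.Thumbprint)"

# 5. Clean-up: remove only credentials that are already expired. Expired keys cannot
#    authenticate anyway, so this is hygiene; never remove a still-valid key until the
#    relying party has been confirmed to use the new certificate.
$expiredIds = $creds |
    Where-Object { $_.Type -eq 'Asymmetric' -and $_.EndDate -lt $now } |
    Select-Object -ExpandProperty KeyId
if ($expiredIds) {
    Remove-MsolServicePrincipalCredential -ObjectId $SpnObjectId -KeyIds $expiredIds
}
```

Two design points worth keeping when you adapt this: upload the certificate with -Usage Verify (Entra ID only ever verifies signatures made with the app's private key, so a Sign usage on an asymmetric credential is the wrong intent), and run step 5 as a separate, deliberate action after the consuming application has been re-configured, because the KeyId list from step 1 is the only record of which entries were expired before the rotation.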
