How to use New-AzADSpCredential to add certificate credentials

Padilla, Henry 1 Reputation point

I am using App Registrations to deploy resources and the certificate is expiring. I am trying to write a script to add a new cert to extend the life of this Service Principal but no matter who I login as (myself, a colleague, the Service Principal itself) I get the following error:

    New-AzADSpCredential : Insufficient privileges to complete the operation.
    At X:\XXX\XXXX\XXXXX\Add-NewDmfCertificate.ps1:496 char:63
    + ... cipalName | New-AzADSpCredential -CertValue $credValue -StartDate $ce ...
    +                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [New-AzADSpCredential], Exception
        + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADSpCredentialCommand

2 answers

  1. AmanpreetSingh-MSFT 55,201 Reputation points

    @Padilla, Henry You need to use the commands below for this purpose:

    1. Copy the certificate to C:\temp\cert.cer, or specify your own certificate path in step 6.
    2. Copy the Object ID of the App where you want to add the certificate. You will need this in the last command.
    3. Open PowerShell as administrator and run Install-Module AzureADPreview. If this module is already installed, you can skip this step.
    4. Run Connect-AzureAD and log in with a user who has the Global Administrator or Application Administrator role.
    5. $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 # create a new certificate object
    6. $cer.Import("C:\temp\cert.cer") # load the public certificate (.cer) from disk
    7. $bin = $cer.GetRawCertData() # raw DER bytes of the certificate
    8. $base64Value = [System.Convert]::ToBase64String($bin) # becomes the credential's -Value
    9. $bin = $cer.GetCertHash() # thumbprint bytes
    10. $base64Thumbprint = [System.Convert]::ToBase64String($bin) # becomes the -CustomKeyIdentifier
    11. $keyid = [System.Guid]::NewGuid().ToString() # optional; the command below does not take it, Azure AD assigns the KeyId itself
    12. New-AzureADApplicationKeyCredential -ObjectId 37fe33f9-xxxx-xxxx-xxxx-xxxxxxxxxxxx -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.GetEffectiveDateString() # replace the ObjectId with the one from step 2


    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

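The steps above wrapped into one function, as an added example that is not the answerer's own code. It assumes the AzureAD module is installed and Connect-AzureAD has already been run; the object ID and certificate path in the usage line are placeholders, and the function name is made up for this example.

```powershell
# Add a certificate as a key credential on an app registration, then list
# every key credential with its remaining lifetime so the expiring one can be
# tracked and removed once deployments have moved to the new certificate.
function Add-AppCertCredential {
    param(
        [Parameter(Mandatory)] [string] $AppObjectId,  # Object ID of the app registration
        [Parameter(Mandatory)] [string] $CertPath      # path to the public certificate (.cer)
    )

    # Only the public half is uploaded to Azure AD; the private key stays with
    # the deployment host that signs in as the service principal.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    if ($cer.HasPrivateKey) {
        Write-Warning "The file contains a private key; only the public certificate is needed here."
    }
    if ($cer.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cer.Thumbprint) has already expired."
    }

    $base64Value      = [System.Convert]::ToBase64String($cer.GetRawCertData())   # -Value
    $base64Thumbprint = [System.Convert]::ToBase64String($cer.GetCertHash())      # -CustomKeyIdentifier

    # Take the validity window from the certificate itself so the credential
    # can never outlive the certificate it represents.
    New-AzureADApplicationKeyCredential -ObjectId $AppObjectId `
        -CustomKeyIdentifier $base64Thumbprint `
        -Type AsymmetricX509Cert -Usage Verify `
        -Value $base64Value `
        -StartDate $cer.NotBefore -EndDate $cer.NotAfter | Out-Null

    # Report all key credentials now on the app. The old one should be removed
    # with Remove-AzureADApplicationKeyCredential -KeyId once it is no longer used.
    Get-AzureADApplicationKeyCredential -ObjectId $AppObjectId |
        Select-Object KeyId, Type, Usage, StartDate, EndDate,
            @{ n = 'DaysLeft'; e = { [int]($_.EndDate - (Get-Date)).TotalDays } }
}

# Usage (placeholder object ID and path):
# Add-AppCertCredential -AppObjectId '00000000-0000-0000-0000-000000000000' -CertPath 'C:\temp\cert.cer'
```

The signed-in user still needs the Application Administrator or Global Administrator role (or ownership of the app) that the answer names; otherwise the same "Insufficient privileges" error from the question is returned.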

  2. Marc Kassay 1 Reputation point

    Cross-post on Stack Overflow.
