Get all Microsoft Entra application proxy applications published with the identical certificate and replace it
This PowerShell script example allows you to replace the certificate in bulk for all the Microsoft Entra application proxy applications that are published with the identical certificate.
If you don't have an Azure subscription, create an Azure free account before you begin.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
Azure Cloud Shell
Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article, without having to install anything on your local environment.
To start Azure Cloud Shell:
- Select Try It in the upper-right corner of a code or command block. Selecting Try It doesn't automatically copy the code or command to Cloud Shell.
- Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.
- Select the Cloud Shell button on the menu bar at the upper right in the Azure portal.
To use Azure Cloud Shell:
1. Start Cloud Shell.
2. Select the Copy button on a code block (or command block) to copy the code or command.
3. Paste the code or command into the Cloud Shell session by selecting Ctrl+Shift+V on Windows and Linux, or by selecting Cmd+Shift+V on macOS.
4. Select Enter to run the code or command.
This sample requires the Azure Active Directory PowerShell 2.0 for Graph module or the Azure Active Directory PowerShell 2.0 for Graph module preview version (AzureADPreview).
Sample script
```powershell
# This sample script gets all Azure AD Application Proxy applications published with the identical certificate.
#
# .\get-custom-domain-replace-cert.ps1 -CurrentThumbprint <thumbprint of the current certificate> -PFXFilePath <full path with PFX filename>
#
# This script requires PowerShell 5.1 (x64) and one of the following modules:
# AzureAD 2.0.2.52
# AzureADPreview 2.0.2.53
#
# Before you begin:
# Run Connect-AzureAD to connect to the tenant domain.
# Required Azure AD role: Global Administrator or Application Administrator
param(
    [string] $CurrentThumbprint = "null",
    [string] $PFXFilePath = "null"
)

$certThumbprint = $CurrentThumbprint
$pfxPath = $PFXFilePath

If (($certThumbprint -eq "null") -or ($pfxPath -eq "null")) {
    Write-Host "Parameter is missing." -BackgroundColor "Black" -ForegroundColor "Green"
    Write-Host " "
    Write-Host ".\get-custom-domain-replace-cert.ps1 -CurrentThumbprint <thumbprint of the current certificate> -PFXFilePath <full path with PFX filename>" -BackgroundColor "Black" -ForegroundColor "Green"
    Write-Host " "
    Exit
}

If ((Test-Path -Path $pfxPath) -eq $False) {
    Write-Host "The pfx file does not exist." -BackgroundColor "Black" -ForegroundColor "Red"
    Write-Host " "
    Exit
}

# Prompt for the PFX password as a SecureString; it is not echoed to the console.
$securePassword = Read-Host -Prompt "Please provide the password of the pfx file" -AsSecureString

Write-Host "Reading service principals. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"
# Application Proxy service principals carry the WindowsAzureActiveDirectoryOnPremApp tag.
$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryOnPremApp" }

Write-Host "Reading Azure AD applications. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"
$allApps = Get-AzureADApplication -Top 100000

Write-Host "Reading application. This operation might take longer..." -BackgroundColor "Black" -ForegroundColor "Green"
# Correlate each Application Proxy service principal with its application object by AppId.
$aadapApp = foreach ($sp in $aadapServPrinc) { $allApps | Where-Object { $_.AppId -eq $sp.AppId } }

Write-Host ("")
Write-Host ("SSL certificate change for the Azure AD Application Proxy apps below:")
Write-Host ("")

foreach ($item in $aadapApp) {
    $tempApps = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId

    # Only touch apps whose current custom-domain certificate has the given thumbprint.
    If ($tempApps.VerifiedCustomDomainCertificatesMetadata.Thumbprint -eq $certThumbprint) {
        $sp = $aadapServPrinc | Where-Object { $_.AppId -eq $item.AppId } | Select-Object -First 1
        $sp.DisplayName + " (AppId: " + $sp.AppId + ")"
        $tempApps | Select-Object ExternalUrl, InternalUrl, ExternalAuthenticationType | Format-List
        Set-AzureADApplicationProxyApplicationCustomDomainCertificate -ObjectId $item.ObjectId -PFXFilePath $pfxPath -Password $securePassword
    }
}

Write-Host ("")
Write-Host ("Finished.") -BackgroundColor "Black" -ForegroundColor "Green"
Write-Host ("")
```
Script explanation
Command | Notes |
---|---|
Get-AzureADServicePrincipal | Gets a service principal. |
Get-AzureADApplication | Gets a Microsoft Entra application. |
Get-AzureADApplicationProxyApplication | Retrieves an application configured for Application Proxy in Microsoft Entra ID. |
Set-AzureADApplicationProxyApplicationCustomDomainCertificate | Assigns a certificate to an application configured for Application Proxy in Microsoft Entra ID. This command uploads the certificate and allows the application to use Custom Domains. |
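The sample above uploads the new PFX to every Application Proxy app that currently uses the old thumbprint, so a certificate whose subject or SAN names do not cover an app's external hostname would break TLS for that app. The following added pre-flight check is not part of the Microsoft sample: it loads the PFX, lists the DNS names it is valid for, and reports each affected app's external host as covered or not, without changing anything. It assumes Windows PowerShell 5.1 (for the SAN text format), the AzureAD module with a prior Connect-AzureAD, and the helper name Test-NameCovered is hypothetical.

```powershell
# Added pre-flight check for the bulk replacement (not part of the Microsoft sample).
# Assumes Windows PowerShell 5.1, the AzureAD module, and a prior Connect-AzureAD.
param(
    [Parameter(Mandatory)][string] $CurrentThumbprint,
    [Parameter(Mandatory)][string] $PFXFilePath
)

$securePassword = Read-Host -Prompt "Password of the PFX file" -AsSecureString
$pfxFullPath = (Resolve-Path -Path $PFXFilePath).Path
$newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxFullPath, $securePassword)

# DNS names the new certificate is valid for: subject CN plus the SAN extension (OID 2.5.29.17).
$dnsNames = @($newCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $newCert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | Select-Object -First 1
if ($san) {
    # Windows formats the SAN as "DNS Name=a.contoso.com, DNS Name=b.contoso.com".
    $dnsNames += [regex]::Matches($san.Format($false), "DNS Name=([^,\s]+)") | ForEach-Object { $_.Groups[1].Value }
}
$dnsNames = @($dnsNames | Where-Object { $_ } | Select-Object -Unique)

# Hypothetical helper: exact match, or a wildcard that covers exactly one label.
function Test-NameCovered([string] $HostName, [string[]] $Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.") -and ($HostName -like $n) -and ($HostName.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

if ($newCert.Thumbprint -eq $CurrentThumbprint) { Write-Warning "The PFX has the same thumbprint as the current certificate; there is nothing to replace." }
if ($newCert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "The new certificate expires on $($newCert.NotAfter)." }

# Same selection the sample uses: Application Proxy service principals, then their application objects.
$proxySps = Get-AzureADServicePrincipal -Top 100000 | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryOnPremApp" }
foreach ($sp in $proxySps) {
    $app = Get-AzureADApplication -Filter "appId eq '$($sp.AppId)'"
    if (-not $app) { continue }
    $proxy = Get-AzureADApplicationProxyApplication -ObjectId $app.ObjectId
    if ($proxy.VerifiedCustomDomainCertificatesMetadata.Thumbprint -ne $CurrentThumbprint) { continue }

    $externalHost = ([uri] $proxy.ExternalUrl).Host
    $status = if (Test-NameCovered -HostName $externalHost -Names $dnsNames) { "OK" } else { "NOT covered by the new certificate" }
    "{0,-40} {1,-45} {2}" -f $sp.DisplayName, $externalHost, $status
}
```

Run it with the same two parameters as the sample; any app reported as not covered should be excluded or given its own certificate before the bulk replacement is run.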
Next steps
For more information on the Azure AD PowerShell module, see Azure AD PowerShell module overview.
For other PowerShell examples for Application Proxy, see Azure AD PowerShell examples for Microsoft Entra application proxy.