I have been working a fair bit on Azure AD App Registrations using Graph cmdlets this past week.
There’s very little help available for most of these cmdlets so this post is meant to be a running reference for my future self on the stuff I figured out.
Application vs Service Principal
Get-MgApplication is for the App Registration.
Get-MgServicePrincipal is for the Enterprise Application (the Service Principal that gets created from the App Registration, basically).
Searching
To search for an App Registration (and ditto for Service Principal just use the other cmdlet):
```powershell
# By AppId
Get-MgApplication -All -Filter "AppId eq '9d2a2179-f98c-47fe-be39-a8c2103a5543'"

# By Name
Get-MgApplication -All -Filter "DisplayName eq 'Kamboocha'"

# By Name (starting with)
Get-MgApplication -Filter "startsWith(DisplayName,'My Apps')"
```
The result has an Id and AppId.
```text
Id                                   DisplayName      AppId                                SignInAudience PublisherDomain
--                                   -----------      -----                                -------------- ---------------
d2d57545-6528-4faf-b5dc-a364051969cd Ragnarak - App1  9d2a2179-f98c-47fe-be39-a8c2103a5543 AzureADMyOrg   ragnarak.onmicrosoft.com
```
The AppId is the application (client) Id shown in the portal, but the Id is what you'll need when dealing with Graph. In the portal this is the object Id.
For the next few sections assume I have an App Registration object stored in a variable:
```powershell
$appRegObj = Get-MgApplication -All -Filter "DisplayName eq 'Test App'"
```
Secrets & Certificates
The KeyCredentials property has the certificates. The PasswordCredentials property has the secrets. Both appear empty if you were to look at the application properties, so you’ll have to refer to them explicitly. For example:
```powershell
(Get-MgApplication -ApplicationId a2d57545-6528-4f1f-b5dc-a364051669cd).PasswordCredentials
```
This is because these properties are not pulled by default.
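Since both credential collections have to be requested explicitly anyway, the natural thing to do with them is an expiry audit. The function below is an added example, not code from the original post: it pulls KeyCredentials and PasswordCredentials for one App Registration and flags anything expired or expiring within a threshold. It assumes an existing Connect-MgGraph session with permission to read applications, and the function name and the $WarnDays parameter are my own.

```powershell
function Get-AppCredentialStatus {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,   # object Id of the App Registration, not the AppId
        [int] $WarnDays = 30                               # flag credentials expiring within this many days
    )

    # Ask for the credential properties explicitly; they are not returned by default
    $app = Get-MgApplication -ApplicationId $ApplicationId -Property DisplayName, KeyCredentials, PasswordCredentials
    $now = Get-Date

    # Normalise secrets and certificates into one list of rows
    $rows = @()
    foreach ($c in $app.PasswordCredentials) {
        $rows += [pscustomobject]@{ App = $app.DisplayName; Kind = 'Secret';      Name = $c.DisplayName; KeyId = $c.KeyId; Expires = $c.EndDateTime }
    }
    foreach ($c in $app.KeyCredentials) {
        $rows += [pscustomobject]@{ App = $app.DisplayName; Kind = 'Certificate'; Name = $c.DisplayName; KeyId = $c.KeyId; Expires = $c.EndDateTime }
    }

    # Work out how long each credential has left and classify it
    foreach ($r in $rows) {
        $daysLeft = if ($r.Expires) { [int]($r.Expires - $now).TotalDays } else { $null }
        $status = if ($null -eq $daysLeft) { 'NO EXPIRY' }
                  elseif ($daysLeft -lt 0) { 'EXPIRED' }
                  elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                  else { 'OK' }
        $r | Add-Member -NotePropertyName DaysLeft -NotePropertyValue $daysLeft
        $r | Add-Member -NotePropertyName Status   -NotePropertyValue $status
    }
    $rows
}

# Usage, with the $appRegObj variable from above
Get-AppCredentialStatus -ApplicationId $appRegObj.Id -WarnDays 30 | Format-Table -AutoSize
```

Rows marked EXPIRED are the ones that will silently break whatever authenticates with them; rows marked EXPIRING are the ones to rotate before that happens. Running the same function over `Get-MgApplication -All` gives a tenant-wide view.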
To add a secret use Add-MgApplicationPassword:
```powershell
# Example values; pick your own name and lifetime
$appRegNewSecretName = "Automation secret"
$newSecretExpiryDays = 90

$passwordCred = @{
    "displayName" = $appRegNewSecretName
    "endDateTime" = (Get-Date).AddDays($newSecretExpiryDays)
}
$newSecretObj = $null

# Send the request and get the new password
$newSecretObj = Add-MgApplicationPassword -ApplicationId $appRegObj.Id -PasswordCredential $passwordCred
if (!$newSecretObj) {
    Write-Error "Something went wrong. Unable to set the secret for $($appRegObj.DisplayName). Aborting."
    throw
}
# $newSecretObj.SecretText holds the secret value; Graph returns it only in this response
```
For certificates the corresponding Add-MgApplicationKey cmdlet doesn't do the trick, as it expects you to submit a "proof" signed with the key of an existing certificate. I haven't managed to get this working, though I have a question open on StackOverflow and Microsoft regarding this, so I'll update the post once I have an answer.
If the App Registration has no certificates currently, then a different cmdlet, Update-MgApplication, can help with certificates.
```powershell
# Read the certificate (only the public part is needed)
$certFile = Join-Path $Global:CertPath $certname
$certData = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)

# Create a keyCredential hash table for use in the cmdlet
$keyCreds = @{
    Type  = "AsymmetricX509Cert"
    Usage = "Verify"
    Key   = $certData.RawData   # raw bytes, not Base64, when going through the cmdlets
}

try {
    Update-MgApplication -ApplicationId $appRegObj.Id -KeyCredentials $keyCreds
}
catch {
    Write-Error $_
}
```
Information on the keyCredential resource type can be found in the Graph documentation for that resource type. The important property is key. If you are using the Graph API directly this has to be a Base64 encoded version of the public certificate, converted via, for example, [System.Convert]::ToBase64String($Cert.GetRawCertData()). But when using the Graph cmdlets it has to be the binary version. Type has to be AsymmetricX509Cert and Usage has to be Verify.
To remove secrets there's Remove-MgApplicationPassword. It needs the Id of the key you want to remove.
```powershell
# $newSecretObj is the output of Add-MgApplicationPassword earlier and thus has the Key Id
Remove-MgApplicationPassword -ApplicationId $appRegObj.Id -KeyId $newSecretObj.KeyId
```
For certificates, Remove-MgApplicationKey won't do the job, for similar reasons as adding a certificate. Again, if it's the last certificate that you want to remove then Update-MgApplication can help.
```powershell
Update-MgApplication -ApplicationId $appRegObj.Id -KeyCredentials @{}
```
Owner Info
The output of Get-MgApplication does not include the owner info. For this you need Get-MgApplicationOwner.
```powershell
Get-MgApplicationOwner -ApplicationId $appRegObj.Id
```
```text
Id                                   DeletedDateTime
--                                   ---------------
c38e8340-f903-4e63-9624-3dee3241d1f3
```
The result is the GUID of the object that owns it, so a further call to Get-MgUser is required to convert this to a name. For instance:
```powershell
$appOwners = @(Get-MgApplicationOwner -ApplicationId $appRegObj.Id).Id
$ownerNames = if ($appOwners.Count -ne 0) {
    foreach ($appOwner in $appOwners) {
        (Get-MgUser -UserId $appOwner).DisplayName
    }
} else {
    "No Owner Info"
}
```
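The typed output above only surfaces Id and DeletedDateTime, but the rest of the directory object (its @odata.type, displayName and so on) is still in the AdditionalProperties dictionary of each result, which avoids the second call and also copes with owners that are service principals rather than users (Get-MgUser would fail on those). The function below is an added example and not code from the original post; it assumes a Connect-MgGraph session with permission to read applications and directory objects, and the function name is my own.

```powershell
function Get-AppOwnerSummary {
    param([Parameter(Mandatory)] [string] $ApplicationId)   # object Id of the App Registration

    $owners = @(Get-MgApplicationOwner -ApplicationId $ApplicationId -All)

    # An App Registration with no owner is the governance case worth surfacing explicitly
    if ($owners.Count -eq 0) {
        return [pscustomobject]@{ OwnerId = $null; Type = 'None'; Name = 'No Owner Info'; Upn = $null }
    }

    foreach ($o in $owners) {
        # The typed object only exposes Id; @odata.type, displayName, etc. live in AdditionalProperties
        $type = switch ($o.AdditionalProperties['@odata.type']) {
            '#microsoft.graph.user'             { 'User' }
            '#microsoft.graph.servicePrincipal' { 'ServicePrincipal' }
            default                             { 'Unknown' }
        }
        [pscustomobject]@{
            OwnerId = $o.Id
            Type    = $type
            Name    = $o.AdditionalProperties['displayName']
            Upn     = $o.AdditionalProperties['userPrincipalName']   # $null for service principals
        }
    }
}

# Usage for one app, with the $appRegObj variable from above
Get-AppOwnerSummary -ApplicationId $appRegObj.Id | Format-Table -AutoSize

# Tenant-wide: list App Registrations that have no owner at all
Get-MgApplication -All |
    Where-Object { @(Get-MgApplicationOwner -ApplicationId $_.Id).Count -eq 0 } |
    Select-Object DisplayName, AppId
```

Ownerless registrations are the ones nobody will notice when a secret expires or when a credential is added that should not have been, so the tenant-wide query at the end is the one I would run first.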
Redirect Urls etc.
These can be for Web, Single Page Apps (SPA), and Mobile.
The corresponding properties for these are called web, spa, and publicClient. The web property gives the redirectUris and also implicitGrantSettings. The spa and publicClient properties give the redirectUris.
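Reading those three properties together is enough to review where an app will send tokens and whether the implicit flow is switched on. The function below is an added example, not code from the original post: it walks web, spa and publicClient on the object returned by Get-MgApplication, flags redirect URIs that are plain http, localhost, wildcarded or the legacy out-of-band URN, and reports implicitGrantSettings. The function name and the flag labels are my own.

```powershell
function Get-AppRedirectReview {
    param([Parameter(Mandatory)] $App)   # output of Get-MgApplication

    # Platform -> redirect URIs; Where-Object drops the $null you get when a platform is not configured
    $platforms = [ordered]@{
        Web          = @($App.Web.RedirectUris          | Where-Object { $_ })
        Spa          = @($App.Spa.RedirectUris          | Where-Object { $_ })
        PublicClient = @($App.PublicClient.RedirectUris | Where-Object { $_ })
    }

    foreach ($platform in $platforms.Keys) {
        foreach ($uri in $platforms[$platform]) {
            $flags = @()
            if ($uri -match '^http://localhost')                           { $flags += 'localhost' }
            elseif ($uri -match '^http://')                                { $flags += 'plain http' }
            if ($uri -match '\*')                                          { $flags += 'wildcard' }
            if ($uri -match '^urn:ietf:wg:oauth:2\.0:oob')                 { $flags += 'legacy oob' }
            [pscustomobject]@{
                App         = $App.DisplayName
                Platform    = $platform
                RedirectUri = $uri
                Flags       = ($flags -join ', ')
            }
        }
    }

    # Implicit grant settings only exist under the web property
    $ig = $App.Web.ImplicitGrantSettings
    if ($ig -and ($ig.EnableAccessTokenIssuance -or $ig.EnableIdTokenIssuance)) {
        $which = @()
        if ($ig.EnableAccessTokenIssuance) { $which += 'access tokens' }
        if ($ig.EnableIdTokenIssuance)     { $which += 'id tokens' }
        [pscustomobject]@{
            App         = $App.DisplayName
            Platform    = 'Web'
            RedirectUri = '(implicitGrantSettings)'
            Flags       = 'implicit grant enabled: ' + ($which -join ', ')
        }
    }
}

# Usage, with the $appRegObj variable from above
Get-AppRedirectReview -App $appRegObj | Format-Table -AutoSize
```

Any row with a non-empty Flags column deserves a look: plain-http and wildcard redirect URIs widen where a token can end up, and implicit grant is only needed by older SPAs that cannot use the authorization code flow with PKCE.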