This is the second part of the blog series on controlling Azure App Registrations with PowerShell and the Microsoft Graph API. This time we look at how to create and delete secrets for Azure App Registrations.
Here are the other articles in this series:
- Part 1: Create and delete Azure App Regs – LINK
- Part 2: Control Secrets in Azure App Reg – LINK
- Part 3: Add and Remove Permission in Azure App Reg – LINK
- Part 4: Self-Service Azure App Registration with au2mator – TBP
Prerequisites
Ensure you follow the Prerequisites in Part 1, as we need the created App Registration.
The Script – Create a Secret
First, we configure the authentication details and the script settings: the app name, the secret description, and the duration in months.
NOTE: when you create a secret with PowerShell, you can choose a duration longer than 24 months.
#Graph API Details
$MSGRAPHAPI_clientID     = 'your Client ID'
$MSGRAPHAPI_tenantId     = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL      = "https://graph.microsoft.com/v1.0"
#Enter Azure App Details
$AzureAppName          = "TestApp1"
$SecretDescription     = "Secret1"
$SecretDurationInMonth = 24
Now, as always, we take care of Authentication.
#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $MSGRAPHAPI_clientID
    client_secret = $MSGRAPHAPI_Clientsecret
}
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody
$MSGRAPHAPI_headers = @{
    "Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
    "Content-Type"  = "application/json"
}
Now the magic happens. We look up the app registration's object ID from the app name, build the JSON body for the secret, and call addPassword. The response contains the secret value.
#Get App ID from App Name
$GetIDfromName_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
    Headers = $MSGRAPHAPI_headers
}
$GetIDfromName_Result = Invoke-RestMethod @GetIDfromName_Params

#Add Secret to App
$AddSecretToAppReg_Body = @"
{
    "passwordCredential": {
        "displayName": "$SecretDescription",
        "endDateTime": "$((Get-Date).AddMonths($SecretDurationInMonth).ToString('o'))"
    }
}
"@
$AddSecretToAppReg_Params = @{
    Method  = "POST"
    Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)/addPassword"
    Headers = $MSGRAPHAPI_headers
    Body    = $AddSecretToAppReg_Body
}
$AddSecretToAppReg_Result = Invoke-RestMethod @AddSecretToAppReg_Params

#Secret value: Graph returns it only in this response, it cannot be read back later
$AddSecretToAppReg_Result.secretText
The Script – Remove a Secret from Azure App Registration
We start with Script Settings and Authentication.
#Graph API Details
$MSGRAPHAPI_clientID     = 'your Client ID'
$MSGRAPHAPI_tenantId     = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL      = "https://graph.microsoft.com/v1.0"
#Enter Details
$AzureAppName      = "TestApp1"
$SecretDescription = "Secret1"
#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{
    grant_type    = "client_credentials"
    scope         = "https://graph.microsoft.com/.default"
    client_id     = $MSGRAPHAPI_clientID
    client_secret = $MSGRAPHAPI_Clientsecret
}
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody
$MSGRAPHAPI_headers = @{
    "Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
    "Content-Type"  = "application/json"
}
Next, we get the app registration's object ID from the app name.
#Get App ID from App Name
$GetIDfromName_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
    Headers = $MSGRAPHAPI_headers
}
$GetIDfromName_Result = Invoke-RestMethod @GetIDfromName_Params
And now the magic happens: we get the app details, search the “passwordCredentials” collection for the secret name, and then call the “removePassword” URL with a JSON body containing the secret's keyId.
#Get Secret from App
$GetSecretAppReg_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)"
    Headers = $MSGRAPHAPI_headers
}
$GetSecret_Result = Invoke-RestMethod @GetSecretAppReg_Params
#passwordCredentials holds only metadata (displayName, keyId, dates), never the secret value itself
$Secrets = $GetSecret_Result.passwordCredentials | Where-Object { $_.displayName -eq $SecretDescription }
foreach ($S in $Secrets) {
    $DeleteSecretFromAppReg_Body = @"
{
    "keyId": "$($S.keyId)"
}
"@
    $DeleteSecretFromAppReg_Params = @{
        Method  = "POST"
        Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)/removePassword"
        Headers = $MSGRAPHAPI_headers
        Body    = $DeleteSecretFromAppReg_Body
    }
    #removePassword returns 204 No Content, so the result is empty on success
    $DeleteSecretFromAppReg_Result = Invoke-RestMethod @DeleteSecretFromAppReg_Params
}
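Building on the two scripts above, here is an added example (not from the original post or the author's GitHub) that combines them into a secret rotation: it issues the new secret first, then removes only the older credentials with the same description, and reports the expiry state of what remains. It assumes the $MSGRAPHAPI_BaseURL, $MSGRAPHAPI_headers and $GetIDfromName_Result variables from the blocks above; the function names are my own.

```powershell
# Added example (not the author's script). Assumes $MSGRAPHAPI_BaseURL and
# $MSGRAPHAPI_headers were set by the authentication block above.
function Get-AppRegSecretReport {
    param([Parameter(Mandatory)][string]$AppObjectId, [int]$WarnDays = 30)
    $app = Invoke-RestMethod -Method GET -Uri "$MSGRAPHAPI_BaseURL/applications/$AppObjectId" -Headers $MSGRAPHAPI_headers
    $now = (Get-Date).ToUniversalTime()
    foreach ($cred in $app.passwordCredentials) {
        # Graph never returns secretText here, only metadata, so nothing sensitive ends up in the report
        $end      = ([datetime]$cred.endDateTime).ToUniversalTime()
        $daysLeft = [int][math]::Floor(($end - $now).TotalDays)
        $state    = if ($end -le $now) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'Valid' }
        [pscustomobject]@{ DisplayName = $cred.displayName; KeyId = $cred.keyId; EndDateTime = $end; DaysLeft = $daysLeft; State = $state }
    }
}

function Invoke-AppRegSecretRotation {
    param(
        [Parameter(Mandatory)][string]$AppObjectId,
        [Parameter(Mandatory)][string]$SecretDescription,
        [int]$DurationInMonth = 6
    )
    # Step 1: issue the replacement first, so the consumer can switch over before anything is removed
    $body = @{ passwordCredential = @{
        displayName = $SecretDescription
        endDateTime = (Get-Date).AddMonths($DurationInMonth).ToString('o')
    } } | ConvertTo-Json
    $new = Invoke-RestMethod -Method POST -Uri "$MSGRAPHAPI_BaseURL/applications/$AppObjectId/addPassword" -Headers $MSGRAPHAPI_headers -Body $body
    if (-not $new.secretText) { throw "addPassword returned no secretText, aborting before any removal" }
    # Step 2: remove only the OTHER credentials with this description; the new keyId is kept
    $old = Get-AppRegSecretReport -AppObjectId $AppObjectId |
        Where-Object { $_.DisplayName -eq $SecretDescription -and $_.KeyId -ne $new.keyId }
    foreach ($o in $old) {
        $rmBody = @{ keyId = $o.KeyId } | ConvertTo-Json
        Invoke-RestMethod -Method POST -Uri "$MSGRAPHAPI_BaseURL/applications/$AppObjectId/removePassword" -Headers $MSGRAPHAPI_headers -Body $rmBody | Out-Null
    }
    # secretText is returned only by this one response; hand it back as a SecureString instead of printing it
    [pscustomobject]@{
        NewKeyId   = $new.keyId
        NewSecret  = ConvertTo-SecureString -String $new.secretText -AsPlainText -Force
        RemovedIds = @($old.KeyId)
    }
}

# Usage with the app looked up above: rotate, then report what is left
$appId = $GetIDfromName_Result.value.id
Invoke-AppRegSecretRotation -AppObjectId $appId -SecretDescription $SecretDescription -DurationInMonth 6
Get-AppRegSecretReport -AppObjectId $appId | Format-Table
```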
Summary
So we can now create and delete a secret on an Azure App Registration with PowerShell. We are one step closer to managing Azure App Registrations entirely with PowerShell.
GitHub
See the Script in GitHub: https://github.com/Seidlm/Microsoft-Azure
– Add Secret to Azure App Reg.ps1
– Delete Secret from Azure App Reg.ps1
Michael Seidl aka Techugy
au2mate everything
Dear Michael, do you also have a script that allows me to import a certificate into an app registration, including the thumbprint? I have the certificate locally on my PC.
not yet