Delete a Secret from an Azure Application Registration with PowerShell and MS GRAPH API

In this post, we will delete a Secret from an existing Azure Application Registration.

Graph API Basics

I did an MS Graph API Series some time ago to learn all the Basics that we will not cover in this Post

To learn more from Microsoft GRAPH API, see my Blog Series:
Part 1 – Authentication and Azure App – Use Microsoft Graph API with PowerShell – Part 1 » TechGuy
Part 2 – Oauth2.0 – Use Microsoft Graph API with PowerShell – Part 2 » TechGuy
Part 3 – First Powershell Script to get a Teams Lis and Walkthrough – Use Microsoft Graph API with PowerShell – Part 3 » TechGuy
Part 4 – this one – Use Microsoft Graph API with PowerShell – Part 4 » TechGuy

API Reference and Permissions

Read the following DOCS for more Details

https://docs.microsoft.com/en-us/graph/api/application-removepassword?view=graph-rest-1.0&tabs=http

Create an Azure App Reg with the following GRAPH API Application Permissions

  • Application.ReadWrite.OwnedBy
  • Application.ReadWrite.All

All done, then let’s see the Script

The Script

# Reference: https://docs.microsoft.com/en-us/graph/api/application-removepassword?view=graph-rest-1.0&tabs=http

#Application Permission:
#- Application.ReadWrite.OwnedBy
#- Application.ReadWrite.All



#Graph API Details
$MSGRAPHAPI_clientID = 'yourClientID'
$MSGRAPHAPI_tenantId = 'yourTenantID'
$MSGRAPHAPI_Clientsecret = 'yourSecret'

$MSGRAPHAPI_BaseURL = "https://graph.microsoft.com/v1.0"




#Enter Details
$AzureAppName = "TestApp1"
$SecretDescription = "Secret1"




#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{  
    Grant_Type    = "client_credentials"  
    Scope         = "https://graph.microsoft.com/.default"  
    Client_Id     = $MSGRAPHAPI_clientID  
    Client_Secret = $MSGRAPHAPI_Clientsecret  
}   
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody  
$MSGRAPHAPI_headers = @{
    "Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
    "Content-type"  = "application/json"
}





#Get Appi from App Name
$GetIDfromName_Params = @{
    Method = "GET"
    Uri    = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
    header = $MSGRAPHAPI_headers
}        

$GetIDfromName_Result = Invoke-RestMethod @GetIDfromName_Params




#Get Secret from App
$GetSecretAppReg_Params = @{
    Method = "GET"
    Uri    = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)"
    header = $MSGRAPHAPI_headers
}


$GetSecret_Result = Invoke-RestMethod @GetSecretAppReg_Params


$Secrets = $GetSecret_Result.passwordCredentials | Where-Object -Property displayName -Value $SecretDescription -eq


foreach ($S in $Secrets) {

    $DeleteSecretFromAppReg_Body = @"
    {
        "keyId": "$($S.keyid)"
    }
"@

    $DeleteSecretFromAppReg_Params = @{
        Method = "POST"
        Uri    = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)/removePassword"
        header = $MSGRAPHAPI_headers
        Body   = $DeleteSecretFromAppReg_Body
    }


    $DeleteSecretFromAppReg_Result = Invoke-RestMethod @DeleteSecretFromAppReg_Params

}

The Result

We now deleted a Secret from our Azure Application Registration

GitHub Repo

Make sure you get the Script from my Azure Github Repo: Seidlm/Microsoft-Azure: Azure Rest API Examples (github.com)

Name: Delete Secret from Azure App Reg.ps1

Delete a Secret from an Azure Application Registration Self Service with au2mator

With au2mator Self Service Portal, you can create a Service and delegate the removal of a Secret from an Azure Application Registration.

Some of the Use cases❗
✔️Delegate the Secret removal of an Azure App Registration
✔️Control your Secret Configuration outside Azure Portal.
✔️Mass remove Secrets from an Azure App Registration
✔️Approve or deny a Secret Removal Request of an Azure App Registration
✔️Many more…

More Details: www.au2mator.com

Michael Seidl aka Techguy
au2mate everything

Leave a Comment

Your email address will not be published. Required fields are marked *

*