Previously I’ve posted about using PowerShell to access the Microsoft AzureAD/Graph API in a number of different ways. Two such examples I’ve listed below. The first uses a Username and Password method for Authentication, whilst the second uses a registered application and therefore ClientID and Client Secret.
- Using the Active Directory Application Libraries from the PowerShell Azure AD Modules
- Leveraging the Azure Graph API with PowerShell and oAuth 2.0
As time has gone on I have numerous WebApp’s doing all sorts of automation. However they all rely on accounts with a username and password, or clientid and secret, where the passwords and secrets expire. Granted the secrets have a couple of years of life and are better than passwords which depending on the environment roll every 30-45 days.
However using Certificates would allow for a script that is part of an automated process to run for much longer than the key lifetime available for WebApps and definitely longer than passwords. Obviously there is security around the certificate to be considered so do keep that in mind.
This post is going to detail a couple of simple but versatile scripts;
- Using PowerShell we will;
- Configure AzureAD
- Create a Self Signed 10yr Certificate
- Create an AzureAD WebApp and assign the Certificate to it
- Apply permissions to the WebApp (this is manual via the Azure Portal)
- Record the key parameters for use in the second script
- Connect to AzureAD using our Certificate and new WebApp
- Configure AzureAD
Creating the AzureAD WebApp, Self Signed Certificate and Assigning Application Permissions
The script below does everything required. Run it line by line, or in small chunks as you step through the process. You will need the AzureRM and Azure AD Utils Powershell Modules installed on the machine you run this script on.
- Lines 3 & 4 if you want a certificate with a time-frame other than 10yrs
- Line 5 for the password you want associated with the certificate for exporting/importing the private key
- Line 6 for the certificate subject name and location it’ll be stored
- Line 8 for a valid location to export it too
- Line 11 for the same path as provided in Line 8
- Lines 24 & 25 for an account to automatically connect to AAD with
- Line 31 for the name of your WebApp
Before running line 37 login to the Azure Portal and assign permissions to the WebApp. e.g. AzureAD Directory Permissions. When you then run Line 37 it will trigger a GUI for AuthN and AuthZ to be presented. Sign in as an Admin and accept the oAuth2 Permission Authorizations for whatever you have request on the WebApp.
e.g Graph API Read/Write Permissions
Connecting to AzureAD using our Certificate and new WebApp
Update lines 3, 4, 6 and 7 as you step through lines 40-43 from the configuration script above which copies key configuration settings to the clipboard.
The following script then gets our certificate out of the local store and takes the Tenant and WebApp parameters and passes them to Connect-AzureAD in Line 15 which will connect you to AAD and allow you to run AzureAD cmdlets.
If you wish to go direct to the GraphAPI, lines 20 and 23 show leveraging the AzureADUtils Module to connect to AzureAD via the GraphAPI.
Notes on creating your Self-Signed Certificate in PowerShell
I’m using the PowerShell New-SelfSignedCertifcate cmdlet to create the self signed certificate. If when you run New-SelfSignedCertificate you get the error as shown below, make sure you have Windows Management Framework 5.1 and if you don’t have Visual Studio or the Windows 8.1/10 SDK, get the Windows 8.1 SDK from here and just install the base SDK as shown further below.
Once the install is complete copy C:\Program Files (x86)\Windows Kits\8.1\bin\x86\makecert.exe to C:\windows\system32
The two scripts above show how using PowerShell we can quickly create a Self Signed Certifcate, Create an Azure AD WebApp and grant it some permissions. Then using a small PowerShell script we can connect and query AAD/GraphAPI using our certificate and not be concerned about passwords or keys expiring for 10yrs (in this example which can be any timeframe you wish).