如何使用 Powershell 获取与服务主体关联的证书的指纹？

Question

I have a certificate associated with a service principal in Azure AD. How can I get the certificate name or thumbprint associated with it using powershell?

I have tried Get-AzureRmADServicePrincipalCredential , Get-AzureRmADSpCredential and Get-AzureADServicePrincipalKeyCredential commands but they return Key Identifier not thumbprint.

Basically I want to recognize which certificate is associated with the principal before revoking it.

Answer 1

As @Stanley Gong mentioned, you can use MS Graph to get it.

Here is another way, try the command as below, the $Thumbprint is that you want.

Note the <object-id> is the object id of your AD App(App registration), not the service principal(Enterprise application), they are different.

$CustomKeyIdentifier = (Get-AzureADApplicationKeyCredential -ObjectId "<object-id>").CustomKeyIdentifier
$Thumbprint = [System.Convert]::ToBase64String($CustomKeyIdentifier)

Answer 2

Try the PS command below to get cert thumbprint via Microsoft Graph API:

$clientId = "<your Azure AD App ID>"
$clientSec="<your Azure AD App Secret>"

$appObjId = "<object ID of the app that you want to query>"

$tenant = "<your tenant ID>"
$body=@{
    "grant_type"="client_credentials";
    "resource"="https://graph.microsoft.com/";
    "client_id"= $clientId;
    "client_secret" = $clientSec
}

$accessToken=(Invoke-RestMethod -Uri "https://login.windows.net/$tenant/oauth2/token" -Method POST -Body $body ).access_token

$keyCreds = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/applications/$appObjId/keyCredentials" -Method Get -Headers @{"Authorization" = "Bearer $accessToken"}

$keyCreds.value.customKeyIdentifier

Result: my certs on portal:

query result:

Pls note that make sure your app which you used for getting token with permission below so it can call Microsoft graph API to query your apps: