
How to get thumbprint of the cert associated with a service principal in AzureAD when the sp is created independently without App and Cred

I have a service principal that I've created using the PowerShell below.

$sp3 = New-AzureRmADServicePrincipal `
    -DisplayName "<service-principal-name>" `
    -CertValue $certValue3 `
    -EndDate ([System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($cert3.Certificate.GetExpirationDateString(), [System.TimeZoneInfo]::Local.Id, 'GMT Standard Time'))

where $certValue3 is the Base64 string of the RawCertData. This service principal works fine and I am able to get a token when using the cert.

Once service principal is created in Azure AD, how do I see thumbprint of the certificate associated with the service principal using Powershell?

I've tried this, but I get Forbidden when I try to execute Get-AzureADApplicationKeyCredential.

I also checked the manifest in Azure Portal under the service principal that gets created under Azure Active Directory → App Registrations → <service-principal-name> → Manifest, but the keyCredentials node is empty

"keyCredentials": [],

Please note that when I create an application using New-AzureRmADApplication followed by credential New-AzureRmADAppCredential and then New-AzureRmADServicePrincipal , then I see the keyCredentials with customKeyIdentifier set to the certificate thumbprint. Sample script below -

$adapp = New-AzureRmADApplication -DisplayName "<application-name>" `
    -HomePage "<home-page-url>" `
    -IdentifierUris "<identifier-url>" `
    -CertValue $certValue `
    -StartDate ([System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($cert.Certificate.GetEffectiveDateString(), [System.TimeZoneInfo]::Local.Id, 'GMT Standard Time')) `
    -EndDate ([System.TimeZoneInfo]::ConvertTimeBySystemTimeZoneId($cert.Certificate.GetExpirationDateString(), [System.TimeZoneInfo]::Local.Id, 'GMT Standard Time'))

New-AzureRmADAppCredential -ApplicationId $adapp.ApplicationId -CertValue $certValue2 

$sp2 = New-AzureRmADServicePrincipal -ApplicationId $adapp.ApplicationId -DisplayName "<application-name>"

How to get thumbprint of the certificate associated with a service principal in Azure AD using powershell when the service principal is created independently without AzureRmADApplication and AzureRmADAppCredential?

According to my test, we can use the following Azure AD Graph API to get the key credentials of the SP. The customKeyIdentifier in KeyCredential is the thumbprint of the certificate.

GET https://graph.windows.net/<your tenant id>/servicePrincipals/<your sp object id>/keyCredentials?api-version=1.6

For example

  1. Create sp and get thumbprint
$tenantId = "<tenant id>"
# use the global admin account to log in
Connect-AzureRmAccount -Tenant $tenantId

# Load the PFX (certificate plus private key); only the public certificate is uploaded to Azure AD
$certificateObject = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificateObject.Import("E:\Cert\examplecert.pfx", "Password0123!", [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
Write-Host "the thumbprint of cert"
$certificateObject.Thumbprint

# -CertValue expects the Base64 encoding of the DER certificate bytes
$keyValue = [System.Convert]::ToBase64String($certificateObject.GetRawCertData())
# use the certificate's own expiry as the credential end date
$endDate = $certificateObject.NotAfter

$sp = New-AzureRmADServicePrincipal -DisplayName "jimtestsample" -CertValue $keyValue -EndDate $endDate

# reuse the Azure AD Graph token that the AzureRm login already placed in the token cache
$context = Get-AzureRmContext
$token = $context.TokenCache.ReadItems() |
    Where-Object { ($_.TenantId -eq $tenantId) -and ($_.Resource -eq "https://graph.windows.net/") } |
    Select-Object -First 1
$accesstoken = $token.AccessToken

# keyCredentials are read from the service principal object (not the application object)
$url = "https://graph.windows.net/$tenantId/servicePrincipals/" + $sp.Id + "/keyCredentials?api-version=1.6"

$keyCreds = Invoke-RestMethod -Uri $url -Method Get -Headers @{"Authorization" = "Bearer $accesstoken"}
Write-Host "--------------------------------------------"
# customKeyIdentifier is the certificate thumbprint (the SHA-1 bytes, Base64-encoded)
$keyCreds.value | Select-Object customKeyIdentifier


I tested your command; it should work. When using New-AzADServicePrincipal to create the service principal, it will create an AD App (i.e. App Registration) for you automatically, and the certificate will also appear in the Certificates & secrets of your AD App.

In my sample I use the new Az module; for the old AzureRm module which you used, it should also work (not completely sure; I recommend using the new Az module, because the AzureRm module has been deprecated and will not be updated). And make sure you are looking into the correct AD App in the portal, because the DisplayName of the AD App could be repeated.

# self-signed test certificate in the current user's store; the private key stays local
$cert = New-SelfSignedCertificate -Subject "CN=TodoListDaemonWithCert" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
# RawData is the DER-encoded public certificate; Base64 of it is what -CertValue expects
$bin = $cert.RawData
$base64Value = [System.Convert]::ToBase64String($bin)

New-AzADServicePrincipal -DisplayName joy134 -CertValue $base64Value


Check in the portal:


Then you can use the way you have tried. To fix the Forbidden error, your account should at least be the Owner of the AD App; alternatively, if your account has an admin role in the tenant (e.g. Application administrator or Groups administrator), it will also work.

$CustomKeyIdentifier = (Get-AzureADApplicationKeyCredential -ObjectId "<object-id>").CustomKeyIdentifier
$Thumbprint = [System.Convert]::ToBase64String($CustomKeyIdentifier)   # byte[] -> Base64, the same form the Graph API returns as customKeyIdentifier
$ThumbprintHex = [System.BitConverter]::ToString($CustomKeyIdentifier) -replace '-', ''   # byte[] -> 40-hex-digit form matching $cert.Thumbprint



Besides, you should note that different command combinations will lead to different results; see this link. So when you test it, I recommend using different values for the parameters.
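The two answers above return the same certificate identifier in two encodings: the Graph API's customKeyIdentifier (first answer) is the Base64 encoding of the 20 SHA-1 thumbprint bytes, and the AzureAD module's CustomKeyIdentifier (second answer) is that byte array itself, while $cert.Thumbprint is the same bytes as 40 hex digits. The PowerShell below is an added example, not code from the question or either answer: it converts between those forms and walks a keyCredentials response to report which entry is the locally held certificate and whether it has expired. The function names, the sample JSON and the GUIDs in it are invented for illustration and run entirely offline; in real use the JSON would be the body returned by the Graph call in the first answer and the thumbprint would be $certificateObject.Thumbprint.

```powershell
# Added example, not from the question or either answer. The function names and the
# sample response below are assumptions made for illustration.
# One certificate identifier, three encodings:
#   $cert.Thumbprint                    -> 40 hex digits (SHA-1 of the DER certificate)
#   Graph API customKeyIdentifier       -> Base64 of those 20 bytes (first answer)
#   AzureAD module CustomKeyIdentifier  -> the raw byte[] (second answer)

function ConvertFrom-Base64Thumbprint {
    # Graph-style Base64 identifier -> hex thumbprint as shown by the portal and .NET
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [System.Convert]::FromBase64String($Base64)
    if ($bytes.Length -ne 20) { throw "customKeyIdentifier is not a 20-byte SHA-1 thumbprint" }
    [System.BitConverter]::ToString($bytes) -replace '-', ''
}

function ConvertTo-Base64Thumbprint {
    # hex thumbprint -> Graph-style Base64, e.g. to compare with what the API returns
    param([Parameter(Mandatory)][string]$HexThumbprint)
    $hex = ($HexThumbprint -replace '[\s-]', '').ToUpperInvariant()
    if ($hex -notmatch '^[0-9A-F]{40}$') { throw "Expected a 40-hex-digit SHA-1 thumbprint, got '$HexThumbprint'" }
    $bytes = [byte[]]::new(20)
    for ($i = 0; $i -lt 20; $i++) { $bytes[$i] = [System.Convert]::ToByte($hex.Substring(2 * $i, 2), 16) }
    [System.Convert]::ToBase64String($bytes)
}

function Find-MatchingKeyCredential {
    # Walks the collection returned by
    # GET https://graph.windows.net/<tenant>/servicePrincipals/<sp object id>/keyCredentials?api-version=1.6
    # and reports, per credential, whether it is the local certificate and whether it has expired.
    param(
        [Parameter(Mandatory)][string]$KeyCredentialsJson,   # raw response body
        [Parameter(Mandatory)][string]$LocalThumbprint,      # e.g. $certificateObject.Thumbprint
        [datetime]$AsOf = [datetime]::UtcNow                 # evaluation time, in UTC
    )
    $wanted = ($LocalThumbprint -replace '[\s-]', '').ToUpperInvariant()
    foreach ($kc in (ConvertFrom-Json $KeyCredentialsJson).value) {
        $hex = ConvertFrom-Base64Thumbprint $kc.customKeyIdentifier
        [pscustomobject]@{
            KeyId      = $kc.keyId
            Thumbprint = $hex
            Matches    = ($hex -eq $wanted)
            EndDate    = $kc.endDate
            Expired    = (([datetime]$kc.endDate).ToUniversalTime() -lt $AsOf)
        }
    }
}

# Constructed sample response (not real tenant data): an SP carrying two certificates,
# one still valid and one already expired. "AQIDBAUG..." is Base64 of bytes 0x01..0x14.
$expiredId = ConvertTo-Base64Thumbprint ('FF' * 20)
$sampleJson = @"
{
  "value": [
    { "keyId": "11111111-1111-1111-1111-111111111111", "type": "AsymmetricX509Cert", "usage": "Verify",
      "customKeyIdentifier": "AQIDBAUGBwgJCgsMDQ4PEBESExQ=",
      "startDate": "2019-01-01T00:00:00Z", "endDate": "2020-01-01T00:00:00Z" },
    { "keyId": "22222222-2222-2222-2222-222222222222", "type": "AsymmetricX509Cert", "usage": "Verify",
      "customKeyIdentifier": "$expiredId",
      "startDate": "2018-01-01T00:00:00Z", "endDate": "2019-01-01T00:00:00Z" }
  ]
}
"@

# In real use this is $certificateObject.Thumbprint of the certificate you uploaded.
$localThumbprint = '0102030405060708090A0B0C0D0E0F1011121314'
$asOf = [datetime]::new(2019, 6, 1, 0, 0, 0, [System.DateTimeKind]::Utc)

# Round trip: hex -> Base64 -> hex must reproduce the original thumbprint
if ((ConvertFrom-Base64Thumbprint (ConvertTo-Base64Thumbprint $localThumbprint)) -ne $localThumbprint) {
    throw "round-trip mismatch"
}

Find-MatchingKeyCredential -KeyCredentialsJson $sampleJson -LocalThumbprint $localThumbprint -AsOf $asOf |
    Format-Table KeyId, Thumbprint, Matches, Expired -AutoSize
# Expected: key 1111... Matches=True Expired=False; key 2222... Matches=False Expired=True
```

With the AzureAD module, the same comparison works on the byte array directly: `[System.BitConverter]::ToString($kc.CustomKeyIdentifier) -replace '-', ''` gives the hex form, and `[System.Convert]::ToBase64String($kc.CustomKeyIdentifier)` gives exactly the Graph API's customKeyIdentifier string. Comparing on the decoded thumbprint rather than on display names matters when several apps share a DisplayName or when an old and a new certificate are both attached to the SP during rotation.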
