Remove-MgApplicationKey - delete expired app registration certificates

I am updating my current scripts from the AzureAD module and want to update a script which deletes expired app registration certificates.

I can remove expired secrets using the new module, however the new command Remove-MgApplicationKey requires proof as per the Microsoft document: https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/remove-mgapplicationkey?view=graph-powershell-1.0 ("As part of the request validation for this method, a proof of possession of an existing key is verified before the action can be performed").

```powershell
$params = @{
    KeyId = "f0b0b335-1d71-4883-8f98-567911bfdca6"
    Proof = "eyJ0eXAiOiJ..."
}
Remove-MgApplicationKey -ApplicationId $applicationId -BodyParameter $params
```

Any suggestions on how to code this in PowerShell?

Thanks.

C# example from the Microsoft doc: https://learn.microsoft.com/en-us/graph/application-rollkey-prooftoken

Ported to PowerShell, the code would look something like this:

```powershell
# The token classes live in the Microsoft.IdentityModel NuGet packages; load them explicitly.
# (Paths are placeholders: Microsoft.IdentityModel.Tokens.dll and Microsoft.IdentityModel.JsonWebTokens.dll
#  plus their dependencies, e.g. Microsoft.IdentityModel.Logging.dll, must sit in the same folder.)
Add-Type -Path "<Path to Microsoft.IdentityModel.Tokens.dll>"
Add-Type -Path "<Path to Microsoft.IdentityModel.JsonWebTokens.dll>"

# Configure the following
$pfxFilePath = "<Path to your certificate file>"
$password    = "<Certificate password>"
$objectId    = "<id of the application or servicePrincipal object>"

# Get signing certificate: load the PFX (certificate + private key) directly.
# CreateFromEncryptedPemFile is a static method taking (certPemPath, keyPemPath, password); use it only for PEM input.
$signingCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxFilePath, $password)

# audience
$aud = "00000002-0000-0000-c000-000000000000"

# aud and iss are the only required claims.
$claims = [System.Collections.Generic.Dictionary[string, object]]::new()
$claims.Add("aud", $aud)
$claims.Add("iss", $objectId)

# token validity should not be more than 10 minutes
$now = [DateTime]::UtcNow
$securityTokenDescriptor = [Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor]::new()
$securityTokenDescriptor.Claims             = $claims
$securityTokenDescriptor.NotBefore          = $now
$securityTokenDescriptor.Expires            = $now.AddMinutes(10)
$securityTokenDescriptor.SigningCredentials = [Microsoft.IdentityModel.Tokens.X509SigningCredentials]::new($signingCert)

# Serialize and sign the JWT; the string returned is the value for the Proof parameter.
$handler = [Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler]::new()
$proof = $handler.CreateToken($securityTokenDescriptor)
Write-Host $proof
```
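The following is an added example, not code from the original post or from Microsoft's sample. It builds the same proof-of-possession JWT (aud, iss, nbf, exp; RS256 signed with the certificate's private key, x5t thumbprint in the header) using only .NET types that ship with PowerShell, so no Microsoft.IdentityModel assemblies are needed, and then uses it to remove every expired certificate on an app registration with Remove-MgApplicationKey. The function names, the `-Property` selection and the usage paths are this example's own assumptions; it assumes the Microsoft.Graph.Applications module is installed and Connect-MgGraph has already been run with a permission that allows editing the application's key credentials.

```powershell
# Added example (not the original post's code). Requires Microsoft.Graph.Applications and an existing Connect-MgGraph session.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    # JWT segments use base64url without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-GraphProofToken {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert,
        [Parameter(Mandatory)][string]$ObjectId,   # iss: object id of the application (or servicePrincipal)
        [int]$ValidMinutes = 10                    # validity must not exceed 10 minutes
    )
    if (-not $SigningCert.HasPrivateKey) { throw "Signing certificate has no private key" }
    if ($ValidMinutes -gt 10) { throw "Proof token validity must not exceed 10 minutes" }

    $nbf = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $exp = $nbf + ($ValidMinutes * 60)

    # x5t = base64url(SHA-1 thumbprint) identifies which registered certificate signed the proof
    $header  = @{ alg = 'RS256'; typ = 'JWT'; x5t = ConvertTo-Base64Url $SigningCert.GetCertHash() }
    $payload = @{ aud = '00000002-0000-0000-c000-000000000000'; iss = $ObjectId; nbf = $nbf; exp = $exp }

    $h = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($header  | ConvertTo-Json -Compress)))
    $p = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(($payload | ConvertTo-Json -Compress)))

    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload"
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($SigningCert)
    $sig = $rsa.SignData([Text.Encoding]::ASCII.GetBytes("$h.$p"),
                         [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                         [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    return "$h.$p.$(ConvertTo-Base64Url $sig)"
}

function Remove-ExpiredMgApplicationKeys {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,   # object id of the app registration
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert
    )
    $app = Get-MgApplication -ApplicationId $ApplicationId -Property Id,KeyCredentials
    $expired = @($app.KeyCredentials | Where-Object { $_.EndDateTime -lt [DateTime]::UtcNow })
    if ($expired.Count -eq 0) { Write-Host "No expired certificates on $($app.Id)"; return }

    foreach ($key in $expired) {
        # A fresh proof per call keeps every request well inside the 10-minute window.
        $proof = New-GraphProofToken -SigningCert $SigningCert -ObjectId $app.Id
        Remove-MgApplicationKey -ApplicationId $app.Id -BodyParameter @{ KeyId = $key.KeyId; Proof = $proof }
        Write-Host "Removed expired key $($key.KeyId) (expired $($key.EndDateTime))"
    }
}

# Usage (placeholder paths and ids):
# $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("<pfx path>", "<pfx password>")
# Remove-ExpiredMgApplicationKeys -ApplicationId "<app object id>" -SigningCert $cert
```

The certificate passed as `-SigningCert` must be one that is already registered on the application, since Graph checks the proof against the app's existing keys; keep its PFX and password out of the script body (a secure vault or a certificate store reference) and log the removed KeyIds so the change is auditable.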
