Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Create AAD Application, Azure Key Vault, Azure Key Vault Key, Rights to Vault from Application (created for use with Extensible Key Management Using Azure Key Vault (SQL Server))
param (
[string]$Version = $( Read-Host "Input version" ),
[string]$DomainName = $( Read-Host "Input domain name" ),
[string]$ApplicationName = $( Read-Host "Input application name" )
$ApplicationURI = $("https://$DomainName/$ApplicationName")
# to create 256 bit AES key
function Create-AesManagedObject($key, $IV) {
$aesManaged = New-Object "System.Security.Cryptography.AesManaged"
$aesManaged.Mode = [System.Security.Cryptography.CipherMode]::CBC
$aesManaged.Padding = [System.Security.Cryptography.PaddingMode]::Zeros
$aesManaged.BlockSize = 128
$aesManaged.KeySize = 256
if ($IV) {
if ($IV.getType().Name -eq "String") {
$aesManaged.IV = [System.Convert]::FromBase64String($IV)
else {
$aesManaged.IV = $IV
if ($key) {
if ($key.getType().Name -eq "String") {
$aesManaged.Key = [System.Convert]::FromBase64String($key)
else {
$aesManaged.Key = $key
function Create-AesKey() {
$aesManaged = Create-AesManagedObject
#This function is used to get the authentication token.
function GetAuthToken
$adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = ""
$authority = "$TenantName"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
$authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId,$redirectUri, "Auto")
return $authResult
#You can then submit a POST request to the Azure Active Directory Graph API in order to create your application. However there is a little setup required...
# The name of this AAD instance
$global:tenant = $DomainName
$global:aadSecretGuid = New-Guid
$global:aadDisplayName = $ApplicationName
$global:aadIdentifierUris = @($ApplicationURI)
#BH: Not using this now. Using function "Create-AesKey" instead..
#$guidBytes = [System.Text.Encoding]::UTF8.GetBytes($global:aadSecretGuid)
$global:aadSecretKey = Create-AesKey
$global:aadSecret = @{
'endDate'=[DateTime]::UtcNow.AddDays(365).ToString('u').Replace(' ', 'T');
'startDate'=[DateTime]::UtcNow.AddDays(-1).ToString('u').Replace(' ', 'T');
#Save the key to a file
$SecretFile = $("$SecretFilePath\$($ApplicationName)_Secret.key")
$global:aadSecretKey | out-file $SecretFile
Write-Host $("----- Application Key is $global:aadSecretKey")
Write-Host $("----- Application Key Value saved to file $SecretFile")
# ADAL JSON token - necessary for making requests to Graph API
$global:token = GetAuthToken -TenantName $global:tenant
# REST API header with auth token
$global:authHeader = @{
#Now you can hit the Graph API, and create the AAD application
# I modifed the original code taken from
# so that the "PasswordCredentials" are suplpied rather than "KeyCredentials". Having checked the manifest of an application and key
# created manually in the portal, this is what needs to be provded to achive the same thing here)
$resource = "applications"
$payload = @{
'homepage'= $ApplicationURI;
'identifierUris'= $global:aadIdentifierUris;
$payload = ConvertTo-Json -InputObject $payload
$uri = "$($global:tenant)/$($resource)?api-version=1.6"
Write-Host $("----- Calling Graph REST API to create application $ApplicationName")
$result = (Invoke-RestMethod -Uri $uri -Headers $global:authHeader -Body $payload -Method POST -Verbose).value
Get-AzureRmADApplication -DisplayNameStartWith $ApplicationName | Select-Object -ExpandProperty 'ApplicationId' | Out-File $SecretFile -Append
$Version = '001'
$DomainName = ''
$ApplicationNameSQLAdmin = $("SQLServerSA$version-app")
$ApplicationNameSQLDB = $("SQLServerAPP$version-app")
$SecretFilePath = "C:\xxxxxxx\GeneratedKeys"
$SubscriptionName = 'Pay-As-You-Go'
$ApplicationURI = $("https://$domainName/$applicationName")
$KeyVaultResourceGroupName = $("SQLServerKeyVault$version-rg")
$KeyVaultName = $("SQLServer$version-kv")
$KeyVaultKeyName = $("SQLServer$version-kvk")
$Location = 'West Europe'
$SKU = 'premium'
$KeyVaultDestination = 'HSM' #'software' or 'HSM'
$CreateAADApplicationScript = 'CreateAADApplication.ps1'
$CreateKeyVaultScript = 'CreateKeyVault.ps1'
$CreateKeyVaultKeyScript = 'CreateKeyVaultKey.ps1'
$AssignAADAppRightsToKeyVaultScript = 'CreateKeyVaultRightsToAADApplication.ps1'
$executingScriptDirectory = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
$AADAppCreationFullPath = Join-Path $executingScriptDirectory $CreateAADApplicationScript
$KeyVaultCreationFullPath = Join-Path $executingScriptDirectory $CreateKeyVaultScript
$KeyVaultKeyCreationFullPath = Join-Path $executingScriptDirectory $CreateKeyVaultKeyScript
$AADAppRightsToVaultCreationFullPath = Join-Path $executingScriptDirectory $AssignAADAppRightsToKeyVaultScript
#Create SQL Admin Service Principal
Write-Host "Creating SQL Admin AAD Service Princpal..."
$argumentList = @{"Version"="$Version";
& $AADAppCreationFullPath @argumentList
#Create SQL App DB Service Principal
Write-Host "Creating SQL App DB AAD Service Princpal..."
$argumentList = @{"Version"="$Version";
& $AADAppCreationFullPath @argumentList
#Create Key Vault
Write-Host "Creating Key Vault..."
$argumentList = @{"Version"="$Version";
& $KeyVaultCreationFullPath @argumentList
#Create Key Vault Key
Write-Host "Creating Key Vault Key..."
$argumentList = @{"KeyVaultName"="$KeyVaultName";
& $KeyVaultKeyCreationFullPath @argumentList
#Assign rights to Key Vault for SQL Admin Service Principal
Write-Host "Assigning rights to Key Vault for SQL Admin Service Principal..."
$SAApp = Get-AzureRmADApplication -DisplayNameStartWith $ApplicationNameSQLAdmin
$argumentList = @{"KeyVaultName"="$KeyVaultName";
& $AADAppRightsToVaultCreationFullPath @argumentList
#Assign rights to Key Vault for SQL App Service Principal
Write-Host "Assigning rights to Key Vault for SQL App Service Principal..."
$DBApp = Get-AzureRmADApplication -DisplayNameStartWith $ApplicationNameSQLDB
$argumentList = @{"KeyVaultName"="$KeyVaultName";
& $AADAppRightsToVaultCreationFullPath @argumentList
Write-Host "** SCRIPT COMPLETED **"
param (
[string]$Version = $( Read-Host "Input version" ),
[string]$SubscriptionName = $( Read-Host "Input subscription name" ),
[string]$KeyVaultResourceGroupName = $( Read-Host "Input key vault resource group name" ),
[string]$KeyVaultName = $( Read-Host "Input key vault name" ),
[string]$Location = $( Read-Host "Input location" ),
[string]$SKU = $( Read-Host "Input SKU" )
$SubscriptionID = Get-AzureRmSubscription | where-Object {$_.SubscriptionName -eq $SubscriptionName} | Select-Object -ExpandProperty SubscriptionId
if (!$SubscriptionID)
Write-Host "`$SubscriptionID is null!"
Write-Host "`$SubscriptionID is $SubscriptionID"
#Set Subscription
Set-AzureRmContext -SubscriptionId $SubscriptionID
#Set Subscription
Set-AzureRmContext -SubscriptionId $SubscriptionID
#Create Resource Group
Write-Host $("----- Creating Resource Group $KeyVaultResourceGroupName at location $Location")
New-AzureRmResourceGroup –Name $KeyVaultResourceGroupName –Location $Location
#Create new Key Vault
Write-Host $("----- Creating Key Vault $KeyVaultName in resource group $KeyVaultResourceGroupName")
New-AzureRmKeyVault -VaultName $KeyVaultName -ResourceGroupName $KeyVaultResourceGroupName -Location $Location -SKU $SKU
#Wait! Make sure Key Vault is properly created
Start-Sleep -Seconds 5
param (
[string]$KeyVaultName = $( Read-Host "Input key vault name" ),
[string]$KeyVaultKeyName = $( Read-Host "Input key vault key name" ),
[string]$KeyVaultDestination = $( Read-Host "Input key vault destination" )
#Add new key to the key vault
Write-Host $("----- Creating Key Vault Key $KeyVaultKeyName in Key Vault $KeyVaultName")
$key = Add-AzureKeyVaultKey -VaultName $KeyVaultName -Name $KeyVaultKeyName -Destination $KeyVaultDestination
param (
[string]$KeyVaultName = $( Read-Host "Input key vault name" ),
[string]$ApplicationClientID = $( Read-Host "Input application client ID" ),
[string]$ApplicationObjectID = $( Read-Host "Input application object ID" )
#Set Access Policy for vault (assign right to service principle [application])
Write-Host $("----- Setting access policy on Key Vault $KeyVaultName for use by application with id $ApplicationClientID")
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ObjectID $ApplicationObjectID -PermissionsToKeys all -PassThru
#Register the "service principal" object (as the *local* representation)
New-AzureRmADServicePrincipal -ApplicationId $ApplicationClientID
#Works when app is created from ASM portal (use ServicePrincipalName)
Set-AzureRmKeyVaultAccessPolicy -VaultName $KeyVaultName -ServicePrincipalName $ApplicationClientID -PermissionsToKeys get, list, decrypt,sign, wrapKey, unwrapKey

This comment has been minimized.

Copy link
Owner Author

@bjh1977 bjh1977 commented Nov 9, 2016

I now recommend this method for creating the Application and Key:


This comment has been minimized.

Copy link

@msilinda msilinda commented Oct 1, 2018

Thank you for posting these. Do you have any examples on how to modify ALL properties of Azure Enterprise Applications that were installed from the Marketplace?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment