Create a Self Signed Certificate and an Azure AD WebApp and Assign the Cert for Authentication. Associated blog post https://blog.darrenjrobinson.com/creating-an-azuread-webapp-using-powershell-to-leverage-certificate-based-authentication/
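# Create a self-signed certificate, register an Azure AD application whose key
# credential is that certificate's public part, and create the matching service
# principal. Requires the AzureRM modules (Import-Module AzureRM below).
#
# Review notes on what changed vs. the original script:
#  - No secrets are hard-coded any more: the PFX password is prompted for as a
#    SecureString and the Azure sign-in is interactive (the original embedded
#    both the PFX password and the tenant admin password in clear text).
#  - The certificate's NotAfter and the key credential's EndDate are derived
#    from ONE lifetime value. The original set NotAfter 20 years out
#    ($endDate.AddYears(10)) while the key credential expired after 10.
#  - The thumbprint is read from the created cert object instead of being pasted
#    in by hand, and the export uses the same store the cert was created in
#    (the original created in CurrentUser\My but exported from LocalMachine\My).
#  - The PFX written to $pfxPath contains the PRIVATE key: protect the folder
#    and delete the file once the key has been installed where it is needed.

# --- Create a new self signed cert -----------------------------------------
$currentDate = Get-Date
# Single lifetime for both the certificate and the Azure AD key credential so
# the app registration can never outlive its certificate. 10 years matches the
# original key-credential value; a shorter lifetime with rotation is preferable
# for a credential that grants directory access.
$lifetimeYears = 10
$endDate = $currentDate.AddYears($lifetimeYears)
$notAfter = $endDate

# Prompt for the PFX export password rather than storing it in the script.
$pwd = Read-Host -Prompt "PFX export password" -AsSecureString

$certStore = "Cert:\CurrentUser\My"
$myCert = New-SelfSignedCertificate -CertStoreLocation $certStore -DnsName mydev.mim.azure -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter

# Thumbprint comes from the cert just generated (no manual copy/paste step).
$thumbprint = $myCert.Thumbprint
$pfxPath = "C:\temp\oAuth\CertBased\AzureAppsCert.pfx"
# Export from the store the cert was created in; -KeyExportPolicy Exportable
# above is what allows the private key to leave the store.
Export-PfxCertificate -Cert "$certStore\$thumbprint" -FilePath $pfxPath -Password $pwd | Out-Null

# --- Build the key credential from the public certificate ------------------
# Only the raw public certificate (GetRawCertData) is sent to Azure AD; the
# private key never leaves this machine.
$x509cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pwd)
$keyValue = [System.Convert]::ToBase64String($x509cert.GetRawCertData())
$keyId = [guid]::NewGuid()

Import-Module AzureRM.Resources
$keyCreds = New-Object Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory.PSADKeyCredential
$keyCreds.StartDate = $currentDate
$keyCreds.EndDate = $endDate
$keyCreds.KeyId = $keyId
$keyCreds.CertValue = $keyValue
$keyCreds

# --- Login to Azure PowerShell --------------------------------------------
Import-Module AzureRM
# Interactive sign-in: keeps the admin password out of the script and works
# with MFA / conditional access, which the username+password -Credential flow
# used by the original does not.
$azureRM = Login-AzureRmAccount

# --- Create the Azure AD App ----------------------------------------------
$aadApp = New-AzureRmADApplication -DisplayName "AzureAD Scripts" -HomePage "https://localhost" -IdentifierUris "https://localhost" -KeyCredentials $keyCreds

# Create the Service Principal and connect it to the Application
New-AzureRmADServicePrincipal -ApplicationId $aadApp.ApplicationId

# Trigger GUI AuthN. Sign in as an Admin and accept the oAuth2 Permission Authorizations.
# NOTE(review): Get-AzureADGraphAPIAccessTokenFromUser is not an AzureRM cmdlet;
# it has to be defined or loaded before this line (see the associated blog post).
Get-AzureADGraphAPIAccessTokenFromUser -ClientId $aadApp.ApplicationId -RedirectUri https://localhost -TenantDomain $azureRM.Context.Tenant.Id

# Run these one by one to copy out the key variables to the clipboard to copy into our Connection Script.
$aadApp.ObjectId | clip
$aadApp.ApplicationId | clip
$thumbprint | clip
$azureRM.Context.Tenant.Id | clip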