Create a Application in Azure AD with Azure PowerShell Certificate authentication

问题

I was trying to Create a Application in Azure AD with Azure PowerShell Certificate authentication, below is the Powershell snippet:

Login-AzureRmAccount
$cert = New-Object    System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName "SetupTet4" -HomePage  "http://localhost" -IdentifierUris "http://localhost" -KeyValue $key -KeyType AsymmetricX509Cert
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName "Owner" -ServicePrincipalName  $app.ApplicationId

the Azure AD application was created successfully, however for Azure AD application with Certificate Authentication, the customKeyIdentifier and value of in the keyCredentials is null after creation, this is the portion of manifest of my application I downloaded from Azure portal:

"keyCredentials": [{
"customKeyIdentifier": null,
"endDate": "2017-02-25T20:48:35.5174541Z",
"keyId": "575580cc-ce4e-4862-ad3e-1ba5833fe7f6",
"startDate": "2016-02-25T20:48:35.5174541Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}],

FYI the certificate is a self signed certificate I use makecert command generated locally.

Any advice, great appreciate.

James

回答1:

Add a call to Set-AzureRmKeyVaultAccessPolicy to specify the access level you want the service principle to have for the key vault. See the changes in the last two lines for your script.

Login-AzureRmAccount
$cert = New-Object    System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName "SetupTet4" -HomePage  "http://localhost" -IdentifierUris "http://localhost" -KeyValue $key -KeyType AsymmetricX509Cert
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName "<your-vault-name>" `
    -ServicePrincipalName $sp.ServicePrincipalName `
    -PermissionsToKeys all -PermissionsToSecrets all `
    -ResourceGroupName "<your-resource-group-name>"

来源：https://stackoverflow.com/questions/35640080/create-a-application-in-azure-ad-with-azure-powershell-certificate-authenticatio

标签

azure

certificate

azure-active-directory

azure-powershell

azure-keyvault