Question
I have a certificate associated with a service principal in Azure AD. How can I get the certificate name or thumbprint associated with it using PowerShell?
I have tried the Get-AzureRmADServicePrincipalCredential, Get-AzureRmADSpCredential and Get-AzureADServicePrincipalKeyCredential commands, but they return a Key Identifier, not the thumbprint.
Basically I want to recognize which certificate is associated with the principal before revoking it.
Answer 1:
As @Stanley Gong mentioned, you can use MS Graph to get it.
Here is another way; try the commands below, and $Thumbprint is what you want.
Note that <object-id> is the object id of your AD App (App registration), not the service principal (Enterprise application); they are different.
# CustomKeyIdentifier is the SHA-1 thumbprint of the certificate as a byte array
$CustomKeyIdentifier = (Get-AzureADApplicationKeyCredential -ObjectId "<object-id>").CustomKeyIdentifier
# Base64 form of the thumbprint, which is how the portal and Graph display it
$Thumbprint = [System.Convert]::ToBase64String($CustomKeyIdentifier)
Answer 2:
Try the PS commands below to get the cert thumbprint via the Microsoft Graph API:
$clientId = "<your Azure AD App ID>"
$clientSec = "<your Azure AD App Secret>"
$appObjId = "<object ID of the app that you want to query>"
$tenant = "<your tenant ID>"
# Client-credentials grant against the Azure AD v1 token endpoint
$body = @{
    "grant_type"    = "client_credentials";
    "resource"      = "https://graph.microsoft.com/";
    "client_id"     = $clientId;
    "client_secret" = $clientSec
}
$accessToken = (Invoke-RestMethod -Uri "https://login.windows.net/$tenant/oauth2/token" -Method POST -Body $body).access_token
# keyCredentials of the app registration (use the application object ID, not the service principal)
$keyCreds = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/applications/$appObjId/keyCredentials" -Method Get -Headers @{"Authorization" = "Bearer $accessToken"}
# customKeyIdentifier is the base64-encoded SHA-1 thumbprint of each certificate
$keyCreds.value.customKeyIdentifier
Result: my certs on the portal:
Query result:
Please note: make sure the app you use to get the token has the permission below, so it can call the Microsoft Graph API to query your apps:
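Both answers above return customKeyIdentifier, which is the SHA-1 thumbprint of the certificate (base64 from Graph, a byte[] from the AzureAD cmdlet). The following is an added example, not code from either answer, that turns each key credential into the hex thumbprint shown by Cert:\ drives, flags expired ones and matches them against a local certificate store, so you can tell which KeyId belongs to which certificate before revoking it. The function names, the sample credential and the store path are assumptions of this example; property access is case-insensitive, so it works on Graph JSON (keyId/endDateTime) and on AzureAD cmdlet output (KeyId/EndDate) alike.

```powershell
# Added example (hypothetical helpers): map key credentials to certificate thumbprints.

function ConvertTo-HexThumbprint {
    param([Parameter(Mandatory)] $CustomKeyIdentifier)
    # Graph returns customKeyIdentifier as a base64 string; Get-AzureADApplicationKeyCredential
    # returns the raw byte[]. Both encode the certificate's SHA-1 thumbprint.
    $bytes = if ($CustomKeyIdentifier -is [byte[]]) { $CustomKeyIdentifier }
             else { [System.Convert]::FromBase64String($CustomKeyIdentifier) }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Get-KeyCredentialReport {
    param(
        [Parameter(Mandatory)] $KeyCredentials,          # Graph keyCredentials or AzureAD cmdlet output
        [string] $StorePath = 'Cert:\CurrentUser\My'     # assumed local store to match against
    )
    # Index local certificates by thumbprint so each KeyId can be tied to a concrete cert.
    $local = @{}
    if (Test-Path $StorePath) {
        Get-ChildItem $StorePath | ForEach-Object { $local[$_.Thumbprint] = $_.Subject }
    }
    foreach ($cred in $KeyCredentials) {
        $thumb = ConvertTo-HexThumbprint $cred.customKeyIdentifier
        # Graph uses endDateTime, the AzureAD cmdlet uses EndDate; take whichever is present
        $end = if ($cred.endDateTime) { $cred.endDateTime } else { $cred.endDate }
        [pscustomobject]@{
            KeyId        = $cred.keyId
            Thumbprint   = $thumb
            Expires      = $end
            Expired      = ([datetime]$end) -lt (Get-Date)
            InLocalStore = $local.ContainsKey($thumb)
            LocalSubject = $local[$thumb]
        }
    }
}

# Constructed sample shaped like the Graph keyCredentials response; not a real tenant or cert.
$sampleThumbBytes = [byte[]](1..20)
$sampleCreds = @(
    [pscustomobject]@{
        keyId               = '11111111-1111-1111-1111-111111111111'
        customKeyIdentifier = [System.Convert]::ToBase64String($sampleThumbBytes)
        endDateTime         = '2019-01-01T00:00:00Z'
    }
)
Get-KeyCredentialReport -KeyCredentials $sampleCreds | Format-Table -AutoSize
```

To run it against real data, pass `$keyCreds.value` from Answer 2 or the output of Get-AzureADApplicationKeyCredential from Answer 1 as -KeyCredentials; the KeyId column is the value you hand to the removal cmdlet once you have confirmed the thumbprint.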
Source: https://stackoverflow.com/questions/58407858/how-to-get-thumbprint-of-the-certificate-associated-with-a-service-principal-usi