Creating a new application inside of Azure AD is a pain. First, you have to go to the portal, then create the application itself, and then assign the necessary permissions. Depending on what type of service you want to access, you then need to either create a Client Key or upload a certificate. If you want to use a certificate (which is definitely the preferred method for app-only, and in some cases, required), you have to either acquire the certificate or create a self-signed certificate and then add that certificate to your application. Finally, you have to generate a PFX certificate that can then be presented when you try to authenticate to your selected service. Once you’ve done all of that, you run your app and hope you haven’t screwed up any of the bits. Or, is it just a matter of waiting until everything updates across Azure and the rest of the Microsoft Online services? Ugh.
I’ve been working on what, at least for me, is a better way and I’d like to share that solution. It’s just a simple PowerShell script. The complete script is pasted below.
```powershell
## Update these parameters appropriately
$appName            = "Demo App"
$appIdentifier      = "http://localhost/DemoApp"
$certOutputLocation = "C:\Temp\DemoApp"
$certName           = "DemoApp"
$certPassword       = "SuperSecretPassword"
##

# Output paths for the public certificate (.cer) and the private key bundle (.pfx).
$certCerFile = Join-Path $certOutputLocation "$certName.cer"
$certPfxFile = Join-Path $certOutputLocation "$certName.pfx"

# Export-PfxCertificate requires a SecureString password.
$securePassword = ConvertTo-SecureString $certPassword -AsPlainText -Force

# Make sure the output folder exists; the Export-* cmdlets do not create it.
New-Item -ItemType Directory -Path $certOutputLocation -Force | Out-Null

# Create a self-signed certificate in the current user's personal store.
# The key must be exportable so it can be written to the .pfx below.
# Note: New-SelfSignedCertificate defaults to one year of validity.
$cert = New-SelfSignedCertificate -KeyLength 2048 -KeyExportPolicy Exportable `
    -FriendlyName "CN=$certName" -CertStoreLocation Cert:\CurrentUser\My `
    -Subject $certName -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Public certificate for Azure AD, and the password-protected PFX for the application.
Export-Certificate    -Cert $cert -FilePath $certCerFile -Type CERT | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $certPfxFile -Password $securePassword | Out-Null

# Cleanup: the certificate is no longer needed in the store once the files exist.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"

# Prompts for Azure credentials in a login dialog.
Login-AzureRmAccount | Out-Null

# Read the .cer back and base64-encode the raw DER bytes for -CertValue.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import($certCerFile)
$binCert   = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)

# Create the Azure AD application with the certificate as its credential.
$newApp = New-AzureRmADApplication -DisplayName $appName -IdentifierUris $appIdentifier -CertValue $credValue

Write-Host "PFX: $certPfxFile"
Write-Host "PFX Password: $certPassword"
Write-Host "Azure App ID: $($newApp.ApplicationId)"
```
How it works
The script is actually incredibly simple, but for those of us who create a lot of applications for demos and testing, it saves quite a lot of time. The script has the following major steps:
- Generate a self-signed certificate in the current user's personal cert store.
- Export that certificate as a .cer file for uploading to Azure later.
- Export a .pfx certificate that's used by the application.
- Remove the certificate from the personal cert store (this is just for cleanup; it could be left in place if the application was going to find the cert in the cert store instead of via the direct certificate file).
- Log in to the user's Azure account via Login-AzureRmAccount.
- Convert the certificate to a base64 text string.
- Create the new Azure AD Application, uploading the certificate data.
- Display the necessary information to the user to embed in their application.
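The script ends with the hope that none of "the bits" got mixed up, so a quick consistency check of the artifacts is worth running before the PFX is embedded anywhere. The following function is an added example, not part of the original script or of the GitHub repository; it assumes the `$certCerFile`, `$certPfxFile` and `$certPassword` variables from the script above are still in scope. It loads the .cer that was uploaded to Azure AD and the .pfx the application will present, confirms they describe the same certificate (same thumbprint), that the .pfx actually carries the private key, and how long the certificate remains valid, and it does this without echoing the PFX password to the console.

```powershell
# Added verification example (hypothetical helper, not from the original post).
# Assumes $certCerFile, $certPfxFile and $certPassword from the script above.
function Test-AppCertificateArtifacts {
    param(
        [Parameter(Mandatory)] [string] $CerPath,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [string] $PfxPassword,
        [int] $WarnIfExpiresWithinDays = 30
    )

    # The public certificate that was base64-encoded and uploaded as -CertValue.
    $public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $CerPath

    # The PFX the application will present; the password unlocks the private key.
    $private = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $PfxPassword

    $result = [ordered]@{
        Subject         = $private.Subject
        Thumbprint      = $private.Thumbprint
        MatchesUploaded = ($public.Thumbprint -eq $private.Thumbprint)
        HasPrivateKey   = $private.HasPrivateKey
        NotAfter        = $private.NotAfter
        DaysUntilExpiry = [int]($private.NotAfter - (Get-Date)).TotalDays
    }

    if (-not $result.MatchesUploaded) {
        Write-Warning "The .cer uploaded to Azure AD and the .pfx do not describe the same certificate."
    }
    if (-not $result.HasPrivateKey) {
        Write-Warning "The .pfx contains no private key; the application cannot sign its token request with it."
    }
    if ($result.DaysUntilExpiry -le $WarnIfExpiresWithinDays) {
        # New-SelfSignedCertificate defaults to one year of validity.
        Write-Warning "Certificate expires on $($private.NotAfter); plan to rotate it before then."
    }

    [pscustomobject]$result
}

Test-AppCertificateArtifacts -CerPath $certCerFile -PfxPath $certPfxFile -PfxPassword $certPassword
```

Run it right after the script finishes; a mismatch in `MatchesUploaded` usually means an older .cer or .pfx in the output folder was picked up, and `HasPrivateKey` being false means the key was not exportable when the PFX was written.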
We just need to update the few lines at the top of the script and let it fly. Note: midway through the script, a Microsoft login box will pop up. Enter your Azure admin credentials there. If all goes well, when the script is complete, the application will have been created in Azure AD and the certificate will be ready for use by our application. The last step is simply to assign permissions to the application for the services that the application will need to access. You can find a walkthrough on how to do that here: https://www.jonathanhuss.com/assigning-permissions-to-an-azure-ad-application/
Also, check out this GitHub repository: https://github.com/JonathanHuss/AzureADAppDemo. It has both the sample script and a demo .NET application.