Control Secrets in Azure App Reg – Manage Azure App Reg with PowerShell and MSGRAPH API – Part 2

This is the second part of this Blog Series on controlling Azure App Registrations with PowerShell and the MS Graph API. Now we take a look at how to create and delete Secrets for Azure App Registrations.

Here you see the other Articles of this Series.

  • Part 1: Create and delete Azure App Regs – LINK
  • Part 2: Control Secrets in Azure App Reg – LINK
  • Part 3: Add and Remove Permission in Azure App Reg – LINK
  • Part 4: Self-Service Azure App Registration with au2mator – TBP

Prerequisites

Ensure you follow the Prerequisites in Part 1, as we need the created App Registration.

The Script – Create a Secret

In the beginning, we configure the Authentication and Script Details like the App Name, Secret Name, and Duration in Months.
NOTE: when you use PowerShell to create a Secret, you can choose a longer Duration than 24 Months.


#Graph API Details
$MSGRAPHAPI_clientID = 'your Client ID'
$MSGRAPHAPI_tenantId = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL = "https://graph.microsoft.com/v1.0"


#Enter Azure App Details
$AzureAppName = "TestApp1"
$SecretDescription="Secret1"
$SecretDurationInMonth=24

Now, as always, we take care of Authentication.


#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{  
    Grant_Type    = "client_credentials"  
    Scope         = "https://graph.microsoft.com/.default"  
    Client_Id     = $MSGRAPHAPI_clientID  
    Client_Secret = $MSGRAPHAPI_Clientsecret  
}   
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody  
$MSGRAPHAPI_headers = @{
    "Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
    "Content-type"  = "application/json"
}

Now, the Magic happens. We get the ID from the Azure App Name and build the JSON Body to create the Secret. As a Response, we get the Secret Value.


#Get App ID from App Name (the addPassword URL below needs the Application Object ID)
$GetIDfromName_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
    Headers = $MSGRAPHAPI_headers
}

$GetIDfromName_Result = Invoke-RestMethod @GetIDfromName_Params


#Add Secret to App
$AddSecretToAppReg_Body = @"
    {
        "passwordCredential": {
            "displayName": "$SecretDescription",
            "endDateTime": "$(Get-Date -Format o (Get-Date).AddMonths($SecretDurationInMonth))"
        }
    }
"@

$AddSecretToAppReg_Params = @{
    Method  = "POST"
    Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)/addPassword"
    Headers = $MSGRAPHAPI_headers
    Body    = $AddSecretToAppReg_Body
}

$AddSecretToAppReg_Result = Invoke-RestMethod @AddSecretToAppReg_Params


#Secret value - this is the only time Graph returns it, so store it right away
$AddSecretToAppReg_Result.secretText

The Script – Remove a Secret from Azure App Registration

We start with Script Settings and Authentication.

#Graph API Details
$MSGRAPHAPI_clientID = 'your Client ID'
$MSGRAPHAPI_tenantId = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL = "https://graph.microsoft.com/v1.0"


#Enter Details
$AzureAppName = "TestApp1"
$SecretDescription = "Secret1"


#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    Client_Id     = $MSGRAPHAPI_clientID
    Client_Secret = $MSGRAPHAPI_Clientsecret
}
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody
$MSGRAPHAPI_headers = @{
    "Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
    "Content-type"  = "application/json"
}

Next, we get the ID from the APP Name.

#Get App ID from App Name
$GetIDfromName_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
    Headers = $MSGRAPHAPI_headers
}

$GetIDfromName_Result = Invoke-RestMethod @GetIDfromName_Params


And now the magic happens: we get the App details and search the "passwordCredentials" for the Secret name. Next, we call the "removePassword" URL with a JSON body containing the Secret's keyId.

#Get Secret from App
$GetSecretAppReg_Params = @{
    Method  = "GET"
    Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)"
    Headers = $MSGRAPHAPI_headers
}

$GetSecret_Result = Invoke-RestMethod @GetSecretAppReg_Params

#Several secrets may share the same displayName, so keep all matches
$Secrets = $GetSecret_Result.passwordCredentials | Where-Object { $_.displayName -eq $SecretDescription }


foreach ($S in $Secrets) {

    #removePassword identifies the secret by its keyId, never by its value
    $DeleteSecretFromAppReg_Body = @"
    {
        "keyId": "$($S.keyId)"
    }
"@

    $DeleteSecretFromAppReg_Params = @{
        Method  = "POST"
        Uri     = "$MSGRAPHAPI_BaseURL/applications/$($GetIDfromName_Result.value.id)/removePassword"
        Headers = $MSGRAPHAPI_headers
        Body    = $DeleteSecretFromAppReg_Body
    }

    $DeleteSecretFromAppReg_Result = Invoke-RestMethod @DeleteSecretFromAppReg_Params

}
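Because the addPassword call accepts a longer Duration than the portal's 24 Months, the same "passwordCredentials" array the delete script reads is also the place to audit for expired, soon-expiring and over-long secrets. The following function is an added example, not part of the original post or the GitHub scripts; it works on the passwordCredentials array alone, so the sample data is constructed inline and the keyId values are placeholders.

```powershell
# Added example: report the state of every secret on an App Registration.
# $Credentials is the "passwordCredentials" array from GET /applications/{id},
# e.g. $GetSecret_Result.passwordCredentials in the script above.
function Get-AppSecretReport {
    param(
        [Parameter(Mandatory)] [object[]] $Credentials,
        [int] $WarnDays = 30,           # warn when a secret expires within this many days
        [int] $MaxLifetimeMonths = 24   # flag secrets granted a longer lifetime than this
    )
    $now = Get-Date
    foreach ($c in $Credentials) {
        $start    = [datetime]$c.startDateTime
        $end      = [datetime]$c.endDateTime
        $daysLeft = [math]::Floor(($end - $now).TotalDays)
        $status   = if ($end -lt $now)             { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                    else                             { 'Valid' }
        # lifetime policy: the granted end date may not lie past start + max months
        $exceeds = $end -gt $start.AddMonths($MaxLifetimeMonths)
        [pscustomobject]@{
            displayName   = $c.displayName
            keyId         = $c.keyId
            endDateTime   = $end.ToString('u')
            DaysRemaining = $daysLeft
            Status        = $status
            ExceedsPolicy = $exceeds
        }
    }
}

# Constructed sample data shaped like a Graph response (keyIds are placeholders).
$sampleCredentials = @(
    [pscustomobject]@{ displayName = 'Secret1';   keyId = 'PLACEHOLDER-KEYID-1'
                       startDateTime = (Get-Date).AddYears(-3).ToString('o')
                       endDateTime   = (Get-Date).AddYears(-1).ToString('o') }   # expired
    [pscustomobject]@{ displayName = 'Secret2';   keyId = 'PLACEHOLDER-KEYID-2'
                       startDateTime = (Get-Date).AddMonths(-1).ToString('o')
                       endDateTime   = (Get-Date).AddDays(10).ToString('o') }    # expiring soon
    [pscustomobject]@{ displayName = 'LongLived'; keyId = 'PLACEHOLDER-KEYID-3'
                       startDateTime = (Get-Date).ToString('o')
                       endDateTime   = (Get-Date).AddMonths(60).ToString('o') }  # exceeds 24 months
)
Get-AppSecretReport -Credentials $sampleCredentials | Format-Table -AutoSize

# Against a live App Registration, after the GET in the delete script:
# Get-AppSecretReport -Credentials $GetSecret_Result.passwordCredentials | Where-Object ExceedsPolicy
```

Secrets flagged ExceedsPolicy or Expired are candidates for the removePassword loop above, using their keyId.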


Summary

So, we can now create and delete a Secret on an Azure App Registration with PowerShell. We are one step closer to managing Azure App Registrations entirely with PowerShell.

GitHub

See the Script in GitHub: https://github.com/Seidlm/Microsoft-Azure

– Add Secret to Azure App Reg.ps1
– Delete Secret from Azure App Reg.ps1

Michael Seidl aka Techugy
au2mate everything

2 thoughts on “Control Secrets in Azure App Reg – Manage Azure App Reg with PowerShell and MSGRAPH API – Part 2”

  1. Dear Michael, do you also have a script that allows me to import a certificate into an app registration, including the thumbprint? I have the certificate locally on my PC.
