I wish to publish S/MIME certificates to Azure AD for an Azure AD User without any user interaction (from a certificate management platform).
Using on-premise Active Directory we can simply publish the certificate to the user's userCertificate attribute via LDAP. For Azure AD it is possible to update user attributes via the Graph API (https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http). However, I cannot find how to set the userCertificate (and/or userSMIMECertificate) attribute.
Azure AD Connect sync synchronizes the userCertificate attribute, however without an on-premise AD to synchronize this will not suffice. Given that it synchronizes the userCertificate field I assume the attribute is at least possible with Azure AD Users.
My setup is a basic Azure AD environment with a few test users. I'm making the Graph API calls using cURL in a C++ application. The calls are authenticated with an authentication token acquired for a Client Application with User.ReadWrite.All rights. I can successfully read and write other (documented) values.
The response is a 'Request_BadRequest' with error message "One or more property values specified are invalid." The same response is given when trying to set a value for a non-existing attribute.
Am I mistaken in assuming the existence of the UserCertificate and/or UserSMIMECertificate?
Do I need to add services to Azure AD to "add" these attributes?
Are there other ways to programmatically / without user interaction upload S/MIME certificates to Azure AD?
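As an added illustration (not code from the question, and not an answer to it), the following Python sketch shows the shape of the Graph `PATCH /users/{id}` call the question describes and how to pull the `code`/`message` pair out of the JSON error body that Graph returns on a 400, so that a `Request_BadRequest` can be logged and distinguished from other failures. The user id, bearer token and the error body are constructed placeholders; how the token is obtained (client credentials with `User.ReadWrite.All`, as in the question) is assumed and not shown.

```python
import json
import urllib.request
import urllib.error
from typing import Any, Dict, Optional, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_user_patch(user_id: str, token: str, attributes: Dict[str, Any]) -> Dict[str, Any]:
    """Describe the request that updates a user's attributes via Microsoft Graph
    (PATCH /users/{id}). Returned as a plain dict so it can be inspected or
    handed to any HTTP client; the bearer token is assumed to be valid."""
    return {
        "method": "PATCH",
        "url": f"{GRAPH_BASE}/users/{user_id}",
        "headers": {
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        "body": json.dumps(attributes),
    }


def classify_graph_error(status: int, body: str) -> Optional[Tuple[str, str]]:
    """Return (code, message) from a Graph error response, or None on 2xx.
    Graph wraps failures as {"error": {"code": ..., "message": ...}}; a body
    that is not JSON is reported under a synthetic code so it is never lost."""
    if 200 <= status < 300:
        return None
    try:
        err = json.loads(body).get("error", {})
    except (ValueError, AttributeError):
        return ("non-json-error", body)
    return (str(err.get("code", "unknown")), str(err.get("message", "")))


def send(req: Dict[str, Any]) -> Tuple[int, str]:
    """Perform the request with the standard library and return (status, body).
    HTTP errors are caught so the JSON error body can still be classified."""
    r = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"], method=req["method"]
    )
    try:
        with urllib.request.urlopen(r) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Constructed sample of the 400 body described in the question (not captured from Graph).
SAMPLE_BAD_REQUEST = json.dumps({
    "error": {
        "code": "Request_BadRequest",
        "message": "One or more property values specified are invalid.",
    }
})


if __name__ == "__main__":
    # Placeholders: replace with a real object id and a token from your app registration.
    req = build_user_patch("00000000-0000-0000-0000-000000000000", "<access-token>",
                           {"jobTitle": "S/MIME test"})
    print(req["method"], req["url"])
    # Offline demonstration of the error handling path:
    print(classify_graph_error(400, SAMPLE_BAD_REQUEST))
```

Note that, as the question observes, Graph returns the same `Request_BadRequest` code for an unsupported property name as for an invalid value, so the error alone does not say which of the two occurred; logging the attribute names you sent alongside the error makes the distinction recoverable later.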