Question

Asked by TimdeHaas-8116 (0 votes)

How to programmatically set Azure AD User's userCertificate and/or userSMIMECertificate attribute

I wish to publish S/MIME certificates to Azure AD for an Azure AD User without any user interaction (from a certificate management platform).

Using on-premises Active Directory we can simply publish the certificate to the user's userCertificate attribute via LDAP. For Azure AD it is possible to update user attributes via the Graph API (https://docs.microsoft.com/en-us/graph/api/user-update?view=graph-rest-1.0&tabs=http). However, I cannot find how to set the userCertificate (and/or userSMIMECertificate) attribute.

Azure AD Connect sync synchronizes the userCertificate attribute; however, without an on-premises AD to synchronize from, this will not suffice. Given that it synchronizes the userCertificate field, I assume the attribute is at least possible for Azure AD users.

My setup is a basic Azure AD environment with a few test users. I'm making the Graph API calls using cURL in a C++ application. The calls are authenticated with an authentication token acquired for a Client Application with User.ReadWrite.All rights. I can successfully read and write other (documented) values.
The response is a 'Request_BadRequest' with error message "One or more property values specified are invalid." The same response is given when trying to set a value for a non-existing attribute.

Am I mistaken in assuming the existence of the UserCertificate and/or UserSMIMECertificate?
Do I need to add services to Azure AD to "add" these attributes?
Are there other ways to programmatically / without user interaction upload S/MIME certificates to Azure AD?

Tag: azure-active-directory

1 Answer

Answered by michev (2 votes)

Afaik the attributes in question exist only within ExODS currently, thus you need to use Exchange tools to set them. No Graph API support. This article has some samples: https://techcommunity.microsoft.com/t5/exchange-team-blog/how-to-configure-s-mime-in-office-365/ba-p/584516

Via PowerShell, you should be able to use the Set-Mailbox cmdlet.

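As an added example, not taken from the answer above or from the linked Exchange Team article, the following Exchange Online PowerShell script does what michev describes: it loads the certificate file, publishes only the public part with the -UserCertificate and -UserSMIMECertificate parameters of Set-Mailbox, and then reads the mailbox back to confirm the published certificate has the expected thumbprint. It assumes the ExchangeOnlineManagement module is installed, that the signed-in account is allowed to run Set-Mailbox, that the mailbox UPN, admin UPN and certificate path are placeholders you replace, and that Get-Mailbox returns the attribute as a byte array or a collection of byte arrays (the ConvertTo-X509List helper handles both; that shape is an assumption made for this example).

```powershell
# Added example (not from the original thread): publish an S/MIME certificate to an
# Exchange Online mailbox with Set-Mailbox, then read it back and verify it.
# Assumptions: ExchangeOnlineManagement is installed, the admin account may run
# Set-Mailbox, and $Mailbox / $CertPath / $AdminUpn are placeholder values.

param(
    [string]$Mailbox  = 'user@contoso.example',     # placeholder mailbox UPN
    [string]$CertPath = 'C:\certs\user-smime.cer',  # placeholder path to the public cert (DER or PEM)
    [string]$AdminUpn = 'admin@contoso.example'     # placeholder admin account
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

function Get-PublicCertBytes {
    param([string]$Path)
    # Load whatever is on disk, then export only the public certificate as DER.
    # Exporting with X509ContentType::Cert strips any private key that might be
    # in the file by mistake, so only public material is ever written to the directory.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [System.IO.File]::ReadAllBytes($Path))
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter); refusing to publish."
    }
    # Secure Email EKU (1.3.6.1.5.5.7.3.4): warn rather than fail, because some CAs
    # issue S/MIME certificates with no EKU extension at all.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' })) {
        Write-Warning "Certificate $($cert.Thumbprint) has an EKU extension without Secure Email."
    }
    return @{
        Thumbprint = $cert.Thumbprint
        Bytes      = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    }
}

function ConvertTo-X509List {
    param($Value)
    # Assumption for this example: Get-Mailbox returns the attribute either as one
    # byte array or as a collection of byte arrays. Parse each one back into a cert.
    $items = if ($Value -is [byte[]]) { ,$Value } else { @($Value) }
    foreach ($item in $items) {
        if ($null -ne $item) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$item)
        }
    }
}

$pub = Get-PublicCertBytes -Path $CertPath

# Publish the same public certificate to both attributes: UserSMIMECertificate is what
# Outlook and OWA use for S/MIME; UserCertificate mirrors the on-premises AD attribute.
Set-Mailbox -Identity $Mailbox -UserCertificate $pub.Bytes -UserSMIMECertificate $pub.Bytes

# Read back and confirm the directory now holds exactly the certificate we intended.
$mbx       = Get-Mailbox -Identity $Mailbox
$published = ConvertTo-X509List -Value $mbx.UserSMIMECertificate
if ($published.Thumbprint -contains $pub.Thumbprint) {
    Write-Host "Published $($pub.Thumbprint) for $Mailbox"
} else {
    Write-Error "Read-back did not contain $($pub.Thumbprint); found: $($published.Thumbprint -join ', ')"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The read-back step is the part worth keeping in any automation: Set-Mailbox does not validate that the bytes are a certificate, so comparing the thumbprint of what Get-Mailbox returns against the thumbprint of the file you meant to publish is the only confirmation that the right public key is now in the directory. Exporting with X509ContentType::Cert before publishing also guards against a PFX being handed to the script by mistake.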

Thank you! Your answer has helped me forward a lot!


Hi Tim,

Did you get this to work? I have a similar scenario. I had previously followed the steps outlined in the reply's reference link (and a few other sources that have basically the same PowerShell steps). I upload the SST. I install certs for each user either with Outlook's Publish to GAL or via PowerShell. I can use PowerShell to see that each user has a UserSMIMECertificate in Exchange. Still, encryption doesn't work with internal emails. If users save each other's certs from signed emails to local client (mostly Outlook) Contacts, then internal signing and encryption work fine. But all that cert sharing/saving is what I'm trying to avoid. I must be missing some step or setting.

Thanks


Hi Kenneth,

We have not implemented this yet due to changes in priority. Concerning your question, is there a way to trigger a GAL update? I remember reading that it was possible but did not act on it at that time, so I don't have the URL stored. Hope you can get it to work!
