PadillaHenry-6154 asked

How to use New-AzADSpCredential to add certificate credentials

I am using App Registrations to deploy resources and the certificate is expiring. I am trying to write a script to add a new cert to extend the life of this Service Principal but no matter who I login as (myself, a colleague, the Service Principal itself) I get the following error:

New-AzADSpCredential : Insufficient privileges to complete the operation.
At X:\XXX\XXXX\XXXXX\Add-NewDmfCertificate.ps1:496 char:63
+ ... cipalName | New-AzADSpCredential -CertValue $credValue -StartDate $ce ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-AzADSpCredential], Exception
+ FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADSpCredentialCommand

azure-ad-app-registration

@PadillaHenry-6154 I just wanted to check if the answer below worked for you. If it helped, please accept it as the answer to help other members of the community.

amanpreetsingh-msft answered

@PadillaHenry-6154 You need to use the commands below for this purpose:

  1. Copy the certificate at C:\temp\cert.cer or specify your certificate path in step 6.

  2. Copy the Object ID of the App where you want to add the certificate. You would need this in the last command.

  3. Open PowerShell as administrator and run Install-Module AzureADPreview. If this module is already installed, you can skip this step.

  4. Run Connect-AzureAD and login with a user who has Global Administrator or Application Administrator role.

  5. $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 #create a new certificate object

  6. $cer.Import("C:\temp\cert.cer")

  7. $bin = $cer.GetRawCertData()

  8. $base64Value = [System.Convert]::ToBase64String($bin)

  9. $bin = $cer.GetCertHash()

  10. $base64Thumbprint = [System.Convert]::ToBase64String($bin)

  11. $keyid = [System.Guid]::NewGuid().ToString()

  12. New-AzureADApplicationKeyCredential -ObjectId 37fe33f9-xxxx-xxxx-xxxx-xxxxxxxxxxxx -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.GetEffectiveDateString()
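The steps above as one script, added here as an example and not part of the original answer. It assumes the AzureADPreview module and a session opened with Connect-AzureAD by a Global Administrator or Application Administrator (steps 3 and 4); the certificate path and the App Registration Object ID are placeholder parameters, not values from this thread. Beyond the answer's steps, it pins the key's EndDate to the certificate's own expiry, reads the credentials back to confirm the write, and flags other keys that are about to expire so the old certificate can be removed once clients have switched.

```powershell
# Added example (not from the original thread): add a certificate credential to an
# App Registration with the AzureADPreview module, then verify the result.
# Assumptions (placeholders, not values from the page):
#   $CertPath     - path to the public certificate (.cer) to upload
#   $AppObjectId  - Object ID of the App Registration (step 2)
param(
    [string]$CertPath    = 'C:\temp\cert.cer',
    [string]$AppObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder
)

# The key write needs a Connect-AzureAD session as Global Administrator or
# Application Administrator (step 4); otherwise it fails with "Insufficient
# privileges", which is the error shown in the question.
if (-not (Get-Module -ListAvailable -Name AzureADPreview)) {
    throw 'AzureADPreview module is not installed (see step 3).'
}
Import-Module AzureADPreview

# Load the certificate via the constructor (Import() is obsolete on newer .NET).
# Only the public portion is uploaded; the private key stays on the signing host.
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
if ($cer.HasPrivateKey) {
    throw 'Use the public .cer export; never upload a file that carries the private key.'
}
if ($cer.NotAfter -le (Get-Date)) {
    throw "Certificate $($cer.Thumbprint) is already expired ($($cer.NotAfter))."
}

# Same values the answer computes in steps 7 to 10.
$base64Value      = [System.Convert]::ToBase64String($cer.GetRawCertData())
$base64Thumbprint = [System.Convert]::ToBase64String($cer.GetCertHash())

# Explicit StartDate/EndDate taken from the certificate so the credential
# cannot outlive the certificate it represents.
New-AzureADApplicationKeyCredential -ObjectId $AppObjectId `
    -CustomKeyIdentifier $base64Thumbprint `
    -Type AsymmetricX509Cert -Usage Verify -Value $base64Value `
    -StartDate $cer.NotBefore -EndDate $cer.NotAfter

# Verify: the new thumbprint must now be listed on the application.
$keys   = Get-AzureADApplicationKeyCredential -ObjectId $AppObjectId
$newKey = $keys | Where-Object {
    $id = $_.CustomKeyIdentifier
    if ($id -is [byte[]]) { $id = [System.Convert]::ToBase64String($id) }
    $id -eq $base64Thumbprint
}
if (-not $newKey) { throw 'New certificate credential was not found after the write.' }
Write-Host "Added key $($newKey.KeyId), valid until $($newKey.EndDate)"

# Rotation hygiene: report the other credentials that expire within 30 days so the
# old certificate can be removed with Remove-AzureADApplicationKeyCredential once
# every client has switched to the new one.
$keys |
    Where-Object { $_.KeyId -ne $newKey.KeyId -and $_.EndDate -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning "Key $($_.KeyId) expires $($_.EndDate); remove it after cutover." }
```

Run it from an elevated PowerShell session after Connect-AzureAD, passing -CertPath and -AppObjectId for your own app. The readback is the useful part: a key write that succeeds but is not listed afterwards usually means the command ran against the wrong object (a Service Principal Object ID instead of the App Registration Object ID, or the reverse).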


Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.



MarcKassay-8334 answered

Cross-post on Stack Overflow.
