Geek Answers Handbook

Azure AD adds keys through the Azure CLI

I am trying to add a key to my Azure AD application using the Azure CLI. But, looking through the Azure CLI API, it seems that there is no such command.

For exmaple:

I am trying to automate a task from the link below via the Azure CLI: http://blog.davidebbo.com/2014/12/azure-service-principal.html

I can create an AD application, a service principal, but I cannot find a way to add a key for a new creation of an AD application.

I would be grateful for any ideas and guidance :)

Thanks in advance!

+7
azure azure-active-directory azure-ad-graph-api azure-cli
source share
2 answers

For a new AD application, you can specify the -p switch when creating. For example,

 azure ad app create -n <your application name> --home-page <the homepage of you application> -i <the identifier URI of you application> -p <your key>

For an existing AD application, of course, the Graph API can update the credentials of the AD Application. Read this API link and you will see that password credentials can use "POST, GET, PATCH". However, it is too difficult to use the Graph API. I checked the Azure CLI. This functionality has not yet been implemented, and the source is not readable to me. Then I looked at the Azure SDK for Python, because I am familiar with python, and I found out that they already implemented it in 2.0.0rc2. See GitHub Repo

I wrote a python script. But to use my script you need to install not only azure2.0.0rc2, but also msrest and msrestazure.

 from azure.common.credentials import UserPassCredentials from azure.graphrbac import GraphRbacManagementClient, GraphRbacManagementClientConfiguration from azure.graphrbac.models import ApplicationCreateParameters, PasswordCredential credentials = UserPassCredentials("<your Azure Account>", "<your password>") subscription_id = "<your subscription id>" tenant_id = "<your tenant id>" graphrbac_client = GraphRbacManagementClient( GraphRbacManagementClientConfiguration( credentials, subscription_id, tenant_id ) ) application = graphrbac_client.application.get('<your application object id>') passwordCredential = PasswordCredential(start_date="2016-04-13T06:08:04.0863895Z", end_date="2018-04-13T06:08:04.0863895Z", value="<your new key>") parameters = ApplicationCreateParameters(application.available_to_other_tenants, application.display_name, "<the homepage of your AD application>", application.identifier_uris, reply_urls=application.reply_urls, password_credentials = [passwordCredential]) application = graphrbac_client.application.update('<your application object id>', parameters)

The only problem with this script is that you can only override all existing keys of your AD application. You cannot add a new key. This is a problem of the Graph API. The Graph API does not allow users to read an existing key. One possible solution would be to store your existing keys in a different place. But this will bring an additional security risk.

+2
source share

I have no experience automating adding a key, I'm not sure that you can even be honest. However, look at the ApplicationEntity documentation in the Graph API, perhaps this will be possible with a POST request for the web service.

+1
source share

More articles:


All Articles