Can I provide my own client secret either from the portal or via command line - while adding a New Client Secret?
It is possible. If you want to create a new client secret, just use the --append parameter with az ad app credential reset:
az ad app credential reset --id "<application id or object id>" --password "stackoverflowrocks!" --append
I used this command to create a client secret,
az ad sp create-for-rbac -n my_app --years 99
but I found this command will create a new secret named "rbac" to override the old secret as below.
I want to create a new secret with a specific "Description", but I have not found any way in doc to do that.
I tried to reproduce the same in my environment and got the results below:
I ran the same command as you and got the same response with rbac in Description, like below:
az ad sp create-for-rbac -n my_app --years 99
To get these results from Azure CLI, you can use below command:
az ad app credential list --id <ApplicationID>
Response:
To create a new secret with a specific "Description", you can make use of below command:
az ad app credential reset --id <ApplicationID> --display-name <Enter description here> --append
I ran the above command and created a new secret with a description.
When I tried to list the secrets of that application, I got both client secret details successfully like below:
az ad app credential list --id <ApplicationID>
Response:
When I checked the same in Azure Portal, I can see the new client secret with description like below:
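An added example, not part of the answer above: once the secrets of an application have been listed with az ad app credential list, a defender usually wants to audit them for undescribed defaults (the "rbac" name), expiry, and over-long validity such as the --years 99 secret in the question. The JSON below is constructed in the shape of the Microsoft Graph passwordCredential fields (displayName, keyId, endDateTime); the field names and values are assumptions, not real output.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az ad app credential list` output
# (Graph passwordCredential fields); not real output from any tenant.
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "rbac", "keyId": "11111111-1111-1111-1111-111111111111",
     "endDateTime": "2099-01-01T00:00:00Z"},
    {"displayName": "ci-pipeline", "keyId": "22222222-2222-2222-2222-222222222222",
     "endDateTime": "2024-01-15T00:00:00Z"},
    {"displayName": None, "keyId": "33333333-3333-3333-3333-333333333333",
     "endDateTime": "2024-02-20T00:00:00Z"},
])
# Fixed "now" so the audit result is reproducible; a real run would use datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)


def _parse_end(value):
    # Graph returns ISO 8601 with a trailing Z; turn it into a timezone-aware datetime.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credentials(raw_json, now, max_remaining_days=365, warn_within_days=30):
    """Return (keyId, issue) findings for an application's password credentials.

    Flags: missing or default "rbac" description (hard to attribute to an owner),
    expired or soon-expiring secrets, and secrets whose remaining validity is
    longer than max_remaining_days (e.g. created with --years 99).
    """
    findings = []
    for cred in json.loads(raw_json):
        key_id = cred["keyId"]
        end = _parse_end(cred["endDateTime"])
        name = cred.get("displayName")
        if not name or name == "rbac":
            findings.append((key_id, "missing or default description"))
        if end <= now:
            findings.append((key_id, "expired"))
        elif end - now <= timedelta(days=warn_within_days):
            findings.append((key_id, "expires within %d days" % warn_within_days))
        if end - now > timedelta(days=max_remaining_days):
            findings.append((key_id, "remaining validity exceeds %d days" % max_remaining_days))
    return findings


def audit_sample():
    return audit_credentials(SAMPLE_CREDENTIALS, SAMPLE_NOW)


if __name__ == "__main__":
    for key_id, issue in audit_sample():
        print(key_id, issue)
```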
I am following the guide https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?toc=%2Fazure%2Fazure-resource-manager%2Ftoc.json&view=azure-cli-latest
to create a service principal to be able to use in shell scripts.
az ad sp create-for-rbac --name ServicePrincipalName --create-cert --cert CertName --keyvault VaultName
Using the above I stored the created certificate in a keyvault.
I could not figure out how to use the new sp, however.
What I see from the doc is:
az login --service-principal --username APP_ID --tenant TENANT_ID --password /path/to/cert
But this is not working even though I downloaded the cert and private key from the keyvault.
How can I tell login to fetch the key from keyvault?
Clarification (update):
If there's really no way to use keyvault for service principal login, then I really wonder what the point is of the two statements in that official doc suggesting that way:
1)
The --keyvault argument can be added to use a certificate in Azure Key
Vault. In this case, the --cert value is the name of the certificate.
az ad sp create-for-rbac --name ServicePrincipalName --cert CertName --keyvault VaultName
2)
For certificates stored in Key Vault, retrieve the certificate's
private key with az keyvault secret show. In Key Vault, the name of
the certificate's secret is the same as the certificate name. If you
lose access to a certificate's private key, reset the service
principal credentials.
If you use az login -h, you can see a sample of using a certificate:
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
So you need:
-u the id of the service principal
-p the certificate file
--tenant (or -t) the Azure AD tenant id
I don't think it can use a certificate in Key Vault to log in, as you need to be logged in to get a token to call Key Vault.
Bit of a chicken and egg problem :)
We have a multi-tenant application in our Azure AD tenant. It is authorized in some other tenants (we know which ones). And it has multiple certificates registered to it to be used as client credentials.
We want to remove the certificates from the local stores and use a certificate in the key vault to request a token for one of the external tenants. According to the documentation this is one of the use cases.
Our tenant (id: xxxx):
Has app registration (app id: abcd-xxx-xxxx-xxx)
has keyvault
has managed service principal (with access to the key vault)
other tenant (id: yyyy):
Executed Admin consent for our application.
Question 1:
How do I create a certificate in the Key vault that is connected to an existing application (app id: abcd-xxx-xxxx-xxx)? It is important to note that since the application is already approved by several third party admins, it cannot be recreated. The same goes for creating a new certificate after it has expired.
Question 2:
How do I set up the Microsoft.Azure.Services.AppAuthentication library to:
Use the managed identity to access the key vault in our tenant (xxxx).
Use the certificate in the key vault to request a token for our app (abcd-xxx-xxxx-xxx) in the other company's tenant (yyyy)
Answer 1:
You could use az ad sp credential reset command like below. If you don't want to overwrite the existing certificate of the App, please pass the --append parameter.
az ad sp credential reset --name '<application-id>' --keyvault joykeyvault --cert cer136 --create-cert --append
Answer 2:
1. To use the MSI to access the keyvault in your tenant, just use the code below.
No code changes are required: when you run your code on an Azure App Service or an Azure VM with a managed identity enabled, the library automatically uses the managed identity; see this link.
The environment variable AzureServicesAuthConnectionString has to be set to any credential with access to the keyvault: RunAs=Developer; DeveloperTool=AzureCli for dev, or RunAs=App; for managed service identity (automatically in Azure).
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// Instantiate a new KeyVaultClient object, with an access token to Key Vault
var azureServiceTokenProvider1 = new AzureServiceTokenProvider();
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider1.KeyVaultTokenCallback));
2. If you want to use the service principal along with its certificate stored in the keyvault to get the token for the resources in another tenant, the connection string on the AzureServiceTokenProvider has to be set to RunAs=App;AppId={TestAppId};KeyVaultCertificateSecretIdentifier={KeyVaultCertificateSecretIdentifier}; then you can get tokens for other tenants like this:
const string appWithCertConnection = "RunAs=App;AppId={TestAppId};KeyVaultCertificateSecretIdentifier=https://myKeyVault.vault.azure.net/secrets/myCert";
Then use the code to get the token, e.g. for the resource https://management.azure.com/.
var azureServiceTokenProvider2 = new AzureServiceTokenProvider(appWithCertConnection);
string accessToken = await azureServiceTokenProvider2.GetAccessTokenAsync("https://management.azure.com/", "tenant-id-of-third-party-tenant").ConfigureAwait(false);
How can I use AZ commands to create client secret the same way I can do it from the portal?
You are looking for az ad app credential reset; it appends or overwrites an application's password (i.e. client secret) or certificate credentials.
az ad app credential reset --id
[--append]
[--cert]
[--create-cert]
[--credential-description]
[--end-date]
[--keyvault]
[--password]
[--years]
Sample (you can also specify other parameters; it depends on you):
az ad app credential reset --id xxxxxxxxxxxx --append
When attempting to get an access token for a custom AD Application, using az account get-access-token --resource '<APP ID Uri>', I receive the following error:
AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.
04b07795-8ddb-461a-bbee-02f9e1bf7b46 is not my application id, and my application has had administrator consent granted. I've tried putting this id in an interactive login request with no change in behavior.
get-access-token works fine when the resource is a defined MS endpoint like https://database.windows.net or https://vault.azure.net/
My goal is to have Azure App Services with Managed Service Identity authenticating to each other with short-lived AD bearer tokens. Each service has a configured audience that corresponds to the AD App.
Running az account get-access-token --resource '<APP ID Uri>' from the local CLI, you are trying to get a token for '<APP ID Uri>' using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
To handle this you could go to:
Azure Active Directory → App registrations → {your app} → Expose an API → Add client application with:
ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Authorized scopes: check '<APP ID Uri>'
To make sure you have the right ID, you could run az account get-access-token, paste the token into jwt.io and find the value of "appid".
Documentation reference:
Application IDs for commonly used Microsoft applications
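An added example, not part of the answer above: the "appid" check the answer suggests doing on jwt.io can be done offline, which avoids pasting a live bearer token into a third-party website. The code decodes the payload of a JWT without verifying its signature (inspection only, exactly like jwt.io; it must never be used to trust a token) and reports whether the token was issued to the Azure CLI client and whether its audience is the expected APP ID Uri. The sample token is constructed; only the Azure CLI application id comes from the page.

```python
import base64
import json

# Azure CLI's first-party application id, as quoted in the AADSTS65001 error above.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return the payload claims of a compact JWT. The signature is NOT verified:
    this is for looking at claims, not for accepting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_client(token, expected_audience):
    """Report which client the token was issued to and whether aud matches the APP ID Uri."""
    claims = decode_jwt_claims(token)
    return {
        "appid": claims.get("appid"),
        "issued_by_azure_cli": claims.get("appid") == AZURE_CLI_APP_ID,
        "audience_matches": claims.get("aud") == expected_audience,
    }


def _make_unsigned_jwt(claims):
    # Builds a constructed, unsigned token for the demo (header.payload. with an empty signature).
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample: a token the CLI might obtain for a custom app (values are placeholders).
SAMPLE_TOKEN = _make_unsigned_jwt({
    "aud": "api://example-custom-app",
    "appid": AZURE_CLI_APP_ID,
    "tid": "00000000-0000-0000-0000-000000000000",
})

if __name__ == "__main__":
    print(check_token_client(SAMPLE_TOKEN, "api://example-custom-app"))
```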
I can reproduce your issue with --resource '<APP ID Uri>' if I log in to the CLI with a user account.
If I log in with a service principal, it works fine.
You could try to log in to the Azure CLI with a service principal; refer to this link.