How to use New-AzADSpCredential to add certificate credentials

Padilla, Henry 1 Reputation point
2019-12-12T12:25:07.467+00:00

I am using App Registrations to deploy resources and the certificate is expiring. I am trying to write a script to add a new cert to extend the life of this Service Principal, but no matter who I log in as (myself, a colleague, the Service Principal itself) I get the following error:

New-AzADSpCredential : Insufficient privileges to complete the operation.
At X:\XXX\XXXX\XXXXX\Add-NewDmfCertificate.ps1:496 char:63
+ ... cipalName | New-AzADSpCredential -CertValue $credValue -StartDate $ce ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [New-AzADSpCredential], Exception
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ActiveDirectory.NewAzureADSpCredentialCommand

2 answers

  1. AmanpreetSingh-MSFT 56,726 Reputation points
    2019-12-13T05:06:42.353+00:00

    @Padilla, Henry You need to use the below commands for this purpose:

    1. Copy the certificate to C:\temp\cert.cer, or specify your own certificate path in step 6.
    2. Copy the Object ID of the App where you want to add the certificate. You will need it in the last command.
    3. Open PowerShell as administrator and run Install-Module AzureADPreview. If this module is already installed, you can skip this step.
    4. Run Connect-AzureAD and log in with a user who has the Global Administrator or Application Administrator role.
    5. $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2   # create an empty certificate object
    6. $cer.Import("C:\temp\cert.cer")   # load the public certificate (.cer) from step 1
    7. $bin = $cer.GetRawCertData()   # DER-encoded bytes of the certificate
    8. $base64Value = [System.Convert]::ToBase64String($bin)   # this is the value uploaded as the key credential
    9. $bin = $cer.GetCertHash()   # thumbprint bytes
    10. $base64Thumbprint = [System.Convert]::ToBase64String($bin)   # stored as CustomKeyIdentifier so the credential can be matched to the certificate later
    11. $keyid = [System.Guid]::NewGuid().ToString()   # not used by the command in step 12
    12. New-AzureADApplicationKeyCredential -ObjectId 37fe33f9-xxxx-xxxx-xxxx-xxxxxxxxxxxx -CustomKeyIdentifier $base64Thumbprint -Type AsymmetricX509Cert -Usage Verify -Value $base64Value -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()   # -EndDate pins the credential's validity to the certificate's expiry instead of leaving it to the default

    -----------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    0 comments No comments
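The procedure in the answer above uses the AzureAD module and adds the certificate to the application object. The same rotation can be done with the Az module the question was using, against the service principal, which is what the asker's script was attempting. The script below is an added example, not code from the question or the answer. It assumes the current Microsoft Graph-based Az.Resources module is installed, that Connect-AzAccount has already been run as an owner of the application or as a user holding the Application Administrator role (the "Insufficient privileges" error in the question is what you get when neither is true), and that the service principal name and certificate path passed to it are placeholders you replace with your own. It adds the guard rails a rotation script should have: it refuses a file that carries a private key, refuses an expired certificate, pins the credential's validity to the certificate's own validity, and lists the credentials afterwards so the old one can be removed once nothing uses it any more.

```powershell
# Added example (not from the original question or answer): rotate a service principal's
# certificate credential with the Az module.
# Assumptions: Az.Resources (Microsoft Graph-based) is installed; Connect-AzAccount has been run
# as an application owner or an Application Administrator; $ServicePrincipalName and $CertPath
# are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalName,   # e.g. the app (client) ID or an app ID URI
    [Parameter(Mandatory)] [string] $CertPath                # public certificate only (.cer / .crt)
)

$ErrorActionPreference = 'Stop'

if (-not (Get-AzContext)) {
    throw 'Not signed in. Run Connect-AzAccount first.'
}

# Load the certificate via the constructor; it works on Windows PowerShell 5.1 and PowerShell 7,
# whereas X509Certificate2.Import() is obsolete on newer .NET.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. Only the public certificate belongs in the directory. Never upload a file with a private key.
if ($cert.HasPrivateKey) {
    throw "$CertPath contains a private key; export the public certificate (.cer) and retry."
}

# 2. Do not register a certificate that is already expired; warn if it is not yet valid.
$now = Get-Date
if ($cert.NotAfter -le $now) {
    throw "Certificate expired on $($cert.NotAfter); issue a new one before rotating."
}
if ($cert.NotBefore -gt $now) {
    Write-Warning "Certificate is not valid until $($cert.NotBefore); sign-ins will fail until then."
}

# 3. Resolve the service principal the credential will be attached to.
$sp = Get-AzADServicePrincipal -ServicePrincipalName $ServicePrincipalName
if (-not $sp) {
    throw "Service principal '$ServicePrincipalName' not found (or not visible to this account)."
}

# -CertValue takes the base64-encoded DER bytes of the public certificate.
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())

# 4. Add the new credential alongside the existing one so running deployments keep working
#    until their callers have switched to the new certificate. Pinning -StartDate/-EndDate to
#    the certificate's own validity means the credential cannot outlive the certificate.
$cred = New-AzADSpCredential -ObjectId $sp.Id -CertValue $certValue `
            -StartDate $cert.NotBefore -EndDate $cert.NotAfter

Write-Host "Added credential $($cred.KeyId) for thumbprint $($cert.Thumbprint)"

# 5. Review everything now attached to the service principal. Once the new certificate is in use,
#    retire the old one with:  Remove-AzADSpCredential -ObjectId $sp.Id -KeyId <old KeyId>
Get-AzADSpCredential -ObjectId $sp.Id | Format-List
```

Run it as `.\Rotate-SpCertificate.ps1 -ServicePrincipalName <app ID> -CertPath .\new-cert.cer` (file name is the caller's choice). The order matters: add first, switch consumers, then remove the old key ID; removing first produces an outage for every pipeline still presenting the old certificate.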

  2. Marc Kassay 1 Reputation point
    2019-12-16T20:49:43.353+00:00

    Cross-post on Stack Overflow.

    0 comments No comments
