New-EntraApplicationKeyCredential

Creates a key credential for an application.

Syntax

New-EntraApplicationKeyCredential
   -ApplicationId <String>
   [-CustomKeyIdentifier <String>]
   [-Type <KeyType>]
   [-Usage <KeyUsage>]
   [-Value <String>]
   [-EndDate <DateTime>]
   [-StartDate <DateTime>]
   [<CommonParameters>]

Description

The New-EntraApplicationKeyCredential cmdlet creates a key credential for an application.

An application can use this command along with Remove-EntraApplicationKeyCredential to automate the rolling of its expiring keys.

As part of the request validation, proof of possession of an existing key is verified before the action can be performed.

Examples

Example 1: Create a new application key credential

Connect-Entra -Scopes 'Application.ReadWrite.All','Application.ReadWrite.OwnedBy'
$application = Get-EntraApplication -Filter "DisplayName eq 'Contoso Helpdesk Application'"
$params = @{
    ApplicationId = $application.Id
    CustomKeyIdentifier = 'EntraPowerShellKey'
    StartDate = '2024-03-21T14:14:14Z'
    Type = 'Symmetric'
    Usage = 'Sign'
    Value = '<my-value>'
}
New-EntraApplicationKeyCredential @params

CustomKeyIdentifier : {84, 101, 115, 116}
EndDate             : 2024-03-21T14:14:14Z
KeyId               : aaaaaaaa-0b0b-1c1c-2d2d-333333333333
StartDate           : 2025-03-21T14:14:14Z
Type                : Symmetric
Usage               : Sign
Value               : {49, 50, 51}

This example creates a symmetric signing key for the application (Type 'Symmetric', Usage 'Sign').

  • -ApplicationId Specifies a unique ID of an application.
  • -CustomKeyIdentifier Specifies a custom key ID.
  • -StartDate Specifies the time when the key becomes valid as a DateTime object.
  • -Type Specifies the type of the key.
  • -Usage Specifies the key usage. For AsymmetricX509Cert the usage must be Verify, and for X509CertAndPassword the usage must be Sign.
  • -Value Specifies the value for the key.

You can use the Get-EntraApplication cmdlet to retrieve the application Object ID.

Example 2: Use a certificate to add an application key credential

Connect-Entra -Scopes 'Application.ReadWrite.All','Application.ReadWrite.OwnedBy'
$application = Get-EntraApplication -Filter "DisplayName eq 'Contoso Helpdesk Application'"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 # create a new certificate object
$cer.Import('C:\Users\ContosoUser\appcert.cer')                                    # .cer file: public certificate only, no private key
$bin = $cer.GetRawCertData()                                                       # DER-encoded public certificate
$base64Value = [System.Convert]::ToBase64String($bin)
$bin = $cer.GetCertHash()                                                          # certificate thumbprint (hash)
$base64Thumbprint = [System.Convert]::ToBase64String($bin)
$keyid = [System.Guid]::NewGuid().ToString()

$params = @{
    ApplicationId = $application.Id
    CustomKeyIdentifier = $base64Thumbprint
    Type = 'AsymmetricX509Cert'
    Usage = 'Verify'
    Value = $base64Value
    StartDate = $cer.GetEffectiveDateString()
    EndDate = $cer.GetExpirationDateString()
}
New-EntraApplicationKeyCredential @params

This example creates an application key credential from a certificate file. Only the public certificate data is registered with Entra ID; the private key stays with the application.

  • -ApplicationId Specifies a unique ID of an application.
  • -CustomKeyIdentifier Specifies a custom key ID.
  • -StartDate Specifies the time when the key becomes valid as a DateTime object.
  • -EndDate Specifies the time when the key becomes invalid as a DateTime object.
  • -Type Specifies the type of the key.
  • -Usage Specifies the key usage. For AsymmetricX509Cert the usage must be Verify, and for X509CertAndPassword the usage must be Sign.
  • -Value Specifies the value for the key.
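
Example 3 (added here; not part of the Microsoft reference): roll a certificate credential from the local certificate store and report remaining key lifetimes

The script below is an added example, not code from the Microsoft Entra PowerShell project. It assumes a replacement certificate with the given thumbprint exists in Cert:\CurrentUser\My, that Get-EntraApplication accepts -ApplicationId and returns an object with a KeyCredentials collection (entries with KeyId and EndDateTime), and that Remove-EntraApplicationKeyCredential takes -ApplicationId and -KeyId; the thumbprint and key ID values are placeholders.

```powershell
# Added example: register a new certificate credential and list key lifetimes.
# Assumptions: cert in Cert:\CurrentUser\My with $thumbprint; KeyCredentials
# collection on the application object; placeholders marked with <...>.
Connect-Entra -Scopes 'Application.ReadWrite.All','Application.ReadWrite.OwnedBy'

$appDisplayName = 'Contoso Helpdesk Application'
$thumbprint     = '<new-cert-thumbprint>'   # placeholder: replacement certificate
$warnDays       = 30                        # flag keys expiring within this window

$application = Get-EntraApplication -Filter "DisplayName eq '$appDisplayName'"
if (-not $application) { throw "Application '$appDisplayName' not found." }

# Load the certificate from the store; the private key never leaves it.
# Only the public certificate bytes are sent to Entra ID.
$cert = Get-Item "Cert:\CurrentUser\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Replacement certificate has no private key.' }

$now = [DateTime]::UtcNow
if ($cert.NotAfter.ToUniversalTime() -le $now) { throw 'Replacement certificate is already expired.' }

$publicCertBase64 = [System.Convert]::ToBase64String($cert.GetRawCertData())  # public cert only
$thumbprintBase64 = [System.Convert]::ToBase64String($cert.GetCertHash())     # hash as CustomKeyIdentifier

$params = @{
    ApplicationId       = $application.Id
    CustomKeyIdentifier = $thumbprintBase64
    Type                = 'AsymmetricX509Cert'
    Usage               = 'Verify'
    Value               = $publicCertBase64
    StartDate           = $cert.NotBefore.ToUniversalTime()   # DateTime, not a string
    EndDate             = $cert.NotAfter.ToUniversalTime()
}
$newKey = New-EntraApplicationKeyCredential @params
Write-Host "Registered key $($newKey.KeyId), valid until $($newKey.EndDate)"

# Re-read the application and show every key with its remaining lifetime, so the
# old key is removed only after clients have switched to the new one.
$application = Get-EntraApplication -ApplicationId $application.Id
foreach ($key in $application.KeyCredentials) {
    $daysLeft = [int]([DateTime]$key.EndDateTime - $now).TotalDays
    $status = if ($daysLeft -lt 0) { 'EXPIRED' }
              elseif ($daysLeft -le $warnDays) { 'EXPIRING' }
              else { 'ok' }
    Write-Host ('{0,-40} {1,6} days  {2}' -f $key.KeyId, $daysLeft, $status)
}

# Once nothing authenticates with an expired key, remove it by KeyId from the listing:
# Remove-EntraApplicationKeyCredential -ApplicationId $application.Id -KeyId '<expired-key-id>'
```

Keeping the old credential registered until the listing shows clients have moved to the new KeyId avoids an outage during rotation, and the EXPIRED/EXPIRING flags give a simple audit of stale keys left on the application.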

Parameters

-ApplicationId

Specifies a unique ID of an application in Microsoft Entra ID.

Type:System.String
Aliases:ObjectId
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-CustomKeyIdentifier

Specifies a custom key ID.

Type:System.String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-EndDate

Specifies the time when the key becomes invalid as a DateTime object.

Type:System.DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-StartDate

Specifies the time when the key becomes valid as a DateTime object.

Type:System.DateTime
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Type

Specifies the type of the key.

Type:KeyType
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Usage

Specifies the key usage.

  • AsymmetricX509Cert: The usage must be Verify.
  • X509CertAndPassword: The usage must be Sign.

Type:KeyUsage
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-Value

Specifies the value for the key.

Type:System.String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False