Managing Azure AD Application for Key Vault

This post looks into the life cycle of managing an Azure AD application that is used to secure access to Key Vault.

Rahul Pulikkot Nath


Please check here for scripts using the latest PowerShell cmdlets.

Access to the Key Vault is secured using an Azure AD application token, as we saw in 'Authenticating a Client Application with Azure Key Vault'. Quite often administrators need to manage the AD application that was created: creating new AD applications, changing the certificate used to authenticate as the AD application, removing a certificate, or even deleting an application. All of these are possible using PowerShell, and administrators can run them as part of their automation scripts. With the latest Azure PowerShell version (0.9.2 or higher), the Key Vault cmdlets are included automatically and do not require any additional installation. For managing the Azure AD application we need to install the Azure AD module for PowerShell and import it into the PowerShell session.

Creating AD application

The New-AzureADApplication cmdlet is used to create a new Azure AD application. It also allows the certificate used to authenticate as the AD application to be specified at creation time. This can be done as a separate step if required, which is shown later in the post.

First we need a certificate to authenticate against the AD application; the commands below (makecert and pvk2pfx, which ship with the Windows SDK) generate a test certificate. The -r switch makes it self-signed and the private key in the PFX is protected only by the password given to -po, so this is suitable for testing only.

makecert -sv mykey.pvk -n "cn=AD Test Vault Application" ADTestVaultApplication.cer -b 03/03/2014 -e 06/05/2017 -r -len 2048
pvk2pfx -pvk mykey.pvk -spc ADTestVaultApplication.cer -pfx ADTestVaultApplication.pfx -po test

The public part of this certificate (the .cer file) is then used to create the AD application using the script below. Only the public certificate is sent to Azure AD; the PFX with the private key stays with the client that will authenticate.

$certificateFilePath = "C:\certificates\ADTestVaultApplication.cer"
# Load the public certificate from the .cer file (the original constructed an empty certificate and never read the file)
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificateFilePath)
$rawCertificateData = $certificate.GetRawCertData()
$credential = [System.Convert]::ToBase64String($rawCertificateData)
# The credential validity should lie within the certificate's own NotBefore/NotAfter window
$startDate = [System.DateTime]::Now
$endDate = $startDate.AddYears(1)
# Backticks continue the command across lines; replace the empty HomePage and IdentifierUris with your application's URIs
$adApplication = New-AzureADApplication -DisplayName "KeyVaultADApplication" `
  -HomePage "" -IdentifierUris "" `
  -KeyValue $credential -KeyType "AsymmetricX509Cert" -KeyUsage "Verify" `
  -StartDate $startDate -EndDate $endDate

To let the application access the Key Vault, create a service principal for it with New-AzureADServicePrincipal and then grant that principal an access policy on the vault with Set-AzureKeyVaultAccessPolicy. The example below grants all key and secret permissions; in practice grant only the operations the application needs (for example -PermissionsToKeys get,decrypt -PermissionsToSecrets get).

$servicePrincipal = New-AzureADServicePrincipal -ApplicationId $adApplication.ApplicationId
Set-AzureKeyVaultAccessPolicy -VaultName 'KeyVaultRahul' -ObjectId $servicePrincipal.Id -PermissionsToKeys all -PermissionsToSecrets all
$servicePrincipal.ApplicationId # Outputs the ServicePrincipalName/AppPrincipalId used to identify the principal below

Adding a Certificate

The New-MsolServicePrincipalCredential cmdlet adds a new credential to a service principal. The service principal is identified by one of: object ID, app principal ID, or service principal name (SPN). This cmdlet comes from the MSOnline module, so connect with Connect-MsolService first.

$msolCredentials = Get-Credential
Connect-MsolService -Credential $msolCredentials
$certificateFilePath = "C:\certificates\ADTestVaultApplicationNew.cer"
# Load the new public certificate from the .cer file
$x509Certificate2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificateFilePath)
$rawCertData = $x509Certificate2.GetRawCertData()
$credentialValue = [System.Convert]::ToBase64String($rawCertData)
$startDate = [System.DateTime]::Now
$endDate = $startDate.AddYears(1)
New-MsolServicePrincipalCredential -ServicePrincipalName $servicePrincipal.ApplicationId -Type Asymmetric -Value $credentialValue -StartDate $startDate -EndDate $endDate

Removing a Certificate

Whenever a credential is compromised, or as part of regular credential refresh, administrators want to remove an old certificate and replace it with a new one. The Remove-MsolServicePrincipalCredential cmdlet removes a credential from a service principal, given the key ID of the credential and the object ID/app principal ID/service principal name of the service principal. Get-MsolServicePrincipalCredential returns the list of credentials associated with a service principal, including their key IDs. The script below removes the first credential returned; you could loop through and remove all. Do not rely on a credential's position in that list in a real rotation: identify the one to remove by its KeyId (or its StartDate/EndDate), and register the replacement certificate before removing the old one so that running clients are not locked out.

$servicePrincipalCredential = Get-MsolServicePrincipalCredential -ServicePrincipalName $ServicePrincipal.ApplicationId -ReturnKeyValues 0
Remove-MsolServicePrincipalCredential -ServicePrincipalName $ServicePrincipal.ApplicationId -KeyIds $servicePrincipalCredential[0].KeyId
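The full rotation, tying together the certificate generation, the "Adding a Certificate" and the "Removing a Certificate" steps, as an added example that is not code from the original post. It assumes the MSOnline module is imported and Connect-MsolService has already succeeded, uses New-SelfSignedCertificate (built into Windows 8/Server 2012 and later) in place of makecert, and the application ID, subject name, export folder and PFX password are placeholders to replace. Old credentials are snapshotted by KeyId before the new one is added, so nothing is removed by list position and the newly added credential is never touched:

```powershell
# Added example (not from the original post). Assumes: MSOnline module imported,
# Connect-MsolService already run; $appId, $subject, $certDir are placeholders.
Import-Module MSOnline

$appId   = "00000000-0000-0000-0000-000000000000"   # ApplicationId / AppPrincipalId of the service principal (placeholder)
$subject = "CN=AD Test Vault Application"
$certDir = "C:\certificates"
$pfxPass = Read-Host -AsSecureString -Prompt "PFX export password"

# 1. Generate the replacement certificate. The private key is created in the user store
#    and leaves the machine only through the password-protected PFX export.
$newCert = New-SelfSignedCertificate -Subject $subject `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyLength 2048 -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)
Export-Certificate    -Cert $newCert -FilePath (Join-Path $certDir "ADTestVaultApplicationNew.cer") | Out-Null
Export-PfxCertificate -Cert $newCert -FilePath (Join-Path $certDir "ADTestVaultApplicationNew.pfx") -Password $pfxPass | Out-Null

# 2. Snapshot the credentials that exist now; these are the ones to retire later.
$oldKeyIds = @(Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $false |
               ForEach-Object { $_.KeyId })

# 3. Register only the public certificate (DER bytes, base64-encoded) as an asymmetric
#    credential, with a validity window bounded by the certificate's own dates.
$credentialValue = [Convert]::ToBase64String($newCert.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $appId -Type Asymmetric -Usage Verify `
    -Value $credentialValue -StartDate $newCert.NotBefore -EndDate $newCert.NotAfter

# 4. Verify the new credential is present before touching the old ones. The new one is
#    whichever KeyId was not in the snapshot; if it is missing, stop and leave the old
#    credentials in place rather than lock the application out.
$current = @(Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $false)
$newCred = $current | Where-Object { $oldKeyIds -notcontains $_.KeyId }
if (-not $newCred) { throw "New credential was not registered; old credentials left in place." }

# 5. Deploy the new PFX to the clients and switch them over here, then retire every
#    credential captured in the snapshot. Removing by KeyId never removes the one just added.
$retire = @($oldKeyIds | Where-Object { $_ -ne $newCred.KeyId })
if ($retire.Count -gt 0) {
    Remove-MsolServicePrincipalCredential -AppPrincipalId $appId -KeyIds $retire
}
"Rotated to certificate thumbprint $($newCert.Thumbprint); removed $($retire.Count) old credential(s)."
```

In a compromise scenario, run steps 1 to 4, cut the clients over, and only then run step 5; if the compromised certificate must go immediately, remove its KeyId first and accept the outage for any client still using it.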

Delete an application

The Remove-MsolServicePrincipal cmdlet removes a service principal from Microsoft Azure Active Directory, identified by object ID/app principal ID/service principal name. Note that this removes only the service principal: the application registration remains, and the Key Vault access policy entry for the deleted object ID stays on the vault until it is removed with Remove-AzureKeyVaultAccessPolicy.

Remove-MsolServicePrincipal -ObjectId <Guid>
Remove-MsolServicePrincipal -AppPrincipalId <Guid>
Remove-MsolServicePrincipal -ServicePrincipalName <string>

Managing the AD application is an important and necessary part of the life cycle of a Key Vault, as access to the Vault is controlled through it. Certificates securing the AD application should be rolled regularly, and application permissions should be reviewed often to make sure that every application has only the permissions it requires.
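A review script for the vault's access policies, as an added example that is not code from the original post. It assumes the Azure PowerShell module with the Key Vault cmdlets (0.9.2 or later, as required above) is loaded and the session is signed in, and that Get-AzureKeyVault returns the policies in its AccessPolicies property; the vault name and the lists of "broad" operations are placeholders to tune for your environment:

```powershell
# Added example (not from the original post). Assumes the Azure PowerShell Key Vault
# cmdlets are loaded and the session is signed in; $vaultName is a placeholder.
$vaultName = "KeyVaultRahul"
$vault = Get-AzureKeyVault -VaultName $vaultName

# A policy is flagged if it holds the 'all' wildcard or any operation that changes or
# destroys material. Adjust these lists to what your applications genuinely need.
$broadKeyOps    = @('all', 'delete', 'backup', 'restore', 'update', 'create', 'import')
$broadSecretOps = @('all', 'delete', 'set')

$findings = foreach ($policy in $vault.AccessPolicies) {
    $keyHits    = @($policy.PermissionsToKeys    | Where-Object { $broadKeyOps    -contains $_ })
    $secretHits = @($policy.PermissionsToSecrets | Where-Object { $broadSecretOps -contains $_ })
    if ($keyHits.Count -gt 0 -or $secretHits.Count -gt 0) {
        [pscustomobject]@{
            ObjectId          = $policy.ObjectId
            ApplicationId     = $policy.ApplicationId
            BroadKeyRights    = ($keyHits    -join ',')
            BroadSecretRights = ($secretHits -join ',')
        }
    }
}

if ($findings) {
    "Policies on $vaultName granting broad rights:"
    $findings | Format-Table -AutoSize
} else {
    "No broad grants found on $vaultName."
}

# To tighten a flagged policy, re-issue it with the minimal set the client uses, e.g. a
# service that only unwraps data keys and reads secrets:
# Set-AzureKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $objectId -PermissionsToKeys get,unwrapKey -PermissionsToSecrets get
```

Set-AzureKeyVaultAccessPolicy replaces the principal's existing permissions rather than adding to them, so re-issuing it with the narrower list is the whole fix.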
