使用Azure PowerShell证书身份验证在Azure AD中创建应用程序

时间:2016-02-25 22:55:42

标签: azure certificate azure-active-directory azure-powershell azure-keyvault

我尝试使用Azure PowerShell证书身份验证在Azure AD中创建应用程序,下面是Powershell代码段:

Login-AzureRmAccount
$cert = New-Object    System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName "SetupTet4" -HomePage  "http://localhost" -IdentifierUris "http://localhost" -KeyValue $key -KeyType AsymmetricX509Cert
New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
New-AzureRmRoleAssignment -RoleDefinitionName "Owner" -ServicePrincipalName  $app.ApplicationId

Azure AD应用程序已成功创建,但对于具有证书身份验证的Azure AD应用程序,创建后customKeyIdentifierkeyCredentials中的值为null,这是我的应用程序清单的一部分我从Azure门户下载:

"keyCredentials": [{
"customKeyIdentifier": null,
"endDate": "2017-02-25T20:48:35.5174541Z",
"keyId": "575580cc-ce4e-4862-ad3e-1ba5833fe7f6",
"startDate": "2016-02-25T20:48:35.5174541Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}],

仅供参考,证书是自签名证书,我使用本地生成的makecert命令。

任何建议,非常感谢。

詹姆斯

1 个答案:

答案 0 :(得分:1)

添加对 Set-AzureRmKeyVaultAccessPolicy 的调用,以指定您希望服务原则对密钥保管库具有的访问级别。查看脚本最后两行的更改。

Login-AzureRmAccount
$cert = New-Object    System.Security.Cryptography.X509Certificates.X509Certificate("PATH_TO_CER_FILE")
$key = [System.Convert]::ToBase64String($cert.GetRawCertData())
$app = New-AzureRmADApplication -DisplayName "SetupTet4" -HomePage  "http://localhost" -IdentifierUris "http://localhost" -KeyValue $key -KeyType AsymmetricX509Cert
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId
Set-AzureRmKeyVaultAccessPolicy -VaultName "<your-vault-name>" `
    -ServicePrincipalName $sp.ServicePrincipalName `
    -PermissionsToKeys all -PermissionsToSecrets all `
    -ResourceGroupName "<your-resource-group-name>"
相关问题
最新问题