Update Policy for Service Principals
For Key Credentials
For an X.509 certificate you have already generated, produce the certificate key with PowerShell so that the key can be used to upload the certificate to the Azure system.
Generate the Certificate Key Using PowerShell
- Read the certificate's key using the following PowerShell command (Windows PowerShell; in PowerShell 6 and later, Get-Content takes -AsByteStream instead of -Encoding byte):
  [convert]::ToBase64String((Get-Content C:\Users\admin\Desktop\YourCerFile.cer -Encoding byte)) | Out-File -FilePath "C:\Users\admin\Desktop\YourCerFile.key.txt"
- Replace the file paths with the location of your certificate and the desired output file.
- Provide the generated key against spn_app_keyCredentials as highlighted in Example 1.
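An added Python example (not part of the original page or the connector) of the same transformation the PowerShell command performs, followed by the step that places the key into the Example 1 AttributeRequest with the JSON's inner quotes escaped for XML; the certificate bytes are a constructed stand-in, and the PEM handling is an extra check not shown in the page.

```python
import base64
import json
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed stand-in for the bytes of YourCerFile.cer (not a real certificate).
SAMPLE_DER = b"\x30\x82\x02\xe2\x30\x82\x01\xca" + bytes(range(64))


def der_from_cer_bytes(cer_bytes):
    """Return the certificate's DER bytes. A binary (DER) .cer is used as-is,
    which is what the PowerShell one-liner encodes; a base64/PEM .cer is
    unarmoured first so the key does not end up base64-encoded twice."""
    if cer_bytes.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in cer_bytes.splitlines()]
        body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return cer_bytes


def certificate_key(cer_bytes):
    """The value the PowerShell command writes to YourCerFile.key.txt."""
    return base64.b64encode(der_from_cer_bytes(cer_bytes)).decode("ascii")


def key_credential_attribute(name, cer_bytes):
    """Render the Example 1 AttributeRequest for a key credential. The inner
    quotes of the JSON are escaped as &quot; so the element stays well-formed."""
    if name not in ("spn_keyCredentials", "spn_app_keyCredentials"):
        raise ValueError("not a key credential attribute: " + name)
    value = json.dumps(
        {"type": "AsymmetricX509Cert", "usage": "Verify", "key": certificate_key(cer_bytes)},
        separators=(",", ":"),
    )
    return '<AttributeRequest name="%s" op="Add" value="%s"/>' % (
        name, escape(value, {'"': "&quot;"}))


def attribute_value(xml_text):
    """Parse an AttributeRequest element back and decode its JSON value."""
    return json.loads(ET.fromstring(xml_text).get("value"))
```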
For Password Credentials
To generate a new client secret for the service principal or application, you need to provide displayName as highlighted in Example 1.
Generate Client Secret Values
The provisioning request to add spn_passwordCredentials and spn_app_passwordCredentials generates the client ID and client secret for the service principal and the corresponding application. The secret can only be viewed once and is available only in the API response. The added secrets are returned as part of the ResourceObject attributes after the provisioning request completes successfully.
Client secrets added for service principals are placed under the key spnPasswordsCreated, while client secrets added for applications are placed under the key appPasswordsCreated in the returned ResourceObject. Multiple passwords can be added as part of a single AccountRequest. The generated client ID and client secret are stored in the ResourceObject as a Map.
The format is as follows:
<entry key="appPasswordsCreated">
  <value>
    <Map>
      <entry key="<Client ID Friendly Name>::<Client ID>" value="<Client Secret>"/>
    </Map>
  </value>
</entry>
<entry key="spnPasswordsCreated">
  <value>
    <Map>
      <entry key="<Client ID Friendly Name>::<Client ID>" value="<Client Secret>"/>
    </Map>
  </value>
</entry>
- To fetch the generated client secret, analyze the result of the corresponding AccountRequest to obtain the ResourceObject, then store and secure the secret as required. For example, the following snippet views the ResourceObject from the provisioning result:
  plan.getAccountRequests().get(0).getResult().getObject().toXml()
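Reading the returned secrets out of the documented spnPasswordsCreated and appPasswordsCreated maps, as an added Python example (not SailPoint's code): it parses a constructed ResourceObject XML fragment in the format shown above (the outer ResourceObject/Attributes wrapper and the sample values are assumptions), splits each map key into its friendly name and client ID, and produces a log-safe view that omits the secret values.

```python
import xml.etree.ElementTree as ET

# Constructed ResourceObject fragment. The entry layout is the documented one;
# the outer wrapper is an assumption and every value is a made-up sample.
SAMPLE_RESULT = """<ResourceObject>
  <Attributes>
    <Map>
      <entry key="displayName" value="EMEA Sales"/>
      <entry key="spnPasswordsCreated">
        <value><Map>
          <entry key="Test SPN Password::11111111-1111-1111-1111-111111111111" value="spn-secret-0001"/>
        </Map></value>
      </entry>
      <entry key="appPasswordsCreated">
        <value><Map>
          <entry key="Test APP Password 2::22222222-2222-2222-2222-222222222222" value="app-secret-0002"/>
          <entry key="Rotation::Q3::33333333-3333-3333-3333-333333333333" value="app-secret-0003"/>
        </Map></value>
      </entry>
    </Map>
  </Attributes>
</ResourceObject>"""

CREATED_KEYS = {"spnPasswordsCreated": "servicePrincipal", "appPasswordsCreated": "application"}


def extract_created_secrets(resource_object_xml):
    """Walk the spnPasswordsCreated/appPasswordsCreated maps. The map key is
    '<friendly name>::<client id>'; split on the LAST '::' because a friendly
    name may itself contain '::' while a client ID (a GUID) never does."""
    root = ET.fromstring(resource_object_xml)
    found = []
    for holder in root.iter("entry"):
        target = CREATED_KEYS.get(holder.get("key"))
        if target is None:
            continue
        for item in holder.findall("./value/Map/entry"):
            name, sep, client_id = item.get("key", "").rpartition("::")
            if not sep or not client_id:
                continue  # not in the documented key format; skip rather than guess
            found.append({"target": target, "displayName": name,
                          "clientId": client_id, "secret": item.get("value", "")})
    return found


def redacted(secrets):
    """Log-safe view: client IDs and names may be logged, secret values may not."""
    return [{k: s[k] for k in ("target", "displayName", "clientId")} for s in secrets]
```

The full records from extract_created_secrets are what you hand to a vault or secret store; only the redacted view should reach logs or task results.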
The following are sample update service principal requests:
Example 1
The following modify request adds or updates basic attributes for the SPN, appRoles, keyCredentials, and some application properties such as owners. The JSON values are shown with unescaped inner quotes for readability; in an actual ProvisioningPlan XML file, quotes inside a value attribute must be escaped as &quot; so that the plan remains well-formed.
<ProvisioningPlan>
  <AccountRequest op="Modify" nativeIdentity="23070dd0-52a0-4692-ab8c-c21fc9c72505:aa0df863-3e47-42b0-a562-274677c63189">
    <AttributeRequest name="displayName" op="Set" value="EMEA Sales"/>
    <AttributeRequest name="spn_homepage" op="Set" value="http://example.com"/>
    <AttributeRequest name="spn_loginUrl" op="Set" value="http://example.com/login"/>
    <AttributeRequest name="spn_logoutUrl" op="Set" value="http://example.com/logout"/>
    <AttributeRequest name="description" op="Set" value="This is a test application"/>
    <AttributeRequest name="spn_appRoles" op="Add" value="{"allowedMemberTypes":["User"],"description":"Just a test role","displayName":"Test Role","id":"f1c8de3d-1fea-4d7c-a8b0-29f63cac3454","isEnabled":true,"origin":"Application","value":"TestRole"}"/>
    <AttributeRequest name="spn_app_keyCredentials" op="Add" value="{"type":"AsymmetricX509Cert","usage":"Verify","key":"MIIC4jCCAcqgAwIBAgIQY7nIg+dBqrdGxTg6pJQ3GTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9ERVNLVE9QLURWNDFHU0wwHhcNMjIwMT...."}"/>
    <AttributeRequest name="spn_keyCredentials" op="Add" value="{"type":"AsymmetricX509Cert","usage":"Verify","key":"MIIC4jCCAcqgAwIBAgIQY7nIg+dBqrdGxTg6pJQ3GTANBgkqhkiG9w0BAQsFADAaMRgwFgYDVQQDEw9ERVNLVE9QLURWNDFHU0wwHhcNMjIwMTA1MDg1..."}"/>
    <AttributeRequest name="spn_tags" op="Set" value="Test Applications"/>
    <AttributeRequest name="spn_passwordCredentials" op="Add" value="{displayName="Test SPN Password"}"/>
    <AttributeRequest name="spn_app_owners" op="Add" value="dd315fd1-1af4-43a7-a050-c5ab968c6dde"/>
    <AttributeRequest name="spn_owners" op="Add" value="dd315fd1-1af4-43a7-a050-c5ab968c6dde"/>
    <AttributeRequest name="spn_app_passwordCredentials" op="Add" value="{displayName="Test APP Password 2"}"/>
  </AccountRequest>
</ProvisioningPlan>
Example 2
The following modify request removes basic attributes for the SPN, appRoles, keyCredentials, and some application properties such as owners; removals reference the credential by its keyId rather than by its value:
<ProvisioningPlan>
  <AccountRequest op="Modify" nativeIdentity="23070dd0-52a0-4692-ab8c-c21fc9c72505:aa0df863-3e47-42b0-a562-274677c63189">
    <AttributeRequest name="spn_appRoles" op="Remove" value="{"id":"f1c3de3d-1fea-4d7c-a8b0-29f63cac3454","isEnabled":true,"origin":"Application","value":"TestRole"}"/>
    <AttributeRequest name="spn_app_keyCredentials" op="Remove" value="{"type":"AsymmetricX509Cert","usage":"Verify","keyId":"1beaebc0-83be-4cb3-b33a-0b2f03231638"}"/>
    <AttributeRequest name="spn_keyCredentials" op="Remove" value="{"type":"AsymmetricX509Cert","usage":"Verify","key":"82cf0d7c-457a-4592-b6a6-62889b526a3e"}"/>
    <AttributeRequest name="spn_tags" op="Remove" value="Unit Test Description"/>
    <AttributeRequest name="spn_passwordCredentials" op="Remove" value="{"keyId": "8624a905-2e95-4906-b83e-ef9306531601"}"/>
    <AttributeRequest name="spn_app_owners" op="Remove" value="dd315fd1-1af4-43a7-a050-c5ab968c6dde"/>
    <AttributeRequest name="spn_owners" op="Remove" value="dd315fd1-1af4-43a7-a050-c5ab968c6dde"/>
    <AttributeRequest name="spn_app_passwordCredentials" op="Remove">
      <Value>
        <List>
          <String>{"keyId": "5b76b745-3edf-4ce7-925e-114926ab8ec9"}</String>
          <String>{"keyId": "be899d38-e390-414d-aa9d-b9078b5615cb"}</String>
        </List>
      </Value>
    </AttributeRequest>
  </AccountRequest>
</ProvisioningPlan>