Learning and Sharing

How to Upload Certificate to App Registration Using PowerShell

August 30, 2023
in Blog, Microsoft Graph, Powershell

This Graph API PowerShell article will show how to create a self-signed certificate on a Windows machine and upload it to an App Registration using Graph API.

The advantage of using PowerShell with Graph API is that it handles the API requests and reduces the amount of code needed to construct API calls to the service.

Before you begin

Before you begin, make sure the following requirements are met:

  • You have Windows PowerShell 5.1 or PowerShell 7 installed.
  • The Microsoft Graph PowerShell SDK is installed on your computer.
  • An account with admin privileges (Global admin) in your Microsoft 365 tenant.

Create a Self Signed Certificate

1️⃣ The first step is to create a self-signed certificate on a Windows machine. To do so, open a PowerShell console and run the following code.

Note: Make sure you note down the certificate name (in our case, the cert CN is GraphApi). You can use any CN you need.
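$params = @{
    Subject = 'CN=GraphApi'                      # certificate subject (CN)
    CertStoreLocation = 'cert:\LocalMachine\My'  # machine store; run the console elevated
    NotAfter = (Get-Date).AddYears(5)            # certificate is valid for five years
    KeySpec = 'KeyExchange'
}
# Creates the key pair and certificate; the private key stays in the local store
$mycert = New-SelfSignedCertificate @params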

2️⃣ Get details about the newly created self-signed certificate. Take note of the certificate thumbprint for later use.

PS C:\> $mycert

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                                Subject
----------                                -------
5F257B383DE9B3B6C1C32C9CD6DF4DFFC9AA2978  CN=GraphApi

For reference, you can check that the certificate was created in the local certificate store.


Upload Certificate to App Registration

Once the self-signed certificate has been created, the next step is to connect to Microsoft Graph PowerShell and then upload the certificate to a registered application.

1️⃣ Connect to Microsoft Graph PowerShell with the required scopes. Once connected, you can verify the delegated permissions with the Get-MgContext cmdlet.

Connect-MgGraph -Scopes "Application.ReadWrite.All","User.Read.All"
PS C:\> Get-MgContext | select -ExpandProperty scopes
Application.Read.All
Application.ReadWrite.All
Group.ReadWrite.All
openid
profile
User.Read.All
email

2️⃣ We assume you’ve created an app registration in the Microsoft Entra admin center. To get the list of registered apps in your tenant, run the Get-MgApplication cmdlet.

Get-MgApplication | select DisplayName, Id, AppId
DisplayName  Id                                   AppId
-----------  --                                   -----
testapp      06a8af7d-381a-43a3-a391-c9047811c548 d80ccfc5-a78b-49e0-9795-75997a357d7a
BrowserStack 0a3c2014-9075-40f2-b6f6-4a5144a78e72 d7ccf457-4f55-46ba-bce7-968d3fffb211
Salesforce   0fb923ba-a245-49ad-b7c6-1c66c89dcc6e df387b96-2a5d-424a-bc99-7e45d1277791
LinkedIn     54fdad86-ef08-4993-9c61-3257e4e837eb b28c84bc-3a52-4194-9822-c69c68add95b
Box          69ae07d5-d795-41ed-ab95-c729a1132102 bb40b45c-4f15-464c-a405-31e6ed96406a
EXO_App2     856cd348-426b-4c93-aa14-7d7bcb8636b6 827a61b5-86f5-48ee-a938-730dacf05272

From the output, write down the Id of the app (Object ID). It’s the object ID, not the AppId (Client ID).

3️⃣ The final step is to upload the certificate to the Azure App Registration. In the code below, don’t forget to replace the subject (CN=GraphApi) and the Object Id with those of your app.

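# Find the certificate by subject; this must match exactly one certificate in the store
$cer = Get-ChildItem -Path Cert:\LocalMachine\my | Where-Object{$_.Subject -eq "CN=GraphApi"}
$objectId = '06a8af7d-381a-43a3-a391-c9047811c548' #Object ID not Application (client) ID

# RawData is the DER-encoded certificate (public part only); the private key is not uploaded
$CertCredentials = @(
    @{
        Type = "AsymmetricX509Cert"
        Usage = "Verify"
        Key = [byte[]]$cer.RawData
    }
)
# This is a PATCH of keyCredentials: the collection passed here replaces any certificates already on the app
Update-MgApplication -ApplicationId $objectId -KeyCredentials $CertCredentials -Verbose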

After a few minutes, you can check that the certificate has been uploaded.
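
A more defensive variant of the upload step, as an added example rather than the original author's code: it selects the certificate by thumbprint, checks it before upload, refuses to overwrite existing key credentials, and lists the result afterwards. The thumbprint placeholder and the DisplayName value are assumptions; the object ID is the sample one used above.

```powershell
# Added example. Replace the placeholder with the thumbprint noted earlier.
$thumbprint = '<YOUR-CERT-THUMBPRINT>'
$objectId   = '06a8af7d-381a-43a3-a391-c9047811c548'   # Object ID, not client ID

# Select by thumbprint: a subject filter returns several objects when a
# certificate with the same CN was generated more than once.
$cer = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# Pre-upload checks on the local certificate.
$now = Get-Date
if (-not $cer.HasPrivateKey) {
    throw "No private key for $thumbprint in this store; sign-in from this machine would fail."
}
if ($cer.NotBefore -gt $now -or $cer.NotAfter -le $now) {
    throw "Certificate $thumbprint is outside its validity period."
}
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cer)
if ($rsa -and $rsa.KeySize -lt 2048) {
    throw "RSA key is smaller than 2048 bits."
}

# Updating keyCredentials replaces the whole collection, so stop if the app
# already carries certificates instead of silently removing them.
$existing = (Get-MgApplication -ApplicationId $objectId).KeyCredentials
if ($existing) {
    $existing | Select-Object DisplayName, KeyId, EndDateTime | Format-Table | Out-Host
    throw "App already has key credentials; review them before uploading."
}

# RawData is the DER-encoded certificate: only the public part is uploaded.
$keyCredential = @{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = [byte[]]$cer.RawData
    DisplayName = 'GraphApi (added example)'
}
Update-MgApplication -ApplicationId $objectId -KeyCredentials @($keyCredential) -ErrorAction Stop

# Post-upload check: list what the app registration now holds.
(Get-MgApplication -ApplicationId $objectId).KeyCredentials |
    Select-Object DisplayName, KeyId, Type, Usage, StartDateTime, EndDateTime
```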


Connect to Microsoft Graph PowerShell

To verify it works, you can use the script below with your own client ID, tenant ID and certificate name or certificate thumbprint.

$connectparams = @{
    ClientId = 'd80ccfc5-a78b-49e0-9795-75997a357d7a'
    TenantId = 'c032627b-6715-4e39-9990-bcf48ee5e0c5'
    CertificateThumbprint = '6F912458C166B141D3E353BC1E1C7A8E4AEED210'
    #CertificateName = 'CN=GraphApi'
}
Connect-MgGraph @connectparams

In our case, we’ve connected to Microsoft Graph PowerShell using app-only authentication with a certificate.

PS C:\> Get-MgContext

ClientId               : d80ccfc5-a78b-49e0-9795-75997a357d7a
TenantId               : c032627b-6715-4e39-9990-bcf48ee5e0c5
Scopes                 : {User.Read.All}
AuthType               : AppOnly
TokenCredentialType    : ClientCertificate
CertificateThumbprint  : 6F912458C166B141D3E353BC1E1C7A8E4AEED210
CertificateSubjectName :
Account                :
AppName                : testapp
ContextScope           : Process
Certificate            :
PSHostVersion          : 5.1.22621.1778
