Reputation: 1673
We are linking personal developer certificates to a certain service principal. When a developer leaves our team, we will remove that credential from the service principal.
This works perfectly, but it's kind of a hassle because the name of the developer is not linked to the credentials.
I have noticed that there is a customIdentifierKey property on the credentials... but I cannot find how to set the customIdentifierKey.
Does anyone know how to do this?
New-AzureRmADAppCredential -ApplicationId $appId -CertValue $keyValue -EndDate $cert.NotAfter -StartDate $cert.NotBefore
Upvotes: 1
Views: 1167
Reputation: 58898
You can use the Azure AD v2 cmdlets to set and get custom key identifiers.
Here I am adding a certificate:
New-AzureADApplicationKeyCredential -ObjectId 2648416a-aaaa-4bc0-9190-aaaab6165710 -CustomKeyIdentifier 'Your key name' -StartDate '2017/06/01' -EndDate '2018/06/01' -Type AsymmetricX509Cert -Usage Verify -Value $keyValue
Assuming your $keyValue contains an X509 certificate. If it is a symmetric key, you can use Symmetric as the Type.
The custom key identifier is stored as bytes, encoded in ASCII.
So when you get one, you need to run it through a decode:
$cred = Get-AzureADApplicationKeyCredential -ObjectId 2648416a-aaaa-4bc0-9190-aaaab6165710
[System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier)
Interestingly, if you set an identifier on a PasswordCredential (client secret) through Azure Portal, it encodes it in Unicode.
Upvotes: 1
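The full lifecycle the question describes (tag a developer's certificate with their name, later find and remove it when they leave), as an added example that is not part of the question or the answer above. It uses only the AzureAD v2 cmdlets named in the answer plus Remove-AzureADApplicationKeyCredential; it assumes Connect-AzureAD has already been run, and the application object id, certificate path and developer name are placeholders. The decode helper also handles the Unicode (UTF-16) case the answer mentions for portal-set identifiers, using the presence of NUL bytes as the heuristic.

```powershell
# Added example (not from the original question or answer). Assumes the AzureAD
# (Azure AD v2) module is installed and Connect-AzureAD has already been run.
# $appObjectId, the certificate path and $developer are placeholders.

$appObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder: application object id
$developer   = 'jane.doe'                               # placeholder: owner of this certificate

# Load the developer's public certificate; only the public part is needed for -Usage Verify
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\certs\jane.doe.cer')
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())

# Register the certificate with the developer's name as the custom key identifier,
# and bound the credential's validity to the certificate's own validity window
New-AzureADApplicationKeyCredential -ObjectId $appObjectId `
    -CustomKeyIdentifier $developer `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter `
    -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Decode a CustomKeyIdentifier byte array. Identifiers set with the cmdlet are ASCII;
# identifiers set in the portal are Unicode (UTF-16), which shows up as NUL padding
# in the byte array, so fall back to UTF-16 when a NUL byte is present (heuristic).
function ConvertFrom-CustomKeyIdentifier {
    param([byte[]] $Bytes)
    if (-not $Bytes) { return $null }
    if ($Bytes -contains 0) {
        return [System.Text.Encoding]::Unicode.GetString($Bytes)
    }
    return [System.Text.Encoding]::ASCII.GetString($Bytes)
}

# Review: list every credential on the application with its decoded owner name
# and expiry, so unowned or long-lived credentials stand out
$creds = Get-AzureADApplicationKeyCredential -ObjectId $appObjectId
$creds | ForEach-Object {
    [pscustomobject]@{
        KeyId   = $_.KeyId
        Owner   = ConvertFrom-CustomKeyIdentifier $_.CustomKeyIdentifier
        EndDate = $_.EndDate
    }
} | Format-Table -AutoSize

# Offboarding: remove every credential tagged with the departing developer's name
$leaving = $creds | Where-Object {
    (ConvertFrom-CustomKeyIdentifier $_.CustomKeyIdentifier) -eq $developer
}
foreach ($c in $leaving) {
    Remove-AzureADApplicationKeyCredential -ObjectId $appObjectId -KeyId $c.KeyId
    Write-Host "Removed credential $($c.KeyId) owned by $developer"
}
```

Matching on the decoded identifier rather than on KeyId is what makes the offboarding step repeatable: the KeyId is assigned by Azure AD and nobody writes it down, whereas the developer's name is exactly what the team already knows when someone leaves.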