Reputation: 86
I am trying to use this endpoint to create a service principal and simultaneously create a key, which according to the MS documentation (link) should be possible: "Create servicePrincipal and Update servicePrincipal operations can continue to be used to add and update key credentials for any servicePrincipal with or without a user's context."
POST https://graph.microsoft.com/v1.0/servicePrincipals
My body looks like this:
{
  "appId": "65415bb1-9267-4313-bbf5-ae259732ee12",
  "keyCredentials": [{
    "key": "redacted",
    "type": "Symmetric",
    "usage": "Verify"
  }]
}
but Postman is throwing this error:
Cannot convert the literal 'redacted' to the expected type 'Edm.Binary'.
Has anyone run into this issue? Or better yet, has anyone been able to create a service principal for an app registration using the graph API and also create/add the key? The post to this endpoint works fine when only including the APPID in the body.
Tried using both the direct endpoint:
POST https://graph.microsoft.com/v1.0/servicePrincipals/$Id/addKey
and also the standard one to add the service principal:
POST https://graph.microsoft.com/v1.0/servicePrincipals
I would expect them to succeed and create the service principal/add the key.
Upvotes: 0
Views: 814
Reputation: 20758
The key property of keyCredential should contain the certificate's raw data as a byte array converted to a Base64 string.
You are using the correct endpoint, but you need to convert the certificate's raw data to a Base64 string.
POST https://graph.microsoft.com/v1.0/servicePrincipals
Body
{
  "appId": "65415bb1-9267-4313-bbf5-ae259732ee12",
  "keyCredentials": [{
    "key": "<certificate_raw_data_in_base64>",
    "type": "Symmetric",
    "usage": "Verify"
  }]
}
Documentation
Upvotes: 1
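An added example (not part of either answer, and not Microsoft's code): one way to turn a PEM certificate into the Base64 key value the answer above describes, and to check a key value locally before posting it. The function names and the sample PEM (placeholder bytes, not a real certificate) are assumptions made here; the appId and type values are the ones quoted on this page.

```python
import base64
import binascii
import json
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def is_base64(value: str) -> bool:
    """True if value decodes as strict Base64 (no stray characters)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def cert_pem_to_key(pem: str) -> str:
    """Return the certificate's raw (DER) bytes as one Base64 string."""
    if "PRIVATE KEY" in pem:
        # A certificate credential carries the public certificate only.
        raise ValueError("input contains a private key; pass the certificate only")
    match = PEM_CERT.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return base64.b64encode(der).decode("ascii")


def build_body(app_id: str, key_b64: str, key_type: str) -> str:
    """Build the POST /servicePrincipals body; refuse a non-Base64 key."""
    if not is_base64(key_b64):
        raise ValueError("key is not Base64; encode the raw bytes first")
    cred = {"key": key_b64, "type": key_type, "usage": "Verify"}
    return json.dumps({"appId": app_id, "keyCredentials": [cred]}, indent=2)


# Constructed placeholder bytes in PEM armor; NOT a real certificate.
SAMPLE_DER = bytes(range(48, 96))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    key = cert_pem_to_key(SAMPLE_PEM)
    print(build_body("65415bb1-9267-4313-bbf5-ae259732ee12", key, "AsymmetricX509Cert"))
```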
Reputation: 738
There is no API to add the key simultaneously while creating the service principal. As per the doc, you have to create the service principal first using the App Id.
POST https://graph.microsoft.com/v1.0/servicePrincipals
Content-type: application/json
{ "appId": "65415bb1-9267-4313-bbf5-ae259732ee12" }
Once the SP is created, you will get the empty "keyCredentials": [] in the response; doc - https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http#response-1
Now you will follow the same doc to add the key.
POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/addKey
Content-type: application/json
{
  "keyCredential": {
    "type": "AsymmetricX509Cert",
    "usage": "Verify",
    "key": "MIIDYDCCAki..."
  },
  "passwordCredential": null,
  "proof": "eyJ0eXAiOiJ..."
}
The request body requires 3 properties: keyCredential, passwordCredential, proof.
Hope this helps
Thanks
Upvotes: 0