Using Application.ReadWrite.OwnedBy and addKey methods for Graph API

Methods available for updating application keys / Passwords

An application can roll its own existing keys with addKey by providing the proof value in the payload, without any extra permissions.

Keys of an application can't be rotated by another application using the addKey method. Another application can rotate them when it holds the Application.ReadWrite.OwnedBy permission and is set as owner of the target application, by sending a PATCH to /applications/{objectId} of the target application.

Method                                       | Application.ReadWrite.OwnedBy                                                                          | Application itself
---------------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------
addKey                                       |                                                                                                        | An application does not need any specific permission to roll its own keys. ✅ Example
Update with another application using PATCH  | ✅ Example. This method uses another application to update the keyCredentials of the target application |

Update the application's own credentials (adds new keyCredentials to itself)

Code is sourced from the existing implementation at https://github.com/jsa2/aadClientCredWithCert

  • ObjectId of the app is the objectId of the application calling the Graph API (not the objectId of another app)

    // Payload for the application's own addKey call (runs inside an async function).
    // access_token was acquired by this same application with its current certificate;
    // createToken builds the proof JWT signed with that certificate's private key.
    var payload = {
        url: `https://graph.microsoft.com/v1.0/applications/2fdfb42a-a106-4821-9602-7e7041126697/addKey`,
        headers: { "authorization": `Bearer ${access_token}` },
        method: "post",
        data: {
            "keyCredential": {
                "type": "AsymmetricX509Cert",
                "usage": "Verify",
                // the new public certificate that is being added to the application
                "key": require('fs').readFileSync('./newk.pem').toString()
            },
            "passwordCredential": null,
            // proof of possession of an existing key; the last argument is the aud the addKey proof requires
            proof: await createToken(config, pub, priv, undefined, "00000002-0000-0000-c000-000000000000")
        }
    };

Making another application an owner of the application

  • ObjectId of the application (in the URL)
  • ObjectId of the servicePrincipal that becomes the managing object, given in the @odata.id of the data payload

    // Adds the service principal as an owner of the application object.
    // The bearer token here is read from the stdout of a helper process that acquired it.
    var payload = {
        url: `https://graph.microsoft.com/v1.0/applications/ecd58a1a-f800-4cde-bdfe-fd727720e3fd/owners/$ref`,
        headers: { "authorization": `Bearer ${JSON.parse(stdout)}` },
        method: "post",
        data: {
            // the servicePrincipal of the application that will manage the keys
            "@odata.id": "https://graph.microsoft.com/v1.0/servicePrincipals/68f1c8b3-4255-40dd-9b25-89eb5a2dcefa"
        }
    };

Updating KeyCredentials using Application.ReadWrite.OwnedBy

  • ObjectId of the target application must be the one on which the updating application is set as owner

    // PATCH from the owning application (token carries Application.ReadWrite.OwnedBy).
    // keyCredentials is sent as the whole collection: include any existing entries that
    // should remain, otherwise only the keys listed here stay on the application.
    var payload = {
        url: `https://graph.microsoft.com/v1.0/applications/ecd58a1a-f800-4cde-bdfe-fd727720e3fd`,
        headers: { "authorization": `Bearer ${access_token}`, "content-type": "application/json" },
        method: "patch",
        data: {
            keyCredentials: [
                {
                    "@odata.type": "#microsoft.graph.keyCredential",
                    "customKeyIdentifier": "53216E4E206E0913CA7FC5DD53BC33A5FF5B9F80", // certificate thumbprint
                    "endDateTime": "2023-12-18T14:10:27Z",
                    "keyId": "a997fe1b-7b77-4c62-ba36-a43ba5c16552",
                    "startDateTime": "2021-12-28T14:10:27Z",
                    "type": "AsymmetricX509Cert",
                    "usage": "Verify",
                    "key": "MIIDCzCCAfMCFA3...", // base64 of the certificate, truncated
                    "displayName": "firendly"
                }
            ]
        }
    };
