Methods available for updating application keys / Passwords
Applications can roll their own existing keys by providing the proof value in the payload, without any extra permissions.
Keys of an application can't be rotated by another application using the addKey method. Another application can rotate them if it holds the permission Application.ReadWrite.OwnedBy and is an owner of the target application; it then uses the PATCH method on /applications/ for the target application.
| method | Application.ReadWrite.OwnedBy | Application itself |
|---|---|---|
| addKey | An application does not need any specific permission to roll its own keys. | ✅ Example |
| Update with another application using patch | ✅ Example | This method uses another application to update the keyCredentials of the target application. |
Updating the application's own credentials (adds a new keyCredential to itself)
Code is sourced from the existing implementation at https://github.com/jsa2/aadClientCredWithCert
- The objectId in the URL is the objectId of the application calling the Graph API (not the objectId of another app)
```javascript
// Request config for POST /applications/{objectId}/addKey.
// The objectId in the URL is the calling application's own object id.
var payload = {
  url: `https://graph.microsoft.com/v1.0/applications/2fdfb42a-a106-4821-9602-7e7041126697/addKey`,
  headers: { "authorization": `Bearer ${access_token}` },
  method: "post",
  data: {
    // the new public certificate being added
    "keyCredential": {
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": require('fs').readFileSync('./newk.pem').toString()
    },
    "passwordCredential": null,
    // proof: a JWT signed with the application's current private key
    // (createToken comes from the linked repository); the GUID is the
    // audience value that the addKey proof token must carry
    proof: await createToken(config, pub, priv, undefined, "00000002-0000-0000-c000-000000000000")
  }
}
```
Making another application the owner of the application
- ObjectID of the application (in the URL)
- ObjectID of the servicePrincipal that becomes the managing object (in the data payload)
```javascript
// Request config for POST /applications/{objectId}/owners/$ref.
// The access token here is read from the stdout of a helper command.
var payload = {
  url: `https://graph.microsoft.com/v1.0/applications/ecd58a1a-f800-4cde-bdfe-fd727720e3fd/owners/$ref`,
  headers: { "authorization": `Bearer ${JSON.parse(stdout)}` },
  method: "post",
  data: {
    // the servicePrincipal that becomes an owner of the application
    "@odata.id": "https://graph.microsoft.com/v1.0/servicePrincipals/68f1c8b3-4255-40dd-9b25-89eb5a2dcefa"
  }
}
```
Updating keyCredentials using Application.ReadWrite.OwnedBy
- The objectId of the target application must be the one on which the updating application has been set as owner
```javascript
// Request config for PATCH /applications/{objectId}, sent by the owning
// application; the keyCredentials array replaces the target's current list.
var payload = {
  url: `https://graph.microsoft.com/v1.0/applications/ecd58a1a-f800-4cde-bdfe-fd727720e3fd`,
  headers: { "authorization": `Bearer ${access_token}`, "content-type": "application/json" },
  method: "patch",
  data: {
    keyCredentials: [
      {
        "@odata.type": "#microsoft.graph.keyCredential",
        // certificate thumbprint
        "customKeyIdentifier": "53216E4E206E0913CA7FC5DD53BC33A5FF5B9F80",
        "endDateTime": "2023-12-18T14:10:27Z",
        "keyId": "a997fe1b-7b77-4c62-ba36-a43ba5c16552",
        "startDateTime": "2021-12-28T14:10:27Z",
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        // base64 certificate, truncated here
        "key": "MIIDCzCCAfMCFA3...",
        "displayName": "friendly"
      }
    ]
  }
}
```
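The two paths above leave traces a defender can audit: an application owned by a servicePrincipal can have its keyCredentials replaced by that owner via PATCH, and a key added either way shows up with a fresh startDateTime. The following is an added example, not code from the original post or the linked repository: an offline audit over application objects shaped like a Graph response (owners expanded, keyCredentials selected). The field names are the Graph ones used on this page; the sample objects, ids, `now` and the validity threshold are constructed for the example.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Audit one application object (field names as returned by Graph) and return
// findings; `now` and `maxValidityDays` are policy inputs for this example.
function auditApplication(app, now = new Date(), maxValidityDays = 365) {
  const findings = [];
  // A servicePrincipal owner means another application holding
  // Application.ReadWrite.OwnedBy can PATCH this app's keyCredentials
  // without proving possession of any existing key.
  for (const owner of app.owners || []) {
    if (owner['@odata.type'] === '#microsoft.graph.servicePrincipal') {
      findings.push({ app: app.id, kind: 'sp-owner', owner: owner.id });
    }
  }
  for (const kc of app.keyCredentials || []) {
    const start = new Date(kc.startDateTime);
    const days = Math.round((new Date(kc.endDateTime) - start) / MS_PER_DAY);
    // Certificate validity longer than the policy window.
    if (days > maxValidityDays) {
      findings.push({ app: app.id, kind: 'long-lived-key', keyId: kc.keyId, days });
    }
    // Key added in the last 24 hours: correlate with the audit-log entry for
    // the addKey or PATCH call that created it.
    if (now >= start && now - start < MS_PER_DAY) {
      findings.push({ app: app.id, kind: 'recent-key', keyId: kc.keyId });
    }
  }
  return findings;
}

function auditApplications(apps, now, maxValidityDays) {
  return apps.flatMap((app) => auditApplication(app, now, maxValidityDays));
}

// Constructed sample shaped like GET /v1.0/applications?$expand=owners;
// the ids are placeholders, not real tenant objects.
const SAMPLE_APPS = [
  { id: 'app-0001',
    owners: [{ '@odata.type': '#microsoft.graph.user', id: 'user-0001' },
             { '@odata.type': '#microsoft.graph.servicePrincipal', id: 'sp-0001' }],
    keyCredentials: [{ keyId: 'key-0001', type: 'AsymmetricX509Cert', usage: 'Verify',
      startDateTime: '2021-12-28T14:10:27Z', endDateTime: '2023-12-18T14:10:27Z' }] },
  { id: 'app-0002',
    owners: [{ '@odata.type': '#microsoft.graph.user', id: 'user-0002' }],
    keyCredentials: [{ keyId: 'key-0002', type: 'AsymmetricX509Cert', usage: 'Verify',
      startDateTime: '2022-01-01T00:00:00Z', endDateTime: '2022-07-01T00:00:00Z' }] },
];
```

Run against a real tenant, feed it the `value` array of the paged applications response and review every `sp-owner` finding against the list of applications that are intentionally managed by another application.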