
[Feature]: New-AzADServicePrincipal without creating app secret

Open damienpontifex opened this issue 3 years ago • 6 comments

Description of the new feature

When utilising a federated identity credential such as on GitHub, a client secret is never needed as part of the app registration/SPN. It seems that currently, as part of New-AzADServicePrincipal with no application id provided, it creates a client secret, assumedly as a convenience since it's likely needed to quickstart the usage of the new credential. It would be nice to skip this secret creation so the app never needs it and doesn't report expiring secrets in a year's time.

To achieve this I have to do the two step process of New-AzADApplication and then New-AzADServicePrincipal with the previous application id. The convenience of New-AzADServicePrincipal that creates both together is nice, but an option to skip the default creation of client secret would be desirable.

Proposed implementation details (optional)

Something along the lines of: New-AzADServicePrincipal -DisplayName sample -SkipPasswordCreation

I did try passing an empty array to the -PasswordCredential parameter with New-AzADServicePrincipal -DisplayName sample2 -PasswordCredential @() on the current release, but got the error "New-AzADServicePrincipal: Parameter set cannot be resolved using the specified named parameters. One or more parameters issued cannot be used together or an insufficient number of parameters were provided.", so an empty array wasn't accepted.

damienpontifex avatar Jan 16 '22 02:01 damienpontifex

@VeryEarly , please look into this ask.

dingmeng-xue avatar Jan 17 '22 02:01 dingmeng-xue

@damienpontifex can you confirm if you are trying to use Azure PowerShell cmdlets to create federated identity credentials as described in the Overview of federated identity credentials in Azure Active Directory document?

dcaro avatar Jan 21 '22 05:01 dcaro

@dcaro I am using Azure PowerShell cmdlets, although I couldn't see any reference to them on the page following your link.

An overview of what I'm doing:

# Creates the app registration and the service principal in one step
$sp = New-AzADServicePrincipal -DisplayName sample -Debug

# Federated identity credential trusting GitHub Actions tokens for the main branch
$federationBody = ConvertTo-Json @{
    name = "main-branch"
    issuer = "https://token.actions.githubusercontent.com"
    subject = "repo:$($repoOrganisation)/$($repoName):ref:refs/heads/main"
    description = "Federation credentials for $githubRepository main branch"
    audiences = @(
        "api://AzureADTokenExchange"
    )
}

# Attach the federated credential to the application object via the Graph beta endpoint
Invoke-AzRestMethod -Method POST -Payload $federationBody "https://graph.microsoft.com/beta/applications/$((Get-AzADApplication -AppId $sp.AppId).Id)/federatedIdentityCredentials"

This creates the app, enterprise app/spn and sets up the federation credentials as desired, but it also creates a secret within the app as seen if I run:

Get-AzADAppCredential -ObjectId (Get-AzADApplication -AppId $sp.AppId).Id

The desire here was to be able to run these commands, but for them not to create the default secret, as it won't be used for federation credentials.

damienpontifex avatar Jan 22 '22 21:01 damienpontifex
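The two-step workaround mentioned above (create the application first, then the service principal from its AppId), carried through to the federated credential and a check that no password credential was left behind. This is an added example, not code from the thread or from the Az module; it assumes the Az.Resources cmdlets and parameters used in the thread, and the organisation/repository names are placeholders.

```powershell
# Added example: avoid the default secret by not letting New-AzADServicePrincipal
# create the registration. Placeholders (assumed, not from the thread):
$repoOrganisation = "<github-org>"
$repoName         = "<github-repo>"

# 1. App registration only. No password credential is generated at this step.
$app = New-AzADApplication -DisplayName "sample-federated"

# 2. Service principal (enterprise app) bound to the existing registration.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Federated identity credential for the main branch, using the same
#    Graph beta endpoint the thread uses. ":" after a variable needs $( )
#    so PowerShell does not read it as a drive-qualified name.
$federationBody = ConvertTo-Json @{
    name        = "main-branch"
    issuer      = "https://token.actions.githubusercontent.com"
    subject     = "repo:$repoOrganisation/$($repoName):ref:refs/heads/main"
    description = "Federation credentials for $repoOrganisation/$repoName main branch"
    audiences   = @("api://AzureADTokenExchange")
}
$uri = "https://graph.microsoft.com/beta/applications/$($app.Id)/federatedIdentityCredentials"
$response = Invoke-AzRestMethod -Method POST -Uri $uri -Payload $federationBody
if ($response.StatusCode -ne 201) {
    throw "Federated credential creation failed: $($response.StatusCode) $($response.Content)"
}

# 4. Verify the registration carries no password or key credentials, which is
#    the property the issue is asking New-AzADServicePrincipal to preserve.
$creds = @(Get-AzADAppCredential -ObjectId $app.Id)
if ($creds.Count -ne 0) {
    throw "Unexpected credentials on app $($app.AppId): $($creds | ConvertTo-Json)"
}
Write-Host "App $($app.AppId) / SPN $($sp.Id) created with a federated credential and no secrets."
```

The final Get-AzADAppCredential check is also a useful periodic audit: any app meant to authenticate only via federation should return nothing here.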

@damienpontifex can you confirm that the goal is to create federated identity credentials? If this is the case, we have plans to support this in the coming months.

dcaro avatar Feb 03 '22 23:02 dcaro

Exactly @dcaro. The goal is to create a federated identity credential and, with that, have the app with no secrets in AD.

damienpontifex avatar Feb 05 '22 00:02 damienpontifex

Commenting to track, also interested in this one.

brwilkinson avatar Sep 14 '22 23:09 brwilkinson

Yes, please make creating the app secret optional. As was suggested earlier, this can be done via a switch parameter and would be great to have.

Thank you.

saldroubi avatar Jul 28 '23 16:07 saldroubi