msgraph-sdk-powershell
Add-MgApplicationKey failing with "Insufficient privileges to complete the operation."
We have a use case in our PowerShell script to add multiple certificates on behalf of the application at different points in time.
We were using New-AzureADApplicationKeyCredential and are planning to move to the Graph PS SDK.
However, I found that the Add-MgApplicationKey cmdlet requires a "Proof" to be provided to add the certificates, or else it fails with the "Insufficient privileges to complete the operation." error.
I found here that Update-MgApplication is an option to use for adding certificates.
I tried adding certificates one after the other using Update-MgApplication cmdlet, only to find that the certificates are overwritten and the earlier updated certificates were lost.
I get the first certificate at some point in time and add it using:
Update-MgApplication -ApplicationId "myAppId" -KeyCredential @{ Type = "AsymmetricX509Cert"; Usage = "Verify"; Key = $CertFirst.RawData; StartDateTime = $now; EndDateTime = $CertFirst.NotAfter }
Then, after some time, I get the second certificate, but when I add it using the command below, I lose the first one that was already added:
Update-MgApplication -ApplicationId "myAppId" -KeyCredential @{ Type = "AsymmetricX509Cert"; Usage = "Verify"; Key = $CertSecond.RawData; StartDateTime = $now; EndDateTime = $CertSecond.NotAfter }
Can you please let me know how to solve this scenario?
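Added example (not code from this thread or from the Graph PowerShell SDK) showing the append pattern that avoids the overwrite described above: because a PATCH of keyCredentials replaces the whole collection, the script reads the application's current credentials, resends them by keyId together with the new certificate, and optionally prunes entries that have already expired. Assumptions not stated in the thread: $AppObjectId is the application's object id (what -ApplicationId expects, not the appId), $CertSecond is a loaded X509Certificate2, and the service keeps existing entries that are resent with their KeyId even though GET never returns their key bytes (this matches observed behaviour, but is an assumption of this example).

```powershell
# Added example, not from the thread or the SDK. See lead-in for assumptions.
function Add-MgApplicationCertificateKeepExisting {
    param(
        [Parameter(Mandatory)][string]$AppObjectId,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$RemoveExpired   # also drop credentials whose EndDateTime is already past
    )
    $now = [DateTime]::UtcNow
    $app = Get-MgApplication -ApplicationId $AppObjectId -Property Id, KeyCredentials

    # Re-send every existing credential we want to keep, identified by its KeyId.
    # Graph does not return the key bytes, so 'Key' is intentionally absent here.
    $keep = foreach ($k in @($app.KeyCredentials)) {
        if ($RemoveExpired -and $k.EndDateTime -and $k.EndDateTime.ToUniversalTime() -lt $now) { continue }
        @{
            KeyId               = $k.KeyId
            Type                = $k.Type
            Usage               = $k.Usage
            CustomKeyIdentifier = $k.CustomKeyIdentifier
            DisplayName         = $k.DisplayName
            StartDateTime       = $k.StartDateTime
            EndDateTime         = $k.EndDateTime
        }
    }

    # Idempotency: the portal and most tooling store the SHA-1 thumbprint in CustomKeyIdentifier,
    # so skip the update if this certificate is already registered.
    $thumb = $Certificate.Thumbprint
    $already = @($keep | Where-Object {
        $_.CustomKeyIdentifier -and
        (([BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', '') -eq $thumb)
    })
    if ($already.Count -gt 0) {
        Write-Verbose "Certificate $thumb is already registered; nothing to add."
        return $app.KeyCredentials
    }

    $newCred = @{
        Type                = 'AsymmetricX509Cert'
        Usage               = 'Verify'
        Key                 = $Certificate.RawData
        CustomKeyIdentifier = $Certificate.GetCertHash()            # SHA-1 thumbprint bytes
        DisplayName         = $Certificate.Subject
        StartDateTime       = $Certificate.NotBefore.ToUniversalTime()
        EndDateTime         = $Certificate.NotAfter.ToUniversalTime()
    }

    # Existing entries plus the new one; any entry left out of this list is removed by the PATCH.
    $all = @($keep) + @($newCred)
    Update-MgApplication -ApplicationId $AppObjectId -KeyCredentials $all

    # Return what the service now holds so the caller can verify nothing was dropped.
    (Get-MgApplication -ApplicationId $AppObjectId -Property KeyCredentials).KeyCredentials
}

# Usage (assumed variables): Application.ReadWrite.All is the permission Update-MgApplication needs here.
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
Add-MgApplicationCertificateKeepExisting -AppObjectId $AppObjectId -Certificate $CertSecond -Verbose |
    Format-Table KeyId, DisplayName, StartDateTime, EndDateTime
```

The read-modify-write is not atomic: two runs racing on the same application can still clobber each other, so serialize certificate rotation for a given app (one pipeline, one lock) rather than running it from several places at once.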
AB#10381
Thanks for reporting this. We will sync with the workload owner to understand why the proof is failing.
We will also add a helper command to assist in generating a proof here - https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/817.
The challenge with https://docs.microsoft.com/en-us/graph/application-rollkey-prooftoken, is that the private key of the signing certificate is needed. Even if we have an existing certificate in key vault, we can only fetch the public portion of the certificate programmatically. You would need to store the certificate as a base64 string in the key vault, then you could fetch the whole certificate and use the private information for signing.
@peombwa Is this correct? Or is there a simpler workaround that I'm not seeing.
I guess this only matters if you would want to keep previous valid certificates. Otherwise Update-MgApplication works fine.
Sorry for the delayed response.
That's right, @ArmaanMcleod. That's the same guidance we've gotten from the workload owner.
The proof is represented by a self-signed JWT token. This JWT token must be signed using the private key of one of the application's existing valid certificates. The token lifespan should not exceed 10 minutes.
As per https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/2526, it looks like the workload owner is working on a sample on how to generate a proof of possession token in PowerShell.
Closing since a proof is required when using addKey.
For additional assistance, please open a question at https://developer.microsoft.com/en-us/graph/support as this is a service issue.
Hi @peombwa Why is there a Proof needed if I want to add another Self-Signed Certificate in the same App?
In the following articles it is not clear how to generate this proof:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgapplicationkey?view=graph-powershell-1.0
- https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.applications/add-mgserviceprincipalkey?view=graph-powershell-1.0
The following error message is also not really helpful when the Proof attribute is missing:
Add-MgApplicationKey : Insufficient privileges to complete the operation.
@weyCC81, proof of possession is required by the API as stated at https://learn.microsoft.com/en-us/graph/application-rollkey-prooftoken?tabs=powershell:
You can use the addKey and removeKey methods defined on the application and servicePrincipal resources to roll expiring keys programmatically.
As part of the request validation for these methods, a proof of possession of an existing key is verified before the methods can be invoked. The proof is represented by a self-signed JWT token.
You can use the PowerShell at https://learn.microsoft.com/en-us/graph/application-rollkey-prooftoken?tabs=powershell to generate the proof of possession token.
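Added example (not code from this thread, the SDK, or the linked Microsoft page) of the proof of possession token described in the two replies above: a JWT with the claims the rollkey documentation specifies (aud 00000002-0000-0000-c000-000000000000, iss = the application's object id, nbf/exp, with exp no more than 10 minutes ahead), signed RS256 with the private key of a certificate that is already registered on the application, then passed to Add-MgApplicationKey. Assumptions not in the thread: the existing certificate with its private key is in the current user's store and identified by $ExistingThumbprint, the new certificate to add is a .cer file at $NewCertPath, and $AppObjectId is the application's object id (not its appId).

```powershell
# Added example, not from the thread, the SDK or the Microsoft docs. See lead-in for assumptions.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-MgAppKeyProofToken {
    param(
        [Parameter(Mandatory)][string]$AppObjectId,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$SigningCert,
        [int]$LifetimeMinutes = 5    # the service rejects proofs whose exp - nbf exceeds 10 minutes
    )
    if (-not $SigningCert.HasPrivateKey) { throw "Signing certificate $($SigningCert.Thumbprint) has no private key." }
    if ($SigningCert.NotAfter.ToUniversalTime() -lt [DateTime]::UtcNow) { throw 'Signing certificate has expired; the proof must come from a still-valid registered certificate.' }
    if ($LifetimeMinutes -lt 1 -or $LifetimeMinutes -gt 10) { throw 'LifetimeMinutes must be between 1 and 10.' }

    # Header: RS256 with x5t = base64url(SHA-1 thumbprint) so the service can find the registered cert.
    $header = @{ alg = 'RS256'; typ = 'JWT'; x5t = ConvertTo-Base64Url -Bytes $SigningCert.GetCertHash() }
    $now = [DateTimeOffset]::UtcNow
    $payload = @{
        aud = '00000002-0000-0000-c000-000000000000'   # fixed audience required for addKey/removeKey proofs
        iss = $AppObjectId                             # object id of the application (or service principal)
        nbf = $now.ToUnixTimeSeconds()
        exp = $now.AddMinutes($LifetimeMinutes).ToUnixTimeSeconds()
    }
    $encHeader  = ConvertTo-Base64Url -Bytes ([Text.Encoding]::UTF8.GetBytes(($header  | ConvertTo-Json -Compress)))
    $encPayload = ConvertTo-Base64Url -Bytes ([Text.Encoding]::UTF8.GetBytes(($payload | ConvertTo-Json -Compress)))
    $signingInput = [Text.Encoding]::UTF8.GetBytes("$encHeader.$encPayload")

    # RSASSA-PKCS1-v1_5 over SHA-256, i.e. JWS "RS256"; the key never leaves the store/provider.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($SigningCert)
    $sig = $rsa.SignData($signingInput,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    "$encHeader.$encPayload.$(ConvertTo-Base64Url -Bytes $sig)"
}

# --- Usage with the assumed variables ---
$signingCert = Get-Item "Cert:\CurrentUser\My\$ExistingThumbprint"
$newCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($NewCertPath)

Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# Sanity check before spending the proof: is the signing cert actually registered on this app?
$registered = (Get-MgApplication -ApplicationId $AppObjectId -Property KeyCredentials).KeyCredentials |
    Where-Object { $_.CustomKeyIdentifier -and (([BitConverter]::ToString($_.CustomKeyIdentifier) -replace '-', '') -eq $signingCert.Thumbprint) }
if (-not $registered) { Write-Warning "Thumbprint $($signingCert.Thumbprint) not found among the app's keyCredentials; addKey will be rejected." }

# Generate the proof immediately before the call; it is only valid for a few minutes.
$proof = New-MgAppKeyProofToken -AppObjectId $AppObjectId -SigningCert $signingCert

Add-MgApplicationKey -ApplicationId $AppObjectId -Proof $proof -KeyCredential @{
    Type        = 'AsymmetricX509Cert'
    Usage       = 'Verify'
    Key         = $newCert.RawData
    DisplayName = "rolled $($newCert.NotAfter.ToString('yyyy-MM-dd'))"
}
```

Unlike the Update-MgApplication route, addKey appends without touching the other entries, so this is the safer primitive for rotation; the cost is that the private key of an already-registered certificate must be reachable from the script, which, as noted earlier in the thread, rules out a certificate from which only the public portion can be fetched.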